Your message dated Sat, 09 Dec 2017 10:46:36 +0000
with message-id <1512816396.1994.30.ca...@adam-barratt.org.uk>
and subject line Closing bugs for updates included in stretch point release
has caused the Debian Bug report #878173,
regarding stretch-pu: package pdns/4.0.3-1+deb9u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
878173: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=878173
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu

Dear Release Team,

pdns before 4.0.4 replies incorrectly to DNS questions with the
DNSSEC query bit (DO) set, when the query also uses the "0x20"
mechanism to increase spoofing resistance.

Unfortunately this is the configuration letsencrypt uses to check
for CAA records on domains. This implies letsencrypt being broken
for all users that have domains on pdns from stretch.

Upstream has fixed this in 4.0.4, but that didn't make it into
stretch.

There is more discussion on this in Debian bug #869222 and
at https://github.com/PowerDNS/pdns/issues/5546 and at
https://community.letsencrypt.org/t/caa-servfail-changes/38298/2

I have imported a minimal patch from upstream and attached the
debdiff. Please let me know if this looks good or if I got something
wrong.

Thanks,
Chris

diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog
--- pdns-4.0.3/debian/changelog 2017-01-19 23:05:09.000000000 +0000
+++ pdns-4.0.3/debian/changelog 2017-10-10 18:08:15.000000000 +0000
@@ -1,3 +1,9 @@
+pdns (4.0.3-1+deb9u1) stable; urgency=medium
+
+  * Fix incorrect qname casing in NSEC3 generation (Closes: #869222)
+
+ -- Christian Hofstaedtler <z...@debian.org>  Tue, 10 Oct 2017 18:08:15 +0000
+
 pdns (4.0.3-1) unstable; urgency=medium
 
   * New upstream version 4.0.3, fixing bug when running bindbackend
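Review bot: The new changelog entry says "NSEC3 generation", while the imported patch is titled "auth: lowercase qname before NSEC generation" and its filename also says NSEC; align the wording so the entry matches the patch it describes. The entry could also name the patch file and state the user-visible effect (incorrect replies to mixed-case queries with the DO bit set), since "(Closes: #869222)" alone does not tell a stable user what changed.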
diff -Nru 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch
--- 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch   
    1970-01-01 00:00:00.000000000 +0000
+++ 
pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch   
    2017-10-10 18:08:15.000000000 +0000
@@ -0,0 +1,25 @@
+From b91cfe5c069df975176f5fd944540f72fc5d01bb Mon Sep 17 00:00:00 2001
+From: Kees Monshouwer <min...@monshouwer.org>
+Date: Wed, 3 May 2017 21:49:11 +0200
+Subject: [PATCH] auth: lowercase qname before NSEC generation
+
+[z...@debian.org]: Patch from upstream PR #5289.
+https://github.com/PowerDNS/pdns/commit/b91cfe5c069df975176f5fd944540f72fc5d01bb
+
+---
+ pdns/dnsbackend.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc
+index 4e43ffc2b1..2454d6efb8 100644
+--- a/pdns/dnsbackend.cc
++++ b/pdns/dnsbackend.cc
+@@ -273,7 +273,7 @@ bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const 
DNSName& zonename, co
+   // lcqname=labelReverse(lcqname);
+   DNSName dnc;
+   string relqname, sbefore, safter;
+-  relqname=labelReverse(makeRelative(qname.toStringNoDot(), 
zonename.toStringNoDot())); // FIXME400
++  relqname=labelReverse(makeRelative(toLower(qname.toStringNoDot()), 
zonename.toStringNoDot()));
+   //sbefore = before.toString();
+   //safter = after.toString();
+   bool ret = this->getBeforeAndAfterNamesAbsolute(id, relqname, dnc, sbefore, 
safter);
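Review bot: In the changed relqname line only qname is passed through toLower(); zonename.toStringNoDot() goes into makeRelative() unchanged, so the result depends on how makeRelative() handles a lowercase qname against a zonename that may still carry the original case. Please confirm zonename is always lowercase at this point, or lowercase both arguments. The patch header would also be easier to track with DEP-3 style "Origin:" and "Bug-Debian:" fields rather than the free-form bracketed note, and the dropped "// FIXME400" comment deserves a word on whether the issue it marked is what this change resolves.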
diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series
--- pdns-4.0.3/debian/patches/series    1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.0.3/debian/patches/series    2017-10-10 18:08:15.000000000 +0000
@@ -0,0 +1 @@
+869222-lowercase-qname-before-NSEC-generation.patch

--- End Message ---
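The failure mode described in the request above, as an added example that is not part of the original message or of PowerDNS: a simplified Python model of a bytewise before/after lookup over lowercase, label-reversed owner names, showing how a 0x20 mixed-case qname selects the wrong NSEC neighbours unless it is lowercased first. The zone contents and the helpers `make_relative`, `label_reverse`, `before_and_after` and `covers` are constructed for illustration and only mirror the names used in the patch.

```python
import bisect

ZONE = "example.org"
# Constructed zone data: lowercase, label-reversed owner names relative to
# the zone, sorted bytewise ("" is the apex, "sub a" is a.sub.example.org).
ORDERNAMES = sorted(["", "alpha", "mail", "sub a", "www"])

def make_relative(qname, zone):
    """Strip the zone suffix; the suffix match itself ignores case."""
    q, z = qname.rstrip("."), zone.rstrip(".")
    if q.lower() == z.lower():
        return ""
    if not q.lower().endswith("." + z.lower()):
        raise ValueError("qname is outside the zone")
    return q[: -(len(z) + 1)]

def label_reverse(rel):
    """'a.sub' -> 'sub a': most significant label first."""
    return " ".join(reversed(rel.split("."))) if rel else ""

def before_and_after(qname, lowercase):
    """Ordernames bracketing qname; lowercase=False models the unpatched path."""
    name = qname.lower() if lowercase else qname
    key = label_reverse(make_relative(name, ZONE))
    i = bisect.bisect_right(ORDERNAMES, key)  # i >= 1: the apex "" sorts first
    return ORDERNAMES[i - 1], ORDERNAMES[i % len(ORDERNAMES)]  # wraps to apex

def covers(before, after, qname):
    """Validator's view: canonical (lowercase) qname lies in (before, after)."""
    key = label_reverse(make_relative(qname.lower(), ZONE))
    return before < key and (after == "" or key < after)

if __name__ == "__main__":
    q = "NoNeXiSt.Example.ORG"  # constructed 0x20-style query name
    for lc in (False, True):
        b, a = before_and_after(q, lc)
        print(f"lowercase={lc}: before={b!r} after={a!r} covers={covers(b, a, q)}")
```

Uppercase ASCII sorts before lowercase, so the unlowered key falls between the apex and the first lowercase name, and a validator that canonicalises the qname rejects the resulting denial of existence.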
--- Begin Message ---
Version: 9.3

Hi,

Each of the updates referenced in these bugs was included in this
morning's stretch point release. Thanks!

Regards,

Adam

--- End Message ---
