[Bug 1898590] Re: Verify DNS fingerprints not working

Christian Ehrhardt  Wed, 14 Oct 2020 03:51:03 -0700

*** This bug is a duplicate of bug 1897744 ***
    https://bugs.launchpad.net/bugs/1897744


ok up/downgrading just "libc6" is enough to trigger.

I also found that libc6 from Eoan version 2.30-0ubuntu2.2 is good.
So it is new in 2.31!

The changelog mentions soem DNSSEC
https://sourceware.org/legacy-ml/libc-announce/2020/msg00001.html

"* The DNS stub resolver will optionally send the AD (authenticated
  data) bit in queries if the trust-ad option is set via the options
  directive in /etc/resolv.conf (or if RES_TRUSTAD is set in
  _res.options).  In this mode, the AD bit, as provided by the name
  server, is available to applications which call res_search and
  related functions.  In the default mode, the AD bit is not set in
  queries, and it is automatically cleared in responses, indicating a
  lack of DNSSEC validation.  (Therefore, the name servers and the
  network path to them are treated as untrusted.)"

Once I knew that it was a small step and I found that
  options edns0 trust-ad
in /etc/resolv.conf indeed fixes the issue.

I'm not sure if openssh would be entitled to set  RES_TRUSTAD is set in 
_res.options.
Maybe not as that is more a decision of the admin setting up and configuring 
the system than the openssh software.

Therefore I think this is actually a little detail that upgraders that
use dnssec for openssh (and maybe others) via libc6 resolv need to
consider.

** Bug watch added: Debian Bug tracker #960023
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960023

** Also affects: openssh (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960023
   Importance: Unknown
       Status: Unknown

** Bug watch added: github.com/systemd/systemd/issues #15767
   https://github.com/systemd/systemd/issues/15767

** Also affects: systemd via
   https://github.com/systemd/systemd/issues/15767
   Importance: Unknown
       Status: Unknown

** Also affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: systemd (Ubuntu)
       Status: New => Fix Released

** Also affects: glibc (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: openssh (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: systemd (Ubuntu Focal)
   Importance: Undecided
       Status: New

** No longer affects: glibc (Ubuntu Focal)

** Changed in: openssh (Ubuntu)
       Status: Confirmed => Invalid

** No longer affects: openssh (Ubuntu Focal)

** Changed in: glibc (Ubuntu)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1898590

Title:
  Verify DNS fingerprints not working

To manage notifications about this bug go to:
https://bugs.launchpad.net/systemd/+bug/1898590/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1898590] Re: Verify DNS fingerprints not working

Reply via email to