Your message dated Wed, 01 Jul 2015 11:52:33 +0200
with message-id
<1435744353.1767514.312382369.3f0bb...@webmail.messagingengine.com>
and subject line Re: Bug#738491: hash-slinger: tlsa fails with "query data not
secure and secure data requested" even though DNSSEC is present
has caused the Debian Bug report #738491,
regarding hash-slinger: tlsa fails with "query data not secure and secure data
requested" even though DNSSEC is present
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
738491: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738491
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: hash-slinger
Version: 2.5-1
Severity: minor
Dear Maintainer,
tlsa fails for a domain that has DNSSEC records, unless the --insecure
argument is used. dig output shows the 'ad' flag, so my understanding
is that the lookup really is secure and tlsa is incorrect and there's
probably some underlying libunbound2 problem.

$ tlsa --create www.debian.org
Error: query data not secure and secure data requested, unable to continue
Unable to resolve www.debian.org.: Unsuccesful lookup or no data returned for rrtype 28.

$ dig +dnssec www.debian.org | grep flags
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 4096

$ tlsa --create --insecure www.debian.org
Warning: query data is not secure.
Unable to resolve www.debian.org.: Unsuccesful lookup or no data returned for rrtype 28.
Got a certificate with Subject: /OU=Domain Control Validated/OU=Gandi Standard SSL/CN=debian.org
_443._tcp.www.debian.org. IN TLSA 3 0 1 07a9ff1059c430e973b7abd8cb754627bb9c8a3031f5ea329bfc8caf4a41e5e2
Got a certificate with Subject: /OU=Domain Control Validated/OU=Gandi Standard SSL/CN=dsa.debian.org
_443._tcp.www.debian.org. IN TLSA 3 0 1 ccb2cbee8c1947b4eee4ffab090f9f3d604bc6f3dea3d9683042a6654618ac1f

-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages hash-slinger depends on:
ii libpython2.7-stdlib [python-argparse] 2.7.6-5
ii openssh-client 1:6.4p1-2
ii python 2.7.5-5
ii python-dnspython 1.11.1-1
ii python-gnupg 0.3.5-2
ii python-ipaddr 2.1.10-1
ii python-m2crypto 0.21.1-3
ii python-unbound 1.4.21-1
hash-slinger recommends no packages.
hash-slinger suggests no packages.
-- no debconf information
--
Gerald Turner Encrypted mail preferred!
0xEC942276FDB8716D CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
--- End Message ---
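
Added example, not part of the original report and not hash-slinger's own code: how a "3 0 1" TLSA record like the ones in the output above is formed (RFC 6698 usage 3, selector 0 = full certificate, matching type 1 = SHA-256 of the DER bytes), and how a published record can be checked against a certificate. The function names, the example.org host and the SAMPLE_DER bytes are assumptions made for this illustration.

```python
import hashlib

# TLSA matching types (RFC 6698): 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
MATCHERS = {
    0: lambda der: der.hex(),
    1: lambda der: hashlib.sha256(der).hexdigest(),
    2: lambda der: hashlib.sha512(der).hexdigest(),
}

# Constructed placeholder bytes standing in for a DER certificate (not a real one).
SAMPLE_DER = b"\x30\x82\x00\x2a" + b"constructed-placeholder-certificate-bytes"

def tlsa_owner(host, port=443, proto="tcp"):
    """Owner name of the TLSA RRset, e.g. _443._tcp.www.example.org."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))

def tlsa_record(host, cert_der, usage=3, selector=0, mtype=1, port=443):
    """Presentation-format TLSA record for a DER-encoded certificate."""
    if selector != 0:
        # Selector 1 would need the SubjectPublicKeyInfo parsed out of the cert.
        raise NotImplementedError("only selector 0 (full certificate) handled")
    if mtype not in MATCHERS:
        raise ValueError("unknown matching type %r" % mtype)
    return "%s IN TLSA %d %d %d %s" % (
        tlsa_owner(host, port), usage, selector, mtype, MATCHERS[mtype](cert_der))

def tlsa_matches(record, cert_der):
    """Check a certificate against one TLSA record line (selector 0 only)."""
    fields = record.split()
    at = fields.index("TLSA")
    usage, selector, mtype = (int(f) for f in fields[at + 1:at + 4])
    if selector != 0 or mtype not in MATCHERS:
        raise ValueError("unsupported selector/matching type")
    # The hex data may be wrapped onto a second line; split() has already
    # broken it into chunks, so rejoin them before comparing.
    published = "".join(fields[at + 4:]).lower()
    return published == MATCHERS[mtype](cert_der)

if __name__ == "__main__":
    rec = tlsa_record("www.example.org", SAMPLE_DER)
    print(rec)
    print("match:", tlsa_matches(rec, SAMPLE_DER))
```
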
--- Begin Message ---
Version: 2.6-1
Hi Gerald,
this has been fixed in version 2.6-1 available from unstable and Debian
stretch.
I'll prepare a backported version for Debian jessie.
Cheers,
Ondrej
On Mon, Feb 10, 2014, at 01:07, Gerald Turner wrote:
> Package: hash-slinger
> Version: 2.5-1
> Severity: minor
>
> Dear Maintainer,
>
> tlsa fails for a domain that has DNSSEC records, unless the --insecure
> argument is used. dig output shows the 'ad' flag, so my understanding
> is that the lookup really is secure and tlsa is incorrect and there's
> probably some underlying libunbound2 problem.
>
> $ tlsa --create www.debian.org
> Error: query data not secure and secure data requested, unable to
> continue
> Unable to resolve www.debian.org.: Unsuccesful lookup or no data returned
> for rrtype 28.
>
> $ dig +dnssec www.debian.org | grep flags
> ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
> ; EDNS: version: 0, flags: do; udp: 4096
>
> $ tlsa --create --insecure www.debian.org
> Warning: query data is not secure.
> Unable to resolve www.debian.org.: Unsuccesful lookup or no data returned
> for rrtype 28.
> Got a certificate with Subject: /OU=Domain Control Validated/OU=Gandi
> Standard SSL/CN=debian.org
> _443._tcp.www.debian.org. IN TLSA 3 0 1
> 07a9ff1059c430e973b7abd8cb754627bb9c8a3031f5ea329bfc8caf4a41e5e2
> Got a certificate with Subject: /OU=Domain Control Validated/OU=Gandi
> Standard SSL/CN=dsa.debian.org
> _443._tcp.www.debian.org. IN TLSA 3 0 1
> ccb2cbee8c1947b4eee4ffab090f9f3d604bc6f3dea3d9683042a6654618ac1f
>
> -- System Information:
> Debian Release: jessie/sid
> APT prefers testing
> APT policy: (500, 'testing')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages hash-slinger depends on:
> ii libpython2.7-stdlib [python-argparse] 2.7.6-5
> ii openssh-client 1:6.4p1-2
> ii python 2.7.5-5
> ii python-dnspython 1.11.1-1
> ii python-gnupg 0.3.5-2
> ii python-ipaddr 2.1.10-1
> ii python-m2crypto 0.21.1-3
> ii python-unbound 1.4.21-1
>
> hash-slinger recommends no packages.
>
> hash-slinger suggests no packages.
>
> -- no debconf information
>
> --
> Gerald Turner Encrypted mail preferred!
> 0xEC942276FDB8716D CA89 B27A 30FA 66C5 1B80 3858 EC94 2276 FDB8 716D
--
Ondřej Surý <[email protected]>
Knot DNS (https://www.knot-dns.cz/) – a high-performance DNS server
--- End Message ---