Package: dnssec-trigger
Version: 0.17+repack-3+b1
Severity: important
File: /usr/lib/dnssec-trigger/dnssec-trigger-script

It looks like the dnssec-trigger-script will need to be adapted to this
change in glibc in order to keep working:

glibc (2.31-0experimental2) experimental; urgency=medium

  Starting with glibc 2.31, the DNS stub resolver does not blindly trust the
  AD (authenticated data) flag, indicating a DNSSEC validation:

  - By default the name servers and the network path to them are treated as
    untrusted. In this mode, the AD flag is not set in queries, and it is
    automatically cleared in responses, indicating a lack of DNSSEC
    validation.

  - A new trust-ad option, set via the options directive in /etc/resolv.conf
    (or if RES_TRUSTAD is set in _res.options), indicates that the name
    server is trusted. In this mode, the AD bit, as provided by the name
    server, is made available to the applications.

  Therefore if you trust your name servers, for example because you use a
  locally running validating resolver (e.g. unbound, systemd-resolved or
  dnsmasq), you might want to add the following line to /etc/resolv.conf:

    options trust-ad

 -- Aurelien Jarno <[email protected]>  Sun, 17 May 2020 15:59:38 +0200

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 
'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 
'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dnssec-trigger depends on:
ii  gir1.2-nm-1.0       1.26.0-1
iu  libc6               2.31-1
ii  libgdk-pixbuf2.0-0  2.40.0+dfsg-5
ii  libglib2.0-0        2.64.3-2
ii  libgtk2.0-0         2.24.32-4
ii  libldns3            1.7.1-2
ii  libssl1.1           1.1.1g-1
ii  python3             3.8.2-3
ii  python3-gi          3.36.0-3
ii  python3-lockfile    1:0.12.2-2.2
ii  sensible-utils      0.0.12+nmu1
ii  unbound             1.10.1-1

dnssec-trigger recommends no packages.

dnssec-trigger suggests no packages.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to