> The problem I reproduced in March (but didn't solve) was on amd64 where
> the DS didn't match. It used SHA384.
>
> Two different examples:
> https://mail-index.netbsd.org/netbsd-users/2020/03/24/msg024303.html

Hm, that's ... mine :)

The protonmail.ch DS issue really seems to be a general "in-tree BIND on
netbsd-8 fails doing the sha384 DS checksum" issue:

% which dnssec-dsfromkey
/usr/sbin/dnssec-dsfromkey
% dnssec-dsfromkey -V
dnssec-dsfromkey 9.10.5-P1
% dig protonmail.ch. dnskey | dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 73D3962080B965B6A3D80AB3097FDA1C561C49FB938C06941D9910DC6B3E21AC0F2C8610BB8F6ADB0279EC726D2C4648
% /usr/local/sbin/dnssec-dsfromkey -V
dnssec-dsfromkey 9.14.1
% dig protonmail.ch. dnskey | /usr/local/sbin/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
% dig protonmail.ch. ds +short
27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43 575C1C6FAB6B9FFC521996E526F4B5D513798D9E
% uname -mr
8.1 amd64
%

The /usr/local installation is locally built directly from the ISC BIND
distribution.

Hmm, let's go dig in some BIND release notes...

Hm, no mention of sha384 being broken there (no big surprise, really...).

Testing the system dnssec-dsfromkey and some other local builds I had
lying around from earlier on another amd64 machine which now runs 9.0_RC1:

% dig protonmail.ch. dnskey | dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
%
% dig protonmail.ch. dnskey | bind-9.10.5/bin/dnssec/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
%
% dig protonmail.ch. dnskey | bind-9.10.5-P3/bin/dnssec/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
%
% dig protonmail.ch. dnskey | bind-9.10.6-P1/bin/dnssec/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
%

Hm, so the problem doesn't actually come from BIND itself.

% file bind-9.10.5/bin/dnssec/dnssec-dsfromkey
bind-9.10.5/bin/dnssec/dnssec-dsfromkey: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.elf_so, for NetBSD 7.1, with debug_info, not stripped
%
% uname -rm
9.0_RC1 amd64
%

So this was built for NetBSD 7.1, but run on 9.0_RC1. The ldd output
indicates no BIND libraries, but plenty of system libraries:

% ldd bind-9.10.5/bin/dnssec/dnssec-dsfromkey
bind-9.10.5/bin/dnssec/dnssec-dsfromkey:
    -lgssapi.10 => /usr/lib/libgssapi.so.10
    -lkrb5.26 => /usr/lib/libkrb5.so.26
    -lhx509.5 => /usr/lib/libhx509.so.5
    -lasn1.9 => /usr/lib/libasn1.so.9
    -lcom_err.7 => /usr/lib/libcom_err.so.7
    -lgcc_s.1 => /usr/lib/libgcc_s.so.1
    -lc.12 => /usr/lib/libc.so.12
    -lroken.19 => /usr/lib/libroken.so.19
    -lutil.7 => /usr/lib/libutil.so.7
    -lcrypt.1 => /lib/libcrypt.so.1
    -lcrypto.8 => /usr/lib/libcrypto.so.8
    -lwind.0 => /usr/lib/libwind.so.0
    -lheimbase.1 => /usr/lib/libheimbase.so.1
    -lheimntlm.4 => /usr/lib/libheimntlm.so.4
    -lpthread.1 => /usr/lib/libpthread.so.1
    -lxml2.2 => /usr/pkg/lib/libxml2.so.2
    -lz.1 => /usr/lib/libz.so.1
    -llzma.2 => /usr/lib/liblzma.so.2
    -lm.0 => /usr/lib/libm.so.0
    -llzma.1 => /usr/lib/liblzma.so.1
%

So ... this one does it correctly, but still uses a rather old -lcrypto
(which I have still lying around from when it ran that release), so it's
not that the crypto library is at fault either.

And this time, comparing the two config.h's being used doesn't point out
anything glaringly obvious, neither does comparing the two isc/platform.h
files.

The in-tree BIND in netbsd-8 re-built on 9.0_RC1 still ends up
mis-calculating the sha384 checksum:

% dig protonmail.ch dnskey | env LD_LIBRARY_PATH=/usr/obj/external/bsd/bind/lib/liblwres /usr/obj/external/bsd/bind/bin/dnssec/dnssec-dsfromkey/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 73D3962080B965B6A3D80AB3097FDA1C561C49FB938C06941D9910DC6B3E21AC0F2C8610BB8F6ADB0279EC726D2C4648

I must admit I'm scratching my head about this one. Further hints welcome.

Regards,

- Havard
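When two dnssec-dsfromkey builds disagree, the quickest way to decide which one is right is to compute the DS independently of BIND: a DS digest is just hash(canonical owner name in wire format || DNSKEY RDATA) per RFC 4034 section 5.1.4, and the key tag is the checksum from RFC 4034 appendix B. The script below is an added example, not code from this thread, from NetBSD or from ISC BIND; it uses only Python's hashlib, parses a DNSKEY line as dig prints it, emits the SHA-256 and SHA-384 DS forms, and compares against "dig <zone> ds +short" output while ignoring the whitespace dig inserts into long digests. The DNSKEY record in it is constructed for illustration (a 4-byte "key" that exercises the encoding; it is not a real RSA key).

```python
"""Independent DS computation from a DNSKEY RR (RFC 4034 section 5.1.4, appendix B).

Added example, not from the NetBSD thread or from ISC BIND: run it over
'dig <zone> dnskey' output to see which dnssec-dsfromkey build agrees with
the DS published in the parent zone.
"""
import base64
import hashlib

# DS digest type -> hash constructor (RFC 4034 / RFC 4509 / RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample, not a real key: four key octets are enough to exercise
# the wire encoding, key tag and digest; a real RSASHA256 key is much longer.
CONSTRUCTED_DNSKEY = "example. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def name_to_wire(name):
    """Owner name in canonical wire format: lower-cased, uncompressed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue  # root name "." has no labels
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY RR as dig prints it (TTL/class optional)."""
    tokens = line.replace("(", " ").replace(")", " ").split()
    i = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
    key = base64.b64decode("".join(tokens[i + 4:]))  # dig may chunk the base64
    return tokens[0], flags, proto, alg, key


def dnskey_rdata(flags, proto, alg, key):
    """DNSKEY RDATA in wire format: 2-octet flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + key


def key_tag(rdata):
    """RFC 4034 appendix B key tag (every algorithm except obsolete RSAMD5, 1)."""
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_input(owner, rdata):
    """Exactly the bytes that get hashed: canonical owner name, then DNSKEY RDATA."""
    return name_to_wire(owner) + rdata


def ds_from_dnskey(line, digest_type=4):
    """Build the DS RR fields for one DNSKEY line; digest_type 2 = SHA-256, 4 = SHA-384."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    rdata = dnskey_rdata(flags, proto, alg, key)
    digest = DIGEST_ALGS[digest_type](ds_digest_input(owner, rdata)).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": alg,
            "digest_type": digest_type, "digest": digest}


def ds_set_from_dig(text, digest_type=4):
    """Whole 'dig <zone> dnskey' output in, one DS per DNSKEY RR out (comments skipped)."""
    return [ds_from_dnskey(line, digest_type) for line in text.splitlines()
            if not line.startswith(";") and "DNSKEY" in line.split()]


def format_ds(ds):
    return "%s IN DS %d %d %d %s" % (ds["owner"], ds["key_tag"], ds["algorithm"],
                                   ds["digest_type"], ds["digest"])


def ds_matches(ds, published):
    """Compare with one line of 'dig <zone> ds +short'; dig prints long digests in
    space-separated chunks, so whitespace inside the digest is ignored."""
    tokens = published.split()
    tag, alg, dtype = (int(t) for t in tokens[:3])
    digest = "".join(tokens[3:]).upper()
    return (tag, alg, dtype, digest) == (ds["key_tag"], ds["algorithm"],
                                         ds["digest_type"], ds["digest"])


if __name__ == "__main__":
    for dtype in (2, 4):
        print(format_ds(ds_from_dnskey(CONSTRUCTED_DNSKEY, dtype)))
```

Against a real zone, feed the output of "dig <zone> dnskey" to ds_set_from_dig and the lines of "dig <zone> ds +short" to ds_matches; the build whose SHA-384 DS agrees with both this script and the parent zone is the one to trust, and the one producing a 96-hex-digit value that matches neither is mis-hashing rather than mis-formatting.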