Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
Hi,

On 19/07/18 22:43, Christoph Martin wrote:
> tags 860064 -stretch
> thanks
>
> On 19.07.2018 at 19:34, Adam D. Barratt wrote:
>
>>>
>>> Please explain how the file was changed in stretch on that date.
>>> Specifically, which version of dns-root-data was updated, from which
>>> version.
>>>
>>> Sorry to keep going on about this, but there wasn't a dns-root-data
>>> update in the stretch point release that occurred on June 24th, so
>>> I'm very confused as to what effect you're apparently seeing.
>>
>> To correct myself, there wasn't even a stretch point release on that
>> date, just a jessie one. The remainder of my request still stands -
>> please provide exact details of the upgrade demonstrating the breakage
>> in stretch, including binary package names and before and after
>> versions.
>
> Sorry, I have to apologize.
>
> I manage several hundred Debian machines. Most of them are already
> stretch. I was sure that one of the two machines which I checked is
> stretch, but it is still jessie. I found out when I tried to gather the
> data, which you requested:
>
> From jessie dpkg.log:
>
> 2018-06-24 06:49:52 upgrade dns-root-data:all 2017072601~deb8u1 2017072601~deb8u2
>
> So. Sorry again. The bug is really only in jessie and it came with the
> update of dns-root-data for jessie on 2018-06-24.
>
> So hopefully the Debian-LTS team can do something about the problem in
> Jessie.

Thanks for the report. I have just updated dnsmasq in jessie to fix this problem.

Cheers,
Emilio
Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
tags 860064 -stretch
thanks

On 19.07.2018 at 19:34, Adam D. Barratt wrote:
>>
>> Please explain how the file was changed in stretch on that date.
>> Specifically, which version of dns-root-data was updated, from which
>> version.
>>
>> Sorry to keep going on about this, but there wasn't a dns-root-data
>> update in the stretch point release that occurred on June 24th, so
>> I'm very confused as to what effect you're apparently seeing.
>
> To correct myself, there wasn't even a stretch point release on that
> date, just a jessie one. The remainder of my request still stands -
> please provide exact details of the upgrade demonstrating the breakage
> in stretch, including binary package names and before and after
> versions.

Sorry, I have to apologize.

I manage several hundred Debian machines. Most of them are already
stretch. I was sure that one of the two machines which I checked is
stretch, but it is still jessie. I found out when I tried to gather the
data, which you requested:

From jessie dpkg.log:

2018-06-24 06:49:52 upgrade dns-root-data:all 2017072601~deb8u1 2017072601~deb8u2

So. Sorry again. The bug is really only in jessie and it came with the
update of dns-root-data for jessie on 2018-06-24.

So hopefully the Debian-LTS team can do something about the problem in
Jessie.

Regards
Christoph
Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
On Thu, 2018-07-19 at 18:23 +0100, Adam D. Barratt wrote:
> On Thu, 2018-07-19 at 18:42 +0200, Christoph Martin wrote:
> > tags 860064 +stretch
> > tags 860064 +jessie
> > thanks
> >
> > On 01.07.2018 at 15:38, Adam D. Barratt wrote:
> > > On Sun, 2018-07-01 at 11:38 +, Martin, Christoph wrote:
> > > > dns-root-data had an update a week before. the file with the
> > > > dns root keys was updated. at least the format has changed.
> > >
> > > To re-iterate, no such change has happened recently in stretch.
>
> [...]
>
> > The file /usr/share/dns/root.ds was changed in both jessie and
> > stretch with the update at june 24th:
>
> Please explain how the file was changed in stretch on that date.
> Specifically, which version of dns-root-data was updated, from which
> version.
>
> Sorry to keep going on about this, but there wasn't a dns-root-data
> update in the stretch point release that occurred on June 24th, so
> I'm very confused as to what effect you're apparently seeing.

To correct myself, there wasn't even a stretch point release on that
date, just a jessie one. The remainder of my request still stands -
please provide exact details of the upgrade demonstrating the breakage
in stretch, including binary package names and before and after
versions.

Regards,

Adam
Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
On Thu, 2018-07-19 at 18:42 +0200, Christoph Martin wrote:
> tags 860064 +stretch
> tags 860064 +jessie
> thanks
>
> On 01.07.2018 at 15:38, Adam D. Barratt wrote:
> > On Sun, 2018-07-01 at 11:38 +, Martin, Christoph wrote:
> > > dns-root-data had an update a week before. the file with the dns
> > > root keys was updated. at least the format has changed.
> >
> > To re-iterate, no such change has happened recently in stretch.

[...]

>
> The file /usr/share/dns/root.ds was changed in both jessie and
> stretch with the update at june 24th:

Please explain how the file was changed in stretch on that date.
Specifically, which version of dns-root-data was updated, from which
version.

Sorry to keep going on about this, but there wasn't a dns-root-data
update in the stretch point release that occurred on June 24th, so
I'm very confused as to what effect you're apparently seeing.

regards,

Adam
Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
tags 860064 +stretch
tags 860064 +jessie
thanks

On 01.07.2018 at 15:38, Adam D. Barratt wrote:
> On Sun, 2018-07-01 at 11:38 +, Martin, Christoph wrote:
>> dns-root-data had an update a week before. the file with the dns root
>> keys was updated. at least the format has changed.
>
> To re-iterate, no such change has happened recently in stretch.
>
> I understand that the update in jessie may have introduced such a
> change, but at this stage there's unfortunately nothing that either the
> security or release teams can do about that, as jessie is EOL and has
> moved to the LTS team.

The file /usr/share/dns/root.ds was changed in both jessie and stretch
with the update at june 24th:

# ls -l /tmp/usr/share/dns/root.ds /usr/share/dns/root.ds
-rw-r--r-- 1 root root 83 Aug 24 2017 /tmp/usr/share/dns/root.ds
-rw-r--r-- 1 root root 180 Dec 8 2017 /usr/share/dns/root.ds

# diff -u /tmp/usr/share/dns/root.ds /usr/share/dns/root.ds
--- /tmp/usr/share/dns/root.ds 2017-08-24 11:37:46.0 +0200 +++ /usr/share/dns/root.ds 2017-12-08 07:31:40.0 +0100 @@ -1 +1,2 @@ -. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5 +. 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5 +. 172800 IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d

So both jessie and stretch are affected and should get an update of
/etc/init.d/dnsmasq. The following patch fixes it:

# diff -u /etc/init.d/dnsmasq~ /etc/init.d/dnsmasq
--- /etc/init.d/dnsmasq~2015-05-05 11:17:08.0 +0200 +++ /etc/init.d/dnsmasq 2018-06-25 10:04:05.138221809 +0200 
@@ -111,7 +111,8 @@ ROOT_DS="/usr/share/dns/root.ds" if [ -f $ROOT_DS ]; then - DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e s/". IN DS "/--trust-anchor=.,/ -e s/" "/,/g $ROOT_DS | tr '\n' ' '`" +# DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e s/". IN DS "/--trust-anchor=.,/ -e s/" "/,/g $ROOT_DS | tr '\n' ' '`" + DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e s/".*\sIN\sDS\s"/--trust-anchor=.,/ -e s/" "/,/g $ROOT_DS | tr '\n' ' '`" fi start()

-- 
Christoph Martin, Head of Unix Systems
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
Anselm Franz von Bentzel-Weg 12, 55128 Mainz
Phone: +49(6131)3926337
Instant-Messaging: Jabber/XMPP: mar...@jabber.uni-mainz.de
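Review bot: the added DNSMASQ_OPTS line matches the record prefix with `.*\sIN\sDS\s`, and `\s` is a GNU sed extension, so the fix depends on which sed the init script runs under; `[[:space:]]` is the portable spelling. The `.*` is also unanchored and greedy, so everything before the last `IN DS` on a line is discarded without checking that the owner is `.`, and a line that does not match at all still goes through the second expression and reaches the dnsmasq command line with its spaces turned into commas. Consider anchoring the pattern with `^\.`, printing only lines that matched (`sed -n` with the `p` flag), quoting `$ROOT_DS`, and deleting the old line instead of leaving it commented out.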
Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
On Sun, 2018-07-01 at 11:38 +, Martin, Christoph wrote:
> dns-root-data had an update a week before. the file with the dns root
> keys was updated. at least the format has changed.

To re-iterate, no such change has happened recently in stretch.

I understand that the update in jessie may have introduced such a
change, but at this stage there's unfortunately nothing that either the
security or release teams can do about that, as jessie is EOL and has
moved to the LTS team.

Regards,

Adam
Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
Hi,

sorry for the late reply. I don't have everyday internet connection at the moment.

dns-root-data had an update a week before. the file with the dns root keys was updated. at least the format has changed. now there are dns time to live values in front of the keys. dnsmasq tries to parse these lines and puts the ttl value into the command line of dnsmasq which then fails to start.

and yes I consider a failing dnsmasq which is often used as a dns forwarder for whole networks as a critical problem.

> On 27.06.2018 at 23:29, Adam D. Barratt wrote:
>
>> On Mon, 2018-06-25 at 10:44 +0200, Christoph Martin wrote:
>> severity 860064 critical
>>
>
> On which grounds are you claiming this qualifies for critical severity?
>
>
> It doesn't introduce a security hole, cause severe data loss or break
> your whole system. I have difficulty with dnsmasq and dns-root-data
> being "unrelated software", particularly given that dnsmasq-base has
> "Recommends: dns-root-data".
>
> Regards,
>
> Adam
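The failure described in this message can be reproduced offline. The following is an added example, not code from the thread or from the Debian package: it runs the unpatched init script's sed expression over the two root.ds layouts shown in the thread and compares the result with a field-based parser. The function names `legacy_opts`, `trust_anchor_opts` and `all_options` are hypothetical, and the digest is assumed to be a single field without embedded whitespace.

```shell
#!/bin/sh
# Constructed sample inputs: the two root.ds layouts shown in the thread's diff.
OLD_FORMAT='. IN DS 19036 8 2 49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5'
NEW_FORMAT='. 172800 IN DS 19036 8 2 49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
. 172800 IN DS 20326 8 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d'

# The substitution from the unpatched init script, applied to root.ds text on stdin.
legacy_opts() {
    sed -e 's/. IN DS /--trust-anchor=.,/' -e 's/ /,/g' | tr '\n' ' '
}

# Hypothetical replacement (not the Debian fix): find the "IN DS" pair by field
# position, validate what follows, and ignore everything else on the line.
trust_anchor_opts() {
    awk '
        NF == 0 || $1 ~ /^;/ || $1 != "." { next }   # blank, comment, non-root owner
        {
            for (i = 2; i < NF; i++)
                if ($i == "IN" && $(i + 1) == "DS") break
            if (NF - i != 5) next                    # expect tag, alg, type, digest
            tag = $(i + 2); alg = $(i + 3); typ = $(i + 4); dig = $(i + 5)
            if (tag !~ /^[0-9]+$/ || alg !~ /^[0-9]+$/ || typ !~ /^[0-9]+$/) next
            if (dig !~ /^[0-9A-Fa-f]+$/) next
            printf "--trust-anchor=.,%s,%s,%s,%s ", tag, alg, typ, dig
        }'
}

# True when every word is a --trust-anchor option, i.e. safe to append to DNSMASQ_OPTS.
all_options() {
    for word in $1; do
        case $word in --trust-anchor=*) ;; *) return 1 ;; esac
    done
}

legacy_new=$(printf '%s\n' "$NEW_FORMAT" | legacy_opts)
fixed_new=$(printf '%s\n' "$NEW_FORMAT" | trust_anchor_opts)
printf 'legacy sed on new format:   %s\n' "$legacy_new"
printf 'field parser on new format: %s\n' "$fixed_new"
```

With the new layout the legacy expression consumes the last digit of the TTL and leaves the rest in front of the option, so the first word handed to dnsmasq is not an option at all.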
Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
On Mon, 2018-06-25 at 10:44 +0200, Christoph Martin wrote:
> severity 860064 critical
>

On which grounds are you claiming this qualifies for critical severity?

It doesn't introduce a security hole, cause severe data loss or break
your whole system. I have difficulty with dnsmasq and dns-root-data
being "unrelated software", particularly given that dnsmasq-base has
"Recommends: dns-root-data".

Regards,

Adam
Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
On Mon, 2018-06-25 at 10:44 +0200, Christoph Martin wrote:
> severity 860064 critical
> tags 860064 +jessie
> thanks
>
> yesterday jessie and stretch upgraded the dns-root-data package,
> which includes the new root DNSSEC keys with a time to live value
> added.

This is factually incorrect. Absolutely nothing changed in stretch with
respect to dns-root-data since October 2017. Please don't spread
misinformation.

> Because of this update and the bug in dnsmasq, every dnsmasq
> installation on jessie and stretch which has dns-root-data installed
> will fail to work.
>
> The patch in the bug report is easy and works.
>
> We need an urgent update for jessie and stretch.

Why is an update for stretch required, given that nothing changed?

Regards,

Adam
Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade
severity 860064 critical
tags 860064 +jessie
thanks

yesterday jessie and stretch upgraded the dns-root-data package, which
includes the new root DNSSEC keys with a time to live value added.

Because of this update and the bug in dnsmasq, every dnsmasq
installation on jessie and stretch which has dns-root-data installed
will fail to work.

The patch in the bug report is easy and works.

We need an urgent update for jessie and stretch.

Regards
Christoph