Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-07-20 Thread Emilio Pozuelo Monfort
Hi,

On 19/07/18 22:43, Christoph Martin wrote:
> tags 860064 -stretch
> thanks
> 
> On 19.07.2018 at 19:34, Adam D. Barratt wrote:
> 
>>>
>>> Please explain how the file was changed in stretch on that date.
>>> Specifically, which version of dns-root-data was updated, from which
>>> version.
>>>
>>> Sorry to keep going on about this, but there wasn't a dns-root-data
>>> update in the stretch point release that occurred on June 24th, so
>>> I'm very confused as to what effect you're apparently seeing.
>>
>> To correct myself, there wasn't even a stretch point release on that
>> date, just a jessie one. The remainder of my request still stands -
>> please provide exact details of the upgrade demonstrating the breakage
>> in stretch, including binary package names and before and after
>> versions.
> 
> Sorry, I have to apologize.
> 
> I manage several hundred Debian machines. Most of them are already
> stretch. I was sure that one of the two machines which I checked is
> stretch, but it is still jessie. I found out when I tried to gather the
> data, which you requested:
> 
> From jessie dpkg.log:
> 
> 2018-06-24 06:49:52 upgrade dns-root-data:all 2017072601~deb8u1 2017072601~deb8u2
> 
> So. Sorry again. The bug is really only in jessie and it came with the
> update of dns-root-data for jessie on 2018-06-24.
> 
> So hopefully the Debian-LTS team can do something about the problem in
> Jessie.

Thanks for the report. I have just updated dnsmasq in jessie to fix this 
problem.

Cheers,
Emilio



Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-07-19 Thread Christoph Martin
tags 860064 -stretch
thanks

On 19.07.2018 at 19:34, Adam D. Barratt wrote:

>>
>> Please explain how the file was changed in stretch on that date.
>> Specifically, which version of dns-root-data was updated, from which
>> version.
>>
>> Sorry to keep going on about this, but there wasn't a dns-root-data
>> update in the stretch point release that occurred on June 24th, so
>> I'm very confused as to what effect you're apparently seeing.
> 
> To correct myself, there wasn't even a stretch point release on that
> date, just a jessie one. The remainder of my request still stands -
> please provide exact details of the upgrade demonstrating the breakage
> in stretch, including binary package names and before and after
> versions.

Sorry, I have to apologize.

I manage several hundred Debian machines. Most of them are already
stretch. I was sure that one of the two machines which I checked is
stretch, but it is still jessie. I found out when I tried to gather the
data, which you requested:

From jessie dpkg.log:

2018-06-24 06:49:52 upgrade dns-root-data:all 2017072601~deb8u1 2017072601~deb8u2

So. Sorry again. The bug is really only in jessie and it came with the
update of dns-root-data for jessie on 2018-06-24.

So hopefully the Debian-LTS team can do something about the problem in
Jessie.

Regards
Christoph



Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-07-19 Thread Adam D. Barratt
On Thu, 2018-07-19 at 18:23 +0100, Adam D. Barratt wrote:
> On Thu, 2018-07-19 at 18:42 +0200, Christoph Martin wrote:
> > tags 860064 +stretch
> > tags 860064 +jessie
> > thanks
> > 
> > On 01.07.2018 at 15:38, Adam D. Barratt wrote:
> > > On Sun, 2018-07-01 at 11:38 +, Martin, Christoph wrote:
> > > > dns-root-data had an update a week before. the file with the
> > > > dns
> > > > root
> > > > keys was updated. at least the format has changed.
> > > 
> > > To re-iterate, no such change has happened recently in stretch.
> 
> [...]
> > > The file /usr/share/dns/root.ds was changed in both jessie and
> > 
> > stretch
> > with the update on June 24th:
> 
> Please explain how the file was changed in stretch on that date.
> Specifically, which version of dns-root-data was updated, from which
> version.
> 
> Sorry to keep going on about this, but there wasn't a dns-root-data
> update in the stretch point release that occurred on June 24th, so
> I'm very confused as to what effect you're apparently seeing.

To correct myself, there wasn't even a stretch point release on that
date, just a jessie one. The remainder of my request still stands -
please provide exact details of the upgrade demonstrating the breakage
in stretch, including binary package names and before and after
versions.

Regards,

Adam



Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-07-19 Thread Adam D. Barratt
On Thu, 2018-07-19 at 18:42 +0200, Christoph Martin wrote:
> tags 860064 +stretch
> tags 860064 +jessie
> thanks
> 
> On 01.07.2018 at 15:38, Adam D. Barratt wrote:
> > On Sun, 2018-07-01 at 11:38 +, Martin, Christoph wrote:
> > > dns-root-data had an update a week before. the file with the dns
> > > root
> > > keys was updated. at least the format has changed.
> > 
> > To re-iterate, no such change has happened recently in stretch.
[...]
> > The file /usr/share/dns/root.ds was changed in both jessie and
> stretch
> with the update on June 24th:

Please explain how the file was changed in stretch on that date.
Specifically, which version of dns-root-data was updated, from which
version.

Sorry to keep going on about this, but there wasn't a dns-root-data
update in the stretch point release that occurred on June 24th, so I'm
very confused as to what effect you're apparently seeing.

regards,

Adam



Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-07-19 Thread Christoph Martin
tags 860064 +stretch
tags 860064 +jessie
thanks

On 01.07.2018 at 15:38, Adam D. Barratt wrote:
> On Sun, 2018-07-01 at 11:38 +, Martin, Christoph wrote:
>> dns-root-data had an update a week before. the file with the dns root
>> keys was updated. at least the format has changed.
> 
> To re-iterate, no such change has happened recently in stretch.
> 
> I understand that the update in jessie may have introduced such a
> change, but at this stage there's unfortunately nothing that either the
> security or release teams can do about that, as jessie is EOL and has
> moved to the LTS team.

The file /usr/share/dns/root.ds was changed in both jessie and stretch
with the update on June 24th:

# ls -l /tmp/usr/share/dns/root.ds /usr/share/dns/root.ds
-rw-r--r-- 1 root root  83 Aug 24  2017 /tmp/usr/share/dns/root.ds
-rw-r--r-- 1 root root 180 Dec  8  2017 /usr/share/dns/root.ds

# diff -u /tmp/usr/share/dns/root.ds /usr/share/dns/root.ds
--- /tmp/usr/share/dns/root.ds  2017-08-24 11:37:46.0 +0200
+++ /usr/share/dns/root.ds  2017-12-08 07:31:40.0 +0100
@@ -1 +1,2 @@
-. IN DS 19036 8 2
49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5
+.  172800  IN  DS  19036 8 2
49aac11d7b6f6446702e54a1607371607a1a41855200fd2ce1cdde32f24e8fb5
+.  172800  IN  DS  20326 8 2
e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d

So both jessie and stretch are affected and should get an update of
/etc/init.d/dnsmasq .

The following patch fixes it:

# diff -u /etc/init.d/dnsmasq~ /etc/init.d/dnsmasq
--- /etc/init.d/dnsmasq~2015-05-05 11:17:08.0 +0200
+++ /etc/init.d/dnsmasq 2018-06-25 10:04:05.138221809 +0200
@@ -111,7 +111,8 @@
 ROOT_DS="/usr/share/dns/root.ds"

 if [ -f $ROOT_DS ]; then
-   DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e s/". IN DS "/--trust-anchor=.,/
-e s/" "/,/g $ROOT_DS | tr '\n' ' '`"
+#   DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e s/". IN DS "/--trust-anchor=.,/
-e s/" "/,/g $ROOT_DS | tr '\n' ' '`"
+   DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e
s/".*\sIN\sDS\s"/--trust-anchor=.,/ -e s/" "/,/g $ROOT_DS | tr '\n' ' '`"
 fi

 start()
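
Review bot: in the added DNSMASQ_OPTS line, the first expression `s/".*\sIN\sDS\s"/--trust-anchor=.,/` is unanchored and greedy, and the second expression `s/" "/,/g` still converts each single space to a comma, so the output is only correct when key tag, algorithm, digest type and digest are separated by exactly one space each. A tab or a run of spaces between those fields would land inside the --trust-anchor value and reproduce the startup failure this change is meant to fix. `\s` is also a GNU sed extension. Suggest anchoring the match at the start of the line, using [[:space:]] classes, collapsing each whitespace run into a single comma, quoting "$ROOT_DS", and deleting the old line instead of leaving it commented out.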



-- 

Christoph Martin, Leiter Unix-Systeme
Zentrum für Datenverarbeitung, Uni-Mainz, Germany
 Anselm Franz von Bentzel-Weg 12, 55128 Mainz
 Telefon: +49(6131)3926337
 Instant-Messaging: Jabber/XMPP: mar...@jabber.uni-mainz.de



Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-07-01 Thread Adam D. Barratt
On Sun, 2018-07-01 at 11:38 +, Martin, Christoph wrote:
> dns-root-data had an update a week before. the file with the dns root
> keys was updated. at least the format has changed.

To re-iterate, no such change has happened recently in stretch.

I understand that the update in jessie may have introduced such a
change, but at this stage there's unfortunately nothing that either the
security or release teams can do about that, as jessie is EOL and has
moved to the LTS team.

Regards,

Adam



Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-07-01 Thread Martin, Christoph
Hi,

sorry for the late reply. I don't have everyday internet connection at the
moment.

dns-root-data had an update a week before. the file with the dns root keys was
updated. at least the format has changed. now there are dns time to live values
in front of the keys. dnsmasq tries to parse these lines and puts the ttl value
into the command line of dnsmasq which then fails to start.

and yes I consider a failing dnsmasq which is often used as a dns forwarder for 
whole networks as a critical problem.

> On 27.06.2018 at 23:29, Adam D. Barratt wrote:
> 
>> On Mon, 2018-06-25 at 10:44 +0200, Christoph Martin wrote:
>> severity 860064 critical
>> 
> 
> On which grounds are you claiming this qualifies for critical severity?
> 
> 
> It doesn't introduce a security hole, cause severe data loss or break
> your whole system. I have difficulty with dnsmasq and dns-root-data
> being "unrelated software", particularly given that dnsmasq-base has
> "Recommends: dns-root-data".
> 
> Regards,
> 
> Adam
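
The failure described in the message above, as an added example (not code from the thread or from the dnsmasq package): a field-based conversion of root.ds DS records into --trust-anchor options that accepts the layout with and without a TTL and refuses lines it does not understand, so a format change cannot leak stray fields onto the dnsmasq command line. The function names and the sample records with short placeholder digests are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build dnsmasq --trust-anchor options
# from DS records by field position instead of by sed substitution.
ds_to_trust_anchors() {
    awk '
    NF == 0 || $1 ~ /^;/ { next }          # skip blank lines and comments
    {
        ok = ($1 == ".")                   # owner must be the root zone
        i = 2
        if ($i ~ /^[0-9]+$/) i++           # optional TTL, e.g. 172800
        if ($i == "IN") i++                # optional class
        ok = ok && ($i == "DS")
        tag = $(i + 1); alg = $(i + 2); dtype = $(i + 3)
        digest = ""                        # digest may be split into groups
        for (j = i + 4; j <= NF; j++) digest = digest $j
        ok = ok && (tag ~ /^[0-9]+$/) && (alg ~ /^[0-9]+$/) && (dtype ~ /^[0-9]+$/)
        ok = ok && (digest ~ /^[0-9A-Fa-f]+$/)
        if (!ok) {
            printf "line %d is not a root DS record\n", NR > "/dev/stderr"
            err = 1; exit
        }
        printf "--trust-anchor=.,%s,%s,%s,%s\n", tag, alg, dtype, digest
    }
    END { exit err }
    ' "$1"
}

demo() {
    tmp=$(mktemp)
    # Constructed sample: old layout first, then the layout with a TTL.
    # The digests are short placeholders, not real root key digests.
    printf '%s\n' '. IN DS 19036 8 2 AAAA1111' \
                  '.  172800  IN  DS  20326 8 2 bbbb2222' > "$tmp"
    ds_to_trust_anchors "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

demo
```

A caller such as an init script can check the exit status and start dnsmasq without DNSSEC trust anchors, or refuse to start with a clear message, when the file cannot be parsed.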


Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-06-27 Thread Adam D. Barratt
On Mon, 2018-06-25 at 10:44 +0200, Christoph Martin wrote:
> severity 860064 critical  
> 

On which grounds are you claiming this qualifies for critical severity?
  

It doesn't introduce a security hole, cause severe data loss or break
your whole system. I have difficulty with dnsmasq and dns-root-data
being "unrelated software", particularly given that dnsmasq-base has
"Recommends: dns-root-data".

Regards,

Adam



Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-06-27 Thread Adam D. Barratt
On Mon, 2018-06-25 at 10:44 +0200, Christoph Martin wrote:
> severity 860064 critical  
> tags 860064 +jessie
> thanks
> 
> yesterday jessie and stretch upgraded the dns-root-data package,
> which includes the new root DNSSEC keys with a time to live value
> added.

This is factually incorrect. Absolutely nothing changed in stretch with
respect to dns-root-data since October 2017. Please don't spread
misinformation.

> Because of this update and the bug in dnsmasq, every dnsmasq
> installation on jessie and stretch which has dns-root-data installed
> will fail to work.
> 
> The patch in the bug report is easy and works.
> 
> We need an urgent update for jessie and stretch.

Why is an update for stretch required, given that nothing changed?

Regards,

Adam



Bug#860064: #860064 dnsmasq will not start after dns-root-data upgrade

2018-06-25 Thread Christoph Martin
severity 860064 critical
tags 860064 +jessie
thanks

yesterday jessie and stretch upgraded the dns-root-data package, which
includes the new root DNSSEC keys with a time to live value added.

Because of this update and the bug in dnsmasq, every dnsmasq
installation on jessie and stretch which has dns-root-data installed
will fail to work.

The patch in the bug report is easy and works.

We need an urgent update for jessie and stretch.

Regards
Christoph


