[Touch-packages] [Bug 2062542] Re: systemd-resolved stub gives SERVFAIL for DNSSEC negative response
This is on mantic, systemd-resolved 253.5-1ubuntu6.1

** Tags added: mantic

** Description changed:

- This issue surface when researching the issue that Postfix on my system
+ This issue surfaced when researching the issue that Postfix on my system
  (with DANE enabled) deferred mail deliveries with 100s of this warning in the log:

- Warning: DANE TLSA lookup problem: Host or domain name not found.
+ Warning: DANE TLSA lookup problem: Host or domain name not found.
  Name service error for name=_25._tcp.cluster5.us.messagelabs.com type=TLSA: Host not found, try again

  The DNS resolver on my machine was pointing at the systemd-resolved stub:

- $ cat /etc/resolv.conf | grep nameserver
- nameserver 127.0.0.53
+ $ cat /etc/resolv.conf | grep nameserver
+ nameserver 127.0.0.53

- $ resolvectl status
- Global
- Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
- resolv.conf mode: stub
+ $ resolvectl status
+ Global
+ Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
+ resolv.conf mode: stub

  Note DNSSEC is enabled (else Postfix couldn't be doing DANE).

  Now if I query the TLSA record for the messagelabs server, I get a SERVFAIL from the stub resolver:

- $ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
- ;; resolution failed: SERVFAIL
+ $ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
+ ;; resolution failed: SERVFAIL

  Whereas if I query my upstream DNS or Google DNS, I get a DNSSEC validated (negative) response:

- $ delv @8.8.8.8 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
- ;; resolution failed: ncache nxrrset
- ; negative response, fully validated
- ; _25._tcp.cluster5.us.messagelabs.com. 299 IN \-TLSA ;-$NXRRSET
- ; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
- ; _25._tcp.cluster5.us.messagelabs.com. NSEC \000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP SRV NAPTR SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA
- ; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
- ; messagelabs.com. RRSIG SOA ...
+ $ delv @8.8.8.8 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
+ ;; resolution failed: ncache nxrrset
+ ; negative response, fully validated
+ ; _25._tcp.cluster5.us.messagelabs.com. 299 IN \-TLSA ;-$NXRRSET
+ ; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
+ ; _25._tcp.cluster5.us.messagelabs.com. NSEC \000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP SRV NAPTR SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA
+ ; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
+ ; messagelabs.com. RRSIG SOA ...

  I assume Postfix (with smtp_tls_security_level = dane i.e. "Opportunistic DANE") deals with the negative response by downgrading to "encrypt", whereas the SERVFAIL response makes it refuse to connect altogether.

  My workaround was to switch from the systemd-resolved stub resolver to the upstream servers. In /etc/systemd/resolved.conf set:

- DNS=... your upstream servers if not already given through DHCP ...
- DNSStubListener=no
+ DNS=... your upstream servers if not already given through DHCP ...
+ DNSStubListener=no

  Then restart the service and restart Postfix if it is chrooted (so the new /etc/resolv.conf gets copied into the chroot):

- systemctl restart systemd-resolved
- systemctl restart postfix
+ systemctl restart systemd-resolved
+ systemctl restart postfix

  I am not sure if this could be considered a Postfix bug as well (it could consider a SERVFAIL on a TLSA record the same as a negative), but surely it seems to me the systemd-resolved stub resolver should not return the SERVFAIL here.

  For more background on this bug report, please see https://serverfault.com/a/1158198/299950

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to systemd in Ubuntu.
https://bugs.launchpad.net/bugs/2062542

Title: systemd-resolved stub gives SERVFAIL for DNSSEC negative response

Status in systemd package in Ubuntu: Incomplete
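The report boils down to one distinction a DANE client cares about: a DNSSEC-validated proof that no TLSA RRset exists (safe to fall back to opportunistic TLS) versus a lookup error (SERVFAIL, which a client can only treat as "try again"). The script below is an added example, not code from the bug report, systemd or Postfix. It classifies `delv` output for a TLSA query and compares the local stub against an upstream resolver, flagging the stub-only SERVFAIL described above. It assumes `delv` (bind9-dnsutils) is on PATH when run live; offline it uses constructed samples shaped like the two outputs quoted in the report. The status strings it keys on are the ones in the report plus delv's "fully validated" / "unsigned answer" markers for the other outcomes, and the DANE-action table is a simplified reading of the opportunistic-DANE rules, not Postfix's exact logic.

```python
"""Classify delv output for a TLSA lookup and spot a stub resolver that turns a
validated negative answer into SERVFAIL (added example; assumes delv on PATH
for live use, and keys on delv's status lines as described in the lead-in)."""
import shutil
import subprocess
import sys
from typing import Optional

# Outcomes of a TLSA lookup as seen by a DANE-aware SMTP client.
SERVFAIL = "servfail"                      # lookup error: client must defer
VALIDATED_NEGATIVE = "validated_negative"  # secure proof that no TLSA RRset exists
INSECURE_NEGATIVE = "insecure_negative"    # no TLSA, zone not DNSSEC-signed
VALIDATED_ANSWER = "validated_answer"      # TLSA RRset present and validated
INSECURE_ANSWER = "insecure_answer"        # TLSA present but unsigned: unusable
UNKNOWN = "unknown"

# Simplified opportunistic-DANE decision table (assumption, see lead-in).
# The SERVFAIL row is what the report observed ("Host not found, try again");
# the validated-negative row is the reporter's reading of Postfix behaviour.
DANE_ACTION = {
    SERVFAIL: "defer delivery (temporary lookup error)",
    VALIDATED_NEGATIVE: "no TLSA: fall back to opportunistic TLS",
    INSECURE_NEGATIVE: "unsigned zone: DANE not applicable, opportunistic TLS",
    VALIDATED_ANSWER: "TLSA present: enforce DANE-authenticated TLS",
    INSECURE_ANSWER: "unsigned TLSA: unusable, treated as if absent",
    UNKNOWN: "unrecognised delv output: inspect manually",
}


def classify_delv_output(text: str) -> str:
    """Map delv's status lines to one of the outcomes above."""
    if ";; resolution failed: SERVFAIL" in text:
        return SERVFAIL
    negative = (";; resolution failed: ncache nxrrset" in text
                or ";; resolution failed: ncache nxdomain" in text)
    validated = "fully validated" in text      # "; negative response, fully validated"
    unsigned = "unsigned answer" in text       # delv's marker for insecure data
    if negative:
        if validated:
            return VALIDATED_NEGATIVE
        return INSECURE_NEGATIVE if unsigned else UNKNOWN
    if validated:
        return VALIDATED_ANSWER
    if unsigned:
        return INSECURE_ANSWER
    return UNKNOWN


def compare(stub_output: str, upstream_output: str) -> dict:
    """Classify both answers; stub_breaks_dane is the failure mode in the report."""
    stub = classify_delv_output(stub_output)
    upstream = classify_delv_output(upstream_output)
    return {
        "stub": stub,
        "upstream": upstream,
        "stub_breaks_dane": stub == SERVFAIL and upstream != SERVFAIL,
        "stub_action": DANE_ACTION[stub],
        "upstream_action": DANE_ACTION[upstream],
    }


def run_delv(name: str, server: Optional[str] = None, rrtype: str = "TLSA") -> str:
    """Run delv live (needs network and bind9-dnsutils); returns stdout+stderr."""
    cmd = ["delv"]
    if server:
        cmd.append("@" + server)
    cmd += ["+dnssec", name, rrtype]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr


# Constructed samples, shaped like the two delv outputs quoted in the report.
STUB_SAMPLE = ";; resolution failed: SERVFAIL\n"
UPSTREAM_SAMPLE = """;; resolution failed: ncache nxrrset
; negative response, fully validated
; _25._tcp.cluster5.us.messagelabs.com. 299 IN \\-TLSA ;-$NXRRSET
; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
"""

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "_25._tcp.cluster5.us.messagelabs.com"
    if shutil.which("delv"):
        result = compare(run_delv(name, "127.0.0.53"), run_delv(name, "8.8.8.8"))
    else:
        result = compare(STUB_SAMPLE, UPSTREAM_SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it with the TLSA owner name of any MX you deliver to; `stub_breaks_dane: True` means the local stub is returning a lookup error where the upstream proves a validated absence, which is exactly the case in which Postfix defers instead of downgrading.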
[Touch-packages] [Bug 2062542] [NEW] systemd-resolved stub gives SERVFAIL for DNSSEC negative response
Public bug reported:

This issue surfaced when researching the issue that Postfix on my system (with DANE enabled) deferred mail deliveries with 100s of this warning in the log:

Warning: DANE TLSA lookup problem: Host or domain name not found.
Name service error for name=_25._tcp.cluster5.us.messagelabs.com type=TLSA: Host not found, try again

The DNS resolver on my machine was pointing at the systemd-resolved stub:

$ cat /etc/resolv.conf | grep nameserver
nameserver 127.0.0.53

$ resolvectl status
Global
Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
resolv.conf mode: stub

Note DNSSEC is enabled (else Postfix couldn't be doing DANE).

Now if I query the TLSA record for the messagelabs server, I get a SERVFAIL from the stub resolver:

$ delv +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
;; resolution failed: SERVFAIL

Whereas if I query my upstream DNS or Google DNS, I get a DNSSEC validated (negative) response:

$ delv @8.8.8.8 +dnssec _25._tcp.cluster5.us.messagelabs.com TLSA
;; resolution failed: ncache nxrrset
; negative response, fully validated
; _25._tcp.cluster5.us.messagelabs.com. 299 IN \-TLSA ;-$NXRRSET
; _25._tcp.cluster5.us.messagelabs.com. RRSIG NSEC ...
; _25._tcp.cluster5.us.messagelabs.com. NSEC \000._25._tcp.cluster5.us.messagelabs.com. A PTR HINFO MX TXT RP SRV NAPTR SSHFP RRSIG NSEC SVCB HTTPS SPF IXFR AXFR CAA
; messagelabs.com. SOA ns-1714.awsdns-22.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
; messagelabs.com. RRSIG SOA ...

I assume Postfix (with smtp_tls_security_level = dane i.e. "Opportunistic DANE") deals with the negative response by downgrading to "encrypt", whereas the SERVFAIL response makes it refuse to connect altogether.

My workaround was to switch from the systemd-resolved stub resolver to the upstream servers. In /etc/systemd/resolved.conf set:

DNS=... your upstream servers if not already given through DHCP ...
DNSStubListener=no

Then restart the service and restart Postfix if it is chrooted (so the new /etc/resolv.conf gets copied into the chroot):

systemctl restart systemd-resolved
systemctl restart postfix

I am not sure if this could be considered a Postfix bug as well (it could consider a SERVFAIL on a TLSA record the same as a negative), but surely it seems to me the systemd-resolved stub resolver should not return the SERVFAIL here.

For more background on this bug report, please see https://serverfault.com/a/1158198/299950

** Affects: systemd (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/2062542

Title: systemd-resolved stub gives SERVFAIL for DNSSEC negative response

Status in systemd package in Ubuntu: New
[Touch-packages] [Bug 1701068] Re: motd.ubuntu.com currently shows media item (HBO's Silicon Valley using Ubuntu)
I actually spent time tracking down this 'bug' because on my upgraded 17.04 servers I kept seeing:

 * Ubuntu 16.10 will reach end of life on Thursday, July 20, 2017
   How to upgrade from 16.10 to 17.04:
   - https://ubu.one/upgY2Z

making me wonder if my upgrade was botched or something. I have little against the feature in general (though I would certainly make it opt-in rather than opt-out), but this motd is confusing.

https://bugs.launchpad.net/bugs/1701068

Title: motd.ubuntu.com currently shows media item (HBO's Silicon Valley using Ubuntu)

Status in base-files package in Ubuntu: Opinion

Bug description:

In Ubuntu 17.04 or newer, there is a script at /etc/update-motd.d/50-motd-news that reads https://motd.ubuntu.com/ and displays that text with the rest of the MOTD. Currently, https://motd.ubuntu.com shows a news item about HBO's Silicon Valley which has a reference to Ubuntu. Instead, https://motd.ubuntu.com should show relevant items to those that use Ubuntu Server (relevant security issues, etc), instead of items for desktop users.

=
Welcome to Ubuntu 17.04 (GNU/Linux 4.10.0-21-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 * How HBO's Silicon Valley built "Not Hotdog" with mobile TensorFlow, Keras & React Native on Ubuntu
   - https://ubu.one/HBOubu
==

ProblemType: Bug
DistroRelease: Ubuntu 17.04
Package: base-files 9.6ubuntu13
ProcVersionSignature: Ubuntu 4.10.0-24.28-generic 4.10.15
Uname: Linux 4.10.0-24-generic x86_64
ApportVersion: 2.20.4-0ubuntu4
Architecture: amd64
Date: Wed Jun 28 12:31:24 2017
InstallationDate: Installed on 2017-05-02 (56 days ago)
InstallationMedia: Xubuntu 17.04 "Zesty Zapus" - Release amd64 (20170412)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: base-files
UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1504531] [NEW] apt show gibberish in package description
Public bug reported:

I am not sure whether to report this bug against apt, the vim-snipmate package, or as a translation bug. It seems to be located in the en_GB translation of the package description for vim-snipmate.

On my Ubuntu Vivid (locale en_GB) the output of "apt show vim-snipmate" contains this section:

--- snip ---
 for (i = 0; i < count; i++) {
 .
 Project-Id-Version: ddtp-ubuntu
 Report-Msgid-Bugs-To: FULL NAME
 POT-Creation-Date: 2014-09-03 08:41+0200
 PO-Revision-Date: 2014-05-06 13:30+
 Last-Translator: FULL NAME
 Language-Team: English (United Kingdom)
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 X-Launchpad-Export-Date: 2014-09-04 23:31+
 X-Generator: Launchpad (build 17196)
 .
 To go to the next item in the loop, simply over to it; if there is
--- snip ---

The middle part starting with "Project-Id-Version" up to "X-Generator" doesn't belong here. I have checked and it isn't present in the "DEBIAN/control" file in vim-snipmate_0.87-2_all.deb. Instead the control file contains the expected single '}' character at that location.

Grepping through /var/lib/apt I have found the injected bit in the vim-snipmate description in
/var/lib/apt/lists/partial/tz.archive.ubuntu.com_ubuntu_dists_vivid_universe_i18n_Translation-en%5fGB.bz2

It is not present in the vim-snipmate description in
/var/lib/apt/lists/partial/tz.archive.ubuntu.com_ubuntu_dists_vivid_universe_i18n_Translation-en.bz

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: apt 1.0.9.7ubuntu4.1
ProcVersionSignature: Ubuntu 3.19.0-30.34-generic 3.19.8-ckt6
Uname: Linux 3.19.0-30-generic x86_64
NonfreeKernelModules: wl
ApportVersion: 2.17.2-0ubuntu1.5
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Oct 9 15:01:02 2015
InstallationDate: Installed on 2013-09-28 (740 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
SourcePackage: apt
UpgradeStatus: Upgraded to vivid on 2015-05-27 (135 days ago)

** Affects: apt (Ubuntu)
   Importance: Undecided
       Status: New

** Tags: amd64 apport-bug vivid

https://bugs.launchpad.net/bugs/1504531

Title: apt show gibberish in package description

Status in apt package in Ubuntu: New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1504531/+subscriptions
[Touch-packages] [Bug 1434525] Re: Router solicitation blocked, makes network-manager complain
Confirming that the patch in #2 solves the issue.

https://bugs.launchpad.net/bugs/1434525

Title: Router solicitation blocked, makes network-manager complain

Status in ufw package in Ubuntu: Confirmed

Bug description:

In Vivid, my syslog is full of complaints by network-manager about blocked Router solicitation. In my log, I get things like this:

...
Mar 20 12:47:04 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852024.960398] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:04 franck-ThinkPad-T430s kernel: [ 8209.218586] [UFW BLOCK] IN= OUT=wlan0 SRC=fe80::::2677:03ff:fe8a:47a0 DST=ff02:::::::0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Mar 20 12:47:05 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852025.959574] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:08 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852028.958727] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:09 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852029.958873] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:12 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852032.961342] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:13 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852033.959493] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:16 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852036.960008] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:17 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852037.959215] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:20 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852040.961811] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:21 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852041.958641] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:24 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852044.960743] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
Mar 20 12:47:24 franck-ThinkPad-T430s kernel: [ 8229.224325] [UFW BLOCK] IN= OUT=wlan0 SRC=fe80::::2677:03ff:fe8a:47a0 DST=ff02:::::::0002 LEN=48 TC=0 HOPLIMIT=255 FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0
Mar 20 12:47:25 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852045.958895] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (eth0): cannot send router solicitation: -1.
Mar 20 12:47:28 franck-ThinkPad-T430s NetworkManager[1134]: <warn> [1426852048.960527] [rdisc/nm-lndp-rdisc.c:241] send_rs(): (wlan0): cannot send router solicitation: -1.
...

and so on. I have read through http://www.ietf.org/rfc/rfc4890.txt but this is a bit tough, and I like ufw doing the job for me :-).

Here is the output of ip6tables --list:

Chain INPUT (policy DROP)
target                      prot opt source    destination
ufw6-before-logging-input   all      anywhere  anywhere
ufw6-before-input           all      anywhere  anywhere
ufw6-after-input            all      anywhere  anywhere
ufw6-after-logging-input    all      anywhere  anywhere
ufw6-reject-input           all      anywhere  anywhere
ufw6-track-input            all      anywhere  anywhere

Chain FORWARD (policy DROP)
target                      prot opt source    destination
ufw6-before-logging-forward all      anywhere  anywhere
ufw6-before-forward         all      anywhere  anywhere
ufw6-after-forward          all      anywhere  anywhere
ufw6-after-logging-forward  all      anywhere  anywhere
ufw6-reject-forward         all      anywhere  anywhere
ufw6-track-forward          all      anywhere  anywhere

Chain OUTPUT (policy DROP)
target                      prot opt source    destination
ufw6-before-logging-output  all      anywhere  anywhere
ufw6-before-output          all      anywhere  anywhere
ufw6-after-output           all      anywhere  anywhere
ufw6-after-logging-output   all      anywhere  anywhere
ufw6-reject-output          all      anywhere  anywhere
ufw6-track-output           all      anywhere
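The kernel lines above are the useful evidence: an outbound ICMPv6 type 133 (Router Solicitation) to ff02::2 is being dropped by the OUTPUT chain, which is why NetworkManager's send_rs() fails. RFC 4890 section 4.4.1 lists RS (133), RA (134), NS (135) and NA (136) as messages a host firewall must not drop on the link. The script below is an added example, not part of the bug report and not ufw's own code or the patch referred to in #2 (which is not shown on this page). It parses UFW BLOCK log lines, keeps only ICMPv6 drops, flags the neighbour-discovery types, and prints the ip6tables rule shape that would allow each one in the matching ufw6-before-* chain from the listing above; the exact rule is an assumption on my part, not the patch's content. The sample log lines are constructed from the two kernel lines in the report plus two extra lines for contrast.

```python
"""Find UFW BLOCK entries that drop ICMPv6 Neighbor Discovery messages
(added example, not from the bug report or ufw; see lead-in)."""
import re

ICMPV6_TYPES = {
    1: "destination-unreachable", 2: "packet-too-big", 3: "time-exceeded",
    4: "parameter-problem", 128: "echo-request", 129: "echo-reply",
    133: "router-solicitation", 134: "router-advertisement",
    135: "neighbor-solicitation", 136: "neighbor-advertisement",
}
# RFC 4890 section 4.4.1: these must not be dropped or IPv6 stops working on the link.
ND_REQUIRED = {133, 134, 135, 136}

# key=value fields ufw writes after "[UFW BLOCK]"; an empty value (IN= ) is allowed.
_FIELD = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|TYPE|CODE)=(\S*)")


def parse_ufw_block(line: str):
    """Return a dict for an ICMPv6 UFW BLOCK line, or None for anything else."""
    if "[UFW BLOCK]" not in line:
        return None
    fields = dict(_FIELD.findall(line))
    if fields.get("PROTO") != "ICMPv6" or "TYPE" not in fields:
        return None
    icmp_type = int(fields["TYPE"])
    outbound = bool(fields.get("OUT"))
    return {
        "direction": "out" if outbound else "in",
        "iface": fields.get("OUT") if outbound else fields.get("IN"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "type": icmp_type,
        "name": ICMPV6_TYPES.get(icmp_type, f"type-{icmp_type}"),
        "nd_required": icmp_type in ND_REQUIRED,
    }


def find_nd_drops(log_lines):
    """Blocked ND messages: the drops an RFC 4890-compliant policy must not make."""
    return [p for p in map(parse_ufw_block, log_lines) if p and p["nd_required"]]


def suggested_rule(entry: dict) -> str:
    """ip6tables rule shape that would allow this message in ufw's before-chain.
    Chain names come from the ip6tables listing in the report; that this is
    what the referenced patch does is an assumption."""
    chain = "ufw6-before-output" if entry["direction"] == "out" else "ufw6-before-input"
    return f"-A {chain} -p icmpv6 --icmpv6-type {entry['name']} -j ACCEPT"


# Constructed sample: the two kernel lines from the report, one NetworkManager
# line (not a firewall event) and one echo-request drop (ICMPv6 but not ND).
SAMPLE_LOG = [
    "Mar 20 12:47:04 host NetworkManager[1134]: send_rs(): (wlan0): cannot send router solicitation: -1.",
    "Mar 20 12:47:04 host kernel: [ 8209.218586] [UFW BLOCK] IN= OUT=wlan0 "
    "SRC=fe80::::2677:03ff:fe8a:47a0 DST=ff02:::::::0002 LEN=48 TC=0 HOPLIMIT=255 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0",
    "Mar 20 12:47:24 host kernel: [ 8229.224325] [UFW BLOCK] IN= OUT=wlan0 "
    "SRC=fe80::::2677:03ff:fe8a:47a0 DST=ff02:::::::0002 LEN=48 TC=0 HOPLIMIT=255 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=133 CODE=0",
    "Mar 20 12:48:00 host kernel: [ 8265.000000] [UFW BLOCK] IN=eth0 OUT= "
    "SRC=2001:db8::5 DST=2001:db8::1 LEN=64 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0",
]

if __name__ == "__main__":
    for drop in find_nd_drops(SAMPLE_LOG):
        print(f"{drop['direction']} {drop['iface']} {drop['name']} ({drop['type']}) "
              f"{drop['src']} -> {drop['dst']}")
        print("  allow with:", suggested_rule(drop))
```

Feed it `journalctl -k` or /var/log/ufw.log instead of the sample to audit a live host; any ND type that shows up is a policy gap, not traffic you want logged.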