[Bug 1426460] Re: [MIR] dns-root-data
I'm going to promote this one to main, based on a cursory review. We just need the server team to subscribe to bugs, but that can happen out of sync.

** Changed in: dns-root-data (Ubuntu)
       Status: New => Fix Released

** Changed in: dns-root-data (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1426460

Title:
  [MIR] dns-root-data

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dns-root-data/+bug/1426460/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1426460] Re: [MIR] dns-root-data
Hi Michael,

Thanks for your comments and your point about inconsistency in the MIR description. It seems to me that you read between the lines and got me correctly. But to avoid any other confusion I want to tell the whole story about config options.

(1) by default dnssec is disabled and no anchors are needed at all
(2) to enable dnssec capability in dnsmasq you need to put 'dnssec' option into /etc/dnsmasq.conf

If you have dnssec enabled you have two options:

(1) if dns-root-data package is installed -- dnsmasq uses its anchors automatically:

/etc/init.d/dnsmasq:
...
    # If the dns-root-data package is installed, then the trust anchors will be
    # available in $ROOT_DS, in BIND zone-file format. Reformat as dnsmasq
    # --trust-anchor options.
    ROOT_DS=/usr/share/dns/root.ds
    if [ -f $ROOT_DS ]; then
        DNSMASQ_OPTS="$DNSMASQ_OPTS `sed -e 's/. IN DS /--trust-anchor=.,/' -e 's/ /,/g' $ROOT_DS | tr '\n' ' '`"
    fi
...

(2) if dns-root-data package is not installed but 'dnssec' option is enabled -- you'll get an error:

dnsmasq[2623]: No trust anchors provided for DNSSEC

To deal with this error you need to put the following line into /etc/dnsmasq.conf as well:

conf-file=/usr/share/dnsmasq-base/trust-anchors.conf

By putting this line into config we force dnsmasq to use its own anchors which are installed by dnsmasq-base package. You may put a path to your own anchors as well.

Bottom line: We can live without dns-root-data installed. It's just a good way to centralize important security data in one place which might be useful.
[Bug 1426460] Re: [MIR] dns-root-data
Well, (a) isn't entirely accurate. If this package is a Suggests, the user can still get the third-party data, they just have to install it themselves. And the user has to manually edit a config file before this is even an issue, yes? Seems weird to force this package installation on everyone just in case a user edits the config to want it.

But I'm very sympathetic to the argument that we want one copy of this data shared between packages. I'll pass to security team to see if they have an opinion of any sort on this package.

From a maintainer point of view, the only issue with this package is that it doesn't have a team bug subscriber. Might that be the security team?

** Changed in: dns-root-data (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)
[Bug 1426460] Re: [MIR] dns-root-data
** Description changed:

  Package provides centralized version of DNS root data including root zone and DNSSEC key

  Package provides information available at https://data.iana.org/root-anchors/ and http://www.internic.net/domain/named.root together with some derived bytes

  This is data-only package: http://packages.ubuntu.com/vivid/all/dns-root-data/filelist

  == Availability ==
  In universe

  == Rationale ==
  New dependency (recommends) for dnsmasq-base

- If dns-root-data package is installed dnsmasq uses /usr/share/dns/root.ds provided by this package as --trust-anchor
- If dns-root-data package is not installed dnsmasq uses its own trust anchor stored inside /usr/share/dnsmasq/trust-anchors.conf
+ 
+ Dnsmasq doesn't provide DNSSEC functionality by default but if you
+ enable it via /etc/dnsmasq.conf you have two options:
+ 
+ If dns-root-data package is installed dnsmasq uses
+ /usr/share/dns/root.ds provided by this package as --trust-anchor
+ 
+ If dns-root-data package is not installed -- you need to uncomment
+ 'conf-file=/usr/share/dnsmasq/trust-anchors.conf' line in
+ /etc/dnsmasq.conf to ask dnsmasq to use its own trust anchor stored
+ inside /usr/share/dnsmasq/trust-anchors.conf
+ 

  Right now both anchors are the same. It means that we have two options:
  (a) drop 'recommends' to 'suggests' -- dnsmasq will use its own trust-anchor all the time
  (b) include dns-root-data into main and keep it 'recommends'

  While (a) is simpler, there are some arguments for (b) as well:
  (1) some other packages may start using dns-root-data in the near future (see bug opened for bind9: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760459)
  (2) when and if dnssec keys will be changed it's much simpler to update them in a single place than to provide deltas to all depending packages

- 
+ I would appreciate any input on which option to choose.

  == Security ==
  No CVEs found:
  http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=dns-root-data
  http://secunia.com/advisories/search/?search=dns-root-data
  http://people.canonical.com/~ubuntu-security/cve/universe.html

  Package is about public keys / certificates used to verify validity of DNSSEC signatures. Special attention of security team might be needed.

  == QA ==
  Package works out of the box (data-only package) with no prompting

  There are no major bugs in Ubuntu: https://launchpad.net/ubuntu/+source/dns-root-data/+bugs

- There are no major bugs in Debian (just a single wishlist bug):
+ There are no major bugs in Debian (just a single wishlist bug):
  https://bugs.debian.org/cgi-bin/pkgreport.cgi?package=dns-root-data

  No testsuite provided (seems to be okay for data-only package)

  The package is maintained well in Debian by Ondřej Surý: https://packages.qa.debian.org/d/dns-root-data.html

  The package provides debian/README.source

  == Dependencies ==
  Package has no dependencies

  == Standards Compliance ==
  FHS compliant
  Debian Policy compliant (package is compliant to Debian Policy 3.9.5 not the latest 3.9.6)

  == Maintenance ==
  Can be synced with Debian
  Server team will own the package
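Two things in this thread are worth checking rather than trusting: the init-script step that rewrites the BIND-format DS records from /usr/share/dns/root.ds into dnsmasq --trust-anchor options (the sed one-liner quoted in the reply above), and the description's claim that the dns-root-data anchors and dnsmasq's own trust-anchors.conf are "the same". The script below is an added example written for this page; it is not code from dnsmasq, dns-root-data or any participant in the bug. It assumes the two file formats the thread names (". IN DS KEYTAG ALG DIGESTTYPE DIGEST" lines in root.ds, "trust-anchor=.,KEYTAG,ALG,DIGESTTYPE,DIGEST" lines in trust-anchors.conf); the sample files, key tags and digests are constructed placeholders, not the real root zone key material, and the file paths are whatever your system actually ships.

```shell
#!/bin/sh
# Added example (not from the dnsmasq package, dns-root-data, or this bug).
#  1. ds_to_trust_anchors: the conversion the init script does with sed,
#     rewritten to skip non-DS lines instead of emitting malformed options.
#  2. anchors_match: check that root.ds and trust-anchors.conf carry the
#     same (keytag, algorithm, digest type, digest) tuples.
# All sample data below is constructed; the digests are placeholders.

SAMPLE_ROOT_DS="$(mktemp)"
cat > "$SAMPLE_ROOT_DS" <<'EOF'
; constructed sample in BIND zone-file DS format (this comment must be skipped)
. IN DS 11111 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF

. IN DS 22222 8 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
EOF

SAMPLE_ANCHORS_CONF="$(mktemp)"
cat > "$SAMPLE_ANCHORS_CONF" <<'EOF'
# constructed sample in dnsmasq trust-anchor format
trust-anchor=.,11111,8,2,0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
trust-anchor=.,22222,8,2,FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
EOF

# ds_to_trust_anchors FILE
# Prints one "--trust-anchor=.,KEYTAG,ALG,DIGESTTYPE,DIGEST" per root DS
# record, space-separated on a single line, which is how the init script
# appends them to DNSMASQ_OPTS. Comments, blank lines and records for any
# owner other than "." are skipped; the plain sed rewrite would pass them
# through mangled.
ds_to_trust_anchors() {
    file="$1"
    opts=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Split on whitespace into: owner class type keytag alg digesttype digest.
        # Globbing is disabled so a stray '*' in a comment cannot expand.
        set -f
        set -- $line
        set +f
        [ "$#" -eq 7 ] || continue
        [ "$1" = "." ] && [ "$2" = "IN" ] && [ "$3" = "DS" ] || continue
        opts="${opts:+$opts }--trust-anchor=.,$4,$5,$6,$7"
    done < "$file"
    printf '%s' "$opts"
}

# ds_tuples FILE -> sorted "KEYTAG,ALG,DIGESTTYPE,DIGEST" lines from a DS file
ds_tuples() {
    ds_to_trust_anchors "$1" | tr ' ' '\n' | sed 's/^--trust-anchor=\.,//' | tr 'a-f' 'A-F' | sort
}

# conf_tuples FILE -> the same tuples from dnsmasq "trust-anchor=.,..." lines
conf_tuples() {
    sed -n 's/^trust-anchor=\.,//p' "$1" | tr 'a-f' 'A-F' | sort
}

# anchors_match DS_FILE CONF_FILE -> exit status 0 only if both list the
# same set of anchors (order and hex case are normalised first).
anchors_match() {
    [ "$(ds_tuples "$1")" = "$(conf_tuples "$2")" ]
}

echo "dnsmasq options: $(ds_to_trust_anchors "$SAMPLE_ROOT_DS")"
if anchors_match "$SAMPLE_ROOT_DS" "$SAMPLE_ANCHORS_CONF"; then
    echo "root.ds and trust-anchors.conf agree"
else
    echo "MISMATCH between root.ds and trust-anchors.conf" >&2
fi
```

Point the two functions at the real files (/usr/share/dns/root.ds and whichever trust-anchors.conf path dnsmasq-base installs on your release) to confirm the "both anchors are the same" assumption on a given system; a mismatch after a root key rollover is exactly the situation argument (2) for option (b) describes, where only one copy has been updated. The temporary sample files are left in place for inspection and can be removed with rm.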