Package: hash-slinger
X-Debbugs-Cc: lavam...@torproject.org
Version: 3.1-1.1~bpo11+1
Severity: grave

On Debian bullseye, running the following command here generates an invalid DNS record:

    pauli# ./tlsa --create --usage=3 --selector=1 --mtype=1 --certificate /srv/puppet.torproject.org/from-letsencrypt/cdn-fastly-backend.torproject.org.crt --port 443 cdn-fastly-backend.torproject.org --output=generic
    Got a certificate for cdn-fastly-backend.torproject.org. with Subject: /CN=cdn-fastly-backend.torproject.org
    _443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c

Notice the float (35.0) there? That, of course, crashes bind with:

    Notice: /Stage[main]/Dnsextras::Entries/Exec[rebuild torproject.org zone]/returns: dns_rdata_fromtext: /srv/dns.torproject.org/puppet-extra/include-torproject.org:945: near '35.0': not a valid number

I suspect this wasn't caught by other users because it happens when the len() of the cert string is an odd number, which, oddly, I guess it is here.

I believe this is a release critical bug that should be fixed in bookworm because it keeps the server from functioning at all.

For a little background, we used hash-slinger as a replacement for "swede" here (not packaged) that wasn't ported to Python 3. It *almost* worked but crashed on some records with the above error, taking down our main DNS server...

This was also reported in:

https://github.com/letoams/hash-slinger/issues/45

And is being tracked on our side at:

https://gitlab.torproject.org/tpo/tpa/team/-/issues/41350

-- System Information:
Debian Release: 11.7
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-25-amd64 (SMP w/2 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages hash-slinger depends on:
ii  ca-certificates    20210119
ii  dns-root-data      2021011101
ii  openssh-client     1:8.4p1-5+deb11u1
ii  python3            3.9.2-3
ii  python3-dnspython  2.0.0-1
ii  python3-gnupg      0.4.6-1
ii  python3-m2crypto   0.37.1-2
ii  python3-unbound    1.13.1-1+deb11u1

hash-slinger recommends no packages.

hash-slinger suggests no packages.

-- no debconf information

-- debsums errors found:
debsums: changed file /usr/bin/tlsa (from hash-slinger package)

-- 
Antoine Beaupré
torproject.org system administration
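
Added example, not part of the original report and not hash-slinger's code: a Python example that renders a TLSA record in RFC 3597 generic format with an integer RDATA length, plus a check that rejects lines such as the `35.0` one above before they are included in a zone. The function names, the `example.test` owner name and the hashed byte string are made up for illustration.

```python
import hashlib
import re

# RFC 3597 generic RDATA: "\# <length> <hex>", where <length> is a decimal integer.
GENERIC_RE = re.compile(r"^(\S+)\s+IN\s+TYPE(\d+)\s+\\#\s+(\S+)\s*([0-9A-Fa-f\s]*)$")

# Record line quoted in the report above.
PAGE_LINE = (r"_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 "
             "030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c")


def tlsa_generic(name, usage, selector, mtype, assoc_data):
    """Render a TLSA record (type 52) in generic format (hypothetical helper)."""
    rdata = bytes([usage, selector, mtype]) + assoc_data
    # len() of a bytes object is an int; halving the hex string length with "/"
    # would give a float in Python 3 and print as e.g. "35.0".
    return "%s IN TYPE52 \\# %d %s" % (name, len(rdata), rdata.hex())


def check_generic(line):
    """Return a list of problems found in one generic-format record line."""
    m = GENERIC_RE.match(line.strip())
    if not m:
        return ["not a generic-format (\\#) record"]
    length, hexdata = m.group(3), "".join(m.group(4).split())
    problems = []
    length_ok = re.fullmatch(r"[0-9]+", length) is not None
    if not length_ok:
        problems.append("length %r is not a decimal integer" % length)
    if len(hexdata) % 2:
        problems.append("odd number of hex digits")
    elif length_ok and int(length) != len(hexdata) // 2:
        problems.append("length %s != %d data bytes" % (length, len(hexdata) // 2))
    return problems


if __name__ == "__main__":
    # Constructed input: the digest of a made-up byte string stands in for a key hash.
    digest = hashlib.sha256(b"constructed SPKI bytes").digest()
    good = tlsa_generic("_443._tcp.example.test.", 3, 1, 1, digest)
    for line in (good, PAGE_LINE):
        print(check_generic(line) or "ok", "<-", line)
```

Running `check_generic` over every generated line before the zone rebuild turns a malformed record into a failed generation step instead of a name server that refuses to load the zone.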