Package: bind9
Version: 1:9.8.4.dfsg.P1-1
Severity: important

Hi,
After upgrading bind to 9.8.4 (now in testing) on our DNSSEC validating
resolvers, our log files are being spammed with the following messages:

Jan 8 12:06:06 sulphur named[26473]: RSA_verify failed
Jan 8 12:06:06 sulphur named[26473]: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:291:
Jan 8 12:06:06 sulphur named[26473]: sucessfully validated after lower casing signer 'BIZ'
Jan 8 12:06:06 sulphur named[26473]: RSA_verify failed
Jan 8 12:06:06 sulphur named[26473]: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:291:
Jan 8 12:06:06 sulphur named[26473]: sucessfully validated after lower casing signer 'BIZ'
Jan 8 12:07:41 sulphur named[26473]: RSA_verify failed
Jan 8 12:07:41 sulphur named[26473]: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:291:
Jan 8 12:07:41 sulphur named[26473]: sucessfully validated after lower casing signer 'US'
Jan 8 12:07:41 sulphur named[26473]: RSA_verify failed
Jan 8 12:07:41 sulphur named[26473]: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:291:
Jan 8 12:07:41 sulphur named[26473]: sucessfully validated after lower casing signer 'US'

This appears to be a known issue with the 9.8.4 update as
discussed in the following thread:
http://www.mail-archive.com/bind-users@lists.isc.org/msg14759.html
Please apply the changes discussed in this thread to the Debian bind9
packages.
Hopefully this fix will make it into Wheezy as it's filling up our logs
and disks.
Regards,
Rik
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages bind9 depends on:
ii adduser 3.113+nmu3
ii bind9utils 1:9.8.4.dfsg.P1-1
ii debconf [debconf-2.0] 1.5.49
ii libbind9-80 1:9.8.4.dfsg.P1-1
ii libc6 2.13-37
ii libcap2 1:2.22-1.2
ii libdns88 1:9.8.4.dfsg.P1-1
ii libgssapi-krb5-2 1.10.1+dfsg-3
ii libisc84 1:9.8.4.dfsg.P1-1
ii libisccc80 1:9.8.4.dfsg.P1-1
ii libisccfg82 1:9.8.4.dfsg.P1-1
ii liblwres80 1:9.8.4.dfsg.P1-1
ii libssl1.0.0 1.0.1c-4
ii libxml2 2.8.0+dfsg1-7
ii lsb-base 4.1+Debian8
ii net-tools 1.60-24.2
ii netbase 5.0
bind9 recommends no packages.
Versions of packages bind9 suggests:
pn bind9-doc <none>
ii dnsutils 1:9.8.4.dfsg.P1-1
pn resolvconf <none>
pn ufw <none>
-- Configuration Files:
/etc/bind/named.conf.local changed [not included]
-- debconf information:
bind9/different-configuration-file:
bind9/run-resolvconf: false
bind9/start-as-user: bind
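
Until a fixed package is installed, the practical risk of this log noise on a validating resolver is that a signature failure which is *not* followed by the "validated after lower casing" retry gets lost among the benign ones. The following triage script is an added example, not part of the original report or of BIND; it assumes the three lines of each event are logged adjacently per named PID, and the sample input is constructed from the format quoted above (the final unmatched failure is invented for illustration).

```python
import re
from collections import Counter

LINE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+\S+\s+named\[(\d+)\]:\s+(.*)$")
# 9.8.4 logs the misspelling "sucessfully"; accept the corrected spelling too.
BENIGN = re.compile(r"suc+essfully validated after lower casing signer '([^']*)'")

# Constructed sample (long lines unwrapped); the 12:09:02 failure is invented.
SAMPLE = """\
Jan 8 12:06:06 sulphur named[26473]: RSA_verify failed
Jan 8 12:06:06 sulphur named[26473]: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:291:
Jan 8 12:06:06 sulphur named[26473]: sucessfully validated after lower casing signer 'BIZ'
Jan 8 12:07:41 sulphur named[26473]: RSA_verify failed
Jan 8 12:07:41 sulphur named[26473]: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:291:
Jan 8 12:07:41 sulphur named[26473]: sucessfully validated after lower casing signer 'US'
Jan 8 12:09:02 sulphur named[26473]: RSA_verify failed
Jan 8 12:09:02 sulphur named[26473]: error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:291:
Jan 8 12:09:30 sulphur named[26473]: some unrelated message
"""

def triage(text):
    """Return (benign retries per signer, timestamps of unmatched failures)."""
    benign, unmatched, pending = Counter(), [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, pid, msg = m.groups()
        if msg.startswith("RSA_verify failed"):
            if pid in pending:            # earlier failure was never resolved
                unmatched.append(pending[pid])
            pending[pid] = ts
        elif msg.startswith("error:") and pid in pending:
            continue                      # OpenSSL detail line for the pending failure
        elif (ok := BENIGN.search(msg)):
            benign[ok.group(1)] += 1      # retry with lower-cased signer validated
            pending.pop(pid, None)
        elif pid in pending:              # something else followed: not the benign pattern
            unmatched.append(pending.pop(pid))
    unmatched.extend(pending.values())    # failures still open at end of input
    return benign, unmatched

if __name__ == "__main__":
    benign, unmatched = triage(SAMPLE)
    print("benign lower-casing retries per signer:", dict(benign))
    print("failures with no successful retry:", unmatched)
```
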