Package: libldns2
Version: 1.7.0-4

Dear maintainer,

The ldns library from stable, testing and unstable (libldns2 1.7.0-4) signs CDS and CDNSKEY RRs with the ZSK; such RRs must be signed with the KSK instead (see RFC 7344 section 4.1). This bug makes managing DS RRs in the parent zone via CDS and CDNSKEY RRs impossible. This bug has been reported [1] and fixed [2] in ldns-1.7.1.

[1] https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=3437
[2] https://git.nlnetlabs.nl/ldns/commit/?id=f3c465b9

I applied that patch [2] on a Debian buster system and it indeed fixed the problem. Please find the debdiff output attached.

Cheers,
Jukka

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-6-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libldns2 depends on:
ii  libc6      2.28-10
ii  libssl1.1  1.1.1d-0+deb10u2

libldns2 recommends no packages.

libldns2 suggests no packages.

-- no debconf information

-- 
This email fills a much-needed gap in your mailbox.
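One way to check from the outside whether a zone is affected by the bug described above, as an added example that is not part of the bug report and not ldns code: it parses DNSKEY, DS, CDS and RRSIG records in presentation format, computes key tags as in RFC 4034 Appendix B, and applies the RFC 7344 section 4.1 rule that the RRSIG over the CDS (or CDNSKEY) RRset must come from a key that is present in both the zone's DNSKEY RRset and the parent's DS RRset. The example.net. records, the key material, the digest and the signature are constructed filler, and the function names are mine. The check compares key tags only; it does not verify the signature cryptographically.

```python
"""Check that a zone's CDS/CDNSKEY RRset is signed by a key the parent's DS RRset names.

Added example; not code from the bug report or from ldns.  All records below are
constructed for illustration (example.net. is not a real signed zone).
"""
import base64
import struct


def dnskey_key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_rr(line):
    """Split a presentation-format RR (owner TTL class type rdata...) into its fields."""
    owner, ttl, rrclass, rrtype, *rdata = line.split()
    return owner, int(ttl), rrclass, rrtype, rdata


def dnskey_tags(rrs):
    """Key tag -> flags for every DNSKEY in rrs; the base64 key may span several tokens."""
    tags = {}
    for line in rrs:
        _, _, _, rrtype, rdata = parse_rr(line)
        if rrtype == "DNSKEY":
            flags, protocol, algorithm = (int(x) for x in rdata[:3])
            pubkey = base64.b64decode("".join(rdata[3:]))
            tags[dnskey_key_tag(flags, protocol, algorithm, pubkey)] = flags
    return tags


def ds_tags(rrs):
    """Key tags referenced by the DS records in rrs (first DS rdata field)."""
    return {int(parse_rr(line)[4][0]) for line in rrs if parse_rr(line)[3] == "DS"}


def rrsig_tags_covering(rrs, covered):
    """Key tags (7th RRSIG rdata field) of the RRSIGs whose type-covered field is `covered`."""
    tags = set()
    for line in rrs:
        _, _, _, rrtype, rdata = parse_rr(line)
        if rrtype == "RRSIG" and rdata[0] == covered:
            tags.add(int(rdata[6]))
    return tags


def cds_signer_ok(zone_rrs, parent_ds_rrs, covered="CDS"):
    """RFC 7344 section 4.1: some RRSIG over the CDS/CDNSKEY RRset must come from a key
    that appears in both the zone's DNSKEY RRset and the parent's DS RRset.
    Key tags only: the signature itself is not verified here."""
    keys = dnskey_tags(zone_rrs)
    ds = ds_tags(parent_ds_rrs)
    return any(tag in keys and tag in ds for tag in rrsig_tags_covering(zone_rrs, covered))


# Constructed sample: 64 bytes of deterministic filler stand in for the public keys,
# and fixed strings for the DS digest and the RRSIG signature.
KSK_PUB = bytes(range(64))
ZSK_PUB = bytes(range(64, 128))
KSK_TAG = dnskey_key_tag(257, 3, 13, KSK_PUB)
ZSK_TAG = dnskey_key_tag(256, 3, 13, ZSK_PUB)
FILLER_DIGEST = "00" * 32
FILLER_SIG = base64.b64encode(b"not a real signature").decode()

# The parent publishes a DS for the KSK only (the normal state before a CDS-driven change).
PARENT_DS = [f"example.net. 3600 IN DS {KSK_TAG} 13 2 {FILLER_DIGEST}"]


def sample_zone(rrsig_key_tag):
    """Child apex records with RRSIG(CDS) attributed to the key with rrsig_key_tag."""
    def b64(b):
        return base64.b64encode(b).decode()
    return [
        f"example.net. 3600 IN DNSKEY 257 3 13 {b64(KSK_PUB)}",
        f"example.net. 3600 IN DNSKEY 256 3 13 {b64(ZSK_PUB)}",
        f"example.net. 3600 IN CDS {KSK_TAG} 13 2 {FILLER_DIGEST}",
        f"example.net. 3600 IN RRSIG CDS 13 2 3600 20191223000000 20191123000000 "
        f"{rrsig_key_tag} example.net. {FILLER_SIG}",
    ]


def signed_with_zsk_check():
    """What the report describes for ldns 1.7.0: RRSIG(CDS) from the ZSK, not in the DS set."""
    return cds_signer_ok(sample_zone(ZSK_TAG), PARENT_DS)


def signed_with_ksk_check():
    """What a fixed signer produces: RRSIG(CDS) from the KSK that the parent's DS names."""
    return cds_signer_ok(sample_zone(KSK_TAG), PARENT_DS)


if __name__ == "__main__":
    print("CDS signed by ZSK acceptable to parent:", signed_with_zsk_check())
    print("CDS signed by KSK acceptable to parent:", signed_with_ksk_check())
```

The test in `cds_signer_ok` is membership in the parent's DS RRset, not the SEP (257) flag on the DNSKEY: a key flagged 257 that the parent has never published a DS for does not satisfy RFC 7344 section 4.1 either, which is why the check takes the DS records as a separate input rather than trusting the flags.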
diff -Nru ldns-1.7.0/debian/changelog ldns-1.7.0/debian/changelog --- ldns-1.7.0/debian/changelog 2019-03-10 21:56:02.000000000 +0000 +++ ldns-1.7.0/debian/changelog 2019-11-23 00:05:23.000000000 +0000 @@ -1,3 +1,11 @@ +ldns (1.7.0-4.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Add upstream fix to sign CDS and CDNSKEY RRs with KSK instead of ZSK + (as specified in RFC 7344 section 4.1) + + -- Jukka Salmi <ju...@salmi.ch> Sat, 23 Nov 2019 00:05:23 +0000 + ldns (1.7.0-4) unstable; urgency=medium * Fix invalid maintainer (Closes: #899938) diff -Nru ldns-1.7.0/debian/patches/0004-sign-CDS-CDNSKEY-with-KSK.patch ldns-1.7.0/debian/patches/0004-sign-CDS-CDNSKEY-with-KSK.patch --- ldns-1.7.0/debian/patches/0004-sign-CDS-CDNSKEY-with-KSK.patch 1970-01-01 00:00:00.000000000 +0000 +++ ldns-1.7.0/debian/patches/0004-sign-CDS-CDNSKEY-with-KSK.patch 2019-11-23 00:05:19.000000000 +0000 
@@ -0,0 +1,38 @@ +From: Tony Finch <d...@dotat.at> +Date: Fri, 9 Mar 2018 17:55:58 +0000 +Subject: Your CDS RR is not signed with your KSK as specified in RFC7344 + +Willem Toorop <wil...@nlnetlabs.nl> wrote: + +> Yes indeed! I've created a bug report for it: +> +> https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=3437 + +I think the following patch fixes it. (I don't have an account on your bugzilla) +--- + dnssec_sign.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/dnssec_sign.c ++++ b/dnssec_sign.c +@@ -1251,12 +1251,15 @@ + key_list, + func, + arg); +- if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK) && +- cur_rrset->type == LDNS_RR_TYPE_DNSKEY) +- ldns_key_list_filter_for_dnskey(key_list, flags); +- +- if(cur_rrset->type != LDNS_RR_TYPE_DNSKEY) ++ if(cur_rrset->type == LDNS_RR_TYPE_DNSKEY || ++ cur_rrset->type == LDNS_RR_TYPE_CDNSKEY || ++ cur_rrset->type == LDNS_RR_TYPE_CDS) { ++ if(!(flags&LDNS_SIGN_DNSKEY_WITH_ZSK)) { ++ ldns_key_list_filter_for_dnskey(key_list, flags); ++ } ++ } else { + ldns_key_list_filter_for_non_dnskey(key_list, flags); ++ } + + /* TODO: just set count to zero? */ + rr_list = ldns_rr_list_new(); diff -Nru ldns-1.7.0/debian/patches/series ldns-1.7.0/debian/patches/series --- ldns-1.7.0/debian/patches/series 2019-03-10 21:56:02.000000000 +0000 +++ ldns-1.7.0/debian/patches/series 2019-11-23 00:04:49.000000000 +0000 @@ -1,2 +1,3 @@ 0002-Check-parse-limit-before-t-increment.patch 0003-bugfix-1257-Free-after-reallocing-to-0-size.patch +0004-sign-CDS-CDNSKEY-with-KSK.patch
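Review bot: the new debian/changelog entry for 1.7.0-4.1 targets UNRELEASED and carries no Closes: reference; before this NMU is uploaded the distribution field has to name the target suite and the bullet should close the bug number this report receives, otherwise the BTS will not tie the upload back to the report. The 1.7.0-4.1 version number itself is the right form for a non-maintainer upload.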
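Review bot: the header of 0004-sign-CDS-CDNSKEY-with-KSK.patch is a mail-thread body (the quoted "Willem Toorop wrote:" exchange and "I don't have an account on your bugzilla") where a DEP-3 description belongs; replace it with a one-sentence description plus `Origin: upstream, https://git.nlnetlabs.nl/ldns/commit/?id=f3c465b9` and `Bug: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=3437` (both URLs are in the report above), so the patch can be tracked against upstream and dropped when the package moves to 1.7.1.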
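Review bot: in the dnssec_sign.c hunk, the new `if(cur_rrset->type == LDNS_RR_TYPE_DNSKEY || ... LDNS_RR_TYPE_CDNSKEY || ... LDNS_RR_TYPE_CDS)` branch makes LDNS_SIGN_DNSKEY_WITH_ZSK govern CDS and CDNSKEY as well: with the flag set, those two RRsets are now signed by every key in key_list (no filter at all, as DNSKEY already was), where before they were always reduced to the non-DNSKEY keys by ldns_key_list_filter_for_non_dnskey regardless of the flag. That is the intended fix, but the flag's name mentions only DNSKEY, so its documentation (not part of this diff) should be updated to say it also covers CDS and CDNSKEY. Note also that ldns_key_list_filter_for_dnskey selects keys by their type, not by checking them against the parent's DS RRset, so a KSK that the parent has not yet published a DS for still yields a CDS RRSIG the parent must not act on.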