Hi Steinar,

I am sorry this has caused inconvenience for you, but the original problem here was that the implicit inline-signing with the dnssec-policy was also problematic and causing other problems, see the upstream issue: https://gitlab.isc.org/isc-projects/bind9/-/issues/3381

Especially this: https://gitlab.isc.org/isc-projects/bind9/-/issues/3381#note_308893

I guess what I can do in the package is to add a notice at the upgrade time.

Ondřej

--
Ondřej Surý <ond...@sury.org> (He/Him)

> On 22. 9. 2022, at 20:03, Steinar H. Gunderson <se...@debian.org> wrote:
>
> Package: bind9
> Version: 1:9.16.33-1~deb11u1
> Severity: grave
>
> Hi,
>
> After applying the security updates for DSA 5235-1, named completely breaks
> and refuses to start. (This caused downtime in production for us.) The reason
> seems to be that the patch includes a full minor version bump, including
> policy changes such as:
>
> 5941. [func] Zones with dnssec-policy now require dynamic DNS or
> inline-signing to be configured explicitly. [GL #3381]
>
> Since we have DNSSEC zones (as is recommended!), and use dnssec-policy to
> configure them (also recommended!) it dies on startup with
>
> Sep 22 16:17:59 cirkus named[3045282]: /etc/bind/named.conf.local:388:
> 'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for
> the zone
> Sep 22 16:17:59 cirkus named[3045282]: loading configuration: failure
> Sep 22 16:17:59 cirkus named[3045282]: exiting (due to fatal error)
>
> It seems that one can add “inline-signing yes;” manually to each zone
> to work around it, but this is not the kind of change that really should be
> done in a security update without a very good reason _and_ a very clear
> warning. :-)
>
> It seems the test suite even had to be changed for this change, which should
> have been a pretty clear red flag:
>
> https://salsa.debian.org/dns-team/bind9/-/commit/9036610e13ed037f776460d7806ea0a0e3841bdf#6f59e8ac2674d0c1120aa79f6f2ac2aa946d99e5
>
> I haven't checked if there are other breaking changes.
>
> -- System Information:
> Debian Release: 11.5
>   APT prefers stable-security
>   APT policy: (500, 'stable-security'), (500, 'stable-debug'), (500, 'proposed-updates'), (500, 'oldoldstable'), (500, 'stable'), (1, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.19.10 (SMP w/56 CPU threads; PREEMPT)
> Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8), LANGUAGE=en_NO:en_US:en_GB:en
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages bind9 depends on:
> ii  adduser                   3.118
> ii  bind9-libs                1:9.16.27-1~deb11u1
> pn  bind9-utils               <none>
> pn  bind9utils                <none>
> ii  debconf [debconf-2.0]     1.5.77
> ii  dns-root-data             2021011101
> ii  init-system-helpers       1.60
> ii  iproute2                  5.10.0-4
> pn  libbind9-140              <none>
> pn  libbind9-161              <none>
> ii  libc6                     2.31-13+deb11u4
> ii  libcap2                   1:2.44-1
> ii  libcom-err2 [libcomerr2]  1.46.2-2
> pn  libdns1104                <none>
> pn  libdns162                 <none>
> ii  libfstrm0                 0.6.0-1+b1
> ii  libgeoip1                 1.6.12-7
> ii  libgssapi-krb5-2          1.18.3-6+deb11u2
> pn  libirs141                 <none>
> pn  libisc1100                <none>
> pn  libisc160                 <none>
> pn  libisccc140               <none>
> pn  libisccc161               <none>
> pn  libisccfg140              <none>
> pn  libisccfg163              <none>
> pn  libjson-c3                <none>
> ii  libjson-c5                0.15-2
> ii  libk5crypto3              1.18.3-6+deb11u2
> ii  libkrb5-3                 1.18.3-6+deb11u2
> ii  liblmdb0                  0.9.24-1
> pn  liblwres141               <none>
> pn  liblwres161               <none>
> ii  libmaxminddb0             1.5.2-1
> ii  libnghttp2-14             1.43.0-1
> ii  libprotobuf-c1            1.3.3-1+b2
> pn  libssl1.0.2               <none>
> ii  libssl1.1                 1.1.1n-0+deb11u3
> ii  libuv1                    1.40.0-2
> ii  libxml2                   2.9.10+dfsg-6.7+deb11u2
> ii  lsb-base                  11.1.0
> ii  net-tools                 1.60+git20181103.0eebece-1
> ii  netbase                   6.3
> ii  zlib1g                    1:1.2.11.dfsg-2+deb11u2
>
> bind9 recommends no packages.
>
> Versions of packages bind9 suggests:
> pn  bind-doc                    <none>
> ii  bind9-dnsutils [dnsutils]   1:9.16.27-1~deb11u1
> pn  bind9-doc                   <none>
> ii  dnsutils                    1:9.16.27-1~deb11u1
> pn  resolvconf                  <none>
> pn  ufw                         <none>
>
> -- Configuration Files:
> /etc/bind/named.conf.local changed [not included]
> /etc/bind/named.conf.options changed [not included]
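The startup failure quoted in the report can be found before the upgrade rather than after it: the script below is an added example, not part of this bug report or of the bind9 package, that walks a named.conf.local (the sample file is constructed) and lists zones that use a dnssec-policy other than `none` without `allow-update`/`update-policy` or `inline-signing yes;`, then emits the config with the workaround Steinar describes applied to exactly those zones.

```python
import re

# Constructed sample of a named.conf.local; not the reporter's real file.
SAMPLE_CONF = """
zone "example.org" {
    type primary;
    dnssec-policy default;
};
zone "dyn.example.org" {
    type primary;
    dnssec-policy default;
    allow-update { key "ddns-key"; };
};
zone "plain.example.org" {
    type primary;
    dnssec-policy none;
};
"""

def iter_zones(conf):
    """Yield (name, body_start, body_end) for each zone statement, matching nested braces."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), m.end(), i - 1

def zones_needing_inline_signing(conf):
    """Zones that 9.16.33 rejects: real dnssec-policy, no dynamic DNS, no inline-signing yes."""
    broken = []
    for name, start, end in iter_zones(conf):
        body = conf[start:end]
        policy = re.search(r"\bdnssec-policy\s+(?!none\s*;)[^;]+;", body)
        dynamic = re.search(r"\b(allow-update|update-policy)\b", body)
        inline = re.search(r"\binline-signing\s+yes\s*;", body)
        if policy and not dynamic and not inline:
            broken.append(name)
    return broken

def add_inline_signing(conf):
    """Return conf with 'inline-signing yes;' added after dnssec-policy in each affected zone."""
    needing = set(zones_needing_inline_signing(conf))
    out = conf
    # Patch right to left so earlier offsets stay valid after each insertion.
    for name, start, end in reversed(list(iter_zones(conf))):
        if name in needing:
            fixed = re.sub(r"(\bdnssec-policy\s+[^;]+;)", r"\1\n    inline-signing yes;",
                           conf[start:end], count=1)
            out = out[:start] + fixed + out[end:]
    return out
```

Run `named-checkconf` on the emitted file before restarting named, since the script only handles the one diagnostic quoted in the report.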