FS#60750 - [bind] 9.13.3-3: support for ed25519 broken with OpenSSL 1.1.1 final

Attached to Project: Arch Linux
Opened by Pascal E. (hardfalcon) - Friday, 09 November 2018, 01:13 GMT
Last edited by Doug Newgard (Scimmia) - Sunday, 18 November 2018, 14:34 GMT
Task Type Bug Report
Category Upstream Bugs
Status Assigned
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No


Support for creating ed25519 signatures is broken when bind is built/used with the final release of OpenSSL 1.1.1. Key generation works, but actually signing a zone fails. The zone will still be loaded and can be queried, but no DNSKEY records are generated even if named is configured to manage DNSSEC signatures by itself (the same configuration works flawlessly when using non-EDDSA keys, for example RSASHA256 or ECDSAP384SHA384 keys).

A patch which fixes this has been merged by upstream:

I've slightly modified the CHANGES hunk in that patch to make the patch applicable to bind 9.13.3.

Note that even with this patch, ed448 support will still be completely broken (not even key generation works), even though upstream's changelog claims otherwise. This is a known bug which will likely only be fixed in bind 9.15.x:

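A post-upgrade check for the symptom described above, added here as an example and not part of the bug report or of BIND: it generates ED25519 keys for a made-up zone, signs and verifies it with BIND's own tools, and then confirms that the signed file really carries DNSKEY and RRSIG records. It assumes dnssec-keygen, dnssec-signzone and dnssec-verify are on PATH; the zone name and zone contents are constructed.

```shell
#!/bin/sh
# Added example (not from the report): exercise ED25519 signing end to end.
# Assumes BIND's dnssec-keygen/dnssec-signzone/dnssec-verify are installed.

# Count records of type $2 in zone file $1 by matching the "IN <TYPE>" pair,
# so an "IN RRSIG DNSKEY" line counts as RRSIG, not as DNSKEY.
count_rrtype() {
    awk -v t="$2" '
        /^;/ || NF == 0 { next }
        { for (i = 1; i < NF; i++) if ($i == "IN" && $(i+1) == t) { n++; break } }
        END { print n + 0 }' "$1"
}

# Exit codes: 0 = ED25519 signing works; 1 = zone signed but DNSKEY/RRSIG
# missing (the symptom in the report); 2 = key generation failed (the
# report says this step still works); 3 = signzone/verify or setup failed.
check_ed25519_signing() {
    zone="$1"
    work=$(mktemp -d) || return 3
    # Minimal constructed zone: apex SOA/NS plus one address record.
    cat > "$work/$zone" <<EOF
\$TTL 3600
@    IN SOA ns1.$zone. hostmaster.$zone. 1 7200 3600 1209600 3600
@    IN NS  ns1.$zone.
ns1  IN A   192.0.2.1
EOF
    rc=0
    ksk=$(dnssec-keygen -q -K "$work" -a ED25519 -f KSK "$zone") || rc=2
    zsk=$(dnssec-keygen -q -K "$work" -a ED25519 "$zone")        || rc=2
    if [ $rc -eq 0 ]; then
        # Signing is the step that breaks with OpenSSL 1.1.1 final.
        if dnssec-signzone -K "$work" -o "$zone" -f "$work/$zone.signed" \
                "$work/$zone" "$ksk" "$zsk" >/dev/null 2>&1 \
           && dnssec-verify -o "$zone" "$work/$zone.signed" >/dev/null 2>&1; then
            [ "$(count_rrtype "$work/$zone.signed" DNSKEY)" -eq 2 ] || rc=1
            [ "$(count_rrtype "$work/$zone.signed" RRSIG)"  -ge 1 ] || rc=1
        else
            rc=3
        fi
    fi
    rm -rf "$work"
    return $rc
}

# Only run the live check when the BIND tools are actually present.
if command -v dnssec-signzone >/dev/null 2>&1; then
    check_ed25519_signing example.test && echo "ED25519 signing OK" \
        || echo "ED25519 signing BROKEN (rc=$?)"
fi
```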