FS#60750 - [bind] 9.13.3-3: support for ed25519 broken with OpenSSL 1.1.1 final
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 09 November 2018, 01:13 GMT
Last edited by Sébastien Luttringer (seblu) - Sunday, 07 April 2019, 13:45 GMT
Details
Support for creating ed25519 signatures is broken when bind
is built/used with the final release of OpenSSL 1.1.1. Key
generation works, but actually signing a zone fails. The
zone will still be loaded and can be queried, but no DNSKEY
records are generated even if named is configured to manage
DNSSEC signatures by itself (the same configuration works
flawlessly when using non-EDDSA keys, for example RSASHA256
or ECDSAP384SHA384 keys).
A patch which fixes this has been merged by upstream: https://gitlab.isc.org/isc-projects/bind9/commit/739b74759d383a091eee55d161832ab76aecacd5 I've slightly modified the CHANGES hunk in that patch to make the patch applicable to bind 9.13.3. Note that even with this patch, ed448 support will still be completely broken (not even key generation works), even though upstream's changelog claims otherwise. This is a known bug which will likely only be fixed in bind 9.15.x: https://gitlab.isc.org/isc-projects/bind9/issues/225#note_25969
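The failure described in this report is silent: the zone loads and answers queries, but no ED25519 (algorithm 15) DNSKEY or RRSIG ever appears. The following check, added here as an example and not part of the bug report or of bind, parses the answer section of a `dig +dnssec DNSKEY` query (a constructed sample is embedded; the key material is not real) and reports whether a DNSKEY and an RRSIG over the DNSKEY RRset exist for the expected algorithm, so an operator can detect the symptom after an OpenSSL or bind upgrade.

```python
import re

# DNSSEC algorithm numbers from the IANA registry.
ED25519, ED448 = 15, 16
ALG_NAMES = {8: "RSASHA256", 13: "ECDSAP256SHA256",
             14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# Constructed sample of a `dig +dnssec DNSKEY example.test` answer section.
# The base64 key and signature data are placeholders, not real keys.
SAMPLE_ANSWER = """\
example.test. 3600 IN DNSKEY 257 3 15 l02Woi0iS8Aa25FQkUd9RMzZHJpBoRQwAQEX1SxZJA4=
example.test. 3600 IN DNSKEY 256 3 15 UeLN9y0y9RAtKgJ6NHVbPgUq9KMjlEo5OsE7TCnAcmY=
example.test. 3600 IN RRSIG DNSKEY 15 2 3600 20181201000000 20181109000000 12345 example.test. dGVzdHNpZ25hdHVyZQ==
"""

# DNSKEY RDATA is: flags protocol algorithm public-key
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+")
# RRSIG RDATA over DNSKEY starts with: type-covered algorithm labels ...
RRSIG_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+DNSKEY\s+(\d+)\s+")


def check_dnskey_rrset(text, expected_alg=ED25519):
    """Summarise which algorithms sign and publish keys in a DNSKEY answer.

    Returns a dict with the algorithm numbers seen on DNSKEY records,
    the algorithm numbers seen on RRSIGs covering DNSKEY, and whether
    both exist for expected_alg. Comment lines (';') and blanks are skipped.
    """
    key_algs, sig_algs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DNSKEY_RE.match(line)
        if m:
            key_algs.append(int(m.group(3)))
            continue
        m = RRSIG_RE.match(line)
        if m:
            sig_algs.append(int(m.group(2)))
    return {
        "keys": key_algs,
        "sigs": sig_algs,
        "key_names": sorted({ALG_NAMES.get(a, str(a)) for a in key_algs}),
        "has_key": expected_alg in key_algs,
        "has_sig": expected_alg in sig_algs,
        "ok": expected_alg in key_algs and expected_alg in sig_algs,
    }


if __name__ == "__main__":
    print("ED25519 signed:", check_dnskey_rrset(SAMPLE_ANSWER)["ok"])
    # An empty answer, the symptom in this report, fails the check.
    print("Empty answer:", check_dnskey_rrset("")["ok"])
```

In practice feed the function the output of `dig +dnssec +noall +answer DNSKEY <zone>` against the authoritative server; an `ok` of False for a zone that named is supposed to sign inline is exactly the condition this report describes.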
Closed by Sébastien Luttringer (seblu)
Sunday, 07 April 2019, 13:45 GMT
Reason for closing: Upstream
Additional comments about closing: Patch is included in 9.14