FS#60750 - [bind] 9.13.3-3: support for ed25519 broken with OpenSSL 1.1.1 final

Attached to Project: Arch Linux
Opened by Pascal Ernster (hardfalcon) - Friday, 09 November 2018, 01:13 GMT
Last edited by Sébastien Luttringer (seblu) - Sunday, 07 April 2019, 13:45 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Support for creating ed25519 signatures is broken when bind is built/used with the final release of OpenSSL 1.1.1. Key generation works, but actually signing a zone fails. The zone will still be loaded and can be queried, but no DNSKEY records are generated even if named is configured to manage DNSSEC signatures by itself (the same configuration works flawlessly when using non-EDDSA keys, for example RSASHA256 or ECDSAP384SHA384 keys).

A patch which fixes this has been merged by upstream:

https://gitlab.isc.org/isc-projects/bind9/commit/739b74759d383a091eee55d161832ab76aecacd5

I've slightly modified the CHANGES hunk in that patch to make the patch applicable to bind 9.13.3.


Note that even with this patch, ed448 support will still be completely broken (not even key generation works), even though upstream's changelog claims otherwise. This is a known bug which will likely only be fixed in bind 9.15.x:

https://gitlab.isc.org/isc-projects/bind9/issues/225#note_25969
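As an added check (not part of the report or of BIND itself): the failure described above is silent, because the zone still loads and answers queries while no DNSKEY is ever published. The snippet below parses the answer section of `dig <zone> DNSKEY +noall +answer` (sample lines constructed here) and reports which DNSSEC algorithms a zone actually publishes, so an ed25519 zone with no key on the wire stands out.

```python
# Added example: spot a zone whose DNSKEY set lacks the algorithm it was
# configured to sign with. Input is dig's presentation-format answer section.
import re

# IANA DNSSEC algorithm numbers for the algorithms named in the report.
ALGORITHMS = {8: "RSASHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}

# owner  ttl  IN  DNSKEY  flags  protocol(always 3)  algorithm  base64-key
DNSKEY_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+(\S+)", re.M
)


def published_algorithms(dig_output):
    """Map algorithm number -> list of DNSKEY flags (257 = KSK, 256 = ZSK)."""
    found = {}
    for flags, alg, _key in DNSKEY_RE.findall(dig_output):
        found.setdefault(int(alg), []).append(int(flags))
    return found


def missing_key_for(dig_output, expected_alg):
    """True when the zone publishes no DNSKEY for the algorithm it should use."""
    return expected_alg not in published_algorithms(dig_output)


def describe(dig_output):
    """Human-readable list of the algorithms seen, e.g. ['ED25519 (15)']."""
    return [
        f"{ALGORITHMS.get(alg, 'unknown')} ({alg})"
        for alg in sorted(published_algorithms(dig_output))
    ]


# Constructed sample: an RSASHA256 zone where automatic signing works.
HEALTHY_RSA = (
    "example.com.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAcCONSTRUCTEDKSK\n"
    "example.com.\t3600\tIN\tDNSKEY\t256 3 8 AwEAAcCONSTRUCTEDZSK\n"
)

# Constructed sample: the symptom from the report, an ed25519 zone whose
# DNSKEY query returns an empty answer section even though it loads fine.
BROKEN_ED25519 = ""

if __name__ == "__main__":
    print("rsa zone publishes:", describe(HEALTHY_RSA))
    print("ed25519 key missing:", missing_key_for(BROKEN_ED25519, 15))
```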

Closed by Sébastien Luttringer (seblu)
Sunday, 07 April 2019, 13:45 GMT
Reason for closing: Upstream
Additional comments about closing: Patch is included in 9.14