
Bug#878173: stretch-pu: package pdns/4.0.3-1+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear Release Team,

pdns before 4.0.4 replies incorrectly to DNS questions with the
DNSSEC query bit (DO) set, when the query also uses the "0x20"
mechanism to increase spoofing resistance.

Unfortunately this is the configuration letsencrypt uses to check
for CAA records on domains. This means letsencrypt is broken for
all users who have domains on pdns from stretch.

Upstream has fixed this in 4.0.4, but that didn't make it into
stretch.

There is more discussion on this in Debian bug #869222 and
at https://github.com/PowerDNS/pdns/issues/5546 and at
https://community.letsencrypt.org/t/caa-servfail-changes/38298/2

I have imported a minimal patch from upstream and attached the
debdiff. Please let me know if this looks good or if I got something
wrong.

Thanks,
Chris

diff -Nru pdns-4.0.3/debian/changelog pdns-4.0.3/debian/changelog
--- pdns-4.0.3/debian/changelog	2017-01-19 23:05:09.000000000 +0000
+++ pdns-4.0.3/debian/changelog	2017-10-10 18:08:15.000000000 +0000
@@ -1,3 +1,9 @@
+pdns (4.0.3-1+deb9u1) stable; urgency=medium
+
+  * Fix incorrect qname casing in NSEC3 generation (Closes: #869222)
+
+ -- Christian Hofstaedtler <zeha@debian.org>  Tue, 10 Oct 2017 18:08:15 +0000
+
 pdns (4.0.3-1) unstable; urgency=medium
 
   * New upstream version 4.0.3, fixing bug when running bindbackend
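Review bot: the changelog entry says "NSEC3 generation" while the upstream commit it imports is titled "lowercase qname before NSEC generation"; pick one wording (or say NSEC/NSEC3) so the two do not appear to describe different fixes. For a stable update it would also help to state the user-visible effect given in the cover mail, e.g. `* Lowercase qname before NSEC/NSEC3 generation so that DNSSEC (DO) queries using 0x20 case randomisation, as sent by Let's Encrypt for CAA checks, are answered correctly (Closes: #869222)`, and to reference upstream issue #5546 alongside the Debian bug.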
diff -Nru pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch
--- pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch	1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.0.3/debian/patches/869222-lowercase-qname-before-NSEC-generation.patch	2017-10-10 18:08:15.000000000 +0000
@@ -0,0 +1,25 @@
+From b91cfe5c069df975176f5fd944540f72fc5d01bb Mon Sep 17 00:00:00 2001
+From: Kees Monshouwer <mind04@monshouwer.org>
+Date: Wed, 3 May 2017 21:49:11 +0200
+Subject: [PATCH] auth: lowercase qname before NSEC generation
+
+[zeha@debian.org]: Patch from upstream PR #5289.
+https://github.com/PowerDNS/pdns/commit/b91cfe5c069df975176f5fd944540f72fc5d01bb
+
+---
+ pdns/dnsbackend.cc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pdns/dnsbackend.cc b/pdns/dnsbackend.cc
+index 4e43ffc2b1..2454d6efb8 100644
+--- a/pdns/dnsbackend.cc
++++ b/pdns/dnsbackend.cc
+@@ -273,7 +273,7 @@ bool DNSBackend::getBeforeAndAfterNames(uint32_t id, const DNSName& zonename, co
+   // lcqname=labelReverse(lcqname);
+   DNSName dnc;
+   string relqname, sbefore, safter;
+-  relqname=labelReverse(makeRelative(qname.toStringNoDot(), zonename.toStringNoDot())); // FIXME400
++  relqname=labelReverse(makeRelative(toLower(qname.toStringNoDot()), zonename.toStringNoDot()));
+   //sbefore = before.toString();
+   //safter = after.toString();
+   bool ret = this->getBeforeAndAfterNamesAbsolute(id, relqname, dnc, sbefore, safter);
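Review bot: the changed line lowercases only the qname side of `makeRelative(toLower(qname.toStringNoDot()), zonename.toStringNoDot())`; if `makeRelative` strips the zone suffix by case-sensitive comparison, a zonename that is not already in canonical lowercase form would stop matching after this change, so please confirm (in the patch description) that zonename always arrives lowercased from the backend, or lowercase both arguments for symmetry. The header also lacks DEP-3 fields: the free-form `[zeha@debian.org]: Patch from upstream PR #5289.` line would be clearer as `Origin: upstream, https://github.com/PowerDNS/pdns/commit/b91cfe5c069df975176f5fd944540f72fc5d01bb` plus `Bug-Debian: https://bugs.debian.org/869222`, and the removed `// FIXME400` marker deserves a word on whether that FIXME is now considered resolved.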
diff -Nru pdns-4.0.3/debian/patches/series pdns-4.0.3/debian/patches/series
--- pdns-4.0.3/debian/patches/series	1970-01-01 00:00:00.000000000 +0000
+++ pdns-4.0.3/debian/patches/series	2017-10-10 18:08:15.000000000 +0000
@@ -0,0 +1 @@
+869222-lowercase-qname-before-NSEC-generation.patch
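Why the one-token change matters, as an added illustration that is not part of the bug report, of pdns or of the upstream commit: RFC 5155 defines the NSEC3 owner hash over the canonical (lowercased) form of the name, so a qname received with 0x20 case randomisation has to be lowercased before it is used to select denial-of-existence records, or the server derives a hash that matches nothing in the zone. The code below is Python with function names of my choosing; the salt, iteration count and expected digest are the published vector from RFC 5155 Appendix A.

```python
# Added illustration, not pdns code: NSEC3 owner hash per RFC 5155 s5.
import base64
import hashlib

# RFC 4648 base32hex alphabet, mapped from the standard base32 alphabet
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name: str, canonical: bool = True) -> bytes:
    """Wire-format a dotted name. canonical=True lowercases every label
    (RFC 4034 s6.2 canonical form); False keeps the case as received."""
    out = bytearray()
    for label in filter(None, name.rstrip(".").split(".")):
        raw = (label.lower() if canonical else label).encode("ascii")
        out.append(len(raw))
        out.extend(raw)
    out.append(0)  # root label terminates the name
    return bytes(out)

def nsec3_hash(name: str, salt_hex: str, iterations: int,
               canonical: bool = True) -> str:
    """Hashed owner name, algorithm 1 (SHA-1), lowercase base32hex:
    IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name, canonical) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()

def denial_lookup_matches(query_name: str, zone_owner: str, salt_hex: str,
                          iterations: int, lowercase_first: bool) -> bool:
    """True if the hash the server derives from the qname as received equals
    the hash stored for the canonical owner. lowercase_first=False models the
    pre-4.0.4 behaviour the report describes; True models the toLower() fix."""
    stored = nsec3_hash(zone_owner, salt_hex, iterations)
    derived = nsec3_hash(query_name, salt_hex, iterations, canonical=lowercase_first)
    return derived == stored

if __name__ == "__main__":
    # Published vector, RFC 5155 Appendix A: zone "example", salt aabbccdd, 12 iterations
    print(nsec3_hash("example", "aabbccdd", 12))  # 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom
    # A 0x20-randomised query for the apex: only the fixed path finds the record
    for fixed in (False, True):
        ok = denial_lookup_matches("ExAmPlE.", "example.", "aabbccdd", 12, fixed)
        print(f"lowercase_first={fixed}: hash matches zone owner -> {ok}")
```

Because NSEC/NSEC3 records are only returned when the DO bit is set, the mismatch stays invisible to plain queries and shows up exactly in the DO + 0x20 combination the report describes.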