Bug#927778: unblock: bind9/1:9.11.5.P4+dfsg-3



Package: release.debian.org
Severity: normal
Tags: d-i confirmed
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi,

I am filing an unblock for bind9 as it has a fixed RC bug and
needs a d-i ack.

bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium

  * More fixes to the AppArmor policy for Samba AD DLZ
    - allow access to /dev/urandom
    - allow locking for dns.keytab
    - fix path to smb.conf

 -- Bernhard Schmidt <berni@debian.org>  Mon, 22 Apr 2019 22:31:06 +0200

bind9 (1:9.11.5.P4+dfsg-2) unstable; urgency=medium

  [ Ondřej Surý ]
  * Update d/gbp.conf for Debian Buster

  [ Bernhard Schmidt ]
  * Cherry-Pick upstream commit to prevent dnssec-keymgr from immediately
    expiring and deleting old DNSSEC keys when being run for the first
    time (Closes: #923984)
  * Update AppArmor policy for Samba AD DLZ
    - Add changed default location for named.conf
    - Allow read/mmap on some Samba libraries
    Thanks to Steven Monai (Closes: #920530)

  [ Andreas Beckmann ]
  * bind9.preinst: cope with ancient conffile named.conf.options
    (Closes: #905177)

 -- Bernhard Schmidt <berni@debian.org>  Tue, 02 Apr 2019 21:12:50 +0200


unblock bind9/1:9.11.5.P4+dfsg-3

Thanks,
~Niels

Base version: bind9_1:9.11.5.P4+dfsg-1 from testing
Target version: bind9_1:9.11.5.P4+dfsg-3 from unstable

Hints in place:
==> nthykier
  #2019-04-23
  unblock bind9/1:9.11.5.P4+dfsg-3
==> freeze
  # These udebs need to be put in one of the lists:
  block-udeb bind9

Excuses:

bind9 (1:9.11.5.P4+dfsg-1 to 1:9.11.5.P4+dfsg-3)
    Migration status: BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
    Maintainer: Debian DNS Team
    Too young, only 0 of 2 days old
    Updating bind9 fixes old bugs: #905177
    Piuparts tested OK - https://piuparts.debian.org/sid/source/b/bind9.html
    Required age reduced by 3 days because of autopkgtest
    Not touching package due to block-udeb request by freeze (please contact the d-i release manager if an update is needed)
    Not touching package due to block request by freeze (please contact debian-release if update is needed)

Filter applied (not reflected in the diffstat):
  filterdiff -x **/*.po -x **/*.pot

 bind9.preinst                               |   10 +
 changelog                                   |   29 +++
 extras/apparmor.d/usr.sbin.named            |   11 +
 gbp.conf                                    |    3 
 patches/keymgr-dont-immediately-delete.diff |  217 ++++++++++++++++++++++++++++
 patches/series                              |    1 
 6 files changed, 267 insertions(+), 4 deletions(-)

gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/nthykier/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made 2019-02-22T17:47:49 UTC
gpgv:                using RSA key D6E01EC516A5DFCEF71956D3775079E5B850BC93
gpgv:                issuer "berni@debian.org"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on /tmp/tmplzeh50h3/bind9_9.11.5.P4+dfsg-1.dsc
gpgv: unknown type of key resource 'trustedkeys.kbx'
gpgv: keyblock resource '/home/nthykier/.gnupg/trustedkeys.kbx': General error
gpgv: Signature made 2019-04-22T21:03:24 UTC
gpgv:                using RSA key D6E01EC516A5DFCEF71956D3775079E5B850BC93
gpgv:                issuer "berni@debian.org"
gpgv: Can't check signature: No public key
dpkg-source: warning: failed to verify signature on /tmp/tmplzeh50h3/bind9_9.11.5.P4+dfsg-3.dsc
diff -Nru bind9-9.11.5.P4+dfsg/debian/bind9.preinst bind9-9.11.5.P4+dfsg/debian/bind9.preinst
--- bind9-9.11.5.P4+dfsg/debian/bind9.preinst	2019-02-22 16:54:10.000000000 +0000
+++ bind9-9.11.5.P4+dfsg/debian/bind9.preinst	2019-04-22 20:31:06.000000000 +0000
@@ -20,7 +20,15 @@
 	    theirs=$(md5sum /etc/bind/named.conf.options | sed 's/ .*$//')
 	    mine=56919cbc0d819c9a303a8bdeb306b5f1
 	    if [ "$mine" = "$theirs" ]; then
-		mv /etc/bind/named.conf.options /etc/bind/named.conf.options.dpkg-old
+		if [ -n "$(dpkg-query -f '${Conffiles}' -W bind9 | grep /etc/bind/named.conf.options)" ]; then
+		    # dpkg knows /etc/bind/named.conf.options as a conffile (from squeeze or older)
+		    # cannot move the outdated file aside to avoid dpkg noticing deleted-by-local-admin
+		    # therefore edit it in place to make it match the to-be-installed version
+		    cp -p /etc/bind/named.conf.options /etc/bind/named.conf.options.dpkg-old
+		    sed -i '26{/^$/d}; 23{/auth-nxdomain no;/d}' /etc/bind/named.conf.options
+		else
+		    mv /etc/bind/named.conf.options /etc/bind/named.conf.options.dpkg-old
+		fi
 	    fi
 	fi
     ;;
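Review bot: the in-place edit on the added lines deletes by absolute line number (`sed -i '26{/^$/d}; 23{/auth-nxdomain no;/d}'`), which is only correct because the md5 comparison against `$mine` a few lines earlier guarantees the exact shipped file; the comment block should say so, otherwise a later change to either the hash or the shipped named.conf.options silently breaks the rewrite. Two smaller points: the conffile test greps an unanchored path and then tests the output for non-emptiness, so `dpkg-query -f '${Conffiles}' -W bind9 | grep -q ' /etc/bind/named.conf.options '` is both stricter (no match on a longer path sharing that prefix) and clearer; and the `cp -p` deliberately leaves a `.dpkg-old` copy behind even though nothing is moved, which deserves a word in the comment so it is not mistaken for a leftover.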
diff -Nru bind9-9.11.5.P4+dfsg/debian/changelog bind9-9.11.5.P4+dfsg/debian/changelog
--- bind9-9.11.5.P4+dfsg/debian/changelog	2019-02-22 16:54:10.000000000 +0000
+++ bind9-9.11.5.P4+dfsg/debian/changelog	2019-04-22 20:31:06.000000000 +0000
@@ -1,3 +1,32 @@
+bind9 (1:9.11.5.P4+dfsg-3) unstable; urgency=medium
+
+  * More fixes to the AppArmor policy for Samba AD DLZ
+    - allow access to /dev/urandom
+    - allow locking for dns.keytab
+    - fix path to smb.conf
+
+ -- Bernhard Schmidt <berni@debian.org>  Mon, 22 Apr 2019 22:31:06 +0200
+
+bind9 (1:9.11.5.P4+dfsg-2) unstable; urgency=medium
+
+  [ Ondřej Surý ]
+  * Update d/gbp.conf for Debian Buster
+
+  [ Bernhard Schmidt ]
+  * Cherry-Pick upstream commit to prevent dnssec-keymgr from immediately
+    expiring and deleting old DNSSEC keys when being run for the first
+    time (Closes: #923984)
+  * Update AppArmor policy for Samba AD DLZ
+    - Add changed default location for named.conf
+    - Allow read/mmap on some Samba libraries
+    Thanks to Steven Monai (Closes: #920530)
+
+  [ Andreas Beckmann ]
+  * bind9.preinst: cope with ancient conffile named.conf.options
+    (Closes: #905177)
+
+ -- Bernhard Schmidt <berni@debian.org>  Tue, 02 Apr 2019 21:12:50 +0200
+
 bind9 (1:9.11.5.P4+dfsg-1) unstable; urgency=high
 
   [ Bernhard Schmidt ]
diff -Nru bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named
--- bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named	2019-02-22 16:54:10.000000000 +0000
+++ bind9-9.11.5.P4+dfsg/debian/extras/apparmor.d/usr.sbin.named	2019-04-22 20:31:06.000000000 +0000
@@ -75,10 +75,17 @@
   /usr/lib/bind/*.so rm,
 
   # Samba DLZ
-  /var/lib/samba/private/dns.keytab r,
+  /{usr/,}lib/@{multiarch}/samba/bind9/*.so rm,
+  /{usr/,}lib/@{multiarch}/samba/gensec/*.so rm,
+  /{usr/,}lib/@{multiarch}/samba/ldb/*.so rm,
+  /{usr/,}lib/@{multiarch}/ldb/modules/ldb/*.so rm,
+  /var/lib/samba/bind-dns/dns.keytab rk,
+  /var/lib/samba/bind-dns/named.conf r,
+  /var/lib/samba/private/dns.keytab rk,
   /var/lib/samba/private/named.conf r,
   /var/lib/samba/private/dns/** rwk,
-  /etc/smb.conf r,
+  /etc/samba/smb.conf r,
+  /dev/urandom rwmk,
 
   # Site-specific additions and overrides. See local/README for details.
   #include <local/usr.sbin.named>
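Review bot: `/dev/urandom rwmk,` grants write, mmap and lock on the entropy device, while the changelog entry only says "allow access to /dev/urandom" and reading randomness needs `r`; confirm from the logged denials which modes named and the Samba modules actually request and keep only those. Also worth a check: the new `/var/lib/samba/bind-dns/` location gets only `dns.keytab rk` and `named.conf r`, whereas the old location keeps `/var/lib/samba/private/dns/** rwk`; if the bind-dns layout used by the Samba version in buster also carries a `dns/` subtree, a matching `rwk` rule is missing there.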
diff -Nru bind9-9.11.5.P4+dfsg/debian/gbp.conf bind9-9.11.5.P4+dfsg/debian/gbp.conf
--- bind9-9.11.5.P4+dfsg/debian/gbp.conf	2019-02-22 16:54:10.000000000 +0000
+++ bind9-9.11.5.P4+dfsg/debian/gbp.conf	2019-04-22 20:31:06.000000000 +0000
@@ -1,3 +1,4 @@
 [DEFAULT]
+debian-branch = debian/buster
 pristine-tar = True
-
+upstream-branch = upstream/buster
diff -Nru bind9-9.11.5.P4+dfsg/debian/patches/keymgr-dont-immediately-delete.diff bind9-9.11.5.P4+dfsg/debian/patches/keymgr-dont-immediately-delete.diff
--- bind9-9.11.5.P4+dfsg/debian/patches/keymgr-dont-immediately-delete.diff	1970-01-01 00:00:00.000000000 +0000
+++ bind9-9.11.5.P4+dfsg/debian/patches/keymgr-dont-immediately-delete.diff	2019-04-22 20:31:06.000000000 +0000
@@ -0,0 +1,217 @@
+diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in
+index e1241f00710ab3be115c10eebbfe96f40ab92e4d..74ccc645f8eace170bf09232953e7aba49a04743 100644
+--- a/bin/python/isc/keyseries.py.in
++++ b/bin/python/isc/keyseries.py.in
+@@ -77,15 +77,39 @@ class keyseries:
+         a = key.activate()
+         if not p or p > now:
+             key.setpublish(now)
++            p = now
+         if not a or a > now:
+             key.setactivate(now)
++            a = now
+ 
++        i = key.inactive()
+         if not rp:
+             key.setinactive(None, **kwargs)
+             key.setdelete(None, **kwargs)
++        elif not i or a + rp != i:
++            if not i and a + rp > now + prepub:
++                key.setinactive(a + rp, **kwargs)
++                key.setdelete(a + rp + postpub, **kwargs)
++            elif not i:
++                key.setinactive(now + prepub, **kwargs)
++                key.setdelete(now + prepub + postpub, **kwargs)
++            elif a + rp > i:
++                key.setinactive(a + rp, **kwargs)
++                key.setdelete(a + rp + postpub, **kwargs)
++            elif a + rp > now + prepub:
++                key.setinactive(a + rp, **kwargs)
++                key.setdelete(a + rp + postpub, **kwargs)
++            else:
++                key.setinactive(now + prepub, **kwargs)
++                key.setdelete(now + prepub + postpub, **kwargs)
+         else:
+-            key.setinactive(a + rp, **kwargs)
+-            key.setdelete(a + rp + postpub, **kwargs)
++            d = key.delete()
++            if not d or i + postpub > now:
++                key.setdelete(i + postpub, **kwargs)
++            elif not d:
++                key.setdelete(now + postpub, **kwargs)
++            elif d < i + postpub:
++                key.setdelete(i + postpub, **kwargs)
+ 
+         if policy.keyttl != key.ttl:
+             key.setttl(policy.keyttl)
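Review bot: in the final `else` branch of keyseries.py.in the second test is unreachable: `if not d or i + postpub > now:` already covers every case where `d` is unset, so `elif not d:` can never be true and the `now + postpub` fallback for an old key with no delete date is dead code. By analogy with the `not i and a + rp > now + prepub` / `elif not i` pair above it, the first condition was probably meant to read `if not d and i + postpub > now:`. Since this is a cherry-pick of an upstream commit, compare with upstream's current version of this block before changing it locally so the Debian patch does not diverge. Minor: the `elif a + rp > i:` and `elif a + rp > now + prepub:` branches set identical values and could be a single condition.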
+diff --git a/bin/tests/system/keymgr/19-old-keys/README b/bin/tests/system/keymgr/19-old-keys/README
+new file mode 100644
+index 0000000000000000000000000000000000000000..424b70c4f559eb7f901cdd12a1f36ce41767ef08
+--- /dev/null
++++ b/bin/tests/system/keymgr/19-old-keys/README
+@@ -0,0 +1,7 @@
++Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++
++See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
++
++This directory has a key set which is valid, but which was published
++and activated more than one rollover period ago. dnssec-keymgr should
++not mark the keys as already being inactive and deleted.
+diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect
+new file mode 100644
+index 0000000000000000000000000000000000000000..f3e49b3d28600e2219ddbdc44b87ea56f24ccdcb
+--- /dev/null
++++ b/bin/tests/system/keymgr/19-old-keys/expect
+@@ -0,0 +1,12 @@
++kargs="-c policy.conf example.com"
++kmatch=""
++kret=0
++cargs="-d 1w -m 2w example.com"
++cmatch="4,Publish
++4,Activate
++2,Inactive
++2,Delete"
++cret=0
++warn=0
++error=0
++ok=2
+diff --git a/bin/tests/system/keymgr/19-old-keys/extra.sh b/bin/tests/system/keymgr/19-old-keys/extra.sh
+new file mode 100644
+index 0000000000000000000000000000000000000000..8da6aa1329b5a972abcfddb126ff970ff8e72a35
+--- /dev/null
++++ b/bin/tests/system/keymgr/19-old-keys/extra.sh
+@@ -0,0 +1,19 @@
++# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++#
++# See the COPYRIGHT file distributed with this work for additional
++# information regarding copyright ownership.
++
++now=`$PERL -e 'print time()."\n";'`
++for keyfile in K*.key; do
++    inactive=`$SETTIME -upI $keyfile | awk '{print $2}'`
++    if [ "$inactive" = UNSET ]; then
++        continue
++    elif [ "$inactive" -lt "$now" ]; then
++        echo_d "inactive date is in the past"
++        ret=1
++    fi
++done
+diff --git a/bin/tests/system/keymgr/19-old-keys/policy.conf b/bin/tests/system/keymgr/19-old-keys/policy.conf
+new file mode 100644
+index 0000000000000000000000000000000000000000..91817ff41b6955c7512583839c0b99cf47a220a0
+--- /dev/null
++++ b/bin/tests/system/keymgr/19-old-keys/policy.conf
+@@ -0,0 +1,18 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++policy default {
++	policy global;
++	algorithm nsec3rsasha1;
++	pre-publish zsk 2w;
++	roll-period zsk 6mo;
++	coverage 364d;
++};
+diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh
+index dc9f0a0c8437fd81dee2f8fa44e122c1df9ec6a5..3b9b1a2ea62a56f209f28d14412d474eb69bf481 100644
+--- a/bin/tests/system/keymgr/clean.sh
++++ b/bin/tests/system/keymgr/clean.sh
+@@ -11,5 +11,7 @@
+ 
+ rm -f */K*.key
+ rm -f */K*.private
++rm -f Kexample.com.*.key
++rm -f Kexample.com.*.private
+ rm -f coverage.* keymgr.*
+ rm -f policy.out
+diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh
+index 24e6c7cf0dd99c0ac51cb54bd5bb7beaca3ff692..ea6e5667947547848a8cf082d23269a82d9bb97a 100644
+--- a/bin/tests/system/keymgr/setup.sh
++++ b/bin/tests/system/keymgr/setup.sh
+@@ -214,3 +214,13 @@ rm -f $dir/K*.private
+ ksk1=`$KEYGEN -K $dir -3fk example.com`
+ zsk1=`$KEYGEN -K $dir -3 example.com`
+ $SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
++
++# Test 19: Key has been published/active a long time
++dir=19-old-keys
++echo_i "set up $dir"
++rm -f $dir/K*.key
++rm -f $dir/K*.private
++ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
++zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
++$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null
++$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null
+diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
+index 88b43d90fb4b00b4157eed27831106b621db56df..89fedd31dff5c455399ffdd0545f2770281321dc 100644
+--- a/bin/tests/system/keymgr/tests.sh
++++ b/bin/tests/system/keymgr/tests.sh
+@@ -16,13 +16,19 @@ status=0
+ n=1
+ 
+ matchall () {
++    match_result=ok
+     file=$1
+-    echo "$2" | while read matchline; do
+-        grep "$matchline" $file > /dev/null 2>&1 || {
+-            echo "FAIL"
+-            return
++    while IFS="," read expect matchline; do
++        [ -z "$matchline" ] && continue
++        matches=`grep "$matchline" $file | wc -l`
++        [ "$matches" -ne "$expect" ] && {
++            echo "'$matchline': expected $expect found $matches"
++            return 1
+         }
+-    done
++    done << EOF
++    $2
++EOF
++    return 0
+ }
+ 
+ echo_i "checking for DNSSEC key coverage issues"
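Review bot: the rewritten `matchall` splits each line of `$2` on a comma into `expect` and `matchline` and skips lines with an empty `matchline`; an expect file whose kmatch/cmatch lines still use the old bare-pattern form has no comma, so the whole pattern lands in `expect`, `matchline` is empty and the line is silently skipped, turning the check into a no-op. Only `19-old-keys/expect` is added in this patch, so verify that every other `expect` file picked up by the `for dir in [0-9][0-9]-*` loop already uses the `count,pattern` form, or make the no-comma case fail loudly. Also, the here-doc body line `    $2` is indented with spaces that travel into `expect` as `    4`; this works only because `[ -ne ]` tolerates leading whitespace, so placing `$2` at column 0 removes the dependency.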
+@@ -51,11 +57,8 @@ for dir in [0-9][0-9]-*; do
+             ret=1
+         fi
+ 
+-        found=`matchall keymgr.$n "$kmatch"`
+-        if [ "$found" = "FAIL" ]; then
+-            echo "no match on '$kmatch'"
+-            ret=1
+-        fi
++        # check for matches in keymgr output
++        matchall keymgr.$n "$kmatch" || ret=1
+ 
+         # now check coverage
+         $COVERAGE -K $dir $cargs > coverage.$n 2>&1
+@@ -87,10 +90,13 @@ for dir in [0-9][0-9]-*; do
+             ret=1
+         fi
+ 
+-        found=`matchall coverage.$n "$cmatch"`
+-        if [ "$found" = "FAIL" ]; then
+-            echo "no match on '$cmatch'"
+-            ret=1
++        # check for matches in coverage output
++        matchall coverage.$n "$cmatch" || ret=1
++
++        if [ -f $dir/extra.sh ]; then
++           cd $dir
++           . ./extra.sh
++           cd ..
+         fi
+ 
+         n=`expr $n + 1`
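Review bot: `extra.sh` is sourced in the test's own shell (`cd $dir; . ./extra.sh; cd ..`) so that its `ret=1` reaches the loop, which means it shares `n`, `dir`, `ret` and every other variable with `tests.sh`; the `extra.sh` in `19-old-keys` only sets `ret`, but that contract should be stated in a comment next to the sourcing. The two `cd` calls are also unchecked: if `cd $dir` fails, `. ./extra.sh` runs in the parent directory and the following `cd ..` climbs one level too far for the rest of the loop, so the return value of `cd $dir` should be tested before sourcing.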
diff -Nru bind9-9.11.5.P4+dfsg/debian/patches/series bind9-9.11.5.P4+dfsg/debian/patches/series
--- bind9-9.11.5.P4+dfsg/debian/patches/series	2019-02-22 16:54:10.000000000 +0000
+++ bind9-9.11.5.P4+dfsg/debian/patches/series	2019-04-22 20:31:06.000000000 +0000
@@ -8,3 +8,4 @@
 80_reproducible_build.diff
 Add_--install-layout=deb_to_setup.py_call.patch
 skip-rtld-deepbind-for-dyndb.diff
+keymgr-dont-immediately-delete.diff
Hints needed:
unblock bind9/1:9.11.5.P4+dfsg-3
# XXXX: Confirm with d-i RM
unblock-udeb bind9/1:9.11.5.P4+dfsg-3