NetBSD-Users archive


Re: DNSSEC vs netbsd-8/sparc?

On Tue, 21 Apr 2020, Greg Troxel wrote:

> Havard Eidnes <> writes:
> >> Does anybody think that the bind bits in netbsd-8 are ok, even before we
> >> talk about compilation?
> >
> > I'm about halfway through the diff between what's in-tree in
> > netbsd-8 and what's in ISC BIND 9.10.5-P1, and all I find so far
> > are
> I asked because I had trouble maybe two months ago with bind failing to
> resolve protonmailch due to some DNSSEC issue, on amd64, and the same
> problem on earmv7hf-el.  The consensus seemed to be that bind and the
> root keys file in 8 is old and probably shouldn't be used.

I seem to recall the real issue there was "dnssec-lookaside auto" being
set in "named.conf" and the "" key in "bind.keys" being
expired.  The canned root keys in the file are valid (at least the second
one).  If one has the latest updates to netbsd-{7,8,9,current}, the
"bind.keys" files are all up-to-date and identical aside from RCS IDs.

The solution was to comment-out or remove the "dnssec-lookaside" option.
The latter has been done for netbsd-{8,9,current}.

> I have no idea if the present problem is related to that or not - just
> asking if it was a "netbsd-8 on amd64 works, fails on sparc" clear case.

As per Havard's previous email, the pre-cooked "config.h" in netbsd-8
(and apparently netbsd-7) omitted a crucial macro that was harmless on
little-endian systems, but caused big-endian architectures (sparc{,64},
powerpc, and various foo-eb) to miscalculate the SHA1 hashes.

|/"\ John D. Baker, KN5UKS               NetBSD     Darwin/MacOS X
|\ / jdbaker[snail]consolidated[flyspeck]net  OpenBSD            FreeBSD
| X  No HTML/proprietary data in email.   BSD just sits there and works!
|/ \ GPGkeyID:  D703 4A7E 479F 63F8 D3F4  BD99 9572 8F23 E4AD 1645
