NetBSD-Users archive


Re: DNSSEC vs netbsd-8/sparc?

> The problem I reproduced in March (but didn't solve) was on amd64 where 
> the DS didn't match. It used SHA384.
> 
> Two different examples:
> https://mail-index.netbsd.org/netbsd-users/2020/03/24/msg024303.html

Hm, that's ... mine :)

The protonmail.ch DS issue really seems to be a general "in-tree
BIND on netbsd-8 fails doing the sha384 DS checksum" issue:

% which dnssec-dsfromkey
/usr/sbin/dnssec-dsfromkey
% dnssec-dsfromkey -V
dnssec-dsfromkey 9.10.5-P1
% dig protonmail.ch. dnskey | dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 73D3962080B965B6A3D80AB3097FDA1C561C49FB938C06941D9910DC6B3E21AC0F2C8610BB8F6ADB0279EC726D2C4648
% /usr/local/sbin/dnssec-dsfromkey -V
dnssec-dsfromkey 9.14.1
% dig protonmail.ch. dnskey | /usr/local/sbin/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
% dig protonmail.ch. ds +short
27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43 575C1C6FAB6B9FFC521996E526F4B5D513798D9E
% uname -mr
8.1 amd64
%

The /usr/local installation is locally built directly from the
ISC BIND distribution.

Hmm, let's go dig in some BIND release notes...  Hm, no mention
of sha384 being broken there (no big surprise, really...).

Testing the system dnssec-dsfromkey and some other local builds I
had lying around from earlier on another amd64 machine which now
runs 9.0_RC1:

% dig protonmail.ch. dnskey | dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
%
% dig protonmail.ch. dnskey | bind-9.10.5/bin/dnssec/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
%
% dig protonmail.ch. dnskey | bind-9.10.5-P3/bin/dnssec/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
%
% dig protonmail.ch. dnskey | bind-9.10.6-P1/bin/dnssec/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43575C1C6FAB6B9FFC521996E526F4B5D513798D9E
%

Hm, so the problem doesn't actually come from BIND itself.

% file bind-9.10.5/bin/dnssec/dnssec-dsfromkey
bind-9.10.5/bin/dnssec/dnssec-dsfromkey: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /usr/libexec/ld.elf_so, for NetBSD 7.1, with debug_info, not stripped
% 
% uname -rm
9.0_RC1 amd64
% 

So this was built for NetBSD 7.1, but run on 9.0_RC1.  The ldd
output indicates no BIND libraries, but plenty of system
libraries:

% ldd bind-9.10.5/bin/dnssec/dnssec-dsfromkey
bind-9.10.5/bin/dnssec/dnssec-dsfromkey:
        -lgssapi.10 => /usr/lib/libgssapi.so.10
        -lkrb5.26 => /usr/lib/libkrb5.so.26
        -lhx509.5 => /usr/lib/libhx509.so.5
        -lasn1.9 => /usr/lib/libasn1.so.9
        -lcom_err.7 => /usr/lib/libcom_err.so.7
        -lgcc_s.1 => /usr/lib/libgcc_s.so.1
        -lc.12 => /usr/lib/libc.so.12
        -lroken.19 => /usr/lib/libroken.so.19
        -lutil.7 => /usr/lib/libutil.so.7
        -lcrypt.1 => /lib/libcrypt.so.1
        -lcrypto.8 => /usr/lib/libcrypto.so.8
        -lwind.0 => /usr/lib/libwind.so.0
        -lheimbase.1 => /usr/lib/libheimbase.so.1
        -lheimntlm.4 => /usr/lib/libheimntlm.so.4
        -lpthread.1 => /usr/lib/libpthread.so.1
        -lxml2.2 => /usr/pkg/lib/libxml2.so.2
        -lz.1 => /usr/lib/libz.so.1
        -llzma.2 => /usr/lib/liblzma.so.2
        -lm.0 => /usr/lib/libm.so.0
        -llzma.1 => /usr/lib/liblzma.so.1
%

So ... this one does it correctly, but still uses a rather old
-lcrypto (which I have still lying around from when it ran that
release), so it's not that the crypto library is at fault either.

And this time, comparing the two config.h's being used doesn't
point out anything glaringly obvious, neither does comparing the
two isc/platform.h files.

The in-tree BIND in netbsd-8 re-built on 9.0_RC1 still ends up
mis-calculating the sha384 checksum:

% dig protonmail.ch dnskey | env LD_LIBRARY_PATH=/usr/obj/external/bsd/bind/lib/liblwres /usr/obj/external/bsd/bind/bin/dnssec/dnssec-dsfromkey/dnssec-dsfromkey -f - -a sha384 protonmail.ch
protonmail.ch. IN DS 27196 8 4 73D3962080B965B6A3D80AB3097FDA1C561C49FB938C06941D9910DC6B3E21AC0F2C8610BB8F6ADB0279EC726D2C4648

I must admit I'm scratching my head about this one.

Further hints welcome.

Regards,

- Havard
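
An added, stand-alone cross-check for the problem discussed above (example code, not part of the thread and not BIND's code): a reimplementation of the DS computation from RFC 4034 section 5.1.4 (digest over the canonical owner name followed by the DNSKEY RDATA) plus the key-tag algorithm from Appendix B, so the two dnssec-dsfromkey binaries can be judged against an implementation that shares none of BIND's code. The DNSKEY it feeds itself in the demo is a constructed dummy key, because the actual protonmail.ch DNSKEY RDATA is not quoted in the message; the helper names are my own. Paste the real `dig protonmail.ch. dnskey` answer line for the KSK (flags 257) into `ds_from_dnskey_line` and compare the result with `dig protonmail.ch. ds +short`; `ds_matches` tolerates the space dig inserts into long digests.

```python
"""Independent DS-record computation (RFC 4034 sec. 5.1.4, App. B) to
cross-check dnssec-dsfromkey output. Added example; not from the thread
or from BIND."""
import base64
import hashlib
import struct

# DS digest type numbers (RFC 4034 App. A.1, RFC 4509, RFC 6605) -> hash.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire format (RFC 4034 sec. 6.2): lower-case,
    length-prefixed labels, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 App. B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """DS digest = hash(canonical owner name || DNSKEY RDATA), upper-case hex."""
    h = DIGEST_TYPES[digest_type]()
    h.update(canonical_name(owner))
    h.update(rdata)
    return h.hexdigest().upper()


def ds_from_dnskey_line(line: str, digest_type: int) -> str:
    """Turn one 'dig ... dnskey' answer line into a DS record string,
    in the same layout dnssec-dsfromkey prints."""
    fields = line.split()
    i = fields.index("DNSKEY")          # works with or without a TTL column
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))   # base64 may be chunked
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return "%s IN DS %d %d %d %s" % (
        owner, key_tag(rdata), algorithm, digest_type,
        ds_digest(owner, rdata, digest_type))


def normalize_digest(digest: str) -> str:
    """dig +short wraps long digests with a space; strip it before comparing."""
    return "".join(digest.split()).upper()


def ds_matches(ds_a: str, ds_b: str) -> bool:
    """Compare two DS records (full 'name IN DS ...' or '+short' form) by
    key tag, algorithm, digest type and whitespace-normalised digest."""
    def parse(s: str):
        f = s.split()
        i = f.index("DS") if "DS" in f else -1
        return tuple(f[i + 1:i + 4]) + (normalize_digest("".join(f[i + 4:])),)
    return parse(ds_a) == parse(ds_b)


if __name__ == "__main__":
    # Constructed dummy KSK (flags 257, proto 3, alg 8, 4-byte "key"):
    # base64 of 01 02 03 04 is AQIDBA==. Not the real protonmail.ch key.
    line = "protonmail.ch. 3600 IN DNSKEY 257 3 8 AQIDBA=="
    for dt in (2, 4):
        print(ds_from_dnskey_line(line, dt))
    # The two digests from the thread: in-tree 9.10.5-P1 vs. 9.14.1 / parent.
    in_tree = ("27196 8 4 73D3962080B965B6A3D80AB3097FDA1C561C49FB938C06941D9910DC"
               "6B3E21AC0F2C8610BB8F6ADB0279EC726D2C4648")
    parent = ("27196 8 4 E422EE237DE2FE29190F1BDDC0C0E2469679411F329AAB2A7BD8DE43 "
              "575C1C6FAB6B9FFC521996E526F4B5D513798D9E")
    print("in-tree matches parent DS:", ds_matches(in_tree, parent))
```

Because CPython's hashlib normally calls into the system libcrypto, running this on the affected netbsd-8 box also tells you whether SHA-384 itself is sound there: if the script agrees with the 9.14.1 binary, the hash is fine and the divergence is somewhere in how the in-tree 9.10.5-P1 build assembles or hashes the DS input.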
