Bind 9.7.0-P1 validation errors

Bug #651875 reported by Antoin Verschuren
Affects           Status        Importance  Assigned to   Milestone
bind9 (Ubuntu)    Fix Released  Medium      Unassigned
Lucid             Won't Fix     Medium      LaMont Jones
Maverick          Won't Fix     Undecided   LaMont Jones

Bug Description

Binary package hint: bind9

Ubuntu 10.04 LTS still uses Bind 9.7.0-P1, which has a serious validation bug.
When turning on DNSSEC, NXDOMAINs are reported as SERVFAILs:

; <<>> DiG 9.7.0-P1 <<>> www.bbc.net.uk aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46074

See also the discussion on the Bind User list: http://<email address hidden>/msg05701.html

There was a proposed patch, but it was never released because Bind 9.7.0 is no longer supported by ISC, and should be upgraded to Bind 9.7.2-P2 at least.

Since DNSSEC is gaining momentum, and more and more TLDs and domains are DNSSEC signed, this bug is starting to annoy more and more people that rely on log errors for Bind when introducing DNSSEC.

=== SRU ===
IMPACT: In some situations, when DNSSEC is enabled bind9 could incorrectly return SERVFAIL rather than a correct result. (http://www.isc.org/announcement/bind-9-dnssec-validation-fails-new-ds-record)

RESOLUTION: Correctly check the DNSSEC/DLV auth status before declaring the chain broken. Fixed upstream and cherry-picked, as part of release 9.6.2-P2.

PATCH: http://bazaar.launchpad.net/~davewalker/ubuntu/lucid/bind9/lp_651875/revision/22

TEST CASE:
Set up bind9, enable DNSSEC and DLV validation.
Look up a DNSSEC domain.
Sign a TLD and insert it into the zone file. :P
Or wait until March 31st when this will happen with .com.
Look up a DNSSEC domain (may have to wait for the cache to expire).
Witness SERVFAIL on lookup.

DISCUSSION:
A good discussion of what happens if this isn't resolved is here: http://www.isc.org/community/blog/201004/dnssec-transitions-and-signing-arpa . The regression potential is low, limited to an additional 'if' check which originated from upstream and has been released for a significant time.

Tags: testcase
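As an added example (not part of this report or of the bind9 package), a POSIX shell helper for the diagnostic behind the test case above: run the same lookup once normally and once with +cd (checking disabled), and flag the case where only the validating query returns SERVFAIL, which is the symptom described. The dig output it parses here is constructed from the header quoted in the report so the script runs offline; check_live (a name assumed for this example) runs the two real queries against a resolver you specify.

```shell
#!/bin/sh
# Extract the status word from dig's HEADER line, e.g. "status: SERVFAIL,".
# Prints nothing if no HEADER line is present (timeout, no answer).
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Compare a plain query with the same query run with checking disabled.
# Arguments: output of the plain query, output of the +cd query.
# Prints one of: validation-failure, upstream-failure, ok, inconclusive.
classify_validation() {
    plain=$(dig_status "$1")
    nocheck=$(dig_status "$2")
    if [ "$plain" = "SERVFAIL" ] && [ -n "$nocheck" ] && [ "$nocheck" != "SERVFAIL" ]; then
        # Only the validating path fails: the resolver rejected a chain
        # that the unvalidated answer shows is otherwise reachable.
        echo validation-failure
    elif [ "$plain" = "SERVFAIL" ] && [ "$nocheck" = "SERVFAIL" ]; then
        # Both fail: the authoritative side or the network is the problem.
        echo upstream-failure
    elif [ -n "$plain" ]; then
        echo ok
    else
        echo inconclusive
    fi
}

# Run the two live queries against a resolver (assumed helper; needs dig).
# Usage: check_live 127.0.0.1 www.example.net AAAA
check_live() {
    classify_validation "$(dig @"$1" "$2" "$3")" "$(dig @"$1" "$2" "$3" +cd)"
}

# Constructed samples: the SERVFAIL header quoted in the report, and a +cd
# answer for the same name returning the expected negative response.
PLAIN_SAMPLE='; <<>> DiG 9.7.0-P1 <<>> www.bbc.net.uk aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46074'

CD_SAMPLE='; <<>> DiG 9.7.0-P1 <<>> www.bbc.net.uk aaaa +cd
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46075'
```

Against a fixed resolver the same pair of queries should classify as ok (both NXDOMAIN); a validation-failure result on a known-good signed name points at the resolver's validation, not at the zone.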
Revision history for this message
Antoin Verschuren (ubuntu-antoin) wrote :

correction, the bug fix was released in Bind 9.7.0-P2:

 --- 9.7.0-P2 released ---

2876. [bug] Named could return SERVFAIL for negative responses
   from unsigned zones. [RT #21131]

 --- 9.7.0-P1 released ---

2852. [bug] Handle broken DNSSEC trust chains better. [RT #15619]

 --- 9.7.0 released ---

description: updated
Revision history for this message
Scott Moser (smoser) wrote :

Marking this as fix-released in maverick.
Getting the changes back to 10.04 will require following SRU guidelines at https://wiki.ubuntu.com/StableReleaseUpdates .

Changed in bind9 (Ubuntu):
importance: Undecided → Medium
status: New → Fix Released
Revision history for this message
Antoin Verschuren (ubuntu-antoin) wrote :

I have no experience in filing bug reports for Ubuntu, so I wonder what the status of this bug is, and what it's waiting for now?
Cannot find any references to activities to fix this in Lucid....

Changed in bind9 (Ubuntu Lucid):
status: New → Confirmed
Dave Walker (davewalker)
description: updated
Dave Walker (davewalker)
Changed in bind9 (Ubuntu Lucid):
assignee: nobody → Dave Walker (davewalker)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

We probably need this also:

2890. [bug] Handle the introduction of new trusted-keys and
   DS, DLV RRsets better. [RT #21097]

as per the Verisign document here: http://www.verisignlabs.com/documents/BIND-DS-Servfail.pdf

Changed in bind9 (Ubuntu Lucid):
importance: Undecided → Medium
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

A lot of development work to get dnssec properly supported and stabilized went into bind9 releases after lucid was released. Unfortunately, I don't see how it could be possible to backport all of those fixes into the version of bind currently in Lucid, especially since upstream does not have a public repository where individual patches can be looked at.

We have two choices:
1- Live with the version of bind we currently have in Lucid with known broken DNSSEC support
2- Do a one-time SRU of bind 9.7.3 into Lucid and Maverick, and revert to applying cherry-picked fixes in the future.

Since Lucid is an LTS release, it would be preferable to get proper DNSSEC support in it, especially before the March 31st deadline.

Revision history for this message
LaMont Jones (lamont) wrote :

In terms of supportability, I am FAR more comfortable supporting 9.7.3 than any attempt at backporting just the DNSSEC changes from 9.7.3 to some previous 9.7 release. Upstream tends to be very good about only putting fixes into fix-release version releases.

lamont

Revision history for this message
Martin Pitt (pitti) wrote :

http://bazaar.launchpad.net/~davewalker/ubuntu/lucid/bind9/lp_651875/revision/22 looks fine to me in any case. I agree that we should retrofit better DNSSEC support to lucid.

Do you have a changelog between 9.7.0-P1 and 9.7.3? If these changes look reasonable, and we have a reasonably well covering test suite for it (upstream or in our qa-regression-tests), I'm ok with SRUing this as well.

Thanks,

Martin

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Here is the enormous changelog between 9.7.0 and 9.7.3. Probably half of those commits are necessary to get DNSSEC working properly.

The upstream package has an excellent and complete test suite, and instructions for running it are located in qa-regression-testing, along with a basic testing script.

Revision history for this message
Mark Foster (fostermarkd) wrote :

I agree that it makes more sense to go with 9.7.3 here. It's only a "minor" upgrade and .0 releases are historically problematic anyway.

Revision history for this message
Mark Foster (fostermarkd) wrote :

Amending my comment #9. This appears to qualify as a micro-version release per https://wiki.ubuntu.com/StableReleaseUpdates/MicroReleaseExceptions and thus needs to be approved by the technical board for the criteria.

Revision history for this message
Dave Walker (davewalker) wrote :

@Mark, The Technical Board have already been invited for comment, via email. Thanks.

Revision history for this message
Matt Zimmerman (mdz) wrote :

MicroReleaseExceptions is a list of standing exceptions. It's not necessary to go through the tech board to handle one-off requests like this one. The SRU team can decide what to do here without TB involvement.

Dave Walker (davewalker)
Changed in bind9 (Ubuntu Lucid):
assignee: Dave Walker (davewalker) → LaMont Jones (lamont)
Changed in bind9 (Ubuntu Maverick):
assignee: nobody → LaMont Jones (lamont)
Revision history for this message
Martin Pitt (pitti) wrote :

Dave says we don't have a comprehensive test suite, instead he'll do a wide call for testing on the mailing list. This will then take a little longer to progress.

If this issue is urgent, I recommend backporting the single fix for this, as it's much safer and a lot quicker to test.

But I'm ok with either approach (or both).

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Huh? Bind9 contains its own test suite that pretty much covers all functionality. Instructions here:
http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/view/head:/build_testing/bind9/bind9-testing.txt

Revision history for this message
Dave Walker (davewalker) wrote :

I'm sorry, but I think I introduced some confusion. I thought we were talking about our derived test cases, rather than upstream test suite.

Revision history for this message
LaMont Jones (lamont) wrote : Re: [Bug 651875] Re: Bind 9.7.0-P1 validation errors

On Mon, Mar 28, 2011 at 02:36:16PM -0000, Martin Pitt wrote:
> If this issue is urgent, I recommend backporting the single fix for
> this, as it's much safer and a lot quicker to test.

The "single fix" in this case consists of all the DNSSEC cleanup and
bugfixing since the lucid version. I'd be uncomfortable trying to
maintain a franken-version...

lamont

Revision history for this message
Martin Pitt (pitti) wrote :

As you wish.

I had to reject the current lucid/maverick uploads, as they have an incomplete changelog which doesn't refer to this SRU bug (as the very minimum) and also don't give a rationale (remember that update-manager will prominently display the changelog, to aid users in deciding whether or not they want to install it).

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Just an FYI, updates for lucid and maverick need to contain transitional packages for libdns* and libisc* since update-manager will not remove any package when installing updates...

tags: added: testcase
Changed in bind9 (Ubuntu Maverick):
status: New → Won't Fix
Changed in bind9 (Ubuntu Lucid):
status: Confirmed → Won't Fix