VerifyHostKeyDNS not working due to missing trust-ad flag

Bug #1897744 reported by Daniel von Obernitz
This bug affects 2 people
Affects              Status        Importance  Assigned to    Milestone
systemd (Ubuntu)     Fix Released  Undecided   Unassigned
  Focal              Fix Released  Medium      Dan Streetman

Bug Description

[impact]

Without the trust-ad resolv.conf option, glibc will strip AD from systemd-resolved responses. One thing this will prevent from working is ssh VerifyHostKeyDNS.

[test case]

see https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1898590/comments/7

[regression potential]

Regressions would likely involve DNS lookup failures, probably if DNSSEC is enabled but possibly even without, and likely when the application requesting the DNS lookup processes the response AD.

[scope]

This is needed only in focal.

glibc first stripped the AD in version 2.31, so this is not needed in bionic or earlier.

This was added upstream in commit a742f9828ea, which was included in v246, so this is fixed already in groovy.

[original description]

Hi,

1)
Description: Ubuntu 20.04.1 LTS
Release: 20.04

2)
systemd: 245.4-4ubuntu3.2

3)
I set VerifyHostKeyDNS to YES and hosts are automatically verified via SSHFP.

4)
I still get the security question:
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

The issue is known and fixed in systemd v246.
https://github.com/systemd/systemd/pull/16072

Best regards
Daniel
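To make the chain in the description concrete, here is an added Python model, written for this page and not code from the bug, systemd or OpenSSH, of how a resolv.conf `options` line, the glibc 2.31 AD handling described above, and OpenSSH's SSHFP matching combine into the prompt Daniel saw. The resolv.conf texts, the 32-byte host key and the SSHFP record are constructed samples; the SSHFP fingerprint (a hash over the OpenSSH public key blob) follows RFC 4255/6594, and systemd-resolved at 127.0.0.53 is assumed to have validated DNSSEC and set AD on its answer.

```python
"""Model of the trust chain behind ssh VerifyHostKeyDNS (added example).

Assumptions: the glibc threshold (2.31) and the effect of 'trust-ad' are taken
from the bug description; the resolv.conf texts, host key bytes and SSHFP
records below are constructed samples, not taken from any real host."""
import hashlib
import struct


def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf text.

    glibc treats lines starting with '#' or ';' as comments. Several 'options'
    lines accumulate, and valued options such as ndots:2 are kept by name only."""
    nameservers, options = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        key, *args = line.split()
        if key == 'nameserver' and args:
            nameservers.append(args[0])
        elif key == 'options':
            options.update(arg.split(':', 1)[0] for arg in args)
    return nameservers, options


def ad_bit_reaches_application(glibc_version, options, resolver_sets_ad):
    """Does the AD flag survive glibc's stub resolver?

    Per the bug: from glibc 2.31 the AD bit is cleared unless resolv.conf
    carries 'options trust-ad'; earlier glibc passed it through unchanged."""
    if not resolver_sets_ad:
        return False
    if glibc_version < (2, 31):
        return True
    return 'trust-ad' in options


def openssh_key_blob(key_type, raw_public_key):
    """OpenSSH wire encoding of a public key: string(type) || string(key).

    This is the blob that ssh-keygen -r hashes to produce SSHFP records; for
    ssh-ed25519 the raw key is the 32-byte public point."""
    def ssh_string(b):
        return struct.pack('>I', len(b)) + b
    return ssh_string(key_type) + ssh_string(raw_public_key)


# SSHFP algorithm numbers for the key types modelled here.
SSHFP_ALGO = {b'ssh-rsa': 1, b'ecdsa-sha2-nistp256': 3, b'ssh-ed25519': 4}


def sshfp_fingerprint(key_blob, fptype):
    """SSHFP fingerprint: type 1 = SHA-1, type 2 = SHA-256 over the key blob."""
    if fptype == 1:
        return hashlib.sha1(key_blob).hexdigest()
    if fptype == 2:
        return hashlib.sha256(key_blob).hexdigest()
    raise ValueError(f'unknown SSHFP fingerprint type {fptype}')


def verify_host_key_dns(key_type, raw_public_key, sshfp_records, ad_trusted):
    """Outcome of VerifyHostKeyDNS=yes for one host key.

    sshfp_records: iterable of (algorithm, fptype, hex_fingerprint) from DNS.
    Only a match backed by a trusted AD bit lets ssh skip the prompt; a match
    without it produces the 'Matching host key fingerprint found in DNS.'
    question quoted in the report."""
    blob = openssh_key_blob(key_type, raw_public_key)
    algo = SSHFP_ALGO[key_type]
    for alg, fptype, fp in sshfp_records:
        if alg == algo and sshfp_fingerprint(blob, fptype) == fp.lower():
            return 'accepted' if ad_trusted else 'matching-but-prompt'
    return 'no-match-prompt'


# Constructed sample: a placeholder ed25519 host key and its SSHFP 4 2 record.
SAMPLE_KEY = bytes(range(32))  # not a real key
SAMPLE_SSHFP = [(4, 2, sshfp_fingerprint(openssh_key_blob(b'ssh-ed25519', SAMPLE_KEY), 2))]

STUB_RESOLV_CONF_BEFORE = """# constructed: focal stub-resolv.conf before the fix
nameserver 127.0.0.53
options edns0
search example.internal
"""
STUB_RESOLV_CONF_AFTER = STUB_RESOLV_CONF_BEFORE.replace('options edns0', 'options edns0 trust-ad')


def ssh_outcome(resolv_conf_text, glibc_version=(2, 31)):
    """Chain the pieces: resolv.conf options -> AD survival -> ssh decision.
    systemd-resolved at 127.0.0.53 is assumed to have validated DNSSEC and set AD."""
    _, options = parse_resolv_conf(resolv_conf_text)
    ad_ok = ad_bit_reaches_application(glibc_version, options, resolver_sets_ad=True)
    return verify_host_key_dns(b'ssh-ed25519', SAMPLE_KEY, SAMPLE_SSHFP, ad_ok)


if __name__ == '__main__':
    print('focal glibc, before fix:', ssh_outcome(STUB_RESOLV_CONF_BEFORE))
    print('focal glibc, after fix: ', ssh_outcome(STUB_RESOLV_CONF_AFTER))
    print('pre-2.31 glibc, no trust-ad:', ssh_outcome(STUB_RESOLV_CONF_BEFORE, (2, 27)))
```

Run as a script it reports matching-but-prompt for the pre-fix stub file and accepted once trust-ad is present, while a pre-2.31 glibc is accepted either way, which is why the bug is scoped to focal. The same functions can be pointed at a real /run/systemd/resolve/stub-resolv.conf to check a host after the update.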

Dan Streetman (ddstreet)
description: updated
Changed in systemd (Ubuntu):
status: New → Fix Released
Dan Streetman (ddstreet)
description: updated
Changed in systemd (Ubuntu Focal):
assignee: nobody → Dan Streetman (ddstreet)
importance: Undecided → Medium
status: New → In Progress
Dan Streetman (ddstreet)
description: updated
David (liewebagency-deactivatedaccount) wrote : Re: [Bug 1897744] VerifyHostKeyDNS not working due to missing trust-ad flag

Hello,

I use PowerDNS master, and is it best to use their recursor also, or? And is PowerDNS's own recursor faster and better than the other option, like MySQL or PostgreSQL as slaves instead of PowerDNS Recursor? Is MySQL/PostgreSQL quicker and better than their recursor? TinyDNS is going out, I think. Knot DNS is also free and made by those who sell the Czech domain registry; it's called Knot. Anyone know if that is a better solution? I need anything BUT BIND9, it's the worst shit that exists! I need something fast, secure and reliable and good at handling heavy traffic, and which can be used in ISPConfig 3.2. Some said PowerDNS and Knot could work in that panel; I have spent 1 month looking for a panel that supports pdns or Knot but found none!
Would love some advice.

And how do I get DNSSEC for my DNS? Do I log in to RIPE and get it from them, or?

I'm going to run my own nameservers like before.

> On 1 Oct 2020 at 16:17, Dan Streetman <email address hidden> wrote:
>
> ** Description changed:
>
> + [impact]
> +
> + without trust-ad resolv.conf option, glibc will strip AD from systemd-
> + resolved responses. one thing this will prevent working is ssh/sftp
> + VerifyHostKeyDNS
> +
> + [test case]
> +
> + TBD
> +
> + [regression potential]
> +
> + TBD
> +
> + [scope]
> +
> + this is needed only in focal.
> +
> + glibc first stripped the AD in version 2.31, so this is not needed in
> + bionic or earlier.
> +
> + this was added upstream in commit a742f9828ea which was included in
> + v246, so this is fixed already in groovy.
> +
> + [original description]
> +
> Hi,
>
> 1)
> Description: Ubuntu 20.04.1 LTS
> Release: 20.04
>
> 2)
> systemd: 245.4-4ubuntu3.2
>
> 3)
> I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
>
> 4)
> I still get the security question
> Matching host key fingerprint found in DNS.
> - Are you sure you want to continue connecting (yes/no/[fingerprint])?
> + Are you sure you want to continue connecting (yes/no/[fingerprint])?
>
> The issue is known and fixed in systemd v246.
> https://github.com/systemd/systemd/pull/16072
>
> Best regards
> Daniel
>
> ** Also affects: systemd (Ubuntu Focal)
> Importance: Undecided
> Status: New
>
> ** Changed in: systemd (Ubuntu)
> Status: New => Fix Released
>
> --
> You received this bug notification because you are subscribed to Focal.
> Matching subscriptions: <email address hidden>
> https://bugs.launchpad.net/bugs/1897744
>
> Title:
> VerifyHostKeyDNS not working due to missing trust-ad flag
>
> Status in systemd package in Ubuntu:
> Fix Released
> Status in systemd source package in Focal:
> In Progress
>
> Bug description:
> [impact]
>
> without trust-ad resolv.conf option, glibc will strip AD from systemd-
> resolved responses. one thing this will prevent working is ssh/sftp
> VerifyHostKeyDNS
>
> [test case]
>
> TBD
>
> [regression potential]
>
> regressions would likely involve DNS lookup failures, probably if
> DNSSEC is enabled but possibly even without, and likely when the
> application requesting the dns lookup processes the response AD.
>
> [scope]
>
> this is needed only in foca...


Christian Ehrhardt (paelzer) wrote :

I just re-debugged into the same case - now marked as dup.
You might consider using https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1898590/comments/7 as test steps to verify that once uploaded to focal-proposed.

Dan Streetman (ddstreet)
description: updated
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Daniel, or anyone else affected,

Accepted systemd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/systemd/245.4-4ubuntu3.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in systemd (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-focal
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (systemd/245.4-4ubuntu3.3)

All autopkgtests for the newly accepted systemd (245.4-4ubuntu3.3) for focal have finished running.
The following regressions have been reported in tests triggered by the package:

linux-hwe-5.8/5.8.0-25.26~20.04.1 (armhf)
python-dbusmock/0.19-1 (armhf)
lxc/1:4.0.2-0ubuntu1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/focal/update_excuses.html#systemd

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Daniel von Obernitz (itzonban) wrote :

Hello Brian,

I installed version 245.4-4ubuntu3.3 from focal-proposed on my focal systems, did some restarts, and checked the content of /etc/resolv.conf (trust-ad was always present). Connection to servers using SSHFP is working without the authenticity question, except for those servers without an SSHFP key in DNS. So everything works as it is supposed to.

Thanks a lot and I have changed the tag for focal.

Daniel

tags: added: verification-done-focal
removed: verification-needed-focal
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for systemd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package systemd - 245.4-4ubuntu3.3

---------------
systemd (245.4-4ubuntu3.3) focal; urgency=medium

  [ Rafael David Tinoco ]
  * d/p/lp1861941-dont-generate-disk-byuuid-for-bcache-uuid.patch:
    Reworded and reintroduced patch to fully explain delta is NOT a fix to
    LP: #1861941 if the bcache-tools patch exists, but should be kept anyway
    as the change makes sense for a better experience to end user.
    (LP: #1861941)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f8f64b3b58a04a83b1c426818b9affc41e0bff6c

  [ Dan Streetman ]
  * d/p/lp1882596-man-fix-some-manvolnum.patch:
    - fix some man section references (LP: #1882596)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=3959ec95eff78d38ec4409807f151572afe83fe9
  * d/p/lp1895418-correct-resolved-conf-cache-default.patch:
    - fix resolved.conf default Cache= value (LP: #1895418)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=ebe274a2b01658ee39b372d7033c35209510b028
  * d/p/lp1897744-resolve-enable-RES_TRUSTAD-towards-the-127.0.0.53-st.patch:
    - add resolv.conf 'trust-ad' option (LP: #1897744)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=f6acc8c620b80adab7b048352d85e722b5ba8214
  * d/t/*:
    - Update tests to fix false negatives (LP: #1892358)
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=cee6c31a6caec7888270c9fa8757105ab950ed0c
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=a1c1a2bb0ff27faf84fe94583631dfd0f1f4ed8f
    https://git.launchpad.net/~ubuntu-core-dev/ubuntu/+source/systemd/commit/?id=9417ce996766c133c2a33d4102ce1494f3166774

 -- Dan Streetman <email address hidden> Thu, 08 Oct 2020 16:14:56 -0400

Changed in systemd (Ubuntu Focal):
status: Fix Committed → Fix Released