Comment 1 for bug 1897744
David (liewebagency-deactivatedaccount) wrote : Re: [Bug 1897744] VerifyHostKeyDNS not working due to missing trust-ad flag

Hello,

I use PowerDNS master, and is it best to use their recursor also or? And is PowerDNS's own recursor faster and better than the other options like MySQL, Postgres as slaves instead or PowerDNS Recursor, is MySQL PostgreSQL quicker and better than their recursor? Tinydns is going out I think. Knot DNS is also free and made by those who sell the Czech domain registry, Knot it's called; anyone know if that is a better solution? I need anything BUT BIND9, it's the worst shit that exists! I need something fast, secure and reliable and good at being in heavy traffic and which can be used in ISPConfig 3.2. Some said PowerDNS and Knot could work in that panel, I have spent 1 month looking for a panel that supports pdns or knot but none!
Would love some advice.

And how do I get DNSSEC for my DNS? Do I log in to RIPE and get it from them or?

I'm going to run my own nameservers like before.

> On 1 Oct 2020 at 16:17, Dan Streetman <email address hidden> wrote:
>
> ** Description changed:
>
> + [impact]
> +
> + without trust-ad resolv.conf option, glibc will strip AD from systemd-
> + resolved responses. one thing this will prevent working is ssh/sftp
> + VerifyHostKeyDNS
> +
> + [test case]
> +
> + TBD
> +
> + [regression potential]
> +
> + TBD
> +
> + [scope]
> +
> + this is needed only in focal.
> +
> + glibc first stripped the AD in version 2.31, so this is not needed in
> + bionic or earlier.
> +
> + this was added upstream in commit a742f9828ea which was included in
> + v246, so this is fixed already in groovy.
> +
> + [original description]
> +
> Hi,
>
> 1)
> Description: Ubuntu 20.04.1 LTS
> Release: 20.04
>
> 2)
> systemd: 245.4-4ubuntu3.2
>
> 3)
> I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
>
> 4)
> I still get the security question
> Matching host key fingerprint found in DNS.
> - Are you sure you want to continue connecting (yes/no/[fingerprint])?
> + Are you sure you want to continue connecting (yes/no/[fingerprint])?
>
> The issue is known and fixed in systemd v246.
> https://github.com/systemd/systemd/pull/16072
>
> Best regards
> Daniel
>
> ** Also affects: systemd (Ubuntu Focal)
> Importance: Undecided
> Status: New
>
> ** Changed in: systemd (Ubuntu)
> Status: New => Fix Released
>
> --
> You received this bug notification because you are subscribed to Focal.
> Matching subscriptions: <email address hidden>
> https://bugs.launchpad.net/bugs/1897744
>
> Title:
> VerifyHostKeyDNS not working due to missing trust-ad flag
>
> Status in systemd package in Ubuntu:
> Fix Released
> Status in systemd source package in Focal:
> In Progress
>
> Bug description:
> [impact]
>
> without trust-ad resolv.conf option, glibc will strip AD from
> systemd-resolved responses. one thing this will prevent working is
> ssh/sftp VerifyHostKeyDNS
>
> [test case]
>
> TBD
>
> [regression potential]
>
> regressions would likely involve DNS lookup failures, probably if
> DNSSEC is enabled but possibly even without, and likely when the
> application requesting the dns lookup processes the response AD.
>
> [scope]
>
> this is needed only in focal.
>
> glibc first stripped the AD in version 2.31, so this is not needed in
> bionic or earlier.
>
> this was added upstream in commit a742f9828ea which was included in
> v246, so this is fixed already in groovy.
>
> [original description]
>
> Hi,
>
> 1)
> Description: Ubuntu 20.04.1 LTS
> Release: 20.04
>
> 2)
> systemd: 245.4-4ubuntu3.2
>
> 3)
> I set VerifyHostKeyDNS to YES and hosts are automatically verified via sshfp.
>
> 4)
> I still get the security question
> Matching host key fingerprint found in DNS.
> Are you sure you want to continue connecting (yes/no/[fingerprint])?
>
> The issue is known and fixed in systemd v246.
> https://github.com/systemd/systemd/pull/16072
>
> Best regards
> Daniel
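An added example, not part of the bug report or of the systemd change it cites: a check over resolv.conf content for the `trust-ad` option named in the quoted description. The function name and the three sample files are constructed for illustration, and the warning about non-loopback resolvers follows resolv.conf(5), which says the AD bit should only be relied on when the resolver and the path to it are trusted.

```python
import ipaddress

def _is_loopback(addr):
    """True when the nameserver address is on the local host."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False

def audit_resolv_conf(text):
    """Report whether glibc >= 2.31 would keep the AD bit for this resolv.conf."""
    options, servers = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        keyword, *args = line.split()
        if keyword == "options":
            options.update(args)             # options lines accumulate
        elif keyword == "nameserver" and args:
            servers.append(args[0])
    servers = servers[:3]                    # glibc uses at most three nameservers
    trust_ad = "trust-ad" in options
    findings = []
    if not trust_ad:
        findings.append("trust-ad missing: AD is stripped from responses, "
                        "so ssh VerifyHostKeyDNS still asks for confirmation")
    remote = [s for s in servers if not _is_loopback(s)]
    if trust_ad and remote:
        findings.append("trust-ad set with non-loopback resolver(s): "
                        + ", ".join(remote))
    return {"trust_ad": trust_ad, "nameservers": servers, "findings": findings}

# Constructed samples: stub resolver without the option, with it, and a
# remote resolver (documentation address) with the option set.
WITHOUT_TRUST_AD = "# constructed sample\nnameserver 127.0.0.53\noptions edns0\n"
WITH_TRUST_AD = "nameserver 127.0.0.53\noptions edns0 trust-ad\n"
REMOTE_TRUST_AD = "nameserver 192.0.2.53\noptions trust-ad\n"

if __name__ == "__main__":
    for name, sample in [("without", WITHOUT_TRUST_AD),
                         ("with", WITH_TRUST_AD),
                         ("remote", REMOTE_TRUST_AD)]:
        print(name, audit_resolv_conf(sample))
```

On a live system the same function can be given the contents of `/etc/resolv.conf`.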