Adam Tkac and I would like to ask you to release updated dnssec-conf packages (for Fedora 11 and 12 and EL-5) as soon as possible.
Current dnssec-conf packages contain obsolete DNSSEC keys for reverse RIPE zones. Due to this, RIPE nameservers are flooded from all Fedora nameservers because BIND (named daemon) continuously sends questions to RIPE servers trying to obtain these non-existing DNSSEC keys.
Reference: https://lists.isc.org/pipermail/bind-users/2010-February/078726.html
Build references: https://admin.fedoraproject.org/updates/dnssec-conf-1.21-3.fc11 https://admin.fedoraproject.org/updates/dnssec-conf-1.21-7.fc12 https://admin.fedoraproject.org/updates/dnssec-conf-1.21-7.el5
These updates only remove those old keys and restart the bind/unbound nameservers. No new keys are put in as RIPE keys are already loaded into the DLV. Care is taken to not modify named.conf, only named.dnssec.keys.
These will get pushed out as part of the normal updates process, not really sure why you felt it necessary to file a ticket.
From: Paul W. Frields stickster@gmail.com
Cc: Adam Tkac atkac@redhat.com, Anand Buddhdev anandb@ripe.net, Jesse Keating jkeating@redhat.com
To: Mike McGrath mmcgrath@redhat.com, paul@xelerance.com
Subject: Re: #3357: Release updated dnssec-conf packages (fwd)
On Mon, Feb 08, 2010 at 09:20:28AM -0600, Mike McGrath wrote:
On Mon, 8 Feb 2010, Paul Wouters wrote:
On Sun, 7 Feb 2010, Paul Frields wrote:
urgent enough to need that treatment. You could add some assurance by encouraging a few people to test the update and give it karma, but AIUI, it's not necessary if you and Adam are certain this isn't going to break things for users.
Yes, Adam and I have extensively tested this update for bind as well as unbound. We also made sure not to run dnssec-configure anywhere, to avoid more reformatting/rewriting of the named.conf file that people did not like.
Phasing out dnssec-conf will be done in a later regular package update.
This update will restore DNS lookups for the RIPE reverse tree, currently failing for users, and will end the accidental DDoS attack that's being performed against RIPE's nameservers now, due to the combination of expired trust anchor and the bind bug.
Please let me know if I need to do anything else to get this update out as soon as possible.
You might want to contact the actual package maintainers. I'm not actually involved in any of the DNS packages so I think I was mistakenly added to the CC :)
Paul Wouters is the package owner for dnssec-conf. Paul W., maybe you should get with some of the rel-eng'ers in #fedora-devel to check status for this update? I don't see it pushed as of this morning, but I'm not sure when the last push went out.
I see hits searching, https://admin.fedoraproject.org/updates/dnssec-conf
https://admin.fedoraproject.org/updates/dnssec-conf-1.21-3.fc11 https://admin.fedoraproject.org/updates/dnssec-conf-1.21-7.fc12 (queue'd 02-05)
which are queue'd for stable already.
I concur with Jesse, no need for a ticket... can and should be handled by the usual update process... unless there's a problem getting an updates push going in a timely manner.
Yes, Fedora packages were pushed. Thanks! Just the epel package is pending now.
EPEL updates have to go to testing. They can be pushed to stable either via getting 3 positive karma and auto promoting, or waiting 2 weeks in testing. But there is no need for a ticket for it.
This update seems to have broken things for a number of users. Now this is in stable and we have to scramble to fix it. This is why we don't like to do direct to stable pushes, because inevitably something goes wrong!!!!
Metadata Update from @pwouters: - Issue tagged with: dnssec