Bug 267558 - dns/bind-tools: nsupdate fails to read keys
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: amd64 Any
Importance: --- Affects Only Me
Assignee: Mathieu Arnold
Keywords: regression
Reported: 2022-11-04 09:53 UTC by Dirk Meyer
Modified: 2023-11-02 17:46 UTC

bugzilla: maintainer-feedback? (mat)


Description Dirk Meyer freebsd_committer freebsd_triage 2022-11-04 09:53:10 UTC
Setup:
A server jail running "bind916-9.16.34_1":
A client jail running "bind-tools"
The client app sends changes to a dynamic zone via "nsupdate" to the server.

I was upgrading the client jail:

Installed packages to be UPGRADED:
        bind-tools: 9.18.7 -> 9.18.8
        bind916: 9.16.33_1 -> 9.16.34_1

The packages were built with:
/etc/make.conf
DEFAULT_VERSIONS+=      ssl=openssl

After the upgrade, nsupdate failed with:

/usr/local/bin/nsupdate -k '/usr/local/etc/namedb/Kexample.com.dyn.+157+56215.key'

04-Nov-2022 09:54:01.525 /usr/local/etc/namedb/Kexample.com.dyn.+157+56215.key:1: unknown option 'example.com.dyn.'
04-Nov-2022 09:54:01.525 /usr/local/etc/namedb/Kexample.com.dyn.+157+56215.key:2: unexpected token near end of file
could not read key from /usr/local/etc/namedb/Kexample.com.dyn.+157+56215.{private,key}: unexpected token
update failed: REFUSED

After downgrading both packages, everything works again.

diff of "pkg info bind-tools"
-bind-tools-9.18.7
+bind-tools-9.18.8
-Version        : 9.18.7
+Version        : 9.18.8
 Options        :
-       GSSAPI_BASE    : off
-       GSSAPI_HEIMDAL : off
-       GSSAPI_MIT     : off
-       GSSAPI_NONE    : on
+       GSSAPI_BASE    : off
+       GSSAPI_HEIMDAL : off
+       GSSAPI_MIT     : off
+       GSSAPI_NONE    : on
 Shared Libs provided:
-       libns-9.18.7.so
-       libisccfg-9.18.7.so
-       libisccc-9.18.7.so
-       libisc-9.18.7.so
-       libirs-9.18.7.so
-       libdns-9.18.7.so
-       libbind9-9.18.7.so
+       libbind9-9.18.8.so
+       libdns-9.18.8.so
+       libirs-9.18.8.so
+       libisc-9.18.8.so
+       libisccc-9.18.8.so
+       libisccfg-9.18.8.so
+       libns-9.18.8.so
 Annotations    :
+       cpe            : cpe:2.3:a:isc:bind:9.18.8:::::freebsd12:x64
-       cpe            : cpe:2.3:a:isc:bind:9.18.7:::::freebsd12:x64
-Flat size      : 9.37MiB
+Flat size      : 9.38MiB

I found nothing related in the upstream Changelogs for 9.16 and 9.18.
Comment 1 Dirk Meyer freebsd_committer freebsd_triage 2022-11-28 18:57:10 UTC
Same problem after upgrading to bind-tools-9.18.9.
Reverting to bind-tools-9.18.7 fixed the problem.
Comment 2 Mathieu Arnold freebsd_committer freebsd_triage 2022-12-15 09:25:34 UTC
As nothing changed in the port itself, I don't see how it could be related to the update. Have you opened an issue upstream?
Comment 3 Dirk Meyer freebsd_committer freebsd_triage 2022-12-18 20:42:27 UTC
I failed to create an issue upstream; my account had expired.

The issue does happen with older keys.
Newly generated key files do work for now.

Keys with "algorithm hmac-md5" can no longer be used.
Sadly there was no documentation upstream about this.

Reverting to an older openssl did not have any effect.
Comment 4 Andrew 2023-04-26 10:35:58 UTC
Just tried with version 9.18.14: the issue still persists.
Comment 5 Andrew 2023-11-02 17:46:31 UTC
I just tried version 9.18.19 and it works again now, even if the command outputs this warning message: "Use of K* file pairs for HMAC is deprecated".

Thus I think this issue can be closed.
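
Added example, not part of the bug report and not code from the port or from ISC: since the warning quoted in Comment 5 deprecates K* file pairs for HMAC, this POSIX sh function rewrites such a pair as the named.conf-style key statement that nsupdate -k also reads. It assumes the usual dnssec-keygen layout of the .key and .private files; the function names and the sample secret are constructed for illustration.

```sh
#!/bin/sh
# Added example: turn a legacy dnssec-keygen HMAC pair (K*.key + K*.private)
# into a named.conf-style key statement for "nsupdate -k".

# Map the numeric algorithm id used in K* files to a TSIG algorithm name.
tsig_alg_name() {
    case "$1" in
        157) echo hmac-md5 ;;
        161) echo hmac-sha1 ;;
        162) echo hmac-sha224 ;;
        163) echo hmac-sha256 ;;
        164) echo hmac-sha384 ;;
        165) echo hmac-sha512 ;;
        *)   return 1 ;;   # not an HMAC key (e.g. a DNSSEC signing key)
    esac
}

# kpair_to_clause PATH: PATH is the pair's .key, .private or common prefix.
kpair_to_clause() {
    base=${1%.key}; base=${base%.private}
    [ -r "$base.key" ] && [ -r "$base.private" ] || {
        echo "cannot read $base.key and $base.private" >&2; return 2; }
    # Assumed .key layout: "<name> IN KEY <flags> <proto> <alg> <base64>"
    name=$(awk '$2 == "IN" && $3 == "KEY" { print $1; exit }' "$base.key")
    # Assumed .private layout: "Algorithm: <num> (<label>)" and "Key: <base64>"
    alg=$(awk '$1 == "Algorithm:" { print $2; exit }' "$base.private")
    secret=$(awk '$1 == "Key:" { print $2; exit }' "$base.private")
    algname=$(tsig_alg_name "$alg") || {
        echo "algorithm '$alg' is not an HMAC/TSIG algorithm" >&2; return 3; }
    [ -n "$name" ] && [ -n "$secret" ] || {
        echo "could not parse key name or secret" >&2; return 4; }
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
        "$name" "$algname" "$secret"
}

# Run the conversion on a constructed pair (sample secret, not a real key).
demo() {
    d=$(mktemp -d) || return 1
    b="$d/Kexample.com.dyn.+157+56215"
    echo 'example.com.dyn. IN KEY 512 3 157 Y29uc3RydWN0ZWQta2V5IQ==' > "$b.key"
    printf '%s\n' 'Private-key-format: v1.3' 'Algorithm: 157 (HMAC_MD5)' \
        'Key: Y29uc3RydWN0ZWQta2V5IQ==' 'Bits: AAA=' > "$b.private"
    kpair_to_clause "$b.key" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
```

For real use, run `umask 077` first and redirect the output of `kpair_to_clause` to a new file, then pass that file to `nsupdate -k`. The statement carries the same shared secret and algorithm as the original pair.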