Bug 1077799

Summary: ldns could produce bad DSA signatures
Product: Red Hat Enterprise Linux 7
Reporter: Tomáš Hozza <thozza>
Component: ldns
Assignee: Tomáš Hozza <thozza>
Status: CLOSED ERRATA
QA Contact: Radka Brychtova <rskvaril>
Severity: low
Priority: low
Docs Contact:
Version: 7.0
CC: bgollahe, jscotka, psimerda, pwouters, rskvaril, thozza
Target Milestone: rc
Keywords: EasyFix, Patch, Reproducer
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ldns-1.6.16-10.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1077776
Environment:
Last Closed: 2016-11-04 05:05:05 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
  reproducer (flags: none)
  patch (flags: none)
  patch (flags: none)

Description Tomáš Hozza 2014-03-18 15:17:34 UTC
Created attachment 875981 [details]
reproducer

+++ This bug was initially created as a clone of Bug #1077776 +++

Description of problem:
Recently I noticed a discussion on the ldns-users list about an error in ldns.
The error was causing ldns to randomly produce bad signatures when using the
DSA algorithm.

Version-Release number of selected component (if applicable):
ldns-1.6.16-6.fc20.x86_64

How reproducible:
randomly

Steps to Reproduce:
1. run the attached reproducer

Actual results:
reproducer exiting with "1"

Expected results:
reproducer exiting with "0"

Additional info:
mailing list communication:
https://open.nlnetlabs.nl/pipermail/ldns-users/2014-March/000728.html


As unbound, used in RHEL-7 as the validator for the DNSSEC on Workstations
feature, is linked against ldns, I think we should fix it, if possible.
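The report does not say what was wrong inside ldns, and the example below does not claim to reproduce that defect. It is an added example, not ldns code and not the attached reproducer. It shows the one wire-format property every DNSSEC DSA signature must satisfy (RFC 2536: one T octet followed by R and S of exactly 20 octets each, 41 octets total) and a sign-many-times harness of the kind used to catch a signer that only sometimes produces bad output. The `encode_minimal` function is a constructed faulty encoder that strips leading zero octets; it illustrates how a signer can fail only intermittently and is not a statement about the ldns code path. The DSA parameters are generated at run time at toy sizes for speed and must not be used for anything real.

```python
"""Toy DNSSEC/DSA signing harness with an RFC 2536 wire-format check.

Added example; not ldns code. Parameter sizes are the smallest RFC 2536
allows (512-bit p, so T = 0; 160-bit q, so R and S fit in 20 octets).
"""
import hashlib
import secrets

R_S_OCTETS = 20                   # RFC 2536: R and S are 20 octets each
SIG_OCTETS = 1 + 2 * R_S_OCTETS   # T || R || S = 41 octets


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for a toy parameter set."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_params():
    """Toy DSA domain parameters (p, q, g): 160-bit q, 512-bit p, g of order q."""
    while True:
        q = secrets.randbits(160) | (1 << 159) | 1
        if _is_probable_prime(q):
            break
    while True:
        k = (secrets.randbits(352) | (1 << 351)) & ~1   # even k keeps p odd
        p = k * q + 1
        if p.bit_length() == 512 and _is_probable_prime(p):
            break
    h = 2
    while pow(h, (p - 1) // q, p) == 1:
        h += 1
    return p, q, pow(h, (p - 1) // q, p)


def generate_keypair(params):
    """Returns (x, y): private x in [1, q), public y = g^x mod p."""
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def _hash_int(message):
    return int.from_bytes(hashlib.sha1(message).digest(), "big")   # DSA/SHA-1


def dsa_sign(params, x, message):
    """Plain DSA; returns integers (r, s), both in [1, q)."""
    p, q, g = params
    hm = _hash_int(message)
    while True:
        k = secrets.randbelow(q - 1) + 1
        r = pow(g, k, p) % q
        s = (pow(k, -1, q) * (hm + x * r)) % q
        if r and s:
            return r, s


def dsa_verify(params, y, message, r, s):
    p, q, g = params
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = (_hash_int(message) * w) % q, (r * w) % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def t_octet(p):
    """RFC 2536 T octet: p has 512 + 64*T bits, T in 0..8."""
    bits = p.bit_length()
    if bits < 512 or bits > 1024 or (bits - 512) % 64:
        raise ValueError("p size not allowed by RFC 2536")
    return (bits - 512) // 64


def encode_rfc2536(t, r, s):
    """Correct wire form: fixed-width, zero-padded R and S (41 octets)."""
    return bytes([t]) + r.to_bytes(R_S_OCTETS, "big") + s.to_bytes(R_S_OCTETS, "big")


def encode_minimal(t, r, s):
    """Constructed faulty encoder (hypothetical, not ldns): minimal-length R and S.

    Whenever r or s has a zero high octet the output is shorter than 41
    octets, so the signer looks fine most of the time and fails at random.
    """
    to_min = lambda v: v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return bytes([t]) + to_min(r) + to_min(s)


def parse_rfc2536(sig):
    """Strict validator-side parse: exactly 41 octets or reject."""
    if len(sig) != SIG_OCTETS:
        raise ValueError("DSA RDATA must be %d octets, got %d" % (SIG_OCTETS, len(sig)))
    r = int.from_bytes(sig[1:1 + R_S_OCTETS], "big")
    s = int.from_bytes(sig[1 + R_S_OCTETS:], "big")
    return sig[0], r, s


def run_trials(params, keypair, message, n):
    """Sign n times; tally how each encoder fares against the strict parser."""
    x, y = keypair
    t = t_octet(params[0])
    tally = {"fixed_ok": 0, "fixed_bad": 0, "minimal_ok": 0, "minimal_short": 0}
    for _ in range(n):
        r, s = dsa_sign(params, x, message)
        try:
            _, r2, s2 = parse_rfc2536(encode_rfc2536(t, r, s))
            tally["fixed_ok" if dsa_verify(params, y, message, r2, s2) else "fixed_bad"] += 1
        except ValueError:
            tally["fixed_bad"] += 1
        try:
            _, r3, s3 = parse_rfc2536(encode_minimal(t, r, s))
            tally["minimal_ok" if (r3, s3) == (r, s) else "minimal_short"] += 1
        except ValueError:
            tally["minimal_short"] += 1
    return tally


if __name__ == "__main__":
    prm = generate_params()
    print(run_trials(prm, generate_keypair(prm), b"example. IN A 192.0.2.1", 3000))
```

With a 160-bit q the high octet of r or s is zero in roughly one signature in 64 to 128, which is why a signer with this kind of defect passes most single-shot tests and only shows up under repetition; that is the reason the harness signs thousands of times rather than once, and why a validator-side parser should reject any DSA RDATA that is not exactly 41 octets instead of trying to guess where R ends.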

Comment 1 Tomáš Hozza 2014-03-18 15:18:35 UTC
Created attachment 875982 [details]
patch

Comment 2 Tomáš Hozza 2014-03-18 16:58:05 UTC
Created attachment 876040 [details]
patch

Comment 4 Paul Wouters 2014-03-18 19:41:10 UTC
No one is really using DSA for DNSSEC anymore. I would not worry about it too much.

http://secspider.cs.ucla.edu/stats.html

800 out of 1M DNSKEYs seem to be DSA, probably mostly legacy and test sites.

So I wouldn't make this a high priority item.

Comment 5 Tomáš Hozza 2014-03-19 08:00:37 UTC
(In reply to Paul Wouters from comment #4)
> No one is really using DSA for DNSSEC anymore. I would not worry about it too
> much.
> 
> http://secspider.cs.ucla.edu/stats.html
> 
> 800 out of 1M DNSKEYs seem to be DSA, probably mostly legacy and test sites.
> 
> So I wouldn't make this a high priority item.

I agree it is not high priority. This bug is more for tracking that the issue
is there and, if possible, it can be easily fixed and tested.

Comment 9 Radka Brychtova 2016-05-27 13:16:41 UTC
Created an automated test, which runs the reproducer.

********************************
Old package:
ldns-1.6.16-7.el7.x86_64

:: [   FAIL   ] :: Run test script (Expected 0, got 1)

********************************
New package:
ldns-1.6.16-10.el7.x86_64

:: [   PASS   ] :: Run test script (Expected 0, got 0)

Since the test passed => verified

Comment 11 errata-xmlrpc 2016-11-04 05:05:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2386.html