Bug 1572949 - python-certbot-dns-rfc2136 with DNSSEC: PATCH UPSTREAM
Summary: python-certbot-dns-rfc2136 with DNSSEC: PATCH UPSTREAM
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Fedora
Classification: Fedora
Component: python-certbot-dns-rfc2136
Version: 27
Hardware: All
OS: All
Target Milestone: ---
Assignee: Ed Marshall
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-29 07:03 UTC by H. Peter Anvin
Modified: 2018-05-16 22:55 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-16 22:55:34 UTC
Type: Bug


Attachments
Patch from upstream (8.98 KB, application/mbox)
2018-04-29 07:03 UTC, H. Peter Anvin

Description H. Peter Anvin 2018-04-29 07:03:40 UTC
Created attachment 1428321
Patch from upstream

Description of problem:

For DNSSEC to be secure, dynamically modified zones must be kept separate from zones with static content. That requires the _acme-challenge name to be in its own, separate, dynamic zone. This is supported by the ACME protocol, but certbot 0.22.x or lower has a bug in this area.

THIS IS FIXED UPSTREAM IN CERTBOT 0.23.

The patch from the upstream repo (attached) can also be applied separately to the 0.22 codebase.

Version-Release number of selected component (if applicable):

python3-certbot-dns-rfc2136-0.22.2-1

How reproducible:

100%


Steps to Reproduce:

1. Set up a DNS structure with _acme-challenge as a separate modified zone
2. Try to configure it with certbot
3.

Actual results:

Error message

Expected results:

Zone update
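
The zone separation described above, as an added example that is not certbot's code or the attached patch: walk up from the challenge name until a name with an SOA record is found, and address the RFC 2136 update to that zone rather than to the parent. The SOA lookup is a constructed stand-in (`ZONE_APEXES` and `has_soa` are hypothetical), and `naive_zone` is included only to show why a fixed two-label guess lands on the static signed zone instead of the delegated dynamic one.

```python
"""Find the enclosing dynamic zone for an ACME TXT record, then build the
matching nsupdate (RFC 2136) script. Added example; not certbot code."""
from typing import Callable, Iterator, Optional

# Constructed stand-in for SOA lookups: example.com is the signed static
# zone and _acme-challenge.example.com is the separate dynamic zone.
ZONE_APEXES = {"example.com.", "_acme-challenge.example.com."}


def has_soa(name: str) -> bool:
    """Hypothetical resolver hook: True if an SOA record exists at `name`."""
    return name in ZONE_APEXES


def candidate_zones(name: str) -> Iterator[str]:
    """Yield the name itself, then each parent, as absolute names."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def find_zone(record: str, soa_exists: Callable[[str], bool] = has_soa) -> str:
    """Closest enclosing zone: the first candidate with an SOA, walking upward."""
    for zone in candidate_zones(record):
        if soa_exists(zone):
            return zone
    raise LookupError(f"no authoritative zone found for {record}")


def naive_zone(record: str) -> str:
    """Guess the zone from the last two labels. Constructed to show why a
    fixed guess breaks the delegated _acme-challenge layout; not the 0.22 code."""
    return ".".join(record.rstrip(".").split(".")[-2:]) + "."


def nsupdate_script(record: str, txt: str, server: str, ttl: int = 120,
                    zone: Optional[str] = None) -> str:
    """nsupdate input that adds the TXT record inside the located zone."""
    zone = zone or find_zone(record)
    # Sanity check: the record must sit at or below the zone apex.
    if record != zone and not record.endswith("." + zone):
        raise ValueError(f"{record} is not inside zone {zone}")
    return "\n".join([
        f"server {server}",
        f"zone {zone}",
        f'update add {record} {ttl} TXT "{txt}"',
        "send",
        "",
    ])
```

The returned text is what you would pipe into `nsupdate -k <tsig-keyfile>`; the `zone` line is the part that differs between the correct and the naive result.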

Comment 1 Eli Young 2018-04-30 20:10:51 UTC
Considering that we have shipped certbot 0.23.0, is this necessary?

Comment 2 H. Peter Anvin 2018-05-16 22:55:34 UTC
If python3-certbot-dns-rfc2136 has also been upgraded to 0.23.0 or higher (looks like 0.24.0 is in Fedora 27+ now), then no, this is resolved.

