Comment 1 for bug 2015176

Sergio Durigan Junior (sergiodj) wrote:

Thank you for taking the time to report this bug.

As you have noticed, bind9 has been updated to its latest version in the 9.18.x series. This was quite a leap, which brought many important bugfixes to Ubuntu users across many releases. We do our best to guarantee that these bigger-than-normal updates go smoothly, but unfortunately there are scenarios which are too complex or uncommon to cover. It seems that you've hit one of those bumps.

I was able to successfully reproduce the problem you reported after I generated an HMAC-MD5 key on Bionic (which is the only LTS distro that's still able to generate keys using this algorithm), by doing:

$ dnssec-keygen -a HMAC-MD5 -b 128 -n HOST bind9.lxd
$ cat Kbind9.lxd.+157+25064.key
bind9.lxd. IN KEY 512 3 157 0OaUhv7uRii9yrq6kdSnbA==
$ cat Kbind9.lxd.+157+25064.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 0OaUhv7uRii9yrq6kdSnbA==
Bits: AAA=
Created: 20230405201738
Publish: 20230405201738
Activate: 20230405201738

This effectively created a pair of keys, which I transferred to a Jammy container and then tried invoking "nsupdate -k":

# nsupdate -k /etc/bind/Kbind9.lxd.+157+25064
could not read key from /etc/bind/Kbind9.lxd.+157+25064.{private,key}: file not found

I spent some time debugging the problem, and was able to track the issue down to the fact that bind9 has chosen different numbers to represent key algorithms internally. These numbers happen to be hardcoded inside the keys, which means that, when nsupdate checks if the specified algorithm is supported (and HMAC-MD5 is still supported), it can't find the entry associated with the old number and bails out.

In order to make things work again, a quick workaround is to edit your key files and replace "157" with "160". For example, here are the two files listed above with the modifications in place:

# cat Kbind9.lxd.+157+25064.key
bind9.lxd. IN KEY 512 3 160 0OaUhv7uRii9yrq6kdSnbA==
# cat Kbind9.lxd.+157+25064.private
Private-key-format: v1.3
Algorithm: 160 (HMAC_MD5)
Key: 0OaUhv7uRii9yrq6kdSnbA==
Bits: AAA=
Created: 20230405201738
Publish: 20230405201738
Activate: 20230405201738

There is also a newer format for key files which you can use. For the example I'm using here, it looks like this:

# cat Kbind9.lxd.+157+25064
key "bind9.lxd" {
        algorithm hmac-md5;
        secret "0OaUhv7uRii9yrq6kdSnbA==";
};

Note that this format doesn't contain any internal references to how bind9 numbers the algorithms, which is more future-proof. An even better solution would be to move away from HMAC-MD5, but I understand that that's not always possible.

For reference, the upstream commit that broke things was:

https://gitlab.isc.org/isc-projects/bind9/-/commit/09f7e0607a34d90eae53f862954e98c31b5ae532

There's an upstream bug about this problem, which I will link in a moment.
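As an added example (not part of the comment above or of bind9 itself), the following Python script applies both workarounds described in the comment to the key files shown there: it renumbers the legacy algorithm field from 157 to 160 in the .key and .private files, and it emits the number-free named.conf style key statement. The key material is the one from the comment, embedded as constructed input; the 157 to 160 mapping is the only one the comment documents, so any other algorithm number is rejected rather than guessed.

```python
import re

# Constructed sample input: the legacy key-pair files shown in the bug comment.
OLD_KEY_FILE = "bind9.lxd. IN KEY 512 3 157 0OaUhv7uRii9yrq6kdSnbA==\n"
OLD_PRIVATE_FILE = (
    "Private-key-format: v1.3\n"
    "Algorithm: 157 (HMAC_MD5)\n"
    "Key: 0OaUhv7uRii9yrq6kdSnbA==\n"
    "Bits: AAA=\n"
    "Created: 20230405201738\n"
    "Publish: 20230405201738\n"
    "Activate: 20230405201738\n"
)

# The only renumbering the bug comment documents: HMAC-MD5 moved from 157 to 160.
LEGACY_TO_918 = {157: 160}
ALG_NAME = {157: "hmac-md5", 160: "hmac-md5"}  # assumption: only HMAC-MD5 handled


def renumber_key_file(text):
    """Workaround 1 for the .key file: the algorithm is the 6th token of the KEY RR."""
    out = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 7 and tok[1:3] == ["IN", "KEY"] and int(tok[5]) in LEGACY_TO_918:
            tok[5] = str(LEGACY_TO_918[int(tok[5])])
        out.append(" ".join(tok))
    return "\n".join(out) + "\n"


def renumber_private_file(text):
    """Workaround 1 for the .private file: 'Algorithm: 157 (HMAC_MD5)' -> 160."""
    def sub(m):
        n = int(m.group(1))
        return f"Algorithm: {LEGACY_TO_918.get(n, n)} ({m.group(2)})"
    return re.sub(r"^Algorithm: (\d+) \((\w+)\)$", sub, text, flags=re.M)


def to_named_key(key_file_text):
    """Workaround 2: build the newer key statement, which carries no algorithm number."""
    tok = key_file_text.split()
    if len(tok) < 7 or tok[1:3] != ["IN", "KEY"]:
        raise ValueError("not a KEY resource record")
    name, alg, secret = tok[0].rstrip("."), int(tok[5]), tok[6]
    if alg not in ALG_NAME:
        raise ValueError(f"algorithm number {alg} is not handled by this example")
    return (f'key "{name}" {{\n'
            f"        algorithm {ALG_NAME[alg]};\n"
            f'        secret "{secret}";\n'
            "};\n")
```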