[Pkg-dns-devel] Bug#843532: dnssec-trigger: broken by OpenSSL 1.1.0

Zack Weinberg zackw at panix.com
Mon Nov 7 13:39:17 UTC 2016


Package: dnssec-trigger
Version: 0.13~svn685-6
Severity: critical
Justification: renders package unusable

On upgrading dnssec-trigger within unstable, the postinst fails with
errors from systemd:

Setting up dnssec-trigger (0.13~svn685-6) ...
Job for dnssec-triggerd.service failed because the control process exited with error code.
See "systemctl status dnssec-triggerd.service" and "journalctl -xe" for details.
invoke-rc.d: initscript dnssec-triggerd, action "start" failed.
● dnssec-triggerd.service - Reconfigure local DNSSEC resolver on connectivity changes
   Loaded: loaded (/lib/systemd/system/dnssec-triggerd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Mon 2016-11-07 08:25:41 EST; 3ms ago
  Process: 8425 ExecStopPost=/usr/lib/dnssec-trigger/dnssec-trigger-script --cleanup (code=exited, status=1/FAILURE)
  Process: 8423 ExecStartPost=/usr/lib/dnssec-trigger/dnssec-trigger-script --update (code=exited, status=1/FAILURE)
  Process: 8422 ExecStart=/usr/sbin/dnssec-triggerd -d (code=exited, status=1/FAILURE)
  Process: 8421 ExecStartPre=/usr/lib/dnssec-trigger/dnssec-trigger-script --prepare (code=exited, status=0/SUCCESS)
 Main PID: 8422 (code=exited, status=1/FAILURE)

Nov 07 08:25:41 moxana systemd[1]: dnssec-triggerd.service: Unit entered fa…ate.
Nov 07 08:25:41 moxana systemd[1]: dnssec-triggerd.service: Failed with res…de'.
Hint: Some lines were ellipsized, use -l to show in full.
dpkg: error processing package dnssec-trigger (--configure):
 subprocess installed post-installation script returned error exit status 1

The real error message is hiding in "journalctl -xe":

-- Unit dnssec-triggerd.service has begun starting up.
Nov 07 08:34:17 moxana dnssec-triggerd[20281]: Nov 07 08:34:17 dnssec-triggerd[20281] error: could not set SSL_OP_NO_SSLv2 crypto error:00000000
Nov 07 08:34:17 moxana dnssec-triggerd[20281]: Nov 07 08:34:17 dnssec-triggerd[20281] error: cannot setup SSL context
Nov 07 08:34:17 moxana dnssec-triggerd[20281]: Nov 07 08:34:17 dnssec-triggerd[20281] fatal error: could not init server
Nov 07 08:34:17 moxana systemd[1]: dnssec-triggerd.service: Main process exited, code=exited, status=1/FAILURE
Nov 07 08:34:17 moxana dnssec-trigger-script[20282]: Cannot connect to dnssec-trigger.
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]: chattr: Operation not supported while reading flags on /etc/resolv.conf
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]: Traceback (most recent call last):
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 465, in <module>
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]:     Application(sys.argv).run()
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 364, in run
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]:     self.method()
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]:   File "/usr/lib/dnssec-trigger/dnssec-trigger-script", line 398, in run_cleanup
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]:     subprocess.check_call(["chattr", "-i", "/etc/resolv.conf"])
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]:   File "/usr/lib/python2.7/subprocess.py", line 186, in check_call
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]:     raise CalledProcessError(retcode, cmd)
Nov 07 08:34:18 moxana dnssec-trigger-script[20284]: subprocess.CalledProcessError: Command '['chattr', '-i', '/etc/resolv.conf']' returned non-
Nov 07 08:34:18 moxana systemd[1]: Failed to start Reconfigure local DNSSEC resolver on connectivity changes.
-- Subject: Unit dnssec-triggerd.service has failed

I get the same SSL-related errors upon attempting to start dnssec-triggerd manually:

# dnssec-triggerd -d -vvvvv
Nov 07 08:37:21 dnssec-triggerd[20314] debug: event mini-event-0.13 uses not_obtainable method.
Nov 07 08:37:21 dnssec-triggerd[20314] error: could not set SSL_OP_NO_SSLv2 crypto error:00000000:lib(0):func(0):reason(0)
Nov 07 08:37:21 dnssec-triggerd[20314] error: cannot setup SSL context
Nov 07 08:37:21 dnssec-triggerd[20314] fatal error: could not init server

The patch for bug #828283 appears to have been either incomplete or broken, and not to have been tested. >:-(

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (501, 'unstable'), (500, 'testing'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages dnssec-trigger depends on:
ii  gir1.2-networkmanager-1.0  1.4.2-2
ii  init-system-helpers        1.46
ii  libc6                      2.24-5
ii  libgdk-pixbuf2.0-0         2.36.0-1
ii  libglib2.0-0               2.50.1-1
ii  libgtk2.0-0                2.24.31-1
ii  libldns1                   1.6.17-10
ii  libssl1.1                  1.1.0b-2
ii  python                     2.7.11-2
ii  python-gi                  3.22.0-1
ii  python-lockfile            1:0.12.2-2
ii  unbound                    1.5.10-2

dnssec-trigger recommends no packages.

dnssec-trigger suggests no packages.

-- no debconf information
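
Added example, not part of the original report and not dnssec-trigger's code: one way the "could not set SSL_OP_NO_SSLv2" failure above can arise with an empty OpenSSL error queue, assuming the daemon verifies each option by testing the returned mask against the flag. OpenSSL 1.1.0 defines SSL_OP_NO_SSLv2 as 0; the context type, setter and function names below are constructed stand-ins, not OpenSSL's API.

```c
#include <stdio.h>

/* Constructed stand-ins, not OpenSSL's API. mock_set_options() mimics the
 * documented behaviour of SSL_CTX_set_options(): OR the bits in and return
 * the resulting mask. */
struct mock_ctx { unsigned long options; };

static unsigned long mock_set_options(struct mock_ctx *c, unsigned long op)
{
    c->options |= op;
    return c->options;
}

/* SSL_OP_NO_SSLv2 is a real bit in OpenSSL 1.0.x headers and 0 in 1.1.0,
 * where SSLv2 no longer exists. NO_SSLV3 is a second opt-out bit. */
#define NO_SSLV2_1_0_X 0x01000000UL
#define NO_SSLV2_1_1_0 0x0UL
#define NO_SSLV3       0x02000000UL

/* Assumed fragile check: "is my bit in the returned mask?" */
static int fragile_ok(unsigned long mask, unsigned long op) { return (mask & op) != 0; }
/* Robust check: all requested bits present; a zero flag passes. */
static int robust_ok(unsigned long mask, unsigned long op) { return (mask & op) == op; }

/* Apply both protocol opt-outs; return NULL on success or the name of the
 * option whose check failed (the shape of the daemon's log message). */
const char *setup_ctx(unsigned long no_sslv2, int robust, unsigned long *out)
{
    struct mock_ctx ctx = { 0 };
    int (*ok)(unsigned long, unsigned long) = robust ? robust_ok : fragile_ok;

    if (!ok(mock_set_options(&ctx, no_sslv2), no_sslv2))
        return "SSL_OP_NO_SSLv2";
    if (!ok(mock_set_options(&ctx, NO_SSLV3), NO_SSLV3))
        return "SSL_OP_NO_SSLv3";
    if (out)
        *out = ctx.options;
    return NULL;
}

int main(void)
{
    const char *e = setup_ctx(NO_SSLV2_1_1_0, 0, NULL);
    printf("fragile check, 1.1.0 headers: %s\n", e ? e : "ok");
    e = setup_ctx(NO_SSLV2_1_1_0, 1, NULL);
    printf("robust check, 1.1.0 headers: %s\n", e ? e : "ok");
    return 0;
}
```

With the zero-valued flag the fragile check reports a failure even though nothing went wrong inside the library, which matches an error line carrying crypto error 00000000.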


