ldns 1.8.2 breaks openssh 9.0p1 configured with VerifyHostKeyDNS yes: Assertion failed: (rd != NULL), function ldns_rdf_size, file rdata.c, line 26. #107988

Closed
2 tasks done
kenyon opened this issue Aug 13, 2022 · 5 comments
Labels
outdated PR was locked due to age upstream issue An upstream issue report is needed

Comments

@kenyon

kenyon commented Aug 13, 2022

brew gist-logs <formula> link OR brew config AND brew doctor output

kenyon@iMac ~ % brew config; brew doctor        
HOMEBREW_VERSION: 3.5.9
ORIGIN: https://github.com/Homebrew/brew
HEAD: 3748bed378401ed75abdf32bcb3d2674d854a6f9
Last commit: 3 days ago
Core tap ORIGIN: https://github.com/Homebrew/homebrew-core
Core tap HEAD: ba22bb6477b0770d1b52a3554aa3e24edaeb4fb2
Core tap last commit: 89 minutes ago
Core tap branch: master
HOMEBREW_PREFIX: /usr/local
HOMEBREW_CASK_OPTS: []
HOMEBREW_EDITOR: emacsclient --tty
HOMEBREW_MAKE_JOBS: 12
Homebrew Ruby: 2.6.8 => /System/Library/Frameworks/Ruby.framework/Versions/2.6/usr/bin/ruby
CPU: dodeca-core 64-bit cometlake
Clang: 13.1.6 build 1316
Git: 2.37.2 => /usr/local/bin/git
Curl: 7.79.1 => /usr/bin/curl
macOS: 12.5-x86_64
CLT: 13.4.0.0.1.1651278267
Xcode: N/A
Your system is ready to brew.

Verification

  • I ran brew update and am still able to reproduce my issue.
  • I have resolved all warnings from brew doctor and that did not fix my problem.

What were you trying to do (and why)?

Ran brew update and brew upgrade to upgrade packages as usual.

What happened (include all command output)?

ldns was upgraded from 1.8.1_1 to 1.8.2 (#107924). Then sshing to any ssh server, when VerifyHostKeyDNS yes is part of the ssh client configuration, causes ssh to abort with Assertion failed: (rd != NULL), function ldns_rdf_size, file rdata.c, line 26. With VerifyHostKeyDNS no (the default), ssh works.

kenyon@iMac ~ % ssh -vvv router.local                     
OpenSSH_9.0p1, OpenSSL 1.1.1q  5 Jul 2022
debug1: Reading configuration data /Users/kenyon/.ssh/config
debug1: /Users/kenyon/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/Users/kenyon/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/Users/kenyon/.ssh/known_hosts2'
debug2: resolving "router.local" port 22
debug3: resolve_host: lookup router.local:22
debug3: ssh_connect_direct: entering
debug1: Connecting to router.local [fe80::82ee:73ff:fef1:f2fa%en0] port 22.
debug3: set_sock_tos: set socket 5 IPV6_TCLASS 0x48
debug1: Connection established.
debug1: identity file /Users/kenyon/.ssh/id_rsa type 0
debug1: identity file /Users/kenyon/.ssh/id_rsa-cert type -1
debug1: identity file /Users/kenyon/.ssh/id_ecdsa type -1
debug1: identity file /Users/kenyon/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/kenyon/.ssh/id_ecdsa_sk type -1
debug1: identity file /Users/kenyon/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /Users/kenyon/.ssh/id_ed25519 type 3
debug1: identity file /Users/kenyon/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/kenyon/.ssh/id_ed25519_sk type -1
debug1: identity file /Users/kenyon/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /Users/kenyon/.ssh/id_xmss type -1
debug1: identity file /Users/kenyon/.ssh/id_xmss-cert type -1
debug1: identity file /Users/kenyon/.ssh/id_dsa type -1
debug1: identity file /Users/kenyon/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4p1 Debian-5+deb11u1
debug1: compat_banner: match: OpenSSH_8.4p1 Debian-5+deb11u1 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to router.local:22 as 'kenyon'
debug3: record_hostkey: found key type ED25519 in file /Users/kenyon/.ssh/known_hosts:38
debug3: load_hostkeys_file: loaded 1 keys from router.local
debug1: load_hostkeys: fopen /Users/kenyon/.ssh/known_hosts2: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts: No such file or directory
debug1: load_hostkeys: fopen /usr/local/etc/ssh/ssh_known_hosts2: No such file or directory
debug3: order_hostkeyalgs: have matching best-preference key type ssh-ed25519-cert-v01@openssh.com, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms: ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:P3OAdJWObsCokHeo/YzhqD+AmHdkHYXbwSxDpokIfBY
debug3: verify_host_key_dns
Assertion failed: (rd != NULL), function ldns_rdf_size, file rdata.c, line 26.
zsh: abort      ssh -vvv router.local

What did you expect to happen?

ssh to continue working with VerifyHostKeyDNS yes after an ldns upgrade.

Step-by-step reproduction instructions (by running brew commands)

`brew update && brew upgrade`
@kenyon kenyon added the bug Reproducible Homebrew/homebrew-core bug label Aug 13, 2022
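A triage helper for the failure reported above, added here as an example (not code from the issue, Homebrew, OpenSSH or ldns): it reads an `ssh -v` log, finds the first assertion failure, and records the last debug message ssh printed before aborting. The names `triage_ssh_log` and `SAMPLE_LOG` are hypothetical, and treating any `ldns_`-prefixed function as a match is an assumption that generalizes beyond the single `ldns_rdf_size` case in the report.

```python
import re

# Constructed sample: the tail of the `ssh -vvv` output quoted in the report.
SAMPLE_LOG = """\
debug1: SSH2_MSG_KEX_ECDH_REPLY received
debug1: Server host key: ssh-ed25519 SHA256:P3OAdJWObsCokHeo/YzhqD+AmHdkHYXbwSxDpokIfBY
debug3: verify_host_key_dns
Assertion failed: (rd != NULL), function ldns_rdf_size, file rdata.c, line 26.
zsh: abort      ssh -vvv router.local
"""

# assert() message format exactly as it appears in the report.
ASSERT_RE = re.compile(
    r"^Assertion failed: \((?P<expr>.*)\), function (?P<function>[^,\s]+), "
    r"file (?P<file>[^,]+), line (?P<line>\d+)\.$"
)
DEBUG_RE = re.compile(r"^debug[123]: (?P<msg>.*)$")


def triage_ssh_log(text):
    """Return details of the first assertion failure in an ssh -v log, or None.

    'stage' is the last debug message printed before the assertion, which
    shows how far the connection got when the process aborted.
    """
    stage = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DEBUG_RE.match(line)
        if m:
            stage = m.group("msg")
            continue
        m = ASSERT_RE.match(line)
        if m:
            finding = m.groupdict()
            finding["line"] = int(finding["line"])
            finding["stage"] = stage
            # Signature of this issue: abort inside an ldns function while
            # ssh is in verify_host_key_dns (the VerifyHostKeyDNS lookup).
            # Assumption: any ldns_* function counts, not only ldns_rdf_size.
            finding["matches_this_issue"] = (
                stage == "verify_host_key_dns"
                and finding["function"].startswith("ldns_")
            )
            return finding
    return None


if __name__ == "__main__":
    print(triage_ssh_log(SAMPLE_LOG))
```

A match means the abort happened in the DNS host-key lookup rather than in key exchange or authentication, which is consistent with the report that `VerifyHostKeyDNS no` avoids the crash.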
@SMillerDev
Member

Have you tried reporting this upstream? It doesn't particularly sound like a homebrew bug.

@kenyon
Author

kenyon commented Aug 13, 2022

> Have you tried reporting this upstream? It doesn't particularly sound like a homebrew bug.

Not yet. Agreed, probably should file a bug with OpenSSH.

@carlocab carlocab added upstream issue An upstream issue report is needed and removed bug Reproducible Homebrew/homebrew-core bug labels Aug 13, 2022
@it-can

it-can commented Aug 15, 2022

Seems to be an issue with ldns

NLnetLabs/ldns#183

@carlocab
Member

@it-can, thanks.

Upstream have a fix: NLnetLabs/ldns@1acee0c

They also said they'll release 1.8.3 with a fix soon.

@carlocab carlocab linked a pull request Aug 15, 2022 that will close this issue
6 tasks
@carlocab
Member

Fixed in #108094.

@github-actions github-actions bot added the outdated PR was locked due to age label Sep 15, 2022
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 15, 2022