hash-slinger generates incorrect TLSA certificates on pauli/nevii
In Debian bullseye, running the following command here generates an invalid DNS record:
pauli# ./tlsa --create --usage=3 --selector=1 --mtype=1 --certificate /srv/puppet.torproject.org/from-letsencrypt/cdn-fastly-backend.torproject.org.crt --port 443 cdn-fastly-backend.torproject.org --output=generic
Got a certificate for cdn-fastly-backend.torproject.org. with Subject: /CN=cdn-fastly-backend.torproject.org
_443._tcp.cdn-fastly-backend.torproject.org. IN TYPE52 \# 35.0 030101e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c
Notice the float (35.0) there? That, of course, crashes bind with:
Notice: /Stage[main]/Dnsextras::Entries/Exec[rebuild torproject.org zone]/returns: dns_rdata_fromtext: /srv/dns.torproject.org/puppet-extra/include-torproject.org:945: near '35.0': not a valid number
I suspect this wasn't caught by other users because it happens when the len() of the cert string is an odd number, which, oddly, I guess it is here.
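As an added example (not hash-slinger's own code), this builds the TLSA RDATA (RFC 6698) and its RFC 3597 generic presentation so that the length field is always a decimal integer, and checks a record line the way a zone loader would, rejecting the "35.0" form quoted above. The digest is the one from the record in the report; the certificate bytes used in `tlsa_rdata` below are constructed, not a real cert.

```python
import hashlib
import re

# SHA-256 digest copied from the record quoted in the report (32 bytes)
DIGEST_HEX = "e86cb4aa5bec41b44c5e78c0b3b05992ab276d540376aca18eb494d8e229cd4c"

def tlsa_rdata(usage: int, selector: int, mtype: int, assoc_data: bytes) -> bytes:
    """Build TLSA RDATA: three one-byte fields followed by the association data.
    mtype 0 = full data, 1 = SHA-256, 2 = SHA-512 (hashing is applied here)."""
    if mtype == 1:
        assoc_data = hashlib.sha256(assoc_data).digest()
    elif mtype == 2:
        assoc_data = hashlib.sha512(assoc_data).digest()
    elif mtype != 0:
        raise ValueError("unknown matching type %d" % mtype)
    return bytes([usage, selector, mtype]) + assoc_data

def generic_record(owner: str, port: int, rdata: bytes, proto: str = "tcp") -> str:
    """RFC 3597 presentation: TYPE52 \\# <decimal length> <hex octets>.
    len() of a bytes object is an int, so it can never render as 35.0;
    computing the length as len(hexstring) / 2 would give a float in Python 3."""
    return "_%d._%s.%s IN TYPE52 \\# %d %s" % (port, proto, owner, len(rdata), rdata.hex())

GENERIC_RE = re.compile(r"TYPE(\d+)\s+\\#\s+(\S+)\s*(.*)$")

def check_generic_record(line: str) -> bool:
    """Validate a generic-format RR: the length must be a plain decimal integer
    and must equal the number of octets in the hex data."""
    m = GENERIC_RE.search(line)
    if not m:
        return False
    length_field, hexdata = m.group(2), m.group(3).replace(" ", "")
    if not length_field.isdigit():  # rejects "35.0" just as bind does
        return False
    if len(hexdata) % 2 or not re.fullmatch(r"[0-9a-fA-F]*", hexdata):
        return False
    return int(length_field) == len(hexdata) // 2
```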
This affects pauli, which has a patch to tlsa to work around the issue, and has the package pinned. This needs to be fixed before we upgrade to bookworm, sooner rather than later, so that we can get the fix in bookworm itself.
This has been reported upstream at https://github.com/letoams/hash-slinger/issues/45 and in Debian as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053483.
Edited by anarcat