Your message dated Tue, 02 Apr 2019 20:44:51 +0000
with message-id <[email protected]>
and subject line Bug#923984: fixed in bind9 1:9.11.5.P4+dfsg-2
has caused the Debian Bug report #923984,
regarding dnssec-keymgr immediately inactivates/deletes old keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
923984: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923984
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9utils
Version: 1:9.11.2+dfsg-1
Severity: important
Tags: upstream

This is a copy of my upstream bug report at
https://gitlab.isc.org/isc-projects/bind9/issues/117 in order to get the fix
into Buster.

When you run dnssec-keymgr with keys that are older (Activation Time further in
the past) than the configured (or default) roll-period, the keys are set to be
inactive/deleted at a date way in the past. You can easily test this with the
default policy by creating a ZSK that has been activated 2 years in the past.

---
# dnssec-keygen -f KSK -A -2y -a RSASHA256 -b 2048 example.com
Generating key pair......................................................+++ 
.........................................+++ 
Kexample.com.+008+37477

# dnssec-keygen -A -2y -a RSASHA256 -b 2048 example.com
Generating key pair....................................+++ 
....................+++ 
Kexample.com.+008+19905

# dnssec-coverage 
WARNING: Maximum TTL value was not specified.  Using 1 week
         (604800 seconds); re-run with the -m option to get more
         accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone example.com, algorithm RSASHA256...
  Sun Feb 28 16:02:23 UTC 2016:
    Publish: example.com/RSASHA256/37477 (KSK)
    Activate: example.com/RSASHA256/37477 (KSK)

No errors found

Checking scheduled ZSK events for zone example.com, algorithm RSASHA256...
  Sun Feb 28 16:02:25 UTC 2016:
    Publish: example.com/RSASHA256/19905 (ZSK)
    Activate: example.com/RSASHA256/19905 (ZSK)

No errors found
---
; This is a zone-signing key, keyid 19905, for example.com.
; Created: 20180227160225 (Tue Feb 27 17:02:25 2018)
; Publish: 20160228160225 (Sun Feb 28 17:02:25 2016)
; Activate: 20160228160225 (Sun Feb 28 17:02:25 2016)

Now running dnssec-keymgr sets the key to Inactivate at Publish+1y (which is 1
year in the past) and delete a month later. Additionally, the generation
of the NEW ZSK fails with a Python error, which leaves the zone without any
active ZSK.

---
# dnssec-keymgr 
# /usr/sbin/dnssec-settime -K . -I 20170227160225 -D 20170329160225 
Kexample.com.+008+19905
# /usr/sbin/dnssec-keygen -q -K . -S Kexample.com.+008+19905 -L 3600 -i 2592000
Unable to apply policy: example.com/RSASHA256: Can't convert 'bytes' object to str implicitly
---

; This is a zone-signing key, keyid 19905, for example.com.
; Created: 20180227160225 (Tue Feb 27 17:02:25 2018)
; Publish: 20160228160225 (Sun Feb 28 17:02:25 2016)
; Activate: 20160228160225 (Sun Feb 28 17:02:25 2016)
; Inactive: 20170227160225 (Mon Feb 27 17:02:25 2017)
; Delete: 20170329160225 (Wed Mar 29 18:02:25 2017) 

The next run of dnssec-keymgr generates a new ZSK.

In the end this creates a completely messed up ZSK rollover where the DNSKEY is
pulled immediately without a new ZSK being present.

--- End Message ---
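The scheduling described in the report, as an added Python example that is not part of the bug report or of bind9's own code: it parses the timing comments of a key file, reproduces the Inactive/Delete dates keymgr computed for the sample ZSK, and flags a key that would be retired immediately. The intervals are the defaults the report's output implies (1y roll-period, 30-day post-publish); `safe_schedule` is an illustration of one possible mitigation and is an assumption, not the cherry-picked upstream fix.

```python
"""Pre-flight check for the dnssec-keymgr scheduling problem described above."""
import re
from datetime import datetime, timedelta

# Constructed sample in the format dnssec-keygen writes into K*.key files,
# matching the ZSK in the report (activated two years before the run).
SAMPLE_KEY_FILE = """\
; This is a zone-signing key, keyid 19905, for example.com.
; Created: 20180227160225 (Tue Feb 27 17:02:25 2018)
; Publish: 20160228160225 (Sun Feb 28 17:02:25 2016)
; Activate: 20160228160225 (Sun Feb 28 17:02:25 2016)
"""

TS = "%Y%m%d%H%M%S"                        # timestamp format used by dnssec-settime
ROLL_PERIOD = timedelta(seconds=31536000)  # default ZSK roll-period "1y" (365 days)
POST_PUBLISH = timedelta(seconds=2592000)  # default post-publish "1mo" (30 days)
_META = re.compile(r"^; (Created|Publish|Activate|Inactive|Delete): (\d{14})", re.M)

def parse_timing(key_text):
    """Map each timing comment of a .key file to a datetime."""
    return {name: datetime.strptime(ts, TS) for name, ts in _META.findall(key_text)}

def naive_schedule(timing):
    """What the report observed: Inactive = Publish + roll-period and
    Delete = Inactive + post-publish, with no regard for the current time."""
    inactive = timing["Publish"] + ROLL_PERIOD
    return inactive, inactive + POST_PUBLISH

def safe_schedule(timing, now):
    """Illustrative safe variant (an assumption, not upstream's patch): if the
    computed retirement is already in the past, count the roll-period from now."""
    inactive, delete = naive_schedule(timing)
    if inactive <= now:
        inactive = now + ROLL_PERIOD
        delete = inactive + POST_PUBLISH
    return inactive, delete

def check_key(key_text, now_ts):
    """Report what keymgr would schedule for this key if run at now_ts."""
    timing, now = parse_timing(key_text), datetime.strptime(now_ts, TS)
    inactive, delete = naive_schedule(timing)
    safe_inactive, safe_delete = safe_schedule(timing, now)
    return {
        "naive_inactive": inactive.strftime(TS), "naive_delete": delete.strftime(TS),
        "retires_immediately": inactive <= now,  # True: do not run keymgr on this key yet
        "safe_inactive": safe_inactive.strftime(TS), "safe_delete": safe_delete.strftime(TS),
    }

if __name__ == "__main__":
    print(check_key(SAMPLE_KEY_FILE, "20180227160225"))  # the report's run time
```

Run against the sample with the report's run time, the naive dates come out as 20170227160225 and 20170329160225, the exact values the report shows dnssec-settime being called with.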
--- Begin Message ---
Source: bind9
Source-Version: 1:9.11.5.P4+dfsg-2

We believe that the bug you reported is fixed in the latest version of
bind9, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <[email protected]> (supplier of updated bind9 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 02 Apr 2019 21:12:50 +0200
Source: bind9
Architecture: source
Version: 1:9.11.5.P4+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian DNS Team <[email protected]>
Changed-By: Bernhard Schmidt <[email protected]>
Closes: 905177 920530 923984
Changes:
 bind9 (1:9.11.5.P4+dfsg-2) unstable; urgency=medium
 .
   [ Ondřej Surý ]
   * Update d/gbp.conf for Debian Buster
 .
   [ Bernhard Schmidt ]
   * Cherry-Pick upstream commit to prevent dnssec-keymgr from immediately
     expiring and deleting old DNSSEC keys when being run for the first
     time (Closes: #923984)
   * Update AppArmor policy for Samba AD DLZ
     - Add changed default location for named.conf
     - Allow read/mmap on some Samba libraries
     Thanks to Steven Monai (Closes: #920530)
 .
   [ Andreas Beckmann ]
   * bind9.preinst: cope with ancient conffile named.conf.options
     (Closes: #905177)


--- End Message ---
