Hi Ondřej,

I wasn’t able to test it thoroughly on my production system, but in my cursory review I didn’t see anything to suggest the keyrec_keypaths() routine from 1.12.1 is any smarter about the doubly-indirected kskrev keys.

I think it probably warrants at least an inquiry upstream.

Thanks,

--
Rob Leslie
r...@mars.org

On Apr 1, 2012, at 12:55 AM, Ondřej Surý wrote:

> Hi Rob,
>
> thanks for the bug report and for the patch. Would it be possible for you to check
> if the version 1.12.1 (which will be uploaded to unstable just now) suffers from the
> same behaviour? If that's the case I would like to report the bug to the upstream.
>
> O.
>
> On Sun, Apr 1, 2012 at 03:55, Rob Leslie <r...@mars.org> wrote:
>> Package: dnssec-tools
>> Version: 1.7-3
>> Severity: important
>> File: /usr/share/perl5/Net/DNS/SEC/Tools/keyrec.pm
>> Tags: patch
>>
>> When RFC5011 KSK revocation is enabled (the default), at some point after
>> KSK keys have been revoked, zonesigner fails with the following error:
>>
>> dnssec-signzone: fatal: revoked KSK is not self signed
>>
>> The problem is that zonesigner is not passing a -k argument to dnssec-signzone
>> with the revoked key. This appears to be because keyrec_keypaths() (from
>> Net::DNS::SEC::Tools::keyrec) is not finding the kskrev keypaths, which have
>> an additional level of indirection in their keyrec signing sets.
>>
>> The attached patch attempts to correct this problem.
>>
>>
>> -- System Information:
>> Debian Release: 6.0.4
>> APT prefers stable-updates
>> APT policy: (500, 'stable-updates'), (500, 'stable')
>> Architecture: i386 (i686)
>>
>> Kernel: Linux 2.6.32-5-openvz-686 (SMP w/2 CPU cores)
>> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>> Shell: /bin/sh linked to /bin/dash
>>
>> Versions of packages dnssec-tools depends on:
>> ii bind9utils 1:9.7.3.dfsg-1~squeeze4 Utilities for BIND
>> ii libnet-dns-perl 0.66-2 Perform DNS queries from a Perl sc
>> ii libnet-dns-sec-p 0.16-1 DNSSEC extension to NET::DNS
>> ii libtimedate-perl 1.2000-1 collection of modules to manipulat
>> ii perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction
>>
>> Versions of packages dnssec-tools recommends:
>> ii bind9 1:9.7.3.dfsg-1~squeeze4 Internet Domain Name Server
>>
>> dnssec-tools suggests no packages.
>>
>> -- Configuration Files:
>> /etc/dnssec-tools/dnssec-tools.conf changed [not included]
>>
>> -- no debconf information
>
>
>
> --
> Ondřej Surý <ond...@sury.org>