Package: opendnssec-auditor
Severity: normal
Tags: patch
Hi,

When you have an unsigned zone with $INCLUDE directives, the auditor doesn't work correctly, complaining about entries in the signed file that weren't present in the unsigned file.

I have attached a patch that does the following:
- Take the sorted file based on the input file that the signer produces, run it through the finalizer command to move the SOA to the top (a bit overkill, but makes for a cleaner patch), write the output in the zone.sorted2 file.
- It also modifies the auditor to take the input from the zone.sorted2 file instead of zone.unsorted.

This works around the issue of having atomicity on the input file as noted in the KNOWN_ISSUES file of the 1.3.0rc3 release.

This problem is upstream, but this patch will probably not work, as versions after 1.1.0 (stable on Debian) do all the sorting and stuff in memory, so don't have a nice input file with the $INCLUDE's processed TMK.

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (950, 'stable'), (850, 'stable-updates'), (50, 'testing'), (25, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- Begin Message ---Call the finalizer on the sorted import file that was signed. This makes the input file atomic including all the $INCLUDE directives. This file needs to have the SOA record as the first in the file, so pass it through the finalizer script before passing it to the auditor --- auditor/lib/kasp_auditor.rb | 2 +- signer/signer_engine/Zone.py | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletions(-) diff --git a/auditor/lib/kasp_auditor.rb b/auditor/lib/kasp_auditor.rb index ddf9288..63b59e0 100644 --- a/auditor/lib/kasp_auditor.rb +++ b/auditor/lib/kasp_auditor.rb @@ -141,7 +141,7 @@ module KASPAuditor syslog.log(LOG_INFO, "Auditor starting on #{config.name}") print("Auditor starting on #{config.name}\n") # Override this with @unsigned_zone if present - input_file = signer_working_folder + File::Separator + config.name + ".unsorted" + input_file = signer_working_folder + File::Separator + config.name + ".sorted2" if ((@zone_name == config.name) && (@unsigned_zone)) input_file = @unsigned_zone end diff --git a/signer/signer_engine/Zone.py b/signer/signer_engine/Zone.py index c65cb30..31bc793 100644 --- a/signer/signer_engine/Zone.py +++ b/signer/signer_engine/Zone.py @@ -800,6 +800,23 @@ class Zone: syslog.syslog(syslog.LOG_ERR, "No resource records in output") return False output.close() + cmd = [self.get_tool_filename("finalizer"), + "-f", self.get_zone_tmp_filename(".sorted"), + ] + finalize_p = Util.run_tool(cmd) + if not finalize_p: + return False + output = open(self.get_zone_tmp_filename(".sorted2"), "w") + if not output: + syslog.syslog(syslog.LOG_ERR, + "Error opening finalized zone file: " + + self.get_zone_tmp_filename(".sorted2")) + return False + for line in finalize_p.stdout: + output.write(line) + for line in finalize_p.stderr: + output.write(line) + output.close() return True def move_output(self): --
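Review bot: In the kasp_auditor.rb hunk, switching input_file from config.name + ".unsorted" to config.name + ".sorted2" makes the auditor read a file the signer itself produced instead of the operator's unsigned input, so a record that the signer's sort or finalizer step dropped, duplicated or rewrote would now appear on both sides of the comparison and no longer be flagged; the auditor is only useful as a check that is independent of the signer's own parsing. If the .unsorted file cannot be used because of the $INCLUDE and atomicity problems described in the report, say so in the comment above the assignment (it still reads "# Override this with @unsigned_zone if present"), and at least check that the .sorted2 file exists and fall back to .unsorted with a logged warning, since a signer run that fails between writing .sorted and .sorted2 otherwise leaves the auditor silently comparing against a .sorted2 left over from the previous run.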
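Review bot: In the Zone.py hunk, everything the finalizer writes to stderr is copied into the .sorted2 zone file ("for line in finalize_p.stderr: output.write(line)"), so any warning or error text from the tool becomes part of the file the auditor then parses as zone data; log stderr through syslog and write only stdout to the file. Two checks in the same block do not do what they appear to: "if not finalize_p: return False" only tests that Util.run_tool returned a process object, not that the finalizer exited successfully, so a non-zero exit still reaches "return True" with whatever partial output was produced, and "if not output:" after open(..., "w") is dead code because open raises IOError on failure rather than returning a false value; wrap the open in try/except and log the exception, and check the finalizer's exit status before treating the output as good. If Util.run_tool pipes both streams, draining stdout to completion before reading stderr can also block when the finalizer writes more than a pipe buffer to stderr; communicate() avoids that.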
--- End Message ---

