Your message dated Mon, 07 Nov 2016 17:59:39 +0000
with message-id <e1c3ocp-0006ou...@fasolo.debian.org>
and subject line Bug#843479: Removed package(s) from unstable
has caused the Debian Bug report #783721,
regarding dnssec-tools: dnssec-signzone behaviour changed; new signed zonefiles
unparseable by rollerd
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
783721: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783721
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dnssec-tools
Version: 1.13-1
Severity: grave
Justification: renders package unusable
After upgrading to jessie, rollerd will no longer start.
It appears that the format of the signed zonefile has changed:
---
xen:/etc/bind# for i in db.andrewg.signed db.stibium.signed; do echo $i;head
-16 $i; done
db.andrewg.signed
; File written on Mon Apr 27 10:40:38 2015
; dnssec_signzone version 9.9.5-9-Debian
andrewg.com. 86400 IN SOA xen.andrewg.com. root.xen.andrewg.com. (
2014120939 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
86400 RRSIG SOA 8 2 86400 (
20150527094038 20150427084038 11508
andrewg.com.
oA4xSft7iCqdaxGyjj1blI0E8WNRJlKa+KFK
72xOSPIk8cYp6hdKdTel93WMPNU7l11KLKrd
E8uIOumut9jIdKoxjJ1d+dQMJyKtfYAd0tJY
TwrtCq3TZOHF1Pzy1pNdg3sHD/3Rptt1AU3Y
kK/ng1ieUVww30ipx/UZH4VRewM= )
db.stibium.signed
; File written on Sat Apr 18 08:21:32 2015
; dnssec_signzone version 9.8.4-rpz2+rl005.12-P1
stibium.net. 86400 IN SOA xen.andrewg.com. root.xen.andrewg.com. (
2014120938 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
86400 RRSIG SOA 8 2 86400 20150518082132 (
20150418072132 53691 stibium.net.
IAgXJGD1LzFfi09VDGFtQ4YOTObK4rKEHcXR
KSZGMqB11fOxCYMiXd+jN3h2qGvsO9iEVS/b
uNc0nKT9XouiYhPEjmQG7774sT86hEnqs2To
eD17BrD8t5CtAgYrcfDtnUVyt5AV569qAy+1
3gupeYBrmn7gYsEkn5WhcivyAfM= )
xen:/etc/bind# service rollerd restart
Restarting DNSSEC-Tools rollerd: rollerdUNIVERSAL->import is deprecated and
will be removed in a future perl at
/usr/share/perl5/Net/DNS/SEC/Tools/tooloptions.pm line 19.
.
xen:/etc/bind# bad RRSIG data 1, line 10
...propagated at /usr/share/perl5/Net/DNS/ZoneFile/Fast.pm line 164,
<GEN0> line 10.
---
This may be related to #642772. Fedora has a possibly related patch here:
http://pkgs.fedoraproject.org/cgit/dnssec-tools.git/plain/dnssec-tools-zonefile-fast-new-bind-1.13.patch?id2=HEAD
Note that the regular expression around line 800 has changed to match three
sets
of digits rather than four, matching the zonefile format changes observed.
Andrew
-- System Information:
Debian Release: 8.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.18.5-x86-linode70 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages dnssec-tools depends on:
ii bind9utils 1:9.9.5.dfsg-9
ii libmailtools-perl 2.13-1
ii libnet-dns-perl 0.81-2
ii libnet-dns-sec-perl 0.21-1
ii libtimedate-perl 2.3000-2
ii perl 5.20.2-3
Versions of packages dnssec-tools recommends:
ii bind9 1:9.9.5.dfsg-9
dnssec-tools suggests no packages.
-- Configuration Files:
/etc/dnssec-tools/dnssec-tools.conf changed:
admin-email andr...@andrewg.com
keyarch /usr/sbin/keyarch
rollchk /usr/sbin/rollchk
zonesigner /usr/sbin/zonesigner
keygen /usr/sbin/dnssec-keygen
rndc /usr/sbin/rndc
zonecheck /usr/sbin/named-checkzone
zonesign /usr/sbin/dnssec-signzone
algorithm rsasha256
ksklength 2048
zsklength 1024
random /dev/urandom
usensec3 yes
nsec3iter 100
nsec3salt random:64
nsec3optout no
endtime +2592000 # RRSIGs good for thirty days.
lifespan-max 94608000
lifespan-min 3600
ksklife 31536000
zsklife 604800
archivedir /var/lib/dnssec-tools/archive
entropy_msg 1
savekeys 1
kskcount 1
zskcount 1
roll_loadzone 1
roll_logfile /var/log/dnssec-tools/rollerd.log
roll_loglevel phase
roll_phasemsg long
roll_sleeptime 3600
zone_errors 5
autosign 1
log_tz gmt
tacontact
tasmtpserver localhost
taresolvconf localhost
tatmpdir /var/run/dnssec-tools/trustman
usegui 0
/etc/dnssec-tools/dnssec-tools.rollrec changed:
roll "web"
zonename "web"
zonefile "db.web.signed"
keyrec "web.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:33 2015"
zsk_rollsecs "1429345293"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "test.web"
zonename "test.web"
zonefile "db.test.web.signed"
keyrec "test.web.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:32 2015"
zsk_rollsecs "1429345292"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "andrewg.com"
zonename "andrewg.com"
zonefile "db.andrewg.signed"
keyrec "andrewg.com.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "3"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:28 2015"
zsk_rollsecs "1429345288"
maxttl "86400"
display "1"
phasestart "Mon Apr 27 09:40:39 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "llagher.net"
zonename "llagher.net"
zonefile "db.llagher.signed"
keyrec "llagher.net.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:31 2015"
zsk_rollsecs "1429345291"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "stibium.net"
zonename "stibium.net"
zonefile "db.stibium.signed"
keyrec "stibium.net.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:32 2015"
zsk_rollsecs "1429345292"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "gatewaytheatre.org"
zonename "gatewaytheatre.org"
zonefile "db.gatewaytheatre.signed"
keyrec "gatewaytheatre.org.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:29 2015"
zsk_rollsecs "1429345289"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "hemispherepictures.com"
zonename "hemispherepictures.com"
zonefile "db.hemispherepictures.signed"
keyrec "hemispherepictures.com.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:30 2015"
zsk_rollsecs "1429345290"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "hemisphere-pictures.com"
zonename "hemisphere-pictures.com"
zonefile "db.hemisphere-pictures.signed"
keyrec "hemisphere-pictures.com.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:30 2015"
zsk_rollsecs "1429345290"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
-- no debconf information
--- End Message ---
--- Begin Message ---
Version: 2.2-2+rm
Dear submitter,
as the package dnssec-tools has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/843479
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---