Package: bind9utils
Version: 1:9.9.5.dfsg-9+deb8u8
Severity: normal

Dear Maintainer,

I am trying to use dnssec-keygen to generate successor keys for a KSK rollover on my DNSSEC signed zone. When using dnssec-keygen with the -S operator, specifying the current KSK, the successor KSK is generated as a 'stub' file. This file contains only metadata, no key content, and is given the key ID 00000.

After testing, I have determined that this occurs when attempting to roll over ECDSAP384SHA384 and ECDSAP256SHA256 keys. RSA key rollovers work as expected.

Attached is terminal output of my testing to replicate the bug:

a) Generate ECDSAP384SHA384 KSK & ZSK
b) Amend timing data of KSK
c) Attempt to generate successor key - fails - invalid stub keyfile generated

Repeat the above with an RSA KSK & ZSK - works OK, valid key generated.
Repeat the above with an ECDSAP256SHA256 KSK & ZSK - fails.

Begin terminal output:
----------------------
root@rpi:/var/lib/bind/zones# cd internal/
root@rpi:/var/lib/bind/zones/internal# mkdir example.com/
root@rpi:/var/lib/bind/zones/internal# cd example.com/
root@rpi:/var/lib/bind/zones/internal/example.com# ls
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-keygen -a ECDSAP384SHA384 -3 -n ZONE -c IN -r /dev/urandom -P now -A now example.com
Generating key pair.
Kexample.com.+014+15094
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-keygen -a ECDSAP384SHA384 -3 -n ZONE -c IN -r /dev/urandom -P now -A now -f KSK example.com
Generating key pair.
Kexample.com.+014+61808
root@rpi:/var/lib/bind/zones/internal/example.com# ls
Kexample.com.+014+15094.key      Kexample.com.+014+61808.key
Kexample.com.+014+15094.private  Kexample.com.+014+61808.private
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-settime -I 20170110 -D 20170110 Kexample.com.+014+61808
./Kexample.com.+014+61808.key
./Kexample.com.+014+61808.private
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-keygen -S Kexample.com.+014+61808 -i 2d
Generating key pair.
Kexample.com.+014+00000
root@rpi:/var/lib/bind/zones/internal/example.com# ls
Kexample.com.+014+00000.key  Kexample.com.+014+61808.key
Kexample.com.+014+15094.key  Kexample.com.+014+61808.private
Kexample.com.+014+15094.private
root@rpi:/var/lib/bind/zones/internal/example.com# rm *
root@rpi:/var/lib/bind/zones/internal/example.com# ls
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-keygen -a RSASHA256 -b 2048 -f KSK example.com
Generating key pair...+++..............................................................................................................................................................+++
Kexample.com.+008+60019
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-keygen -a RSASHA256 -b 1024 example.com
Generating key pair..........++++++ ......................................................++++++
Kexample.com.+008+34614
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-settime -I 20170110 -D 20170110 Kexample.com.+008+60019
./Kexample.com.+008+60019.key
./Kexample.com.+008+60019.private
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-keygen -S Kexample.com.+008+60019 -i 2d
Generating key pair......................................................+++ ...........................+++
Kexample.com.+008+00439
root@rpi:/var/lib/bind/zones/internal/example.com# rm *
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com
Generating key pair.
Kexample.com.+013+35490
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-keygen -a ECDSAP256SHA256 example.com
Generating key pair.
Kexample.com.+013+41709
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-settime -I 20170110 -D 20170110 Kexample.com.+013+35490
./Kexample.com.+013+35490.key
./Kexample.com.+013+35490.private
root@rpi:/var/lib/bind/zones/internal/example.com# dnssec-keygen -S Kexample.com.+013+35490 -i 2d
Generating key pair.
Kexample.com.+013+00000
-------------------
End terminal output

Sample output of 'stub' keyfile:

; This is a key-signing key, keyid 0, for example.com.
; Created: 20170107010646 (Sat Jan  7 01:06:46 2017)
; Publish: 20170108000000 (Sun Jan  8 00:00:00 2017)
; Activate: 20170110000000 (Tue Jan 10 00:00:00 2017)
example.com. IN DNSKEY 49409 3 13

-- System Information:
Distributor ID: Raspbian
Description:    Raspbian GNU/Linux 8.0 (jessie)
Release:        8.0
Codename:       jessie
Architecture: armv7l

Kernel: Linux 4.4.26-v7+ (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bind9utils depends on:
ii  libbind9-90                            1:9.9.5.dfsg-9+deb8u8
ii  libc6                                  2.19-18+deb8u6
ii  libcap2                                1:2.24-8
ii  libcomerr2                             1.42.12-2
ii  libdns100                              1:9.9.5.dfsg-9+deb8u8
ii  libgssapi-krb5-2                       1.12.1+dfsg-19+deb8u2
ii  libisc95                               1:9.9.5.dfsg-9+deb8u8
ii  libisccc90                             1:9.9.5.dfsg-9+deb8u8
ii  libisccfg90                            1:9.9.5.dfsg-9+deb8u8
ii  libk5crypto3                           1.12.1+dfsg-19+deb8u2
ii  libkrb5-3                              1.12.1+dfsg-19+deb8u2
ii  libpython2.7-stdlib [python-argparse]  2.7.9-2+deb8u1
ii  libssl1.0.0                            1.0.1t-1+deb8u5
ii  libxml2                                2.9.1+dfsg1-5+deb8u4
ii  python                                 2.7.9-1

bind9utils recommends no packages.

bind9utils suggests no packages.

-- no debconf information
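A sanity check a zone operator can run over the files dnssec-keygen -S writes before a rollover continues, added here as an example and not part of the bug report or of BIND: it flags the stub described above (a DNSKEY record with no key material and key ID 00000) and also verifies that the key ID in the file name matches the RFC 4034 key tag computed from the record. The sample inputs are constructed; the well-formed record uses a made-up four-byte public key rather than a real ECDSA key.

```python
import base64
import re

NAME_RE = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over wire-format DNSKEY RDATA (not alg 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(text: str):
    """First DNSKEY record as (flags, protocol, algorithm, key bytes or b'')."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
            continue
        fields = tokens[tokens.index("DNSKEY") + 1:]
        if len(fields) < 3:
            raise ValueError("truncated DNSKEY record: %r" % line)
        flags, proto, alg = (int(f) for f in fields[:3])
        key = base64.b64decode("".join(fields[3:])) if len(fields) > 3 else b""
        return flags, proto, alg, key
    raise ValueError("no DNSKEY record found")

def check_keyfile(filename: str, text: str) -> list:
    """Return the list of problems; an empty list means the file is usable."""
    m = NAME_RE.match(filename)
    if not m:
        return ["file name is not of the form K<zone>+<alg>+<id>.key"]
    flags, proto, alg, key = parse_dnskey(text)
    problems = []
    if not key:
        problems.append("DNSKEY carries no public key material (stub file)")
    if m.group("tag") == "00000":
        problems.append("key ID in file name is 00000")
    if key:  # the tag is only meaningful when there is key material to hash
        tag = key_tag(flags.to_bytes(2, "big") + bytes([proto, alg]) + key)
        if tag != int(m.group("tag")):
            problems.append("key tag mismatch: name %s, RDATA %05d" % (m.group("tag"), tag))
    return problems

# Constructed samples: the stub from the report, and a well-formed record with a
# made-up 4-byte public key (01 02 03 04) whose RFC 4034 key tag is 02068.
STUB_NAME = "Kexample.com.+013+00000.key"
STUB_TEXT = "; This is a key-signing key, keyid 0, for example.com.\nexample.com. IN DNSKEY 49409 3 13\n"
GOOD_NAME = "Kexample.com.+013+02068.key"
GOOD_TEXT = "example.com. IN DNSKEY 257 3 13 AQIDBA==\n"
```

Running `check_keyfile` over every `K*.key` in the zone directory after the `-S` step makes a stub like `Kexample.com.+013+00000.key` fail loudly instead of being picked up by the signer.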