Your message dated Sun, 25 Nov 2012 16:22:04 +0100
with message-id <[email protected]>
and subject line Re: Bug#666700: Net::DNS::SEC::Tools::keyrec.pm fails to
locate kskrev keypaths
has caused the Debian Bug report #666700,
regarding Net::DNS::SEC::Tools::keyrec.pm fails to locate kskrev keypaths
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
666700: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=666700
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dnssec-tools
Version: 1.7-3
Severity: important
File: /usr/share/perl5/Net/DNS/SEC/Tools/keyrec.pm
Tags: patch
When RFC5011 KSK revocation is enabled (the default), at some point after
KSK keys have been revoked, zonesigner fails with the following error:
dnssec-signzone: fatal: revoked KSK is not self signed
The problem is that zonesigner is not passing a -k argument to dnssec-signzone
with the revoked key. This appears to be because keyrec_keypaths() (from
Net::DNS::SEC::Tools::keyrec) is not finding the kskrev keypaths, which have
an additional level of indirection in their keyrec signing sets.
The attached patch attempts to correct this problem.
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-openvz-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages dnssec-tools depends on:
ii bind9utils 1:9.7.3.dfsg-1~squeeze4 Utilities for BIND
ii libnet-dns-perl 0.66-2 Perform DNS queries from a Perl sc
ii libnet-dns-sec-p 0.16-1 DNSSEC extension to NET::DNS
ii libtimedate-perl 1.2000-1 collection of modules to manipulat
ii perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction
Versions of packages dnssec-tools recommends:
ii bind9 1:9.7.3.dfsg-1~squeeze4 Internet Domain Name Server
dnssec-tools suggests no packages.
-- Configuration Files:
/etc/dnssec-tools/dnssec-tools.conf changed [not included]
-- no debconf information
--- /usr/share/perl5/Net/DNS/SEC/Tools/keyrec.pm 2010-06-25
08:42:00.000000000 -0700
+++ keyrec.pm 2012-03-31 18:09:37.000000000 -0700
@@ -704,15 +704,50 @@
foreach my $kn (split /[\s,]/, $keylist)
{
#
- # Verify that this key exists and is the right type.
+ # Verify that this key exists.
#
next if(!defined($keyrecs{$kn}));
- next if($keyrecs{$kn}{'keyrec_type'} ne $krt);
#
- # Push the key's path onto the path list.
+ # Maybe follow another level of indirection for kskrev sets.
#
- push @paths, $keyrecs{$kn}{'keypath'};
+ if ($krt eq "kskrev" && $keyrecs{$kn}{'set_type'} eq $krt) {
+ my $sset = $kn;
+
+ #
+ # Get and verify the key list.
+ #
+ next if(!defined($keyrecs{$sset}{'keys'}));
+ my $keylist = $keyrecs{$sset}{'keys'};
+
+ #
+ # Get the key's paths and add 'em to the path array.
+ #
+ foreach my $kn (split /[\s,]/, $keylist)
+ {
+ #
+ # Verify that this key exists and is the right
type.
+ #
+ next if(!defined($keyrecs{$kn}));
+ next if($keyrecs{$kn}{'keyrec_type'} ne $krt);
+
+ #
+ # Push the key's path onto the path list.
+ #
+ push @paths, $keyrecs{$kn}{'keypath'};
+ }
+ }
+ else {
+ #
+ # Verify that this key is the right type.
+ #
+ next if($keyrecs{$kn}{'keyrec_type'} ne $krt);
+
+ #
+ # Push the key's path onto the path list.
+ #
+ push @paths, $keyrecs{$kn}{'keypath'};
+ }
}
#
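Review bot: the new test `if ($krt eq "kskrev" && $keyrecs{$kn}{'set_type'} eq $krt)` compares `set_type` even when `$kn` names a plain key record that has no such field, so under `use warnings` every non-set kskrev entry triggers an "uninitialized value" warning; guard it with `defined($keyrecs{$kn}{'set_type'}) &&` or check `keyrec_type eq 'set'` first. The inner loop also redeclares `my $keylist` and `my $kn`, shadowing the outer loop's variables of the same name; it is legal Perl, but renaming them (for example `$subkeylist` and `$skn`) would make the two levels of indirection easier to tell apart. Note as well that the comment `# Verify that this key exists and is the right` is wrapped onto a following `type.` line with no leading `+`, so the hunk as shown here will not apply until that line is rejoined.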
--- End Message ---
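The lookup the bug report describes, as an added Python model rather than code from the dnssec-tools module or the Debian report: a signing set's `keys` field is a whitespace/comma separated list of record names, and for `kskrev` those names are further sets that in turn list the revoked key records. The keyrec dictionary, the record names and the key paths below are constructed; `keypaths_flat` reproduces the pre-patch behaviour of treating every listed name as a key record, and `keypaths_indirect` follows the extra level of indirection the patch adds.

```python
"""Model of the keyrec signing-set lookup from Debian bug #666700.

Constructed example, not the Net::DNS::SEC::Tools code.  It keeps the
field names the patch uses (keyrec_type, set_type, keys, keypath) and the
same separators as the Perl split /[\\s,]/.
"""
import re

SPLIT = re.compile(r"[\s,]")

# Constructed keyrec records; names, key tags and paths are made up.
KEYRECS = {
    # The kskcur signing set lists its key record directly.
    "example.com-signset-ksk-cur": {
        "keyrec_type": "set", "set_type": "kskcur",
        "keys": "Kexample.com.+008+11111",
    },
    "Kexample.com.+008+11111": {
        "keyrec_type": "kskcur",
        "keypath": "/etc/dnssec/Kexample.com.+008+11111.key",
    },
    # The kskrev signing set lists *other sets*, one per revoked key.
    "example.com-signset-ksk-rev": {
        "keyrec_type": "set", "set_type": "kskrev",
        "keys": "example.com-signset-ksk-rev-1, example.com-signset-ksk-rev-2",
    },
    "example.com-signset-ksk-rev-1": {
        "keyrec_type": "set", "set_type": "kskrev",
        "keys": "Kexample.com.+008+22222",
    },
    "example.com-signset-ksk-rev-2": {
        "keyrec_type": "set", "set_type": "kskrev",
        "keys": "Kexample.com.+008+33333",
    },
    "Kexample.com.+008+22222": {
        "keyrec_type": "kskrev",
        "keypath": "/etc/dnssec/Kexample.com.+008+22222.key",
    },
    "Kexample.com.+008+33333": {
        "keyrec_type": "kskrev",
        "keypath": "/etc/dnssec/Kexample.com.+008+33333.key",
    },
}


def _names(keylist):
    """Split a keyrec 'keys' field the way the Perl code does, dropping empties."""
    return [n for n in SPLIT.split(keylist) if n]


def keypaths_flat(keyrecs, setname, krt):
    """Pre-patch behaviour: every name in the set is expected to be a key record.

    For a kskrev set the names are nested sets, whose keyrec_type is 'set'
    rather than 'kskrev', so they are all skipped and nothing is returned.
    """
    paths = []
    for kn in _names(keyrecs[setname].get("keys", "")):
        rec = keyrecs.get(kn)
        if rec is None or rec.get("keyrec_type") != krt:
            continue
        paths.append(rec["keypath"])
    return paths


def keypaths_indirect(keyrecs, setname, krt):
    """Patched behaviour: for kskrev, a listed name may be a nested set.

    A nested set is recognised by set_type == krt and resolved one level
    deeper; any other name is handled exactly as before.
    """
    paths = []
    for kn in _names(keyrecs[setname].get("keys", "")):
        rec = keyrecs.get(kn)
        if rec is None:
            continue
        if krt == "kskrev" and rec.get("set_type") == krt:
            paths.extend(keypaths_flat(keyrecs, kn, krt))
        elif rec.get("keyrec_type") == krt:
            paths.append(rec["keypath"])
    return paths


def dropped_revoked_keys(keyrecs, setname):
    """Key paths the flat lookup loses: these never reach dnssec-signzone's -k."""
    found = set(keypaths_flat(keyrecs, setname, "kskrev"))
    return [p for p in keypaths_indirect(keyrecs, setname, "kskrev")
            if p not in found]


if __name__ == "__main__":
    print("flat    :", keypaths_flat(KEYRECS, "example.com-signset-ksk-rev", "kskrev"))
    print("indirect:", keypaths_indirect(KEYRECS, "example.com-signset-ksk-rev", "kskrev"))
    print("dropped :", dropped_revoked_keys(KEYRECS, "example.com-signset-ksk-rev"))
```

Run stand-alone, the flat lookup returns an empty list for the kskrev set while the indirect one returns both revoked key paths; the difference is exactly the set of revoked KSKs that zonesigner would fail to hand to dnssec-signzone, which is where the "revoked KSK is not self signed" failure originates.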
--- Begin Message ---
On Sun, Apr 01, 2012 at 05:41:41PM -0700, Rob Leslie wrote:
> I wasn’t able to test it thoroughly on my production system, but in my
> cursory review I didn’t see anything to suggest the keyrec_keypaths() routine
> from 1.12.1 is any smarter about the doubly-indirected kskrev keys.
I can confirm this being fixed at least in 1.13.1. (svn blame shows
your patch, Bob, dated 2007-11-01[1]. I have no clue how that works.)
Therefore I take the liberty to close this bug.
Sebastian
References
==========
1: http://dnssec-tools.svn.sourceforge.net/viewvc/dnssec-tools/trunk/dnssec-tools/tools/modules/keyrec.pm?r1=3695&r2=3785&pathrev=3785
--- End Message ---