Your message dated Thu, 21 Jan 2021 14:47:27 +0100
with message-id <[email protected]>
and subject line Re: Bug#966422: bind9utils: dnssec-signzone -N unixtime 
behaves like increment
has caused the Debian Bug report #966422,
regarding bind9utils: dnssec-signzone -N unixtime behaves like increment
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
966422: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=966422
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9utils
Version: 1:9.11.5.P4+dfsg-5.1+deb10u1
Severity: important

Dear Maintainer,

I recently upgraded from Debian 9.13 to 10.4. Starting from this date 
"dnssec-signzone -N unixtime" does not work any more causing my DNS slaves to 
fail receiving changes.

With Debian 9 "dnssec-signzone -N unixtime" uses the current unix timestamp as 
the serial number for the generated signed zone, however, with the version 
shipped with Debian 10 the serial number is just incremented from the to be 
signed zone file. As I use a common zone-template for a huge number of zones, 
every further signing of the template will use the very same serial number 
(template serial number + 1).

I use the following command to sign my zones (using a script):
 /usr/sbin/dnssec-signzone -o ZONE.TLD. -e +1209600 -N unixtime zone.db K*.private

I don't get any warning or error. I checked that "-N date" uses the current 
date, however, "date" does not fit the needs of my scenario (see above). Using 
"-N something" causes an error.

Best,
 Sven

-- System Information:
Debian Release: 10.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-1-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bind9utils depends on:
ii  libbind9-161      1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libc6             2.28-10
ii  libcap2           1:2.25-2
ii  libcom-err2       1.44.5-1+deb10u3
ii  libdns1104        1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libfstrm0         0.4.0-1
ii  libgeoip1         1.6.12-1
ii  libgssapi-krb5-2  1.17-3
ii  libisc1100        1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libisccc161       1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libisccfg163      1:9.11.5.P4+dfsg-5.1+deb10u1
ii  libjson-c3        0.12.1+ds-2
ii  libk5crypto3      1.17-3
ii  libkrb5-3         1.17-3
ii  liblmdb0          0.9.22-1
ii  libprotobuf-c1    1.3.1-1+b1
ii  libssl1.1         1.1.1d-0+deb10u3
ii  libxml2           2.9.4+dfsg1-7+b3
ii  python3           3.7.3-1
ii  python3-ply       3.11-3

bind9utils recommends no packages.

bind9utils suggests no packages.

-- no debconf information

--- End Message ---
--- Begin Message ---
Version: 1:9.16.11-1

On 29/07/20 05:45 PM, Sven Strickroth wrote:
> > Please report this upstream at
> > https://gitlab.isc.org/isc-projects/bind9/-/issues . When you have a
> > bugid feel free to report back so we can tag this bug accordingly.
> 
> Reported upstream: <https://gitlab.isc.org/isc-projects/bind9/-/issues/2058>

From the 9.16.11 release notes

---
When using the unixtime or date method to update the SOA serial number,
named and dnssec-signzone silently fell back to the increment method to
prevent the new serial number from being smaller than the old serial
number (using serial number arithmetics). dnssec-signzone now prints a
warning message, and named logs a warning, when such a fallback happens.
[GL #2058]
---

Bernhard

--- End Message ---
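
The fallback described in the 9.16.11 release note, modeled as an added example (not part of the original messages and not BIND's own code). It shows how a template serial that is larger than the current Unix time, such as a YYYYMMDDNN-style value, yields "template serial + 1" on every signing run; the serials and timestamps below are constructed, since the report does not give the actual template serial.

```python
"""Model of the unixtime -> increment SOA serial fallback (RFC 1982 arithmetic)."""

MOD = 1 << 32    # SOA serials are 32-bit
HALF = 1 << 31   # RFC 1982 comparison window


def serial_gt(a, b):
    """RFC 1982: True if serial a is 'greater than' serial b, modulo 2**32."""
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def next_serial(old, now):
    """Return (new_serial, method_used) for a '-N unixtime' style update.

    Assumption taken from the release note: unixtime is used only when it
    moves the serial forward; otherwise the update falls back to increment.
    """
    if serial_gt(now, old):
        return now % MOD, "unixtime"
    return (old + 1) % MOD, "increment"


def signing_runs(template_serial, timestamps):
    """Serial produced by each run that re-signs the same unsigned template."""
    return [next_serial(template_serial, t) for t in timestamps]


if __name__ == "__main__":
    # Constructed values: a date-style template serial and two signing times.
    template = 2020072901
    runs = [1596037500, 1596037500 + 86400]
    for when, (serial, method) in zip(runs, signing_runs(template, runs)):
        print(f"signed at {when}: serial {serial} via {method}")
    # A small template serial (constructed) lets unixtime take effect.
    print(next_serial(1, 1596037500))
```

Running the same check against the template's serial before signing tells you whether secondaries will see a new serial; from 9.16.11 on, dnssec-signzone prints a warning in the fallback case itself.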
