Your message dated Wed, 6 Jul 2022 07:29:53 +0200 with message-id <[email protected]> and subject line dnssec-coverage removed in favor of dnssec-policy has caused the Debian Bug report #911785, regarding dnssec-coverage complains about issues in the past to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
911785: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911785
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bind9utils
Version: 1:9.10.3.dfsg.P4-12.3+deb9u4
Severity: normal
Tags: patch

We regularly rotate our ZSKs, and just recently we started removing old .key files from our keydir. The oldest remaining ZSK now has a published date in the past, and an activation date also in the past but after the publish date. (Previously, the oldest ZSK was the *first* ZSK, and it had publish and activate at the same time.)

dnssec-coverage complains about this:

| Checking scheduled ZSK events for zone debian.nl, algorithm RSASHA256...
| Wed Jul 11 12:07:03 UTC 2018:
| Publish: debian.nl/008/17304 (ZSK)
| ERROR: No ZSK's are active after this event

for

; This is a zone-signing key, keyid 17304, for debian.nl.
; Created: 20180211121307 (Sun Feb 11 12:13:07 2018)
; Publish: 20180711120703 (Wed Jul 11 12:07:03 2018)
; Activate: 20180810120703 (Fri Aug 10 12:07:03 2018)
; Inactive: 20181208120703 (Sat Dec 8 12:07:03 2018)
; Delete: 20190107120703 (Mon Jan 7 12:07:03 2019)
[..key..]

; This is a zone-signing key, keyid 29616, for debian.nl.
; Created: 20180612045523 (Tue Jun 12 04:55:23 2018)
; Publish: 20181108120703 (Thu Nov 8 12:07:03 2018)
; Activate: 20181208120703 (Sat Dec 8 12:07:03 2018)
; Inactive: 20190407120703 (Sun Apr 7 12:07:03 2019)
; Delete: 20190507120703 (Tue May 7 12:07:03 2019)
[..key..]

; This is a zone-signing key, keyid 37155, for debian.nl.
; Created: 20181009121102 (Tue Oct 9 12:11:02 2018)
; Publish: 20190308120703 (Fri Mar 8 12:07:03 2019)
; Activate: 20190407120703 (Sun Apr 7 12:07:03 2019)
; Inactive: 20190805120703 (Mon Aug 5 12:07:03 2019)
; Delete: 20190904120703 (Wed Sep 4 12:07:03 2019)
[..key..]

I propose dnssec-coverage ignore cases of no active/publish/active&published that happened in the past.

--- /usr/sbin/dnssec-coverage 2018-01-15 21:40:17.000000000 +0000 +++ /srv/dns.debian.org/bin/dnssec-coverage 2018-10-24 18:24:01.216562896 +0000 
@@ -15,6 +15,10 @@ # PERFORMANCE OF THIS SOFTWARE. ############################################################################ +# changes 2018-10-24, Peter Palfrader +# - ignore "errors" in the past (like no active keys) +# as that can result from retiring old (and deleted) keyfiles + import argparse import os import glob @@ -23,6 +27,7 @@ import time import calendar from collections import defaultdict +from itertools import zip_longest import pprint prog='dnssec-coverage' @@ -531,7 +536,7 @@ if eventgroup: eventgroups.append(eventgroup) - for eventgroup in eventgroups: + for eventgroup, next_eventgroup in zip_longest(eventgroups, eventgroups[1:]): if (args.checklimit and calendar.timegm(eventgroup[0].when) > args.checklimit): print("Ignoring events after %s" % 
@@ -545,18 +550,19 @@ list_events(eventgroup) # and then check for inconsistencies: + + # but do not bail out on inconsistencies in the past that may be the result of keys that got retired + bygones = next_eventgroup is not None and calendar.timegm(next_eventgroup[0].when) < time.time() if len(active) == 0: - print ("ERROR: No %s's are active after this event" % keytype) - return False + print ("%s: No %s's are active after this event" %(['ERROR', 'INFO'][bygones], keytype)) + if not bygones: return False elif len(published) == 0: - sys.stdout.write("ERROR: ") - print ("ERROR: No %s's are published after this event" % keytype) - return False + print ("%s: No %s's are published after this event" % (['ERROR', 'INFO'][bygones], keytype)) + if not bygones: return False elif len(published.intersection(active)) == 0: - sys.stdout.write("ERROR: ") - print (("ERROR: No %s's are both active and published " + - "after this event") % keytype) - return False + print (("%s: No %s's are both active and published " + + "after this event") % (['ERROR', 'INFO'][bygones], keytype)) + if not bygones: return False if not eventsfound: print ("ERROR: No %s events found in '%s'" % -- | .''`. ** Debian ** Peter Palfrader | : :' : The universal https://www.palfrader.org/ | `. `' Operating System | `- https://www.debian.org/
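Review bot: `from itertools import zip_longest` in the import hunk (@@ -23,6 +27,7) exists only on Python 3; on Python 2 the function is named `izip_longest`, so the script would fail at import time there. If the script is still expected to run under Python 2, wrap the import in a try/except fallback, or drop it and loop over indices, looking up `eventgroups[i + 1]` when it exists.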
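Review bot: in the last hunk (@@ -545,18 +550,19) `bygones` is computed from the time of the next event group rather than the current one, and the added comment does not say why. It should state that the condition reported "after this event" holds until the next event, so it only counts as past once that next event is also in the past, and that the final event group (where `next_eventgroup` is None) is therefore never downgraded to INFO. The `['ERROR', 'INFO'][bygones]` list-indexed-by-bool appears three times; computing it once, for example `level = 'INFO' if bygones else 'ERROR'`, and putting `return False` on its own line under `if not bygones:` would be easier to read.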
--- End Message ---
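The situation in the report, worked through as an added example (not part of the original message and not dnssec-coverage code): it takes the timing metadata of the three quoted key files and lists the intervals between events in which no ZSK is active, marking those that ended before a reference time. The function names, the restriction to the "active" check only, and the reference time (the patch's own timestamp, 2018-10-24 18:24:01 UTC) are assumptions of this example.

```python
import calendar
import time

# Timing metadata copied from the three key files quoted in the report.
KEYS = {
    17304: {"Publish": "20180711120703", "Activate": "20180810120703",
            "Inactive": "20181208120703", "Delete": "20190107120703"},
    29616: {"Publish": "20181108120703", "Activate": "20181208120703",
            "Inactive": "20190407120703", "Delete": "20190507120703"},
    37155: {"Publish": "20190308120703", "Activate": "20190407120703",
            "Inactive": "20190805120703", "Delete": "20190904120703"},
}


def ts(stamp):
    """Convert a key-file timestamp (YYYYMMDDHHMMSS, UTC) to epoch seconds."""
    return calendar.timegm(time.strptime(stamp, "%Y%m%d%H%M%S"))


def coverage_gaps(keys, now):
    """Return (start, end, is_past) for each interval with no active key.

    An interval runs from one timing event to the next. It is marked as
    past when the event that ends it lies before `now`, which is the
    same test the patch applies to the next event group.
    """
    events = sorted({ts(v) for meta in keys.values() for v in meta.values()})
    gaps = []
    for start, end in zip(events, events[1:]):
        active = [kid for kid, meta in keys.items()
                  if ts(meta["Activate"]) <= start < ts(meta["Inactive"])]
        if not active:
            gaps.append((start, end, end < now))
    return gaps


if __name__ == "__main__":
    now = ts("20181024182401")  # assumed reference time: the patch's timestamp
    for start, end, is_past in coverage_gaps(KEYS, now):
        level = "INFO" if is_past else "ERROR"
        fmt = "%Y-%m-%d %H:%M:%S"
        print("%s: no ZSK active from %s to %s" % (
            level,
            time.strftime(fmt, time.gmtime(start)),
            time.strftime(fmt, time.gmtime(end))))
```

The first gap is the publish-before-activate window of key 17304 that the report describes; the second, after key 37155 goes inactive, is still in the future at the reference time and so stays an error.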
--- Begin Message ---
Version: 1:9.16.0-1

Hi,

the dnssec-keymgr/dnssec-coverage has been removed in favor of dnssec-policy in 9.16.0+, so I am closing the bug.

Ondrej
--
Ondřej Surý (He/Him)
[email protected]
--- End Message ---

