Hi Rob,

thanks for the bug report and for the patch. Would it be possible for
you to check if version 1.12.1 (which will be uploaded to unstable just
now) suffers from the same behaviour? If that's the case I would like
to report the bug upstream.

O.

On Sun, Apr 1, 2012 at 03:55, Rob Leslie <r...@mars.org> wrote:
> Package: dnssec-tools
> Version: 1.7-3
> Severity: important
> File: /usr/share/perl5/Net/DNS/SEC/Tools/keyrec.pm
> Tags: patch
>
> When RFC5011 KSK revocation is enabled (the default), at some point after
> KSK keys have been revoked, zonesigner fails with the following error:
>
>    dnssec-signzone: fatal: revoked KSK is not self signed
>
> The problem is that zonesigner is not passing a -k argument to dnssec-signzone
> with the revoked key. This appears to be because keyrec_keypaths() (from
> Net::DNS::SEC::Tools::keyrec) is not finding the kskrev keypaths, which have
> an additional level of indirection in their keyrec signing sets.
>
> The attached patch attempts to correct this problem.
>
>
> -- System Information:
> Debian Release: 6.0.4
>  APT prefers stable-updates
>  APT policy: (500, 'stable-updates'), (500, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.32-5-openvz-686 (SMP w/2 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages dnssec-tools depends on:
> ii  bind9utils       1:9.7.3.dfsg-1~squeeze4 Utilities for BIND
> ii  libnet-dns-perl  0.66-2                  Perform DNS queries from a Perl sc
> ii  libnet-dns-sec-p 0.16-1                  DNSSEC extension to NET::DNS
> ii  libtimedate-perl 1.2000-1                collection of modules to manipulat
> ii  perl             5.10.1-17squeeze3       Larry Wall's Practical Extraction
>
> Versions of packages dnssec-tools recommends:
> ii  bind9            1:9.7.3.dfsg-1~squeeze4 Internet Domain Name Server
>
> dnssec-tools suggests no packages.
>
> -- Configuration Files:
> /etc/dnssec-tools/dnssec-tools.conf changed [not included]
>
> -- no debconf information



-- 
Ondřej Surý <ond...@sury.org>


