Package: dnssec-tools
Version: 1.13-1
Severity: grave
Justification: renders package unusable
After upgrading to jessie, rollerd will no longer start.
It appears that the format of the signed zonefile has changed:
---
xen:/etc/bind# for i in db.andrewg.signed db.stibium.signed; do echo $i;head
-16 $i; done
db.andrewg.signed
; File written on Mon Apr 27 10:40:38 2015
; dnssec_signzone version 9.9.5-9-Debian
andrewg.com. 86400 IN SOA xen.andrewg.com. root.xen.andrewg.com. (
2014120939 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
86400 RRSIG SOA 8 2 86400 (
20150527094038 20150427084038 11508
andrewg.com.
oA4xSft7iCqdaxGyjj1blI0E8WNRJlKa+KFK
72xOSPIk8cYp6hdKdTel93WMPNU7l11KLKrd
E8uIOumut9jIdKoxjJ1d+dQMJyKtfYAd0tJY
TwrtCq3TZOHF1Pzy1pNdg3sHD/3Rptt1AU3Y
kK/ng1ieUVww30ipx/UZH4VRewM= )
db.stibium.signed
; File written on Sat Apr 18 08:21:32 2015
; dnssec_signzone version 9.8.4-rpz2+rl005.12-P1
stibium.net. 86400 IN SOA xen.andrewg.com. root.xen.andrewg.com. (
2014120938 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
86400 RRSIG SOA 8 2 86400 20150518082132 (
20150418072132 53691 stibium.net.
IAgXJGD1LzFfi09VDGFtQ4YOTObK4rKEHcXR
KSZGMqB11fOxCYMiXd+jN3h2qGvsO9iEVS/b
uNc0nKT9XouiYhPEjmQG7774sT86hEnqs2To
eD17BrD8t5CtAgYrcfDtnUVyt5AV569qAy+1
3gupeYBrmn7gYsEkn5WhcivyAfM= )
xen:/etc/bind# service rollerd restart
Restarting DNSSEC-Tools rollerd: rollerdUNIVERSAL->import is deprecated and
will be removed in a future perl at
/usr/share/perl5/Net/DNS/SEC/Tools/tooloptions.pm line 19.
.
xen:/etc/bind# bad RRSIG data 1, line 10
...propagated at /usr/share/perl5/Net/DNS/ZoneFile/Fast.pm line 164,
<GEN0> line 10.
---
This may be related to #642772. Fedora has a possibly related patch here:
http://pkgs.fedoraproject.org/cgit/dnssec-tools.git/plain/dnssec-tools-zonefile-fast-new-bind-1.13.patch?id2=HEAD
Note that the regular expression around line 800 has changed to match three
sets
of digits rather than four, matching the zonefile format changes observed.
Andrew
-- System Information:
Debian Release: 8.0
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 3.18.5-x86-linode70 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
Versions of packages dnssec-tools depends on:
ii bind9utils 1:9.9.5.dfsg-9
ii libmailtools-perl 2.13-1
ii libnet-dns-perl 0.81-2
ii libnet-dns-sec-perl 0.21-1
ii libtimedate-perl 2.3000-2
ii perl 5.20.2-3
Versions of packages dnssec-tools recommends:
ii bind9 1:9.9.5.dfsg-9
dnssec-tools suggests no packages.
-- Configuration Files:
/etc/dnssec-tools/dnssec-tools.conf changed:
admin-email andr...@andrewg.com
keyarch /usr/sbin/keyarch
rollchk /usr/sbin/rollchk
zonesigner /usr/sbin/zonesigner
keygen /usr/sbin/dnssec-keygen
rndc /usr/sbin/rndc
zonecheck /usr/sbin/named-checkzone
zonesign /usr/sbin/dnssec-signzone
algorithm rsasha256
ksklength 2048
zsklength 1024
random /dev/urandom
usensec3 yes
nsec3iter 100
nsec3salt random:64
nsec3optout no
endtime +2592000 # RRSIGs good for thirty days.
lifespan-max 94608000
lifespan-min 3600
ksklife 31536000
zsklife 604800
archivedir /var/lib/dnssec-tools/archive
entropy_msg 1
savekeys 1
kskcount 1
zskcount 1
roll_loadzone 1
roll_logfile /var/log/dnssec-tools/rollerd.log
roll_loglevel phase
roll_phasemsg long
roll_sleeptime 3600
zone_errors 5
autosign 1
log_tz gmt
tacontact
tasmtpserver localhost
taresolvconf localhost
tatmpdir /var/run/dnssec-tools/trustman
usegui 0
/etc/dnssec-tools/dnssec-tools.rollrec changed:
roll "web"
zonename "web"
zonefile "db.web.signed"
keyrec "web.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:33 2015"
zsk_rollsecs "1429345293"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "test.web"
zonename "test.web"
zonefile "db.test.web.signed"
keyrec "test.web.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:32 2015"
zsk_rollsecs "1429345292"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "andrewg.com"
zonename "andrewg.com"
zonefile "db.andrewg.signed"
keyrec "andrewg.com.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "3"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:28 2015"
zsk_rollsecs "1429345288"
maxttl "86400"
display "1"
phasestart "Mon Apr 27 09:40:39 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "llagher.net"
zonename "llagher.net"
zonefile "db.llagher.signed"
keyrec "llagher.net.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:31 2015"
zsk_rollsecs "1429345291"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "stibium.net"
zonename "stibium.net"
zonefile "db.stibium.signed"
keyrec "stibium.net.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:32 2015"
zsk_rollsecs "1429345292"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "gatewaytheatre.org"
zonename "gatewaytheatre.org"
zonefile "db.gatewaytheatre.signed"
keyrec "gatewaytheatre.org.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:29 2015"
zsk_rollsecs "1429345289"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "hemispherepictures.com"
zonename "hemispherepictures.com"
zonefile "db.hemispherepictures.signed"
keyrec "hemispherepictures.com.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:30 2015"
zsk_rollsecs "1429345290"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
roll "hemisphere-pictures.com"
zonename "hemisphere-pictures.com"
zonefile "db.hemisphere-pictures.signed"
keyrec "hemisphere-pictures.com.krf"
directory "/etc/bind"
administrator "root@localhost"
kskphase "0"
zskphase "1"
ksk_rolldate "Sun Dec 7 02:10:42 2014"
ksk_rollsecs "1417918242"
zsk_rolldate "Sat Apr 18 08:21:30 2015"
zsk_rollsecs "1429345290"
maxttl "86400"
display "1"
phasestart "Sat Apr 25 09:36:08 2015"
# optional records for RFC5011 rolling:
istrustanchor "no"
holddowntime "60D"
-- no debconf information
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
