Package: bind9utils
Version: 1:9.10.3.dfsg.P4-12.3+deb9u4
Severity: normal
Tags: patch

We regularly rotate our ZSKs, and just recently we started removing old
.key files from our keydir.

The oldest remaining ZSK now has a published date in the past, and an
activation date also in the past but after the publish date.
  (Previously, the oldest ZSK was the *first* ZSK, and it had publish
   and activate at the same time.)

dnssec-coverage complains about this:

| Checking scheduled ZSK events for zone debian.nl, algorithm RSASHA256...
|   Wed Jul 11 12:07:03 UTC 2018:
|     Publish: debian.nl/008/17304 (ZSK)
| ERROR: No ZSK's are active after this event

for
; This is a zone-signing key, keyid 17304, for debian.nl.
; Created: 20180211121307 (Sun Feb 11 12:13:07 2018)
; Publish: 20180711120703 (Wed Jul 11 12:07:03 2018)
; Activate: 20180810120703 (Fri Aug 10 12:07:03 2018)
; Inactive: 20181208120703 (Sat Dec  8 12:07:03 2018)
; Delete: 20190107120703 (Mon Jan  7 12:07:03 2019)
[..key..]

; This is a zone-signing key, keyid 29616, for debian.nl.
; Created: 20180612045523 (Tue Jun 12 04:55:23 2018)
; Publish: 20181108120703 (Thu Nov  8 12:07:03 2018)
; Activate: 20181208120703 (Sat Dec  8 12:07:03 2018)
; Inactive: 20190407120703 (Sun Apr  7 12:07:03 2019)
; Delete: 20190507120703 (Tue May  7 12:07:03 2019)
[..key..]

; This is a zone-signing key, keyid 37155, for debian.nl.
; Created: 20181009121102 (Tue Oct  9 12:11:02 2018)
; Publish: 20190308120703 (Fri Mar  8 12:07:03 2019)
; Activate: 20190407120703 (Sun Apr  7 12:07:03 2019)
; Inactive: 20190805120703 (Mon Aug  5 12:07:03 2019)
; Delete: 20190904120703 (Wed Sep  4 12:07:03 2019)
[..key..]

I propose that dnssec-coverage ignore cases of no active / no published /
no active&published keys that happened in the past.


--- /usr/sbin/dnssec-coverage   2018-01-15 21:40:17.000000000 +0000
+++ /srv/dns.debian.org/bin/dnssec-coverage     2018-10-24 18:24:01.216562896 
+0000
@@ -15,6 +15,10 @@
 # PERFORMANCE OF THIS SOFTWARE.
 ############################################################################
 
+# changes 2018-10-24, Peter Palfrader
+#  - ignore "errors" in the past (like no active keys)
+#    as that can result from retiring old (and deleted) keyfiles
+
 import argparse
 import os
 import glob
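Review bot: the change note says past inconsistencies are "ignored", but the code further down does not ignore them, it still prints them, relabelled from ERROR to INFO, and only stops returning False for them; say so here (e.g. "report ... as INFO instead of ERROR and do not fail the check") so the note matches the behaviour, and mention the other change in the same patch, the removal of the doubled "ERROR: ERROR:" prefix, since a reader of this header would not expect it.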
@@ -23,6 +27,7 @@
 import time
 import calendar
 from collections import defaultdict
+from itertools import zip_longest
 import pprint
 
 prog='dnssec-coverage'
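Review bot: `zip_longest` is the Python 3 name; if this script is still run under Python 2 (the `print (...)`-with-a-space style in the rest of the file suggests it was written to work on both), this import raises ImportError at startup because Python 2's itertools only has `izip_longest`. If both interpreters matter, guard it: `try: from itertools import zip_longest` / `except ImportError: from itertools import izip_longest as zip_longest`, or avoid the import altogether with an index-based lookahead in the loop.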
@@ -531,7 +536,7 @@
     if eventgroup:
         eventgroups.append(eventgroup)
 
-    for eventgroup in eventgroups:
+    for eventgroup, next_eventgroup in zip_longest(eventgroups, 
eventgroups[1:]):
         if (args.checklimit and
             calendar.timegm(eventgroup[0].when) > args.checklimit):
             print("Ignoring events after %s" %
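Review bot: pairing `eventgroups` with `eventgroups[1:]` via `zip_longest` so the last group gets `next_eventgroup = None` works, but since `eventgroups` is a plain list the same lookahead needs no new import: `for i, eventgroup in enumerate(eventgroups):` followed by `next_eventgroup = eventgroups[i + 1] if i + 1 < len(eventgroups) else None`. Either way, add a one-line comment at the loop that `next_eventgroup` is only used to decide whether the window after this event has already closed, since the name alone does not say why the loop now carries two groups.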
@@ -545,18 +550,19 @@
         list_events(eventgroup)
 
         # and then check for inconsistencies:
+
+        # but do not bail out on inconsistencies in the past that may be the 
result of keys that got retired
+        bygones = next_eventgroup is not None and 
calendar.timegm(next_eventgroup[0].when) < time.time()
         if len(active) == 0:
-            print ("ERROR: No %s's are active after this event" % keytype)
-            return False
+            print ("%s: No %s's are active after this event" %(['ERROR', 
'INFO'][bygones], keytype))
+            if not bygones: return False
         elif len(published) == 0:
-            sys.stdout.write("ERROR: ")
-            print ("ERROR: No %s's are published after this event" % keytype)
-            return False
+            print ("%s: No %s's are published after this event" % (['ERROR', 
'INFO'][bygones], keytype))
+            if not bygones: return False
         elif len(published.intersection(active)) == 0:
-            sys.stdout.write("ERROR: ")
-            print (("ERROR: No %s's are both active and published " +
-                    "after this event") % keytype)
-            return False
+            print (("%s: No %s's are both active and published " +
+                    "after this event") % (['ERROR', 'INFO'][bygones], 
keytype))
+            if not bygones: return False
 
     if not eventsfound:
         print ("ERROR: No %s events found in '%s'" %
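Review bot: `bygones` keys on the time of the *next* event group rather than this one, so a gap that opened in the past but whose closing event (the next Activate/Publish) is still in the future is still an ERROR; that is the right call, because the zone is uncovered right now, but it differs from the "in the past" wording of the change note and of the report, so spell it out in the comment above the assignment ("the window after this event has already closed"). Two smaller points: compute the label once before the chain, `level = 'INFO' if bygones else 'ERROR'`, instead of repeating `['ERROR', 'INFO'][bygones]` three times (indexing a list with a bool reads as a trick), and call `time.time()` once outside the loop so every group is judged against the same instant. The dropped `sys.stdout.write("ERROR: ")` lines fix a pre-existing doubled "ERROR: ERROR:" prefix in the second and third branches; fine to keep, but it is a separate fix and belongs in the change note.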

-- 
                            |  .''`.       ** Debian **
      Peter Palfrader       | : :' :      The  universal
 https://www.palfrader.org/ | `. `'      Operating System
                            |   `-    https://www.debian.org/
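As an added example (not dnssec-coverage's own code and not the reporter's patch), here is a small Python re-implementation of the part of the check that matters for this report: parse the timing comments of the three key files quoted above (constructed input, key material omitted), replay the Publish/Activate/Inactive/Delete events in time order, and after each instant report whether some ZSK is still active, published, and both. It applies the patch's rule that a gap whose closing event already lies before "now" is reported as INFO rather than ERROR. The function names and the choice of NOW (the patch date, 2018-10-24) are assumptions of this example. On the page's data the first finding is the Jul 11 gap from the report, downgraded to INFO; the two at the end of the last key's lifetime stay ERROR, and the final one stays ERROR whatever the clock says, because no later event ever closes it.

```python
import calendar
import re
import time
from itertools import groupby

# Constructed input: the timing comments of the three ZSK files quoted in the
# report (key material omitted, as on the page).  Added example, not
# dnssec-coverage's own code.
KEYFILES = """\
; This is a zone-signing key, keyid 17304, for debian.nl.
; Created: 20180211121307 (Sun Feb 11 12:13:07 2018)
; Publish: 20180711120703 (Wed Jul 11 12:07:03 2018)
; Activate: 20180810120703 (Fri Aug 10 12:07:03 2018)
; Inactive: 20181208120703 (Sat Dec  8 12:07:03 2018)
; Delete: 20190107120703 (Mon Jan  7 12:07:03 2019)

; This is a zone-signing key, keyid 29616, for debian.nl.
; Created: 20180612045523 (Tue Jun 12 04:55:23 2018)
; Publish: 20181108120703 (Thu Nov  8 12:07:03 2018)
; Activate: 20181208120703 (Sat Dec  8 12:07:03 2018)
; Inactive: 20190407120703 (Sun Apr  7 12:07:03 2019)
; Delete: 20190507120703 (Tue May  7 12:07:03 2019)

; This is a zone-signing key, keyid 37155, for debian.nl.
; Created: 20181009121102 (Tue Oct  9 12:11:02 2018)
; Publish: 20190308120703 (Fri Mar  8 12:07:03 2019)
; Activate: 20190407120703 (Sun Apr  7 12:07:03 2019)
; Inactive: 20190805120703 (Mon Aug  5 12:07:03 2019)
; Delete: 20190904120703 (Wed Sep  4 12:07:03 2019)
"""

# Assumption for the demo: "now" is the date of the patch in the report.
NOW = calendar.timegm(time.strptime("20181024", "%Y%m%d"))

KEY_RE = re.compile(r"; This is a zone-signing key, keyid (\d+),")
TIMING_RE = re.compile(r"; (Publish|Activate|Inactive|Delete): (\d{14})")


def parse_keyfiles(text):
    """Map keyid -> {"Publish": epoch, "Activate": epoch, ...} from the
    ';'-prefixed metadata of one or more concatenated K*.key files."""
    keys, keyid = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            keyid = int(m.group(1))
            keys[keyid] = {}
            continue
        m = TIMING_RE.match(line)
        if m and keyid is not None:
            keys[keyid][m.group(1)] = calendar.timegm(
                time.strptime(m.group(2), "%Y%m%d%H%M%S"))
    return keys


def check_zsk_coverage(keys, now):
    """Replay the timing events in order and, after each distinct event time,
    check that some ZSK is active, published, and both.  Returns a list of
    (level, 'YYYY-mm-dd HH:MM:SS', message).  A gap is reported as INFO
    instead of ERROR when the *next* event already lies before `now`, i.e.
    the uncovered window has closed; this mirrors the patch's `bygones` rule."""
    events = sorted((when, keyid, what)
                    for keyid, timing in keys.items()
                    for what, when in timing.items())
    groups = [(when, [(k, w) for _, k, w in grp])
              for when, grp in groupby(events, key=lambda e: e[0])]
    published, active, findings = set(), set(), []
    for i, (when, grp) in enumerate(groups):
        for keyid, what in grp:          # apply every event at this instant first
            if what == "Publish":
                published.add(keyid)
            elif what == "Delete":
                published.discard(keyid)
            elif what == "Activate":
                active.add(keyid)
            elif what == "Inactive":
                active.discard(keyid)
        next_when = groups[i + 1][0] if i + 1 < len(groups) else None
        bygone = next_when is not None and next_when < now
        level = "INFO" if bygone else "ERROR"
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(when))
        if not active:
            findings.append((level, stamp, "No ZSK's are active after this event"))
        elif not published:
            findings.append((level, stamp, "No ZSK's are published after this event"))
        elif not (published & active):
            findings.append((level, stamp,
                             "No ZSK's are both active and published after this event"))
    return findings


if __name__ == "__main__":
    for level, stamp, msg in check_zsk_coverage(parse_keyfiles(KEYFILES), NOW):
        print("%s: %s: %s" % (level, stamp, msg))
```

Run as a script it prints three lines: an INFO for 2018-07-11 (the gap between the oldest remaining key's Publish and Activate, whose closing Activate event on Aug 10 already passed), and two ERRORs for 2019-08-05 and 2019-09-04, where the last key goes inactive and is deleted with no successor in the directory.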
