Package: bind9utils
Version: 1:9.10.3.dfsg.P4-12.3+deb9u4
Severity: normal
Tags: patch
We regularly rotate our ZSKs, and just recently we started removing old
.key files from our keydir.
The oldest remaining ZSK now has a published date in the past, and an
activation date also in the past but after the publish date.
(Previously, the oldest ZSK was the *first* ZSK, and it had publish
and activate at the same time.)
dnssec-coverage complains about this:
| Checking scheduled ZSK events for zone debian.nl, algorithm RSASHA256...
| Wed Jul 11 12:07:03 UTC 2018:
| Publish: debian.nl/008/17304 (ZSK)
| ERROR: No ZSK's are active after this event
for
; This is a zone-signing key, keyid 17304, for debian.nl.
; Created: 20180211121307 (Sun Feb 11 12:13:07 2018)
; Publish: 20180711120703 (Wed Jul 11 12:07:03 2018)
; Activate: 20180810120703 (Fri Aug 10 12:07:03 2018)
; Inactive: 20181208120703 (Sat Dec 8 12:07:03 2018)
; Delete: 20190107120703 (Mon Jan 7 12:07:03 2019)
[..key..]
; This is a zone-signing key, keyid 29616, for debian.nl.
; Created: 20180612045523 (Tue Jun 12 04:55:23 2018)
; Publish: 20181108120703 (Thu Nov 8 12:07:03 2018)
; Activate: 20181208120703 (Sat Dec 8 12:07:03 2018)
; Inactive: 20190407120703 (Sun Apr 7 12:07:03 2019)
; Delete: 20190507120703 (Tue May 7 12:07:03 2019)
[..key..]
; This is a zone-signing key, keyid 37155, for debian.nl.
; Created: 20181009121102 (Tue Oct 9 12:11:02 2018)
; Publish: 20190308120703 (Fri Mar 8 12:07:03 2019)
; Activate: 20190407120703 (Sun Apr 7 12:07:03 2019)
; Inactive: 20190805120703 (Mon Aug 5 12:07:03 2019)
; Delete: 20190904120703 (Wed Sep 4 12:07:03 2019)
[..key..]
I propose dnssec-coverage ignore cases of no
active/publish/active&published that happened in the past.
--- /usr/sbin/dnssec-coverage 2018-01-15 21:40:17.000000000 +0000
+++ /srv/dns.debian.org/bin/dnssec-coverage 2018-10-24 18:24:01.216562896
+0000
@@ -15,6 +15,10 @@
# PERFORMANCE OF THIS SOFTWARE.
############################################################################
+# changes 2018-10-24, Peter Palfrader
+# - ignore "errors" in the past (like no active keys)
+# as that can result from retiring old (and deleted) keyfiles
+
import argparse
import os
import glob
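Review bot: the header comment says past "errors" are ignored, but the later hunks still print them (downgraded to INFO) and only stop treating them as failures; stating that here keeps the comment accurate to the behaviour, e.g. "- report inconsistencies in the past (like no active keys) as INFO instead of ERROR, and do not fail on them".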
@@ -23,6 +27,7 @@
import time
import calendar
from collections import defaultdict
+from itertools import zip_longest
import pprint
prog='dnssec-coverage'
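Review bot: `zip_longest` exists only in Python 3 (Python 2 names it `itertools.izip_longest`); if this script is still expected to run under Python 2, guard the import with a try/except fallback, otherwise state the Python 3 requirement in the header comment.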
@@ -531,7 +536,7 @@
if eventgroup:
eventgroups.append(eventgroup)
- for eventgroup in eventgroups:
+ for eventgroup, next_eventgroup in zip_longest(eventgroups,
eventgroups[1:]):
if (args.checklimit and
calendar.timegm(eventgroup[0].when) > args.checklimit):
print("Ignoring events after %s" %
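Review bot: pairing `eventgroups` with `eventgroups[1:]` is correct only because `zip_longest` pads the final iteration with `None`; a plain `zip` would silently drop the last event group from the check. A one-line comment at the `for` is worth adding, since the `next_eventgroup is not None` test in the next hunk relies on that padding.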
@@ -545,18 +550,19 @@
list_events(eventgroup)
# and then check for inconsistencies:
+
+ # but do not bail out on inconsistencies in the past that may be the
result of keys that got retired
+ bygones = next_eventgroup is not None and
calendar.timegm(next_eventgroup[0].when) < time.time()
if len(active) == 0:
- print ("ERROR: No %s's are active after this event" % keytype)
- return False
+ print ("%s: No %s's are active after this event" %(['ERROR',
'INFO'][bygones], keytype))
+ if not bygones: return False
elif len(published) == 0:
- sys.stdout.write("ERROR: ")
- print ("ERROR: No %s's are published after this event" % keytype)
- return False
+ print ("%s: No %s's are published after this event" % (['ERROR',
'INFO'][bygones], keytype))
+ if not bygones: return False
elif len(published.intersection(active)) == 0:
- sys.stdout.write("ERROR: ")
- print (("ERROR: No %s's are both active and published " +
- "after this event") % keytype)
- return False
+ print (("%s: No %s's are both active and published " +
+ "after this event") % (['ERROR', 'INFO'][bygones],
keytype))
+ if not bygones: return False
if not eventsfound:
print ("ERROR: No %s events found in '%s'" %
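Review bot: `bygones` downgrades every inconsistency whose next event lies before `time.time()`, so a genuine past gap (a period in which the zone really had no active ZSK) is now reported as INFO and no longer fails the run, not only gaps caused by retired key files; consider making this behaviour opt-in through a command-line option rather than the default. Also hoist the `time.time()` call out of the loop so every event group is compared against the same instant, and `'INFO' if bygones else 'ERROR'` reads more directly than `['ERROR', 'INFO'][bygones]`. The removed `sys.stdout.write("ERROR: ")` lines fixed a doubled "ERROR: ERROR:" prefix in the original output; that is a separate fix worth naming in the header comment.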
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
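The situation the report describes, worked through as an added example that is not part of the bug report or of bind9's dnssec-coverage: the three ZSK timing sets quoted above are replayed and each point without a usable ZSK is classified with the "in the past" rule the patch proposes. The functions `ts`, `state_after` and `check_coverage`, and the use of the patch's own timestamp as `now`, are assumptions of this example.

```python
from datetime import datetime, timezone

# Constructed from the timing comments of the three ZSK files quoted in the report
# (UTC, YYYYMMDDHHMMSS); the Created field is not needed for the coverage check.
KEYS = {
    17304: {"Publish": "20180711120703", "Activate": "20180810120703",
            "Inactive": "20181208120703", "Delete": "20190107120703"},
    29616: {"Publish": "20181108120703", "Activate": "20181208120703",
            "Inactive": "20190407120703", "Delete": "20190507120703"},
    37155: {"Publish": "20190308120703", "Activate": "20190407120703",
            "Inactive": "20190805120703", "Delete": "20190904120703"},
}

def ts(stamp):
    """Parse a key-file timestamp (UTC)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def state_after(keys, when):
    """Sets of keys published / active once every event at `when` has happened."""
    published = {k for k, t in keys.items() if ts(t["Publish"]) <= when < ts(t["Delete"])}
    active = {k for k, t in keys.items() if ts(t["Activate"]) <= when < ts(t["Inactive"])}
    return published, active

def check_coverage(keys, now):
    """Replay key events in time order, grouping events that share a timestamp (as
    dnssec-coverage does), and return (when, level, message) for each point where
    the zone lacks a usable ZSK. Per the patch's rule a finding is INFO, not ERROR,
    when the *next* event already lies before `now` (the gap was closed in the past)."""
    times = sorted({ts(stamp) for key in keys.values() for stamp in key.values()})
    findings = []
    for i, when in enumerate(times):
        published, active = state_after(keys, when)
        if not active:
            msg = "No ZSK's are active after this event"
        elif not published:
            msg = "No ZSK's are published after this event"
        elif not (published & active):
            msg = "No ZSK's are both active and published after this event"
        else:
            continue
        nxt = times[i + 1] if i + 1 < len(times) else None
        bygone = nxt is not None and nxt < now
        findings.append((when, "INFO" if bygone else "ERROR", msg))
    return findings

if __name__ == "__main__":
    # `now` is the patch's own timestamp from the report, 2018-10-24 18:24:01 UTC.
    for when, level, msg in check_coverage(KEYS, ts("20181024182401")):
        print(f"{when:%Y-%m-%d %H:%M:%S} {level}: {msg}")
```

With that `now`, the Jul 11 2018 publish event from the report becomes INFO because the gap was closed on Aug 10 2018, while the gaps after the last quoted key's Inactive date stay ERROR. A real outage that ended before `now` is downgraded by exactly the same rule, which is the trade-off the patch makes.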