Your message dated Mon, 07 Nov 2016 17:59:39 +0000 with message-id <[email protected]> and subject line Bug#843479: Removed package(s) from unstable has caused the Debian Bug report #783721, regarding dnssec-tools: dnssec-signzone behaviour changed; new signed zonefiles unparseable by rollerd to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 783721: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783721 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: dnssec-tools Version: 1.13-1 Severity: grave Justification: renders package unusable After upgrading to jessie, rollerd will no longer start. It appears that the format of the signed zonefile has changed: --- xen:/etc/bind# for i in db.andrewg.signed db.stibium.signed; do echo $i;head -16 $i; done db.andrewg.signed ; File written on Mon Apr 27 10:40:38 2015 ; dnssec_signzone version 9.9.5-9-Debian andrewg.com. 86400 IN SOA xen.andrewg.com. root.xen.andrewg.com. ( 2014120939 ; serial 28800 ; refresh (8 hours) 7200 ; retry (2 hours) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) 86400 RRSIG SOA 8 2 86400 ( 20150527094038 20150427084038 11508 andrewg.com. oA4xSft7iCqdaxGyjj1blI0E8WNRJlKa+KFK 72xOSPIk8cYp6hdKdTel93WMPNU7l11KLKrd E8uIOumut9jIdKoxjJ1d+dQMJyKtfYAd0tJY TwrtCq3TZOHF1Pzy1pNdg3sHD/3Rptt1AU3Y kK/ng1ieUVww30ipx/UZH4VRewM= ) db.stibium.signed ; File written on Sat Apr 18 08:21:32 2015 ; dnssec_signzone version 9.8.4-rpz2+rl005.12-P1 stibium.net. 86400 IN SOA xen.andrewg.com. root.xen.andrewg.com. ( 2014120938 ; serial 28800 ; refresh (8 hours) 7200 ; retry (2 hours) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) 86400 RRSIG SOA 8 2 86400 20150518082132 ( 20150418072132 53691 stibium.net. IAgXJGD1LzFfi09VDGFtQ4YOTObK4rKEHcXR KSZGMqB11fOxCYMiXd+jN3h2qGvsO9iEVS/b uNc0nKT9XouiYhPEjmQG7774sT86hEnqs2To eD17BrD8t5CtAgYrcfDtnUVyt5AV569qAy+1 3gupeYBrmn7gYsEkn5WhcivyAfM= ) xen:/etc/bind# service rollerd restart Restarting DNSSEC-Tools rollerd: rollerdUNIVERSAL->import is deprecated and will be removed in a future perl at /usr/share/perl5/Net/DNS/SEC/Tools/tooloptions.pm line 19. . xen:/etc/bind# bad RRSIG data 1, line 10 ...propagated at /usr/share/perl5/Net/DNS/ZoneFile/Fast.pm line 164, <GEN0> line 10. --- This may be related to #642772. Fedora has a possibly related patch here: http://pkgs.fedoraproject.org/cgit/dnssec-tools.git/plain/dnssec-tools-zonefile-fast-new-bind-1.13.patch?id2=HEAD Note that the regular expression around line 800 has changed to match three sets of digits rather than four, matching the zonefile format changes observed. Andrew -- System Information: Debian Release: 8.0 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: i386 (i686) Kernel: Linux 3.18.5-x86-linode70 (SMP w/8 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: unable to detect Versions of packages dnssec-tools depends on: ii bind9utils 1:9.9.5.dfsg-9 ii libmailtools-perl 2.13-1 ii libnet-dns-perl 0.81-2 ii libnet-dns-sec-perl 0.21-1 ii libtimedate-perl 2.3000-2 ii perl 5.20.2-3 Versions of packages dnssec-tools recommends: ii bind9 1:9.9.5.dfsg-9 dnssec-tools suggests no packages. -- Configuration Files: /etc/dnssec-tools/dnssec-tools.conf changed: admin-email [email protected] keyarch /usr/sbin/keyarch rollchk /usr/sbin/rollchk zonesigner /usr/sbin/zonesigner keygen /usr/sbin/dnssec-keygen rndc /usr/sbin/rndc zonecheck /usr/sbin/named-checkzone zonesign /usr/sbin/dnssec-signzone algorithm rsasha256 ksklength 2048 zsklength 1024 random /dev/urandom usensec3 yes nsec3iter 100 nsec3salt random:64 nsec3optout no endtime +2592000 # RRSIGs good for thirty days. lifespan-max 94608000 lifespan-min 3600 ksklife 31536000 zsklife 604800 archivedir /var/lib/dnssec-tools/archive entropy_msg 1 savekeys 1 kskcount 1 zskcount 1 roll_loadzone 1 roll_logfile /var/log/dnssec-tools/rollerd.log roll_loglevel phase roll_phasemsg long roll_sleeptime 3600 zone_errors 5 autosign 1 log_tz gmt tacontact tasmtpserver localhost taresolvconf localhost tatmpdir /var/run/dnssec-tools/trustman usegui 0 /etc/dnssec-tools/dnssec-tools.rollrec changed: roll "web" zonename "web" zonefile "db.web.signed" keyrec "web.krf" directory "/etc/bind" administrator "root@localhost" kskphase "0" zskphase "1" ksk_rolldate "Sun Dec 7 02:10:42 2014" ksk_rollsecs "1417918242" zsk_rolldate "Sat Apr 18 08:21:33 2015" zsk_rollsecs "1429345293" maxttl "86400" display "1" phasestart "Sat Apr 25 09:36:08 2015" # optional records for RFC5011 rolling: istrustanchor "no" holddowntime "60D" roll "test.web" zonename "test.web" zonefile "db.test.web.signed" keyrec "test.web.krf" directory "/etc/bind" administrator "root@localhost" kskphase "0" zskphase "1" ksk_rolldate "Sun Dec 7 02:10:42 2014" ksk_rollsecs "1417918242" zsk_rolldate "Sat Apr 18 08:21:32 2015" zsk_rollsecs "1429345292" maxttl "86400" display "1" phasestart "Sat Apr 25 09:36:08 2015" # optional records for RFC5011 rolling: istrustanchor "no" holddowntime "60D" roll "andrewg.com" zonename "andrewg.com" zonefile "db.andrewg.signed" keyrec "andrewg.com.krf" directory "/etc/bind" administrator "root@localhost" kskphase "0" zskphase "3" ksk_rolldate "Sun Dec 7 02:10:42 2014" ksk_rollsecs "1417918242" zsk_rolldate "Sat Apr 18 08:21:28 2015" zsk_rollsecs "1429345288" maxttl "86400" display "1" phasestart "Mon Apr 27 09:40:39 2015" # optional records for RFC5011 rolling: istrustanchor "no" holddowntime "60D" roll "llagher.net" zonename "llagher.net" zonefile "db.llagher.signed" keyrec "llagher.net.krf" directory "/etc/bind" administrator "root@localhost" kskphase "0" zskphase "1" ksk_rolldate "Sun Dec 7 02:10:42 2014" ksk_rollsecs "1417918242" zsk_rolldate "Sat Apr 18 08:21:31 2015" zsk_rollsecs "1429345291" maxttl "86400" display "1" phasestart "Sat Apr 25 09:36:08 2015" # optional records for RFC5011 rolling: istrustanchor "no" holddowntime "60D" roll "stibium.net" zonename "stibium.net" zonefile "db.stibium.signed" keyrec "stibium.net.krf" directory "/etc/bind" administrator "root@localhost" kskphase "0" zskphase "1" ksk_rolldate "Sun Dec 7 02:10:42 2014" ksk_rollsecs "1417918242" zsk_rolldate "Sat Apr 18 08:21:32 2015" zsk_rollsecs "1429345292" maxttl "86400" display "1" phasestart "Sat Apr 25 09:36:08 2015" # optional records for RFC5011 rolling: istrustanchor "no" holddowntime "60D" roll "gatewaytheatre.org" zonename "gatewaytheatre.org" zonefile "db.gatewaytheatre.signed" keyrec "gatewaytheatre.org.krf" directory "/etc/bind" administrator "root@localhost" kskphase "0" zskphase "1" ksk_rolldate "Sun Dec 7 02:10:42 2014" ksk_rollsecs "1417918242" zsk_rolldate "Sat Apr 18 08:21:29 2015" zsk_rollsecs "1429345289" maxttl "86400" display "1" phasestart "Sat Apr 25 09:36:08 2015" # optional records for RFC5011 rolling: istrustanchor "no" holddowntime "60D" roll "hemispherepictures.com" zonename "hemispherepictures.com" zonefile "db.hemispherepictures.signed" keyrec "hemispherepictures.com.krf" directory "/etc/bind" administrator "root@localhost" kskphase "0" zskphase "1" ksk_rolldate "Sun Dec 7 02:10:42 2014" ksk_rollsecs "1417918242" zsk_rolldate "Sat Apr 18 08:21:30 2015" zsk_rollsecs "1429345290" maxttl "86400" display "1" phasestart "Sat Apr 25 09:36:08 2015" # optional records for RFC5011 rolling: istrustanchor "no" holddowntime "60D" roll "hemisphere-pictures.com" zonename "hemisphere-pictures.com" zonefile "db.hemisphere-pictures.signed" keyrec "hemisphere-pictures.com.krf" directory "/etc/bind" administrator "root@localhost" kskphase "0" zskphase "1" ksk_rolldate "Sun Dec 7 02:10:42 2014" ksk_rollsecs "1417918242" zsk_rolldate "Sat Apr 18 08:21:30 2015" zsk_rollsecs "1429345290" maxttl "86400" display "1" phasestart "Sat Apr 25 09:36:08 2015" # optional records for RFC5011 rolling: istrustanchor "no" holddowntime "60D" -- no debconf information
--- End Message ---
--- Begin Message ---Version: 2.2-2+rm Dear submitter, as the package dnssec-tools has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/843479 The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]. Debian distribution maintenance software pp. Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
