Bug#1064452: dkim-rotate: Errors during --new leave state corrupted

2024-02-24 Thread Ian Jackson
Daniel Gröber writes ("Bug#1064452: dkim-rotate: Errors during --new leave 
state corrupted"):
> I don't think it's entirely necessary to do that. Just have to take care to
> provide new users with an example that doesn't have this ambiguity.

I'm adding a note next to the directive that invites the user to
uncomment it, which I hope will help.

> FYI:
> You might also want to include an example config in the .7 manpage. I found
> having to dig through the Debian package to find one a bit inconvenient ;)

I'll add a cross-reference to the example files in the SEE ALSO.

Ian.

-- 
Ian Jackson   These opinions are my own.

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.



Bug#1064452: dkim-rotate: Errors during --new leave state corrupted

2024-02-24 Thread Daniel Gröber
Hi Ian,

On Sat, Feb 24, 2024 at 02:16:46PM +, Ian Jackson wrote:
> Daniel Gröber writes ("Bug#1064452: dkim-rotate: Errors during --new leave 
> state corrupted"):
> > I'm trying to get started with dkim-rotate, but I hit an error during
> > initial provisioning with --new. I use knot for auth DNS so I don't
> > have the rndc, hence I tried to override dns_reload in the config. 
> 
> Thanks for the report.  I'm sorry it didn't work as expected.
> 
> > $ sudo dkim-rotate --status dkim
> > dkim-rotate: instance dkim: error: state corrupted! 
> > /var/lib/dkim-rotate/dkim/state:5: bad key line
> 
> I have reproduced this and will fix it.  I agree that this is a
> serious bug and I will try to get it fixed in a stable update.
> 
> I'm afraid I don't have a clear workaround for you right now but I
> will send you one as soon as I do.

After fixing the config it does go through successfully so no workaround is
really needed. I just had to wipe the state first.

> > Seems a bit of a usability problem for new users. I'd recommend not
> > commenting out directives in the example config without an
> > explanation
> 
> Yes.  I may change the syntax too to remove the `;` from the SERIAL,
> but that's not entirely trivial since I would want it to be backward
> compatible.

I don't think it's entirely necessary to do that. Just have to take care to
provide new users with an example that doesn't have this ambiguity. FYI:
You might also want to include an example config in the .7 manpage. I found
having to dig through the Debian package to find one a bit inconvenient ;)

Thanks,
--Daniel




Bug#1064452: dkim-rotate: Errors during --new leave state corrupted

2024-02-24 Thread Ian Jackson
Control: tags -1 confirmed

Daniel Gröber writes ("Bug#1064452: dkim-rotate: Errors during --new leave 
state corrupted"):
> I'm trying to get started with dkim-rotate, but I hit an error during
> initial provisioning with --new. I use knot for auth DNS so I don't
> have the rndc, hence I tried to override dns_reload in the config. 

Thanks for the report.  I'm sorry it didn't work as expected.

> $ sudo dkim-rotate --status dkim
> dkim-rotate: instance dkim: error: state corrupted! 
> /var/lib/dkim-rotate/dkim/state:5: bad key line

I have reproduced this and will fix it.  I agree that this is a
serious bug and I will try to get it fixed in a stable update.

I'm afraid I don't have a clear workaround for you right now but I
will send you one as soon as I do.

> Seems a bit of a usability problem for new users. I'd recommend not
> commenting out directives in the example config without an
> explanation

Yes.  I may change the syntax too to remove the `;` from the SERIAL,
but that's not entirely trivial since I would want it to be backward
compatible.

Ian.

-- 
Ian Jackson   These opinions are my own.

Pronouns: they/he.  If I emailed you from @fyvzl.net or @evade.org.uk,
that is a private address which bypasses my fierce spamfilter.



Bug#1064452: dkim-rotate: Errors during --new leave state corrupted

2024-02-22 Thread Daniel Gröber
Package: dkim-rotate
Version: 0.4
Severity: important
X-Debbugs-Cc: d...@darkboxed.org

Hi Ian,

I'm trying to get started with dkim-rotate, but I hit an error during
initial provisioning with --new. I use knot for auth DNS so I don't
have the rndc, hence I tried to override dns_reload in the config. 

The example config at /usr/share/doc/dkim-rotate/examples/example.zone has

;! mta_group -

so I copied that syntax for the dns_reload directive but it was
ineffective. Looking at the docs/code I figured out the prefix is
supposed to be just an exclamation mark. Honestly this is not very
intuitive because 1) the example config has it and 2) the SERIAL
directive also uses ';!'.

Example understandability aside, with the broken config the resulting
error left the state file corrupted. Running --new (without rndc
installed) I get:

$ dkim-rotate --new dkim
dkim  -  +Xreveal?  no key
dkim  -  +Ndeadvertise? no key
dkim  -  -1advance/use? no key
dkim  l -1 generated.
sh: 1: rndc: not found
dkim-rotate: instance dkim: error: subprocess (DNS reload (rndc reload 
>/dev/null)) failed, exit status 127

Subsequent calls (say --status or --reinstall) will throw state
corrupted errors:

$ sudo dkim-rotate --status dkim
dkim-rotate: instance dkim: error: state corrupted! 
/var/lib/dkim-rotate/dkim/state:5: bad key line

Looking at the state file the problem seems to be the 'DNS,MTA' bit in
the key line which isn't handled by read_config:

sel_offset 11
sel_limit 12
last_serial 2
status -1
key l DNS,MTA 797b760fd46ee2e01eb6c959ff3060af v=DKIM1; h=sha256; s=email; 
p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwxzPdpwjhd+tnMooAWxEYAhVKPI2qHKGRwXpwfSEdaijUPKchNpM79HVB1+FKDmSlFR6w30qbPAdyzl4m/+Txzmv2J/So3jJbqmlSFfN85zXJ3uIdgfePWkHWTP2DAEYDeOsc3nbDNVDHQeoJHQrVyN5tBXQ/eaNTrg6qBzE5Qc1nC+Cd0LE4T9vd9PwZSSoRhYH2yprsEtLVvI+zSDqtDbx3QWAMUvDIILiWi5J/46Qw3/hI04gAFpimSoL9YVmkCNWr+arTA4g5jZatahlzkOOmNnMXZdgSRxVByAp5RtQr8EVEG0jV31re3cgXVwJnqvcJvJzDCzS6+caGjYmpQIDAQAB
status +0
status +N
status +X

Seems a bit of a usability problem for new users. I'd recommend not
commenting out directives in the example config without an
explanation and handling the intermediate DNS,MTA key state properly
even outside of key generation.

Thanks,
--Daniel

-- System Information:
Debian Release: 12.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-13-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dkim-rotate depends on:
ii  bash 5.2.15-2+b2
ii  libgetopt-long-descriptive-perl  0.111-1
ii  libmime-tools-perl   5.510-1
ii  openssl  3.0.11-1~deb12u2
ii  perl 5.36.0-7+deb12u1

Versions of packages dkim-rotate recommends:
ii  curl   7.88.1-10+deb12u5
ii  moreutils  0.67-1

dkim-rotate suggests no packages.

-- no debconf information
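
A pre-flight check for the two failure points in this report, as an added example (not dkim-rotate's code and not part of the original message): it flags `;!`-prefixed directives that stay inactive and `key` lines still carrying the `DNS,MTA` marker. The directive and state-file syntax are assumed from the report alone; the template, the reload path and the key material are constructed placeholders.

```python
import re

# Assumed from the report: a directive is live only when its line starts with
# "!"; ";!" at line start is a plain zone-file comment (";!SERIAL" excepted).
ACTIVE = re.compile(r"^!\s*(\w+)\b(.*)$")
COMMENTED = re.compile(r"^;!\s*(\w+)\b")

def lint_template(text):
    """Return ({live directive: value}, [(lineno, commented-out directive)])."""
    active, inactive = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        m = ACTIVE.match(line)
        if m:
            active[m.group(1)] = m.group(2).strip()
        else:
            m = COMMENTED.match(line)
            if m and m.group(1) != "SERIAL":
                inactive.append((n, m.group(1)))
    return active, inactive

def stuck_key_lines(state_text):
    """Line numbers of 'key' lines whose third field is the 'DNS,MTA' marker."""
    hits = []
    for n, line in enumerate(state_text.splitlines(), 1):
        f = line.split()
        if len(f) >= 3 and f[0] == "key" and f[2] == "DNS,MTA":
            hits.append(n)
    return hits

# Constructed sample template; the reload path is a hypothetical placeholder.
TEMPLATE = """\
$ORIGIN example.org.
@ IN SOA ns hostmaster ( 1 ;!SERIAL
    3600 900 604800 300 )
!mta_group -
;! dns_reload /usr/local/bin/reload-dns
"""

# Constructed state file in the layout quoted in the report (placeholder key).
STATE = """\
sel_offset 11
sel_limit 12
last_serial 2
status -1
key l DNS,MTA 00000000000000000000000000000000 v=DKIM1; h=sha256; s=email; p=PLACEHOLDER
"""

if __name__ == "__main__":
    print(lint_template(TEMPLATE), stuck_key_lines(STATE))
```

On the constructed input the commented-out `dns_reload` is reported at template line 5, and the state check points at line 5 as well, the same line the `--status` error in the report names.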