dnssec-coverage and dnssec-keymgr do not understand escaped filename format used by dnssec-keygen (#1541) · Issues · ISC Open Source Projects / BIND

dnssec-coverage and dnssec-keymgr do not understand escaped filename format used by dnssec-keygen

Summary

dnssec-keygen can generate filenames with escaped characters (eg '%2F'), which dnssec-coverage and dnssec-keymgr do not identify as related to a zone they are working on.

BIND version used

BIND 9.14.8 (Stable Release) id:5d87f66 running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov 9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64 built by make with '--prefix=/usr/local/Cellar/bind/9.14.8' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.8/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15' compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.12) compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019 linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019 compiled with libxml2 version: 2.9.4 linked to libxml2 version: 20904 compiled with libjson-c version: 0.13.1 linked to libjson-c version: 0.13.1 threads support is enabled

default paths: named configuration: /usr/local/Cellar/bind/9.14.8/etc/named.conf rndc configuration: /usr/local/Cellar/bind/9.14.8/etc/rndc.conf DNSSEC root key: /usr/local/Cellar/bind/9.14.8/etc/bind.keys nsupdate session key: /usr/local/Cellar/bind/9.14.8/var/run/named/session.key named PID file: /usr/local/Cellar/bind/9.14.8/var/run/named/named.pid named lock file: /usr/local/Cellar/bind/9.14.8/var/run/named/named.lock

Steps to reproduce

Assume two reverse zones - one using RFC 2317 style names containing a '/':

c.b.a.in-addr.arpa
d/len.c.b.a.in-addr.arpa

dnssec-coverage

Run dnssec-keygen in an empty directory, and list the resulting files:

$ dnssec-keygen -a RSASHA256 c.b.a.in-addr.arpa
Generating key pair.......+++++ ..........................+++++ 
Kc.b.a.in-addr.arpa.+008+35658
$ dnssec-keygen -a RSASHA256 d/len.c.b.a.in-addr.arpa
Generating key pair..............................................+++++ ..........+++++ 
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751
$ ls -1
Kc.b.a.in-addr.arpa.+008+35658.key
Kc.b.a.in-addr.arpa.+008+35658.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.private
$

Notice the filename does not contain the literal '/' character.

Run dnssec-coverage:

$ dnssec-coverage c.b.a.in-addr.arpa
WARNING: Maximum TTL value was not specified.  Using 1 week
	 (604800 seconds); re-run with the -m option to get more
	 accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone c.b.a.in-addr.arpa, algorithm RSASHA256...

ERROR: No KSK events found

Checking scheduled ZSK events for zone c.b.a.in-addr.arpa, algorithm RSASHA256...
  Sat Jan 04 14:59:00 UTC 2020:
    Publish: c.b.a.in-addr.arpa/RSASHA256/35658 (ZSK)
    Activate: c.b.a.in-addr.arpa/RSASHA256/35658 (ZSK)

No errors found
$ dnssec-coverage d/len.c.b.a.in-addr.arpa
WARNING: Maximum TTL value was not specified.  Using 1 week
	 (604800 seconds); re-run with the -m option to get more
	 accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
ERROR: No key events found for d/len.c.b.a.in-addr.arpa
$

dnssec-coverage does not discover the files for d/len.c.b.a.in-addr.arpa.

dnssec-keymgr

Run dnssec-keymgr in an empty directory, and list the resulting files:

$ dnssec-keymgr c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 c.b.a.in-addr.arpa
$ dnssec-keymgr d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
$ ls -1
Kc.b.a.in-addr.arpa.+008+31185.key
Kc.b.a.in-addr.arpa.+008+31185.private
Kc.b.a.in-addr.arpa.+008+50407.key
Kc.b.a.in-addr.arpa.+008+50407.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.private
$

Run dnssec-keymgr again, and list the resulting files:

$ dnssec-keymgr c.b.a.in-addr.arpa
$ dnssec-keymgr d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
$ ls -1
Kc.b.a.in-addr.arpa.+008+31185.key
Kc.b.a.in-addr.arpa.+008+31185.private
Kc.b.a.in-addr.arpa.+008+50407.key
Kc.b.a.in-addr.arpa.+008+50407.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+36084.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+36084.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+65392.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+65392.private
$

dnssec-keymgr does not discover the files for d/len.c.b.a.in-addr.arpa, so calls keygen again.

What is the current bug behavior?

dnssec-coverage and dnssec-keymgr do not discover existing files whose name on the filesystem has been generated by encoding/escaping the zone name.

What is the expected correct behavior?

dnssec-coverage and dnssec-keymgr should perform the same escaping/encoding of zone names as dnssec-keygen does, before searching the filesystem.

Relevant configuration files

None

Relevant logs and/or screenshots

None

Possible fixes

Unknown

### Summary

dnssec-keygen can generate filenames with escaped characters (eg '%2F'), which dnssec-coverage and dnssec-keymgr do not identify as related to a zone they are working on.

### BIND version used

BIND 9.14.8 (Stable Release) <id:5d87f66>
running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov  9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.14.8' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.8/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15'
compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.12)
compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled

default paths:
  named configuration:  /usr/local/Cellar/bind/9.14.8/etc/named.conf
  rndc configuration:   /usr/local/Cellar/bind/9.14.8/etc/rndc.conf
  DNSSEC root key:      /usr/local/Cellar/bind/9.14.8/etc/bind.keys
  nsupdate session key: /usr/local/Cellar/bind/9.14.8/var/run/named/session.key
  named PID file:       /usr/local/Cellar/bind/9.14.8/var/run/named/named.pid
  named lock file:      /usr/local/Cellar/bind/9.14.8/var/run/named/named.lock

### Steps to reproduce

Assume two reverse zones - one using RFC 2317 style names containing a '/':
 - c.b.a.in-addr.arpa
 - d/len.c.b.a.in-addr.arpa

#### dnssec-coverage

Run dnssec-keygen in an empty directory, and list the resulting files:

```
$ dnssec-keygen -a RSASHA256 c.b.a.in-addr.arpa
Generating key pair.......+++++ ..........................+++++ 
Kc.b.a.in-addr.arpa.+008+35658
$ dnssec-keygen -a RSASHA256 d/len.c.b.a.in-addr.arpa
Generating key pair..............................................+++++ ..........+++++ 
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751
$ ls -1
Kc.b.a.in-addr.arpa.+008+35658.key
Kc.b.a.in-addr.arpa.+008+35658.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.private
$ 
```

Notice the filename does not contain the literal '/' character.

Run dnssec-coverage:

```
$ dnssec-coverage c.b.a.in-addr.arpa
WARNING: Maximum TTL value was not specified.  Using 1 week
	 (604800 seconds); re-run with the -m option to get more
	 accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone c.b.a.in-addr.arpa, algorithm RSASHA256...

ERROR: No KSK events found

Checking scheduled ZSK events for zone c.b.a.in-addr.arpa, algorithm RSASHA256...
  Sat Jan 04 14:59:00 UTC 2020:
    Publish: c.b.a.in-addr.arpa/RSASHA256/35658 (ZSK)
    Activate: c.b.a.in-addr.arpa/RSASHA256/35658 (ZSK)

No errors found
$ dnssec-coverage d/len.c.b.a.in-addr.arpa
WARNING: Maximum TTL value was not specified.  Using 1 week
	 (604800 seconds); re-run with the -m option to get more
	 accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
ERROR: No key events found for d/len.c.b.a.in-addr.arpa
$ 
```

dnssec-coverage does not discover the files for d/len.c.b.a.in-addr.arpa.

#### dnssec-keymgr

Run dnssec-keymgr in an empty directory, and list the resulting files:

```
$ dnssec-keymgr c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 c.b.a.in-addr.arpa
$ dnssec-keymgr d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
$ ls -1
Kc.b.a.in-addr.arpa.+008+31185.key
Kc.b.a.in-addr.arpa.+008+31185.private
Kc.b.a.in-addr.arpa.+008+50407.key
Kc.b.a.in-addr.arpa.+008+50407.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.private
$ 
```

Run dnssec-keymgr again, and list the resulting files:

```
$ dnssec-keymgr c.b.a.in-addr.arpa
$ dnssec-keymgr d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
$ ls -1
Kc.b.a.in-addr.arpa.+008+31185.key
Kc.b.a.in-addr.arpa.+008+31185.private
Kc.b.a.in-addr.arpa.+008+50407.key
Kc.b.a.in-addr.arpa.+008+50407.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+36084.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+36084.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+65392.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+65392.private
$ 
```

dnssec-keymgr does not discover the files for d/len.c.b.a.in-addr.arpa, so calls keygen again.

### What is the current *bug* behavior?

dnssec-coverage and dnssec-keymgr do not discover existing files whose name on the filesystem has been generated by encoding/escaping the zone name.

### What is the expected *correct* behavior?

dnssec-coverage and dnssec-keymgr should perform the same escaping/encoding of zone names as dnssec-keygen does, before searching the filesystem.
 
### Relevant configuration files

None

### Relevant logs and/or screenshots

None

### Possible fixes

Unknown

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.