BIND issue #1541

Closed

Created Jan 04, 2020 by Graham Clinch (@gclinch)

dnssec-coverage and dnssec-keymgr do not understand escaped filename format used by dnssec-keygen

Summary

dnssec-keygen can generate filenames with escaped characters (e.g. '%2F'), which dnssec-coverage and dnssec-keymgr do not identify as related to a zone they are working on.

BIND version used

BIND 9.14.8 (Stable Release) id:5d87f66 running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov 9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64 built by make with '--prefix=/usr/local/Cellar/bind/9.14.8' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.8/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15' compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.12) compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019 linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019 compiled with libxml2 version: 2.9.4 linked to libxml2 version: 20904 compiled with libjson-c version: 0.13.1 linked to libjson-c version: 0.13.1 threads support is enabled

default paths: named configuration: /usr/local/Cellar/bind/9.14.8/etc/named.conf rndc configuration: /usr/local/Cellar/bind/9.14.8/etc/rndc.conf DNSSEC root key: /usr/local/Cellar/bind/9.14.8/etc/bind.keys nsupdate session key: /usr/local/Cellar/bind/9.14.8/var/run/named/session.key named PID file: /usr/local/Cellar/bind/9.14.8/var/run/named/named.pid named lock file: /usr/local/Cellar/bind/9.14.8/var/run/named/named.lock

Steps to reproduce

Assume two reverse zones, one using RFC 2317-style names containing a '/':

  • c.b.a.in-addr.arpa
  • d/len.c.b.a.in-addr.arpa

dnssec-coverage

Run dnssec-keygen in an empty directory, and list the resulting files:

$ dnssec-keygen -a RSASHA256 c.b.a.in-addr.arpa
Generating key pair.......+++++ ..........................+++++ 
Kc.b.a.in-addr.arpa.+008+35658
$ dnssec-keygen -a RSASHA256 d/len.c.b.a.in-addr.arpa
Generating key pair..............................................+++++ ..........+++++ 
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751
$ ls -1
Kc.b.a.in-addr.arpa.+008+35658.key
Kc.b.a.in-addr.arpa.+008+35658.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.private
$ 

Notice the filename does not contain the literal '/' character.

Run dnssec-coverage:

$ dnssec-coverage c.b.a.in-addr.arpa
WARNING: Maximum TTL value was not specified.  Using 1 week
	 (604800 seconds); re-run with the -m option to get more
	 accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone c.b.a.in-addr.arpa, algorithm RSASHA256...

ERROR: No KSK events found

Checking scheduled ZSK events for zone c.b.a.in-addr.arpa, algorithm RSASHA256...
  Sat Jan 04 14:59:00 UTC 2020:
    Publish: c.b.a.in-addr.arpa/RSASHA256/35658 (ZSK)
    Activate: c.b.a.in-addr.arpa/RSASHA256/35658 (ZSK)

No errors found
$ dnssec-coverage d/len.c.b.a.in-addr.arpa
WARNING: Maximum TTL value was not specified.  Using 1 week
	 (604800 seconds); re-run with the -m option to get more
	 accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
ERROR: No key events found for d/len.c.b.a.in-addr.arpa
$ 

dnssec-coverage does not discover the files for d/len.c.b.a.in-addr.arpa.

dnssec-keymgr

Run dnssec-keymgr in an empty directory, and list the resulting files:

$ dnssec-keymgr c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 c.b.a.in-addr.arpa
$ dnssec-keymgr d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
$ ls -1
Kc.b.a.in-addr.arpa.+008+31185.key
Kc.b.a.in-addr.arpa.+008+31185.private
Kc.b.a.in-addr.arpa.+008+50407.key
Kc.b.a.in-addr.arpa.+008+50407.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.private
$ 

Run dnssec-keymgr again, and list the resulting files:

$ dnssec-keymgr c.b.a.in-addr.arpa
$ dnssec-keymgr d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
# /usr/local/Cellar/bind/9.14.8/sbin/dnssec-keygen -q -K . -L 3600 -fk -a RSASHA256 -b 2048 d/len.c.b.a.in-addr.arpa
$ ls -1
Kc.b.a.in-addr.arpa.+008+31185.key
Kc.b.a.in-addr.arpa.+008+31185.private
Kc.b.a.in-addr.arpa.+008+50407.key
Kc.b.a.in-addr.arpa.+008+50407.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+36084.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+36084.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+48886.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+58401.private
Kd%2Flen.c.b.a.in-addr.arpa.+008+65392.key
Kd%2Flen.c.b.a.in-addr.arpa.+008+65392.private
$ 

dnssec-keymgr does not discover the files for d/len.c.b.a.in-addr.arpa, so it calls keygen again.

What is the current bug behavior?

dnssec-coverage and dnssec-keymgr do not discover existing files whose name on the filesystem has been generated by encoding/escaping the zone name.

What is the expected correct behavior?

dnssec-coverage and dnssec-keymgr should perform the same escaping/encoding of zone names as dnssec-keygen does, before searching the filesystem.

Relevant configuration files

None

Relevant logs and/or screenshots

None

Possible fixes

Unknown
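The filename mismatch this report describes can be made concrete with a small key-file finder. The block below is an added example, not code from the issue or from BIND; it assumes (as an understanding of dns_name_tofilenametext(), not verified against the BIND source here) that dnssec-keygen keeps letters, digits, '-' and '_' in each label, percent-encodes every other byte as %XX with uppercase hex, joins labels with '.', and keeps the trailing dot before the '+alg+tag' suffix. The file names it creates in a temporary directory are the ones from the reporter's listing; the functions zone_to_filename_text, find_key_files and demo are hypothetical names chosen for this example.

```python
"""Find a zone's DNSSEC key files the way dnssec-keygen names them.

Added example (not BIND project code).  Assumption: dnssec-keygen derives the
file name from the zone name like dns_name_tofilenametext(): letters, digits,
'-' and '_' are kept, every other byte is written as %XX (uppercase hex),
labels are joined with '.', and the trailing dot of the absolute name stays
in front of the '+<alg>+<keytag>' suffix.
"""
import os
import re
import tempfile

# Bytes that appear unchanged in a key file name; everything else is %XX.
_SAFE = set("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789-_")

# K<name>+<3-digit algorithm>+<5-digit key tag>.key
_KEYFILE_RE = re.compile(r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def _escape_label(label: str) -> str:
    """Percent-encode one label, e.g. 'd/len' -> 'd%2Flen'."""
    return "".join(chr(b) if chr(b) in _SAFE else "%%%02X" % b
                   for b in label.encode("utf-8"))


def zone_to_filename_text(zone: str) -> str:
    """Return the zone name as it appears inside a key file name, without the
    trailing dot: 'd/len.c.b.a.in-addr.arpa' -> 'd%2Flen.c.b.a.in-addr.arpa'."""
    return ".".join(_escape_label(label) for label in zone.rstrip(".").split("."))


def find_key_files(zone: str, directory: str, escape: bool = True):
    """List (algorithm, keytag, path) for every .key file of `zone` in `directory`.

    With escape=True the search uses the percent-encoded name that dnssec-keygen
    writes.  With escape=False it uses the raw zone name, which is what the
    reported dnssec-coverage/dnssec-keymgr behaviour amounts to: a zone whose
    name contains '/' can never match the file that exists on disk."""
    name = zone_to_filename_text(zone) if escape else zone.rstrip(".")
    wanted = name + "."          # absolute name, trailing dot kept in the file name
    found = []
    for entry in sorted(os.listdir(directory)):
        m = _KEYFILE_RE.match(entry)
        if m is None or m.group("name") != wanted:
            continue
        found.append((int(m.group("alg")), int(m.group("tag")),
                      os.path.join(directory, entry)))
    return found


def demo():
    """Recreate the reporter's directory listing (constructed from the issue)
    in a temporary directory and compare the raw-name and escaped searches for
    the RFC 2317 zone.  Returns (raw hits, escaped hits, [(alg, keytag), ...])."""
    listing = [
        "Kc.b.a.in-addr.arpa.+008+35658.key",
        "Kc.b.a.in-addr.arpa.+008+35658.private",
        "Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.key",
        "Kd%2Flen.c.b.a.in-addr.arpa.+008+08751.private",
    ]
    zone = "d/len.c.b.a.in-addr.arpa"
    with tempfile.TemporaryDirectory() as d:
        for f in listing:
            open(os.path.join(d, f), "w").close()   # empty stand-ins for key files
        raw = find_key_files(zone, d, escape=False)
        esc = find_key_files(zone, d, escape=True)
        return len(raw), len(esc), [(alg, tag) for alg, tag, _ in esc]


if __name__ == "__main__":
    print(demo())   # (0, 1, [(8, 8751)])
```

The raw search returns nothing for d/len.c.b.a.in-addr.arpa, reproducing the "No key events found" result, while the escaped search finds the RSASHA256 (algorithm 8) key with tag 08751. The point for a fix is that the escaping must be applied to the zone name before the directory is scanned, and that the comparison must be on the full encoded name so the c.b.a.in-addr.arpa keys are not mistaken for keys of the longer zone.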
