dnssec-keymgr fails with "Publish time for key is already past", for successor keys after their publish time (#1544) · Issues · ISC Open Source Projects / BIND

dnssec-keymgr fails with "Publish time for key is already past", for successor keys after their publish time

Summary

dnssec-keymgr fails with "Publish time for key X is already past" for successor keys that are after their Publish time (perhaps between their Publish and Activate times?)

BIND version used

BIND 9.14.9 (Stable Release) <id:623e23e>
running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov  9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.14.9' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.9/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15'
compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16)
compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled

default paths:
  named configuration:  /usr/local/Cellar/bind/9.14.9/etc/named.conf
  rndc configuration:   /usr/local/Cellar/bind/9.14.9/etc/rndc.conf
  DNSSEC root key:      /usr/local/Cellar/bind/9.14.9/etc/bind.keys
  nsupdate session key: /usr/local/Cellar/bind/9.14.9/var/run/named/session.key
  named PID file:       /usr/local/Cellar/bind/9.14.9/var/run/named/named.pid
  named lock file:      /usr/local/Cellar/bind/9.14.9/var/run/named/named.lock

Steps to reproduce

Start in an empty directory, create a key, move its publication and activation times before the roll-period (simulating importing keys created a long time ago), and run dnssec-keymgr again to create the successor key:

$ dnssec-keymgr -z example.net
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 example.net
$ dnssec-settime -P 20150101 -A 20150101 Kexample.net.+008+35355
./Kexample.net.+008+35355.key
./Kexample.net.+008+35355.private
$ dnssec-keymgr -z
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204231440 -D 20200305231440 Kexample.net.+008+35355
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -S Kexample.net.+008+35355 -L 3600 -i 2592000
$ dnssec-coverage 
WARNING: Maximum TTL value was not specified.  Using 1 week
	 (604800 seconds); re-run with the -m option to get more
	 accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone example.net, algorithm RSASHA256...

ERROR: No KSK events found

Checking scheduled ZSK events for zone example.net, algorithm RSASHA256...
  Thu Jan 01 00:00:00 UTC 2015:
    Publish: example.net/RSASHA256/35355 (ZSK)
    Activate: example.net/RSASHA256/35355 (ZSK)
  Sun Jan 05 23:14:40 UTC 2020:
    Publish: example.net/RSASHA256/30624 (ZSK)
  Tue Feb 04 23:14:40 UTC 2020:
    Activate: example.net/RSASHA256/30624 (ZSK)
    Inactive: example.net/RSASHA256/35355 (ZSK)
  Thu Mar 05 23:14:40 UTC 2020:
    Delete: example.net/RSASHA256/35355 (ZSK)

No errors found
$ date
Sun  5 Jan 2020 23:09:45 GMT
$

Wait until after the publish time, then call dnssec-keymgr again:

$ date
Sun  5 Jan 2020 23:15:09 GMT
$ dnssec-keymgr -z
Unable to apply policy: example.net/RSASHA256: Publish time for key example.net/RSASHA256/30624 (1578266080) is already past
$ echo $?
1
$

What is the current bug behavior?

dnssec-keymgr fails to complete.

What is the expected correct behavior?

dnssec-keymgr completes successfully (no actions are required of it for this zone).

Relevant configuration files

None

Relevant logs and/or screenshots

None

Possible fixes

Unknown

### Summary

dnssec-keymgr fails with "Publish time for key X is already past" for successor keys that are after their Publish time (perhaps between their Publish and Activate times?)

### BIND version used

```
BIND 9.14.9 (Stable Release) <id:623e23e>
running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov  9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.14.9' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.9/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15'
compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16)
compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled

default paths:
  named configuration:  /usr/local/Cellar/bind/9.14.9/etc/named.conf
  rndc configuration:   /usr/local/Cellar/bind/9.14.9/etc/rndc.conf
  DNSSEC root key:      /usr/local/Cellar/bind/9.14.9/etc/bind.keys
  nsupdate session key: /usr/local/Cellar/bind/9.14.9/var/run/named/session.key
  named PID file:       /usr/local/Cellar/bind/9.14.9/var/run/named/named.pid
  named lock file:      /usr/local/Cellar/bind/9.14.9/var/run/named/named.lock
```

### Steps to reproduce

```
$ dnssec-keymgr -z example.net
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 example.net
$ dnssec-settime -P 20150101 -A 20150101 Kexample.net.+008+35355
./Kexample.net.+008+35355.key
./Kexample.net.+008+35355.private
$ dnssec-keymgr -z
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204231440 -D 20200305231440 Kexample.net.+008+35355
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -S Kexample.net.+008+35355 -L 3600 -i 2592000
$ dnssec-coverage 
WARNING: Maximum TTL value was not specified.  Using 1 week
	 (604800 seconds); re-run with the -m option to get more
	 accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone example.net, algorithm RSASHA256...

ERROR: No KSK events found

Checking scheduled ZSK events for zone example.net, algorithm RSASHA256...
  Thu Jan 01 00:00:00 UTC 2015:
    Publish: example.net/RSASHA256/35355 (ZSK)
    Activate: example.net/RSASHA256/35355 (ZSK)
  Sun Jan 05 23:14:40 UTC 2020:
    Publish: example.net/RSASHA256/30624 (ZSK)
  Tue Feb 04 23:14:40 UTC 2020:
    Activate: example.net/RSASHA256/30624 (ZSK)
    Inactive: example.net/RSASHA256/35355 (ZSK)
  Thu Mar 05 23:14:40 UTC 2020:
    Delete: example.net/RSASHA256/35355 (ZSK)

No errors found
$ date
Sun  5 Jan 2020 23:09:45 GMT
$ 
```

Wait until after the publish time, then call dnssec-keymgr again:

```
$ date
Sun  5 Jan 2020 23:15:09 GMT
$ dnssec-keymgr -z
Unable to apply policy: example.net/RSASHA256: Publish time for key example.net/RSASHA256/30624 (1578266080) is already past
$ echo $?
1
$ 
```

### What is the current *bug* behavior?

dnssec-keymgr fails to complete.

### What is the expected *correct* behavior?

dnssec-keymgr completes successfully (no actions are required of it for this zone).

### Relevant configuration files

None

### Relevant logs and/or screenshots

None

### Possible fixes

Unknown

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.