dnssec-keymgr fails with "Publish time for key is already past", for successor keys after their publish time
dnssec-keymgr fails with "Publish time for key X is already past" for successor keys that are after their Publish time (perhaps between their Publish and Activate times?)
BIND version used
BIND 9.14.9 (Stable Release) <id:623e23e>
running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov 9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.14.9' '--firstname.lastname@example.org' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.9/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/email@example.com/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15'
compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1184.108.40.206)
compiled with OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d 10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled
default paths:
  named configuration: /usr/local/Cellar/bind/9.14.9/etc/named.conf
  rndc configuration: /usr/local/Cellar/bind/9.14.9/etc/rndc.conf
  DNSSEC root key: /usr/local/Cellar/bind/9.14.9/etc/bind.keys
  nsupdate session key: /usr/local/Cellar/bind/9.14.9/var/run/named/session.key
  named PID file: /usr/local/Cellar/bind/9.14.9/var/run/named/named.pid
  named lock file: /usr/local/Cellar/bind/9.14.9/var/run/named/named.lock
Steps to reproduce
Start in an empty directory, create a key, move its publication and activation times before the roll-period (simulating importing keys created a long time ago), and run dnssec-keymgr again to create the successor key:
$ dnssec-keymgr -z example.net
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 example.net
$ dnssec-settime -P 20150101 -A 20150101 Kexample.net.+008+35355
./Kexample.net.+008+35355.key
./Kexample.net.+008+35355.private
$ dnssec-keymgr -z
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204231440 -D 20200305231440 Kexample.net.+008+35355
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -S Kexample.net.+008+35355 -L 3600 -i 2592000
$ dnssec-coverage
WARNING: Maximum TTL value was not specified. Using 1 week (604800 seconds); re-run with the -m option to get more accurate results.
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone example.net, algorithm RSASHA256...
ERROR: No KSK events found
Checking scheduled ZSK events for zone example.net, algorithm RSASHA256...
  Thu Jan 01 00:00:00 UTC 2015:
    Publish: example.net/RSASHA256/35355 (ZSK)
    Activate: example.net/RSASHA256/35355 (ZSK)
  Sun Jan 05 23:14:40 UTC 2020:
    Publish: example.net/RSASHA256/30624 (ZSK)
  Tue Feb 04 23:14:40 UTC 2020:
    Activate: example.net/RSASHA256/30624 (ZSK)
    Inactive: example.net/RSASHA256/35355 (ZSK)
  Thu Mar 05 23:14:40 UTC 2020:
    Delete: example.net/RSASHA256/35355 (ZSK)
No errors found
$ date
Sun 5 Jan 2020 23:09:45 GMT
$
Wait until after the publish time, then call dnssec-keymgr again:
$ date
Sun 5 Jan 2020 23:15:09 GMT
$ dnssec-keymgr -z
Unable to apply policy: example.net/RSASHA256: Publish time for key example.net/RSASHA256/30624 (1578266080) is already past
$ echo $?
1
$
What is the current bug behavior?
dnssec-keymgr fails to complete.
What is the expected correct behavior?
dnssec-keymgr completes successfully (no actions are required of it for this zone).
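The key state described in this report, as an added example that is not part of the original issue and is not BIND's code: it parses the timing comments of a K*.key file and classifies the key's lifecycle phase at the two `date` readings shown above. The header text (including its Created line) is constructed from the times in the dnssec-coverage output; the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample of the timing comments at the top of a BIND K*.key file,
# using the successor key's Publish/Activate times from the report.
SAMPLE_KEY_HEADER = """\
; This is a zone-signing key, keyid 30624, for example.net.
; Created: 20200105230940 (Sun Jan  5 23:09:40 2020)
; Publish: 20200105231440 (Sun Jan  5 23:14:40 2020)
; Activate: 20200204231440 (Tue Feb  4 23:14:40 2020)
"""

TIMING = re.compile(
    r"^;\s*(Created|Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M
)


def parse_timing(text):
    """Return {event: epoch seconds} from key-file comments (times are UTC)."""
    timing = {}
    for event, stamp in TIMING.findall(text):
        dt = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        timing[event] = int(dt.timestamp())
    return timing


def phase(timing, now):
    """Classify the key's lifecycle phase at `now` (epoch seconds)."""
    def reached(event):
        return event in timing and timing[event] <= now

    if reached("Delete"):
        return "deleted"
    if reached("Inactive"):
        return "retired"
    if reached("Activate"):
        return "active"
    if reached("Publish"):
        return "published"  # pre-published successor, waiting for Activate
    return "generated"


if __name__ == "__main__":
    timing = parse_timing(SAMPLE_KEY_HEADER)
    # The two `date` readings from the report, as epoch seconds (UTC).
    for label, now in (("23:09:45", 1578265785), ("23:15:09", 1578266109)):
        print(label, phase(timing, now), "Publish =", timing["Publish"])
```

At the second reading the successor is in the "published" phase, the window between Publish and Activate in which the report expects dnssec-keymgr to have nothing to do.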