Skip to content

GitLab

  • Projects
  • Groups
  • Snippets
  • Help
    • Loading...
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
BIND
BIND
  • Project overview
    • Project overview
    • Details
    • Activity
    • Releases
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 580
    • Issues 580
    • List
    • Boards
    • Labels
    • Service Desk
    • Milestones
  • Merge Requests 113
    • Merge Requests 113
  • CI / CD
    • CI / CD
    • Pipelines
    • Jobs
    • Schedules
  • Operations
    • Operations
    • Incidents
    • Environments
  • Packages & Registries
    • Packages & Registries
    • Container Registry
  • Analytics
    • Analytics
    • CI / CD
    • Repository
    • Value Stream
  • Wiki
    • Wiki
  • Snippets
    • Snippets
  • Members
    • Members
  • Collapse sidebar
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
  • ISC Open Source Projects
  • BINDBIND
  • Issues
  • #1544

Closed
Open
Opened Jan 05, 2020 by Graham Clinch@gclinch

dnssec-keymgr fails with "Publish time for key is already past", for successor keys after their publish time

Summary

dnssec-keymgr fails with "Publish time for key X is already past" for successor keys that are after their Publish time (perhaps between their Publish and Activate times?)

BIND version used

BIND 9.14.9 (Stable Release) <id:623e23e>
running on Darwin x86_64 19.2.0 Darwin Kernel Version 19.2.0: Sat Nov  9 03:47:04 PST 2019; root:xnu-6153.61.1~20/RELEASE_X86_64
built by make with '--prefix=/usr/local/Cellar/bind/9.14.9' '--with-openssl=/usr/local/opt/openssl@1.1' '--with-libjson=/usr/local/opt/json-c' '--with-python=/usr/local/opt/python/bin/python3' '--with-python-install-dir=/usr/local/Cellar/bind/9.14.9/libexec/vendor/lib/python3.7/site-packages' '--without-lmdb' 'CC=clang' 'PKG_CONFIG_PATH=/usr/local/opt/json-c/lib/pkgconfig:/usr/local/opt/openssl@1.1/lib/pkgconfig:/usr/local/opt/readline/lib/pkgconfig:/usr/local/opt/sqlite/lib/pkgconfig:/usr/local/opt/xz/lib/pkgconfig:/usr/local/opt/python/lib/pkgconfig' 'PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig:/usr/local/Homebrew/Library/Homebrew/os/mac/pkgconfig/10.15'
compiled by CLANG 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.16)
compiled with OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
linked to OpenSSL version: OpenSSL 1.1.1d  10 Sep 2019
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
threads support is enabled

default paths:
  named configuration:  /usr/local/Cellar/bind/9.14.9/etc/named.conf
  rndc configuration:   /usr/local/Cellar/bind/9.14.9/etc/rndc.conf
  DNSSEC root key:      /usr/local/Cellar/bind/9.14.9/etc/bind.keys
  nsupdate session key: /usr/local/Cellar/bind/9.14.9/var/run/named/session.key
  named PID file:       /usr/local/Cellar/bind/9.14.9/var/run/named/named.pid
  named lock file:      /usr/local/Cellar/bind/9.14.9/var/run/named/named.lock

Steps to reproduce

Start in an empty directory, create a key, move its publication and activation times before the roll-period (simulating importing keys created a long time ago), and run dnssec-keymgr again to create the successor key:

$ dnssec-keymgr -z example.net
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -L 3600 -a RSASHA256 -b 2048 example.net
$ dnssec-settime -P 20150101 -A 20150101 Kexample.net.+008+35355
./Kexample.net.+008+35355.key
./Kexample.net.+008+35355.private
$ dnssec-keymgr -z
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-settime -K . -I 20200204231440 -D 20200305231440 Kexample.net.+008+35355
# /usr/local/Cellar/bind/9.14.9/sbin/dnssec-keygen -q -K . -S Kexample.net.+008+35355 -L 3600 -i 2592000
$ dnssec-coverage 
WARNING: Maximum TTL value was not specified.  Using 1 week
	 (604800 seconds); re-run with the -m option to get more
	 accurate results.
PHASE 1--Loading keys to check for internal timing problems

PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone example.net, algorithm RSASHA256...

ERROR: No KSK events found

Checking scheduled ZSK events for zone example.net, algorithm RSASHA256...
  Thu Jan 01 00:00:00 UTC 2015:
    Publish: example.net/RSASHA256/35355 (ZSK)
    Activate: example.net/RSASHA256/35355 (ZSK)
  Sun Jan 05 23:14:40 UTC 2020:
    Publish: example.net/RSASHA256/30624 (ZSK)
  Tue Feb 04 23:14:40 UTC 2020:
    Activate: example.net/RSASHA256/30624 (ZSK)
    Inactive: example.net/RSASHA256/35355 (ZSK)
  Thu Mar 05 23:14:40 UTC 2020:
    Delete: example.net/RSASHA256/35355 (ZSK)

No errors found
$ date
Sun  5 Jan 2020 23:09:45 GMT
$ 

Wait until after the publish time, then call dnssec-keymgr again:

$ date
Sun  5 Jan 2020 23:15:09 GMT
$ dnssec-keymgr -z
Unable to apply policy: example.net/RSASHA256: Publish time for key example.net/RSASHA256/30624 (1578266080) is already past
$ echo $?
1
$ 

What is the current bug behavior?

dnssec-keymgr fails to complete.

What is the expected correct behavior?

dnssec-keymgr completes successfully (no actions are required of it for this zone).

Relevant configuration files

None

Relevant logs and/or screenshots

None

Possible fixes

Unknown

Assignee
Assign to
None
Milestone
None
Assign milestone
Time tracking
None
Due date
None
Reference: isc-projects/bind9#1544