ISC Open Source Projects / BIND / Issues / #585

Created Oct 09, 2018 by Ghost User@ghost

dnssec-coverage fails with TypeError for KSK with a Deletion date set

Summary

dnssec-coverage fails with a TypeError for a KSK for which a Deletion date is set. It doesn't, when only ZSKs with a deletion date are used. But even if a KSK with a deletion date is present for the zone, it fails even with the option -z to restrict it to ZSKs.

BIND version used

BIND 9.11.4-P2-3~bpo9+1-Debian (Extended Support Version) id:7107deb

Steps to reproduce

  1. Create a KSK for a zone.
  2. Create a second KSK for a key rollover event in the future for this zone.
  3. Set the inactivation and deletion times of the first KSK accordingly.
  4. Run dnssec-coverage

that means:

  1. dnssec-keygen -f KSK -a 8 -b 2048 example.com
  2. dnssec-keygen -P +20d -A +40d -f KSK -a 8 -b 2048 example.com
  3. dnssec-settime -I ACTIVATIONTIME-KSK1 -D +40d KSK2.key
  4. dnssec-coverage (either with -z, with -k or without, it does occur)

What is the current bug behavior?

Setting a deletion date in 40 days:

dnssec-settime -D +40d *40099.key
./Kexample.com.+008+40099.key
./Kexample.com.+008+40099.private

Then dnssec-coverage fails with a "TypeError: unorderable types: int() < NoneType()"

dnssec-coverage -k
WARNING: Maximum TTL value was not specified.  Using 1 week
	(604800 seconds); re-run with the -m option to get more
	accurate results.
PHASE 1--Loading keys to check for internal timing problems
Traceback (most recent call last):
  File "/usr/sbin/dnssec-coverage", line 27, in <module>
    isc.coverage.main()
  File "/usr/lib/python3/dist-packages/isc/coverage.py", line 261, in main
    key.check_postpub(output)
  File "/usr/lib/python3/dist-packages/isc/dnskey.py", line 477, in check_postpub
    if d - i < timespan:
TypeError: unorderable types: int() < NoneType()

What is the expected correct behavior?

No errors found.

Possible fixes

The error occurs in file "/usr/lib/python3/dist-packages/isc/dnskey.py", line 477, in check_postpub

if d - i < timespan:

but stems from the fact that timespan is of type NoneType and stems therefore most likely from before in line 453:

if timespan is None:
    timespan = self.ttl

and is already there of type NoneType. Though, it is unclear to me, why.

Edited Nov 26, 2018 by Mark Andrews
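
Added example, not part of the original report and not the isc.dnskey source: a simplified stand-in for the comparison in check_postpub, assuming the key's TTL is unset so that the fallback quoted above leaves timespan as None. The Key class, both method names, DEFAULT_TTL and the timestamps are hypothetical; 604800 is the one-week default named in the warning output.

```python
# Added illustration; a simplified stand-in, not the isc.dnskey source.
DEFAULT_TTL = 604800  # 1 week, the default named in the dnssec-coverage warning


class Key:
    """Hypothetical minimal key: times are epoch seconds or None."""

    def __init__(self, inactive=None, delete=None, ttl=None):
        self.inactive, self.delete, self.ttl = inactive, delete, ttl

    def check_postpub_unguarded(self, timespan=None):
        # Same shape as the two snippets quoted in the report.
        if timespan is None:
            timespan = self.ttl          # still None when the key has no TTL
        d, i = self.delete, self.inactive
        if d is None:
            return True
        return not (d - i < timespan)    # Python 3: TypeError if timespan is None

    def check_postpub_guarded(self, timespan=None):
        # Resolve every operand before the comparison is evaluated.
        if timespan is None:
            timespan = self.ttl
        if timespan is None:
            timespan = DEFAULT_TTL       # assumption: fall back to the 1-week default
        d, i = self.delete, self.inactive
        if d is None:
            return True                  # no deletion scheduled, nothing to check
        if i is None:
            return False                 # deletion without inactivation: flag it
        return d - i >= timespan


def demo():
    """Return (unguarded outcome, guarded outcome) for a KSK with Deletion set."""
    now = 1539043200                     # constructed timestamp
    ksk = Key(inactive=now + 20 * 86400, delete=now + 40 * 86400, ttl=None)
    try:
        unguarded = ksk.check_postpub_unguarded()
    except TypeError as exc:
        unguarded = type(exc).__name__
    return unguarded, ksk.check_postpub_guarded()


if __name__ == "__main__":
    print(demo())
```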