Skip to content

GitLab

Closed
Created by Sven Duscha@duscha

dnssec-coverage fails with TypeError for KSK with a Deletion date set

Summary

dnssec-coverage fails with a TypeError for a KSK for which a Deletion date set. It doesn't, when only ZSKs with a deletion date are used. But even if a KSK with a deletion date is present for the zone, it fails even with the option -z to restrict it to ZSKs.

BIND version used

BIND 9.11.4-P2-3~bpo9+1-Debian (Extended Support Version) id:7107deb

Steps to reproduce

  1. Create a KSK for a zone.
  2. Create a second KSK for a key rollover event in the future for this zone.
  3. Set the inactivation and deletion times of the first KSK accordingly.
  4. Run dnssec-coverage

that means:

  1. dnssec-keygen -f KSK -a 8 -b 2048 example.com
  2. dnssec-keygen -P +20d -A +40d -f KSK -a 8 -b 2048 example.com
  3. dnssec-settime -I ACTIVATIONTIME-KSK1 -D +40d KSK2.key
  4. dnssec-coverage (either with -z, with -k or without is does occur)

What is the current bug behavior?

Setting a deletion date in 40 days:

dnssec-settime -D +40d *40099.key
./Kexample.com.+008+40099.key
./Kexample.com.+008+40099.private

Then dnssec-coverage fails with a "TypeError: underable types: int() < NoneType()"

dnssec-coverage -k<br>
WARNING: Maximum TTL value was not specified.  Using 1 week<br>
	(604800 seconds); re-run with the -m option to get more<br>
	accurate results.<br>
PHASE 1--Loading keys to check for internal timing problems<br>
Traceback (most recent call last):<br>
 File "/usr/sbin/dnssec-coverage", line 27, in <module><br>
	 isc.coverage.main()<br>
 File "/usr/lib/python3/dist-packages/isc/coverage.py", line 261, in main<br>
	 key.check_postpub(output)<br>
 File "/usr/lib/python3/dist-packages/isc/dnskey.py", line 477, in check_postpub<br>
	 if d - i < timespan:<br>
TypeError: unorderable types: int() < NoneType()

What is the expected correct behavior?

No errors found.

Possible fixes

The error occurs in file "/usr/lib/python3/dist-packages/isc/dnskey.py", line 477, in check_postpub

if d - i < timespan:

but stems from the fact that timespan is of type NoneType and stems therefore most likely from before in line 453:

if timespan = None:
   timespan = self.ttl

and is already there of type NoneType. Though, it is unclear to me, why.

Edited by Mark Andrews