dnssec-coverage complains about issues in the past
Reported by Peter Palfrader in Debian:
We regularly rotate our ZSKs, and just recently we started removing old .key files from our keydir.
The oldest remaining ZSK now has a published date in the past, and an activation date also in the past but after the publish date. (Previously, the oldest ZSK was the first ZSK, and it had publish and activate at the same time.)
dnssec-coverage complains about this:
| Checking scheduled ZSK events for zone debian.nl, algorithm RSASHA256...
| Wed Jul 11 12:07:03 UTC 2018:
| Publish: debian.nl/008/17304 (ZSK)
| ERROR: No ZSK's are active after this event
for
; This is a zone-signing key, keyid 17304, for debian.nl.
; Created: 20180211121307 (Sun Feb 11 12:13:07 2018)
; Publish: 20180711120703 (Wed Jul 11 12:07:03 2018)
; Activate: 20180810120703 (Fri Aug 10 12:07:03 2018)
; Inactive: 20181208120703 (Sat Dec 8 12:07:03 2018)
; Delete: 20190107120703 (Mon Jan 7 12:07:03 2019)
[..key..]
; This is a zone-signing key, keyid 29616, for debian.nl.
; Created: 20180612045523 (Tue Jun 12 04:55:23 2018)
; Publish: 20181108120703 (Thu Nov 8 12:07:03 2018)
; Activate: 20181208120703 (Sat Dec 8 12:07:03 2018)
; Inactive: 20190407120703 (Sun Apr 7 12:07:03 2019)
; Delete: 20190507120703 (Tue May 7 12:07:03 2019)
[..key..]
; This is a zone-signing key, keyid 37155, for debian.nl.
; Created: 20181009121102 (Tue Oct 9 12:11:02 2018)
; Publish: 20190308120703 (Fri Mar 8 12:07:03 2019)
; Activate: 20190407120703 (Sun Apr 7 12:07:03 2019)
; Inactive: 20190805120703 (Mon Aug 5 12:07:03 2019)
; Delete: 20190904120703 (Wed Sep 4 12:07:03 2019)
[..key..]
I propose dnssec-coverage ignore cases of no active/publish/active&published that happened in the past.
--- /usr/sbin/dnssec-coverage 2018-01-15 21:40:17.000000000 +0000
+++ /srv/dns.debian.org/bin/dnssec-coverage 2018-10-24 18:24:01.216562896 +0000
@@ -15,6 +15,10 @@
# PERFORMANCE OF THIS SOFTWARE.
############################################################################
+# changes 2018-10-24, Peter Palfrader
+# - ignore "errors" in the past (like no active keys)
+# as that can result from retiring old (and deleted) keyfiles
+
import argparse
import os
import glob
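Review bot: the dated change log comment ("# changes 2018-10-24, Peter Palfrader") added under the licence header belongs in the commit message or the tool's changelog rather than in the source, where it will go stale. If a comment is kept here, phrase it as a description of current behaviour, e.g. "gaps that closed before the current time are reported as INFO rather than ERROR, since the key files that caused them may already have been retired and deleted", and put it next to the check itself.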
@@ -23,6 +27,7 @@
import time
import calendar
from collections import defaultdict
+from itertools import zip_longest
import pprint
prog='dnssec-coverage'
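Review bot: `from itertools import zip_longest` only exists under Python 3; Python 2 spells it `izip_longest`. If dnssec-coverage is still meant to run under both interpreters, guard the import: `try: from itertools import zip_longest` / `except ImportError: from itertools import izip_longest as zip_longest`. Otherwise the hunk should be accompanied by a note that the script is now Python 3 only.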
@@ -531,7 +536,7 @@
if eventgroup:
eventgroups.append(eventgroup)
- for eventgroup in eventgroups:
+ for eventgroup, next_eventgroup in zip_longest(eventgroups, eventgroups[1:]):
if (args.checklimit and
calendar.timegm(eventgroup[0].when) > args.checklimit):
print("Ignoring events after %s" %
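Review bot: the pairing `zip_longest(eventgroups, eventgroups[1:])` is correct (the last group gets `None` as its successor, so nothing after the final event can be classed as past), but the reason for carrying `next_eventgroup` is only visible well below where it is consulted. A one-line comment at the loop head stating that the successor's timestamp decides whether a coverage gap has already closed would make the loop self-explanatory; `eventgroups[1:]` also copies the list, which is harmless at these sizes but worth knowing.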
@@ -545,18 +550,19 @@
list_events(eventgroup)
# and then check for inconsistencies:
+
+ # but do not bail out on inconsistencies in the past that may be the result of keys that got retired
+ bygones = next_eventgroup is not None and calendar.timegm(next_eventgroup[0].when) < time.time()
if len(active) == 0:
- print ("ERROR: No %s's are active after this event" % keytype)
- return False
+ print ("%s: No %s's are active after this event" %(['ERROR', 'INFO'][bygones], keytype))
+ if not bygones: return False
elif len(published) == 0:
- sys.stdout.write("ERROR: ")
- print ("ERROR: No %s's are published after this event" % keytype)
- return False
+ print ("%s: No %s's are published after this event" % (['ERROR', 'INFO'][bygones], keytype))
+ if not bygones: return False
elif len(published.intersection(active)) == 0:
- sys.stdout.write("ERROR: ")
- print (("ERROR: No %s's are both active and published " +
- "after this event") % keytype)
- return False
+ print (("%s: No %s's are both active and published " +
+ "after this event") % (['ERROR', 'INFO'][bygones], keytype))
+ if not bygones: return False
if not eventsfound:
print ("ERROR: No %s events found in '%s'" %
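Review bot: `bygones` is evaluated against `time.time()` separately for every event group, so compute the current time once before the loop and compare all groups against that single instant; this also keeps the classification consistent with whatever clock the rest of the run used. The semantics themselves look right: a gap is downgraded only when the next event is already in the past, so a gap that started in the past but is still open (next event in the future, or no next event) remains an ERROR. Two style points: indexing a list with a bool in `['ERROR', 'INFO'][bygones]` is obscure where `"INFO" if bygones else "ERROR"` says the same thing, and `if not bygones: return False` should be split over two lines. Finally, the removed `sys.stdout.write("ERROR: ")` calls previously double-prefixed the "published" and "both active and published" messages, so this hunk also changes the output format of those two lines; that is an improvement, but it should be mentioned in the commit message.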
To reproduce:
mkdir example.com
cd example.com
faketime -f '-1y' /usr/sbin/dnssec-keygen -f KSK -K . -a RSASHA256 -3 -b 2048 example.com
key=$(faketime -f '-1y' /usr/sbin/dnssec-keygen -K . -a RSASHA256 -3 -b 1024 -I +120d -D +150d example.com)
first=$key
lt=120
for i in `seq 1 5`; do
lt=$((lt + 120))
key=$(faketime -f '-1y' /usr/sbin/dnssec-keygen -K . -S "$key.key" -I +${lt}d -D +$((lt+30))d example.com)
done
/usr/sbin/dnssec-coverage -K . -l 200d -c /usr/sbin/named-compilezone example.com
rm $first.key $first.private
/usr/sbin/dnssec-coverage -K . -l 200d -c /usr/sbin/named-compilezone example.com
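To make the timeline check and the proposed "bygones" rule concrete, here is an added example that is not dnssec-coverage's own code and not part of the report. It re-implements the event walk in simplified form: it parses the `; Publish:` / `; Activate:` / `; Inactive:` / `; Delete:` comment lines that dnssec-keygen writes at the top of each K*.key file (a constructed sample mirroring the report's three ZSKs is embedded), replays the events in order, and reports a point where no ZSK is active, published, or both. As in the patch, a gap whose next event already lies before `now` is reported as INFO, everything else as ERROR, and the first ERROR stops the walk; `now` and the `-l`-style `checklimit` are plain parameters so the behaviour can be checked without faketime. The key file parsing and the exact check order are my assumptions about the tool, not its code.

```python
import calendar
import re
import time
from collections import defaultdict

# Constructed sample input: the metadata comments dnssec-keygen writes at the
# top of each K*.key file. Key ids and dates mirror the ones quoted in the
# report, but the text is assembled here and is not a real key file.
SAMPLE_KEYS = """\
; This is a zone-signing key, keyid 17304, for debian.nl.
; Publish: 20180711120703 (Wed Jul 11 12:07:03 2018)
; Activate: 20180810120703 (Fri Aug 10 12:07:03 2018)
; Inactive: 20181208120703 (Sat Dec 8 12:07:03 2018)
; Delete: 20190107120703 (Mon Jan 7 12:07:03 2019)
; This is a zone-signing key, keyid 29616, for debian.nl.
; Publish: 20181108120703 (Thu Nov 8 12:07:03 2018)
; Activate: 20181208120703 (Sat Dec 8 12:07:03 2018)
; Inactive: 20190407120703 (Sun Apr 7 12:07:03 2019)
; Delete: 20190507120703 (Tue May 7 12:07:03 2019)
; This is a zone-signing key, keyid 37155, for debian.nl.
; Publish: 20190308120703 (Fri Mar 8 12:07:03 2019)
; Activate: 20190407120703 (Sun Apr 7 12:07:03 2019)
; Inactive: 20190805120703 (Mon Aug 5 12:07:03 2019)
; Delete: 20190904120703 (Wed Sep 4 12:07:03 2019)
"""

KEY_HEADER = re.compile(r"^; This is a (zone|key)-signing key, keyid (\d+)")
EVENT_LINE = re.compile(r"^; (Publish|Activate|Inactive|Delete): (\d{14})")


def parse_timestamp(ts):
    """dnssec-keygen writes YYYYMMDDHHMMSS in UTC; return Unix time."""
    return calendar.timegm(time.strptime(ts, "%Y%m%d%H%M%S"))


def parse_keys(text):
    """Return [(keytype, keyid, {event: epoch})] from K*.key header comments."""
    keys = []
    for line in text.splitlines():
        m = KEY_HEADER.match(line)
        if m:
            keytype = "ZSK" if m.group(1) == "zone" else "KSK"
            keys.append((keytype, int(m.group(2)), {}))
            continue
        m = EVENT_LINE.match(line)
        if m and keys:
            keys[-1][2][m.group(1)] = parse_timestamp(m.group(2))
    return keys


def check_coverage(keys, now, checklimit=None, keytype="ZSK"):
    """Replay the key timeline and report points where no key of `keytype` is
    active, published, or both. A gap is 'bygones' when the next event already
    lies before `now`; it is reported as INFO instead of ERROR. Returns
    [(severity, epoch, message)] and stops at the first ERROR, as the tool does."""
    events = defaultdict(list)                       # epoch -> [(event, keyid)]
    for ktype, keyid, timings in keys:
        if ktype != keytype:
            continue
        for event, when in timings.items():
            events[when].append((event, keyid))
    times = sorted(events)
    published, active, findings = set(), set(), []
    for i, when in enumerate(times):
        if checklimit is not None and when > checklimit:
            break                                    # like the -l option
        for event, keyid in events[when]:            # apply all events at `when`
            if event == "Publish":
                published.add(keyid)
            elif event == "Activate":
                active.add(keyid)
            elif event == "Inactive":
                active.discard(keyid)
            elif event == "Delete":
                published.discard(keyid)
        next_when = times[i + 1] if i + 1 < len(times) else None
        bygones = next_when is not None and next_when < now
        if not active:
            problem = "No %s's are active after this event" % keytype
        elif not published:
            problem = "No %s's are published after this event" % keytype
        elif not (published & active):
            problem = "No %s's are both active and published after this event" % keytype
        else:
            continue
        findings.append(("INFO" if bygones else "ERROR", when, problem))
        if not bygones:
            break
    return findings


if __name__ == "__main__":
    now = parse_timestamp("20181024120000")          # constructed 'today'
    for sev, when, msg in check_coverage(parse_keys(SAMPLE_KEYS), now,
                                         checklimit=now + 200 * 86400):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(when)), sev, msg)
```

With `now` set to October 2018 and a 200-day limit, the only finding is the INFO for the first key's publish-before-activate window, which is exactly the situation in the report; move `now` back to July 2018, before that key's activation, and the same gap is still open and comes out as an ERROR, which is the behaviour the patch preserves.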