dnssec-coverage complains about issues in the past (#625) · Issues · ISC Open Source Projects / BIND

dnssec-coverage complains about issues in the past

Reported by Peter Palfrader in Debian:

We regularly rotate our ZSKs, and just recently we started removing old .key files from our keydir.

The oldest remaining ZSK now has a published date in the past, and an activation date also in the past but after the publish date. (Previously, the oldest ZSK was the first ZSK, and it had publish and activate at the same time.)

dnssec-coverage complains about this:

| Checking scheduled ZSK events for zone debian.nl, algorithm RSASHA256...
|   Wed Jul 11 12:07:03 UTC 2018:
|     Publish: debian.nl/008/17304 (ZSK)
| ERROR: No ZSK's are active after this event

for
; This is a zone-signing key, keyid 17304, for debian.nl.
; Created: 20180211121307 (Sun Feb 11 12:13:07 2018)
; Publish: 20180711120703 (Wed Jul 11 12:07:03 2018)
; Activate: 20180810120703 (Fri Aug 10 12:07:03 2018)
; Inactive: 20181208120703 (Sat Dec  8 12:07:03 2018)
; Delete: 20190107120703 (Mon Jan  7 12:07:03 2019)
[..key..]

; This is a zone-signing key, keyid 29616, for debian.nl.
; Created: 20180612045523 (Tue Jun 12 04:55:23 2018)
; Publish: 20181108120703 (Thu Nov  8 12:07:03 2018)
; Activate: 20181208120703 (Sat Dec  8 12:07:03 2018)
; Inactive: 20190407120703 (Sun Apr  7 12:07:03 2019)
; Delete: 20190507120703 (Tue May  7 12:07:03 2019)
[..key..]

; This is a zone-signing key, keyid 37155, for debian.nl.
; Created: 20181009121102 (Tue Oct  9 12:11:02 2018)
; Publish: 20190308120703 (Fri Mar  8 12:07:03 2019)
; Activate: 20190407120703 (Sun Apr  7 12:07:03 2019)
; Inactive: 20190805120703 (Mon Aug  5 12:07:03 2019)
; Delete: 20190904120703 (Wed Sep  4 12:07:03 2019)
[..key..]

I propose dnssec-coverage ignore cases of no active/publish/active&published that happened in the past.

--- /usr/sbin/dnssec-coverage   2018-01-15 21:40:17.000000000 +0000
+++ /srv/dns.debian.org/bin/dnssec-coverage     2018-10-24 18:24:01.216562896 +0000
@@ -15,6 +15,10 @@
# PERFORMANCE OF THIS SOFTWARE.
############################################################################

+# changes 2018-10-24, Peter Palfrader
+#  - ignore "errors" in the past (like no active keys)
+#    as that can result from retiring old (and deleted) keyfiles
+
import argparse
import os
import glob
@@ -23,6 +27,7 @@
import time
import calendar
from collections import defaultdict
+from itertools import zip_longest
import pprint

prog='dnssec-coverage'
@@ -531,7 +536,7 @@
    if eventgroup:
        eventgroups.append(eventgroup)

-    for eventgroup in eventgroups:
+    for eventgroup, next_eventgroup in zip_longest(eventgroups, eventgroups[1:]):
        if (args.checklimit and
            calendar.timegm(eventgroup[0].when) > args.checklimit):
            print("Ignoring events after %s" %
@@ -545,18 +550,19 @@
        list_events(eventgroup)

        # and then check for inconsistencies:
+
+        # but do not bail out on inconsistencies in the past that may be the result of keys that got retired
+        bygones = next_eventgroup is not None and calendar.timegm(next_eventgroup[0].when) < time.time()
        if len(active) == 0:
-            print ("ERROR: No %s's are active after this event" % keytype)
-            return False
+            print ("%s: No %s's are active after this event" %(['ERROR', 'INFO'][bygones], keytype))
+            if not bygones: return False
        elif len(published) == 0:
-            sys.stdout.write("ERROR: ")
-            print ("ERROR: No %s's are published after this event" % keytype)
-            return False
+            print ("%s: No %s's are published after this event" % (['ERROR', 'INFO'][bygones], keytype))
+            if not bygones: return False
        elif len(published.intersection(active)) == 0:
-            sys.stdout.write("ERROR: ")
-            print (("ERROR: No %s's are both active and published " +
-                    "after this event") % keytype)
-            return False
+            print (("%s: No %s's are both active and published " +
+                    "after this event") % (['ERROR', 'INFO'][bygones], keytype))
+            if not bygones: return False

    if not eventsfound:
        print ("ERROR: No %s events found in '%s'" %

To reproduce:

mkdir example.com
cd example.com
faketime -f '-1y'  /usr/sbin/dnssec-keygen -f KSK -K . -a RSASHA256 -3 -b 2048 example.com

key=$(faketime -f '-1y'  /usr/sbin/dnssec-keygen -K . -a RSASHA256 -3 -b 1024 -I +120d -D +150d example.com)
first=$key

lt=120
for i in `seq 1 5`; do
 lt=$((lt + 120))
 key=$(faketime -f '-1y'  /usr/sbin/dnssec-keygen -K . -S "$key.key" -I +${lt}d -D +$((lt+30))d example.com)
done

/usr/sbin/dnssec-coverage -K . -l 200d -c /usr/sbin/named-compilezone example.com
rm $first.key $first.private
/usr/sbin/dnssec-coverage -K . -l 200d -c /usr/sbin/named-compilezone example.com

Reported by Peter Palfrader in Debian:

We regularly rotate our ZSKs, and just recently we started removing old
.key files from our keydir.

The oldest remaining ZSK now has a published date in the past, and an
activation date also in the past but after the publish date.
 (Previously, the oldest ZSK was the *first* ZSK, and it had publish
  and activate at the same time.)

dnssec-coverage complains about this:

```
| Checking scheduled ZSK events for zone debian.nl, algorithm RSASHA256...
|   Wed Jul 11 12:07:03 UTC 2018:
|     Publish: debian.nl/008/17304 (ZSK)
| ERROR: No ZSK's are active after this event

for
; This is a zone-signing key, keyid 17304, for debian.nl.
; Created: 20180211121307 (Sun Feb 11 12:13:07 2018)
; Publish: 20180711120703 (Wed Jul 11 12:07:03 2018)
; Activate: 20180810120703 (Fri Aug 10 12:07:03 2018)
; Inactive: 20181208120703 (Sat Dec  8 12:07:03 2018)
; Delete: 20190107120703 (Mon Jan  7 12:07:03 2019)
[..key..]

; This is a zone-signing key, keyid 29616, for debian.nl.
; Created: 20180612045523 (Tue Jun 12 04:55:23 2018)
; Publish: 20181108120703 (Thu Nov  8 12:07:03 2018)
; Activate: 20181208120703 (Sat Dec  8 12:07:03 2018)
; Inactive: 20190407120703 (Sun Apr  7 12:07:03 2019)
; Delete: 20190507120703 (Tue May  7 12:07:03 2019)
[..key..]

; This is a zone-signing key, keyid 37155, for debian.nl.
; Created: 20181009121102 (Tue Oct  9 12:11:02 2018)
; Publish: 20190308120703 (Fri Mar  8 12:07:03 2019)
; Activate: 20190407120703 (Sun Apr  7 12:07:03 2019)
; Inactive: 20190805120703 (Mon Aug  5 12:07:03 2019)
; Delete: 20190904120703 (Wed Sep  4 12:07:03 2019)
[..key..]
```

I propose dnssec-coverage ignore cases of no
active/publish/active&published that happened in the past.

```
--- /usr/sbin/dnssec-coverage   2018-01-15 21:40:17.000000000 +0000
+++ /srv/dns.debian.org/bin/dnssec-coverage     2018-10-24 18:24:01.216562896 +0000
@@ -15,6 +15,10 @@
# PERFORMANCE OF THIS SOFTWARE.
############################################################################

+# changes 2018-10-24, Peter Palfrader
+#  - ignore "errors" in the past (like no active keys)
+#    as that can result from retiring old (and deleted) keyfiles
+
import argparse
import os
import glob
@@ -23,6 +27,7 @@
import time
import calendar
from collections import defaultdict
+from itertools import zip_longest
import pprint

prog='dnssec-coverage'
@@ -531,7 +536,7 @@
    if eventgroup:
        eventgroups.append(eventgroup)

-    for eventgroup in eventgroups:
+    for eventgroup, next_eventgroup in zip_longest(eventgroups, eventgroups[1:]):
        if (args.checklimit and
            calendar.timegm(eventgroup[0].when) > args.checklimit):
            print("Ignoring events after %s" %
@@ -545,18 +550,19 @@
        list_events(eventgroup)

# and then check for inconsistencies:
+
+        # but do not bail out on inconsistencies in the past that may be the result of keys that got retired
+        bygones = next_eventgroup is not None and calendar.timegm(next_eventgroup[0].when) < time.time()
        if len(active) == 0:
-            print ("ERROR: No %s's are active after this event" % keytype)
-            return False
+            print ("%s: No %s's are active after this event" %(['ERROR', 'INFO'][bygones], keytype))
+            if not bygones: return False
        elif len(published) == 0:
-            sys.stdout.write("ERROR: ")
-            print ("ERROR: No %s's are published after this event" % keytype)
-            return False
+            print ("%s: No %s's are published after this event" % (['ERROR', 'INFO'][bygones], keytype))
+            if not bygones: return False
        elif len(published.intersection(active)) == 0:
-            sys.stdout.write("ERROR: ")
-            print (("ERROR: No %s's are both active and published " +
-                    "after this event") % keytype)
-            return False
+            print (("%s: No %s's are both active and published " +
+                    "after this event") % (['ERROR', 'INFO'][bygones], keytype))
+            if not bygones: return False

if not eventsfound:
        print ("ERROR: No %s events found in '%s'" %
```

To reproduce:

```
mkdir example.com
cd example.com
faketime -f '-1y'  /usr/sbin/dnssec-keygen -f KSK -K . -a RSASHA256 -3 -b 2048 example.com

key=$(faketime -f '-1y'  /usr/sbin/dnssec-keygen -K . -a RSASHA256 -3 -b 1024 -I +120d -D +150d example.com)
first=$key

lt=120
for i in `seq 1 5`; do
 lt=$((lt + 120))
 key=$(faketime -f '-1y'  /usr/sbin/dnssec-keygen -K . -S "$key.key" -I +${lt}d -D +$((lt+30))d example.com)
done

/usr/sbin/dnssec-coverage -K . -l 200d -c /usr/sbin/named-compilezone example.com
rm $first.key $first.private
/usr/sbin/dnssec-coverage -K . -l 200d -c /usr/sbin/named-compilezone example.com
```

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.