Skip to content

keymgr 19-old-keys failing on penguin

SRCID=342a0dd0e5

Test Failed: keymgr
S:keymgr:Tue Jan 29 11:01:08 PST 2019
T:keymgr:1:A
A:keymgr:System test keymgr
I:keymgr:PORTRANGE:6700 - 6799
I:keymgr:set up 01-ksk-inactive
I:keymgr:set up 02-zsk-inactive
I:keymgr:set up 03-ksk-unpublished
I:keymgr:set up 04-zsk-unpublished
I:keymgr:set up 05-ksk-unpub-active
I:keymgr:set up 06-zsk-unpub-active
I:keymgr:set up 07-ksk-ttl
I:keymgr:set up 08-zsk-ttl
I:keymgr:set up 10-change-roll
I:keymgr:set up 11-many-simul
I:keymgr:set up 12-many-active
I:keymgr:set up 13-noroll
I:keymgr:set up 14-wrongalg
I:keymgr:set up 15-unspec
I:keymgr:set up 16-wrongalg-unspec
I:keymgr:set up 17-noforce
I:keymgr:set up 18-nonstd-prepub
I:keymgr:set up 19-old-keys
I:keymgr:checking for DNSSEC key coverage issues
I:keymgr:01-ksk-inactive (1)
I:keymgr:02-zsk-inactive (2)
I:keymgr:03-ksk-unpublished (3)
I:keymgr:04-zsk-unpublished (4)
I:keymgr:05-ksk-unpub-active (5)
I:keymgr:06-zsk-unpub-active (6)
I:keymgr:07-ksk-ttl (7)
I:keymgr:08-zsk-ttl (8)
I:keymgr:09-no-keys (9)
I:keymgr:10-change-roll (10)
I:keymgr:11-many-simul (11)
I:keymgr:12-many-active (12)
I:keymgr:13-noroll (13)
I:keymgr:14-wrongalg (14)
I:keymgr:15-unspec (15)
I:keymgr:16-wrongalg-unspec (16)
I:keymgr:17-noforce (17)
I:keymgr:18-nonstd-prepub (18)
I:keymgr:19-old-keys (19)
keymgr retcode was 1 expected 0
coverage retcode was 1 expected 0
error count was 1 expected 0
good count was 1 expected 2
'Publish': expected     4 found 2
I:keymgr:failed
I:keymgr:checking domains ending in . (20)
I:keymgr:checking policy.conf parser (21)
I:keymgr:exit status: 1
R:keymgr:FAIL
E:keymgr:Tue Jan 29 11:01:21 PST 2019

penguin:~/cvs/robie/builds/bind9.v9_11.no-ipv6/bind9/bin/tests/system/keymgr> more *.19
::::::::::::::
coverage.19
::::::::::::::
PHASE 1--Loading keys to check for internal timing problems
PHASE 2--Scanning future key events for coverage failures
Checking scheduled KSK events for zone example.com, algorithm NSEC3RSASHA1...
  Sun Jan 29 19:01:14 UTC 2017:
    Publish: example.com/NSEC3RSASHA1/23253 (KSK)
    Activate: example.com/NSEC3RSASHA1/23253 (KSK)

No errors found

Checking scheduled ZSK events for zone example.com, algorithm NSEC3RSASHA1...
  Sun Jan 29 19:01:14 UTC 2017:
    Publish: example.com/NSEC3RSASHA1/04478 (ZSK)
    Activate: example.com/NSEC3RSASHA1/04478 (ZSK)
  Tue Mar 12 19:01:19 UTC 2019:
    Inactive: example.com/NSEC3RSASHA1/04478 (ZSK)

ERROR: No ZSK's are active after this event
::::::::::::::
keymgr.19
::::::::::::::
# /home/tbox/cvs/robie/builds/bind9.v9_11.no-ipv6/bind9/bin/dnssec/dnssec-settime -K 19-old-keys -I 20190312190119 -D 20190423190119 Kexam
ple.com.+007+04478
# /home/tbox/cvs/robie/builds/bind9.v9_11.no-ipv6/bind9/bin/dnssec/dnssec-keygen -q -K 19-old-keys -S Kexample.com.+007+04478 -L 3600 -r /
home/tbox/cvs/robie/builds/bind9.v9_11.no-ipv6/bind9/bin/tests/system/random.data -i 3628800
Unable to apply policy: example.com/NSEC3RSASHA1: unable to generate key: dnssec-keygen: fatal: Key example.com/NSEC3RSASHA1/4478 becomes 
inactive
	sooner than the prepublication period for the new key ends.
	Either change the inactivation date with dnssec-settime -I,
	or use the -i option to set a shorter prepublication interval.

penguin:~/cvs/robie/builds/bind9.v9_11.no-ipv6/bind9/bin/tests/system/keymgr> ls 19-old-keys
expect	  Kexample.com.+007+04478.key	   Kexample.com.+007+23253.key	    policy.conf
extra.sh  Kexample.com.+007+04478.private  Kexample.com.+007+23253.private  README
penguin:~/cvs/robie/builds/bind9.v9_11.no-ipv6/bind9/bin/tests/system/keymgr>
Edited by Mark Andrews
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information