Package: dnssec-tools
Version: 1.7-3
Severity: important
File: /usr/share/perl5/Net/DNS/SEC/Tools/keyrec.pm
Tags: patch
When RFC5011 KSK revocation is enabled (the default), at some point after
KSK keys have been revoked, zonesigner fails with the following error:
dnssec-signzone: fatal: revoked KSK is not self signed
The problem is that zonesigner is not passing a -k argument to dnssec-signzone
with the revoked key. This appears to be because keyrec_keypaths() (from
Net::DNS::SEC::Tools::keyrec) is not finding the kskrev keypaths, which have
an additional level of indirection in their keyrec signing sets.
The attached patch attempts to correct this problem.
-- System Information:
Debian Release: 6.0.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-openvz-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages dnssec-tools depends on:
ii bind9utils 1:9.7.3.dfsg-1~squeeze4 Utilities for BIND
ii libnet-dns-perl 0.66-2 Perform DNS queries from a Perl sc
ii libnet-dns-sec-p 0.16-1 DNSSEC extension to NET::DNS
ii libtimedate-perl 1.2000-1 collection of modules to manipulat
ii perl 5.10.1-17squeeze3 Larry Wall's Practical Extraction
Versions of packages dnssec-tools recommends:
ii bind9 1:9.7.3.dfsg-1~squeeze4 Internet Domain Name Server
dnssec-tools suggests no packages.
-- Configuration Files:
/etc/dnssec-tools/dnssec-tools.conf changed [not included]
-- no debconf information
--- /usr/share/perl5/Net/DNS/SEC/Tools/keyrec.pm 2010-06-25
08:42:00.000000000 -0700
+++ keyrec.pm 2012-03-31 18:09:37.000000000 -0700
@@ -704,15 +704,50 @@
foreach my $kn (split /[\s,]/, $keylist)
{
#
- # Verify that this key exists and is the right type.
+ # Verify that this key exists.
#
next if(!defined($keyrecs{$kn}));
- next if($keyrecs{$kn}{'keyrec_type'} ne $krt);
#
- # Push the key's path onto the path list.
+ # Maybe follow another level of indirection for kskrev sets.
#
- push @paths, $keyrecs{$kn}{'keypath'};
+ if ($krt eq "kskrev" && $keyrecs{$kn}{'set_type'} eq $krt) {
+ my $sset = $kn;
+
+ #
+ # Get and verify the key list.
+ #
+ next if(!defined($keyrecs{$sset}{'keys'}));
+ my $keylist = $keyrecs{$sset}{'keys'};
+
+ #
+ # Get the key's paths and add 'em to the path array.
+ #
+ foreach my $kn (split /[\s,]/, $keylist)
+ {
+ #
+ # Verify that this key exists and is the right
type.
+ #
+ next if(!defined($keyrecs{$kn}));
+ next if($keyrecs{$kn}{'keyrec_type'} ne $krt);
+
+ #
+ # Push the key's path onto the path list.
+ #
+ push @paths, $keyrecs{$kn}{'keypath'};
+ }
+ }
+ else {
+ #
+ # Verify that this key is the right type.
+ #
+ next if($keyrecs{$kn}{'keyrec_type'} ne $krt);
+
+ #
+ # Push the key's path onto the path list.
+ #
+ push @paths, $keyrecs{$kn}{'keypath'};
+ }
}
#
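Review bot: the new condition `if ($krt eq "kskrev" && $keyrecs{$kn}{'set_type'} eq $krt)` compares `set_type` without first checking that the field exists, so for any keyrec in the list that has no `set_type` the `eq` will emit an "uninitialized value" warning under `use warnings` before falling through to the else branch; guard it with `defined($keyrecs{$kn}{'set_type'})`. The inner `foreach` then repeats the `keyrec_type` check and the `push @paths` of the else branch verbatim and shadows the outer `$kn` and `$keylist` with new `my` declarations, while `my $sset = $kn;` is only an alias; a small helper that takes a key list and pushes the matching paths, called once for the outer list and once for the nested set, would remove the duplication and the alias. Note also that `next if(!defined($keyrecs{$sset}{'keys'}));` sits inside the nested `if`, so it skips the outer loop's current entry; that is the intended behaviour for a kskrev set with no `keys`, but a comment saying so would help the next reader.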