From: Andrew Gallagher <andr...@andrewg.com>
To: Debian Bug Tracking System <sub...@bugs.debian.org>
Subject: dnssec-tools: rollerd does not reload zone after autosigning
Bcc: Andrew Gallagher <andr...@andrewg.com>

Package: dnssec-tools
Version: 1.13-1
Severity: normal

Dear Maintainer,

With autosign=1, rollerd re-signs zone files but forgets to subsequently
reload the zone with rndc, even if roll_loadzone=1.

To reproduce:

configure autosign=1; roll_loadzone=1
edit a zonefile
wait

Expected behaviour:

Either roll_loadzone should enable zone reloads for both autosigning and
key rolling, or there should be a separate method to reload a zone after
autosigning. Autosigning is pretty useless without this feature.

Andrew Gallagher

-- System Information:
Debian Release: 7.7
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.14.5-x86-linode61 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dnssec-tools depends on:
ii  bind9utils           1:9.8.4.dfsg.P1-6+nmu2+deb7u2
ii  libmailtools-perl    2.09-1
ii  libnet-dns-perl      0.66-2+b2
ii  libnet-dns-sec-perl  0.16-2
ii  libtimedate-perl     1.2000-1
ii  perl                 5.14.2-21+deb7u2

Versions of packages dnssec-tools recommends:
ii  bind9  1:9.8.4.dfsg.P1-6+nmu2+deb7u2

dnssec-tools suggests no packages.

-- Configuration Files:
/etc/dnssec-tools/dnssec-tools.conf changed:
admin-email     andr...@andrewg.com
keyarch         /usr/sbin/keyarch
rollchk         /usr/sbin/rollchk
zonesigner      /usr/sbin/zonesigner
keygen          /usr/sbin/dnssec-keygen
rndc            /usr/sbin/rndc
zonecheck       /usr/sbin/named-checkzone
zonesign        /usr/sbin/dnssec-signzone
algorithm       rsasha256
ksklength       2048
zsklength       1024
random          /dev/urandom
usensec3        yes
nsec3iter       100
nsec3salt       random:64
nsec3optout     no
endtime         +2592000        # RRSIGs good for thirty days.
lifespan-max    94608000
lifespan-min    3600
ksklife         31536000
zsklife         604800
archivedir      /var/lib/dnssec-tools/archive
entropy_msg     1
savekeys        1
kskcount        1
zskcount        1
roll_loadzone   1
roll_logfile    /var/log/dnssec-tools/rollerd.log
roll_loglevel   phase
roll_phasemsg   long
roll_sleeptime  3600
zone_errors     5
autosign        1
log_tz          gmt
tacontact
tasmtpserver    localhost
taresolvconf    localhost
tatmpdir        /var/run/dnssec-tools/trustman
usegui          0

/etc/dnssec-tools/dnssec-tools.rollrec changed:
roll "web"
    zonename        "web"
    zonefile        "db.web.signed"
    keyrec          "web.krf"
    directory       "/etc/bind"
    administrator   "root@localhost"
    kskphase        "0"
    zskphase        "0"
    ksk_rolldate    "Sun Dec 7 02:10:42 2014"
    ksk_rollsecs    "1417918242"
    zsk_rolldate    "Sun Dec 7 02:10:42 2014"
    zsk_rollsecs    "1417918242"
    maxttl          "0"
    display         "1"
    phasestart      "new"
    # optional records for RFC5011 rolling:
    istrustanchor   "no"
    holddowntime    "60D"

roll "test.web"
    zonename        "test.web"
    zonefile        "db.test.web.signed"
    keyrec          "test.web.krf"
    directory       "/etc/bind"
    administrator   "root@localhost"
    kskphase        "0"
    zskphase        "0"
    ksk_rolldate    "Sun Dec 7 02:10:42 2014"
    ksk_rollsecs    "1417918242"
    zsk_rolldate    "Sun Dec 7 02:10:42 2014"
    zsk_rollsecs    "1417918242"
    maxttl          "0"
    display         "1"
    phasestart      "new"
    # optional records for RFC5011 rolling:
    istrustanchor   "no"
    holddowntime    "60D"

roll "andrewg.com"
    zonename        "andrewg.com"
    zonefile        "db.andrewg.signed"
    keyrec          "andrewg.com.krf"
    directory       "/etc/bind"
    administrator   "root@localhost"
    kskphase        "0"
    zskphase        "0"
    ksk_rolldate    "Sun Dec 7 02:10:42 2014"
    ksk_rollsecs    "1417918242"
    zsk_rolldate    "Sun Dec 7 02:10:42 2014"
    zsk_rollsecs    "1417918242"
    maxttl          "0"
    display         "1"
    phasestart      "new"
    # optional records for RFC5011 rolling:
    istrustanchor   "no"
    holddowntime    "60D"

roll "llagher.net"
    zonename        "llagher.net"
    zonefile        "db.llagher.signed"
    keyrec          "llagher.net.krf"
    directory       "/etc/bind"
    administrator   "root@localhost"
    kskphase        "0"
    zskphase        "0"
    ksk_rolldate    "Sun Dec 7 02:10:42 2014"
    ksk_rollsecs    "1417918242"
    zsk_rolldate    "Sun Dec 7 02:10:42 2014"
    zsk_rollsecs    "1417918242"
    maxttl          "0"
    display         "1"
    phasestart      "new"
    # optional records for RFC5011 rolling:
    istrustanchor   "no"
    holddowntime    "60D"

roll "stibium.net"
    zonename        "stibium.net"
    zonefile        "db.stibium.signed"
    keyrec          "stibium.net.krf"
    directory       "/etc/bind"
    administrator   "root@localhost"
    kskphase        "0"
    zskphase        "0"
    ksk_rolldate    "Sun Dec 7 02:10:42 2014"
    ksk_rollsecs    "1417918242"
    zsk_rolldate    "Sun Dec 7 02:10:42 2014"
    zsk_rollsecs    "1417918242"
    maxttl          "0"
    display         "1"
    phasestart      "new"
    # optional records for RFC5011 rolling:
    istrustanchor   "no"
    holddowntime    "60D"

roll "gatewaytheatre.org"
    zonename        "gatewaytheatre.org"
    zonefile        "db.gatewaytheatre.signed"
    keyrec          "gatewaytheatre.org.krf"
    directory       "/etc/bind"
    administrator   "root@localhost"
    kskphase        "0"
    zskphase        "0"
    ksk_rolldate    "Sun Dec 7 02:10:42 2014"
    ksk_rollsecs    "1417918242"
    zsk_rolldate    "Sun Dec 7 02:10:42 2014"
    zsk_rollsecs    "1417918242"
    maxttl          "0"
    display         "1"
    phasestart      "new"
    # optional records for RFC5011 rolling:
    istrustanchor   "no"
    holddowntime    "60D"

roll "hemispherepictures.com"
    zonename        "hemispherepictures.com"
    zonefile        "db.hemispherepictures.signed"
    keyrec          "hemispherepictures.com.krf"
    directory       "/etc/bind"
    administrator   "root@localhost"
    kskphase        "0"
    zskphase        "0"
    ksk_rolldate    "Sun Dec 7 02:10:42 2014"
    ksk_rollsecs    "1417918242"
    zsk_rolldate    "Sun Dec 7 02:10:42 2014"
    zsk_rollsecs    "1417918242"
    maxttl          "0"
    display         "1"
    phasestart      "new"
    # optional records for RFC5011 rolling:
    istrustanchor   "no"
    holddowntime    "60D"

roll "hemisphere-pictures.com"
    zonename        "hemisphere-pictures.com"
    zonefile        "db.hemisphere-pictures.signed"
    keyrec          "hemisphere-pictures.com.krf"
    directory       "/etc/bind"
    administrator   "root@localhost"
    kskphase        "0"
    zskphase        "0"
    ksk_rolldate    "Sun Dec 7 02:10:42 2014"
    ksk_rollsecs    "1417918242"
    zsk_rolldate    "Sun Dec 7 02:10:42 2014"
    zsk_rollsecs    "1417918242"
    maxttl          "0"
    display         "1"
    phasestart      "new"
    # optional records for RFC5011 rolling:
    istrustanchor   "no"
    holddowntime    "60D"

-- no debconf information