On Sun, May 19, 2019 at 11:17:55AM +0000, Jaap Winius wrote:
> 
> Package: opendnssec-enforcer-sqlite3
> Version: 2.1.3-2
> 
> After installing OpenDNSSEC 2.1.3-2 on a Debian buster platform, everything
> seemed okay. As usual I had to wait a while before the first KSK was ready
> for export, but now that I can, the keytag (id) and key length (size) are
> missing. For example:
> 
> root@srv2:~# ods-enforcer key export --all
> example.com.  3600    IN      DNSKEY  257 3 8 
> AwEAAcWWn5q1FhzYIciIShkeRYHyuXKKmv4WYgvnBF+8akp3I+2Z2s8SXVVR4bFf6lVZmA6ShLc2oRFO6DscFULtnaAzMTBOFZfe+iJ+0Y3fxuqWy5tkS3/PDv4aI3ynvvH6n2rMvAARnE7aKwtF3Tz60FnLFG23EEeFDTvS0IjjhYOZ9A9jAciUGrhlGuoOMteJBrjsHHS/TkWqdwag7QbnSuKt48gxfG8OyJV2YkVj3wlU7XHHLWl+J9tdrDYRMi4CJug7T2AnN9c3zmZ60DJuXhmAD39t4zMiEqiyQRBBQMj5jQzG/2+3IxQ9121N2wSYJz4+vZ0IMrLtiIQGfA6/z3E=
> root@srv2:~#
> 
> I was expecting the above output string to end with something like " ;{id =
> 1234 (ksk), size = 2048b}", but since this information is missing what I
> have to pass on to my registrar is incomplete and unusable.
> 
> [...]
> 
> So, unless there's some new undocumented option that must be added to the
> above command in order to display the keytag, this looks like a critical
> bug.

Indeed the "ods-enforcer key export" command doesn't output the comment
field with key ID any more. I don't know of any flag that would give you
the key ID along with this line.

This behaviour was introduced with recent versions of OpenDNSSEC and it
is not due to how the Debian package is produced. I would suggest that
you report it upstream.

Note that you can use the <DelegationSignerSubmitCommand> and
<DelegationSignerRetractCommand> configuration options to respectively
publish and retract DS records. These options are the paths to scripts
that are called whenever a DS record needs updating. The scripts get all
required information as arguments and can be used to automatically
update the records of your parent zone (if they have an API) or to email
the key to yourself and update the records manually.

If you need an immediate solution:
- "ods-enforcer key list -v" does list the IDs of all keys.
- "ods-enforcer key export --ds" does list the key ID of the DS record.
- grep your key from your signed zone, the comment field is there.

I agree that having to match the outputs of multiple commands is quite
impractical, the previous output was convenient.

Cheers,

-- 
Mathieu Mirmont <m...@parad0x.org>
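A way to recover the missing id and size from the exported DNSKEY record itself, as an added example that is not part of this thread or of OpenDNSSEC: the key tag is computed from the wire-format RDATA as in RFC 4034 Appendix B, and for the RSA algorithms the key length is the modulus size in the RFC 3110 public key encoding. Assumes Python 3 only; the sample record is the one from the report above, joined onto a single line.

```python
import base64
import struct

# DNSKEY RR from the report above (the exported KSK), joined onto one line.
REPORTED_DNSKEY = (
    "example.com. 3600 IN DNSKEY 257 3 8 "
    "AwEAAcWWn5q1FhzYIciIShkeRYHyuXKKmv4WYgvnBF+8akp3I+2Z2s8SXVVR4bFf6lVZmA6ShLc2oRFO6Dsc"
    "FULtnaAzMTBOFZfe+iJ+0Y3fxuqWy5tkS3/PDv4aI3ynvvH6n2rMvAARnE7aKwtF3Tz60FnLFG23EEeFDTvS"
    "0IjjhYOZ9A9jAciUGrhlGuoOMteJBrjsHHS/TkWqdwag7QbnSuKt48gxfG8OyJV2YkVj3wlU7XHHLWl+J9td"
    "rDYRMi4CJug7T2AnN9c3zmZ60DJuXhmAD39t4zMiEqiyQRBBQMj5jQzG/2+3IxQ9121N2wSYJz4+vZ0IMrLt"
    "iIQGfA6/z3E="
)

RSA_ALGS = {5, 7, 8, 10}  # RSASHA1, RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512

def parse_dnskey(rr_text):
    """Split a presentation-format DNSKEY RR; the base64 key may span several tokens."""
    fields = rr_text.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], flags, proto, alg, pubkey

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B.1: 16-bit ones-complement-style sum over the RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def rsa_modulus_bits(pubkey):
    """RFC 3110: exponent length (1 byte, or 0 + 2 bytes), exponent, then modulus."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()

def describe(rr_text):
    """Return the id/role/size comment fields that 'key export' no longer prints."""
    name, flags, proto, alg, pubkey = parse_dnskey(rr_text)
    role = "ksk" if flags & 0x0001 else "zsk"  # SEP bit marks the KSK
    size = rsa_modulus_bits(pubkey) if alg in RSA_ALGS else None
    return {"name": name, "id": key_tag(flags, proto, alg, pubkey), "role": role, "size": size}

if __name__ == "__main__":
    info = describe(REPORTED_DNSKEY)
    print(f"{REPORTED_DNSKEY} ;{{id = {info['id']} ({info['role']}), size = {info['size']}b}}")
```

The same parser works on the DNSKEY lines grepped from the signed zone file, so the id printed here can be cross-checked against the "key list -v" output before handing anything to the registrar.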