Skip Menu |

This queue is for tickets about the Net-DNS-SEC CPAN distribution.

Report information
The Basics
Id: 79606
Status: resolved
Worked: 30 min
Priority: 0/
Queue: Net-DNS-SEC
People
Owner: Nobody in particular
Requestors: tlhackque [...] yahoo.com
Cc:
AdminCc:
Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)

History Show all quoted text
  Wed Sep 12 21:36:38 2012 tlhackque [...] yahoo.com - Ticket created
Subject: DNSKEY privatekeyname broken for non-lowercase key names
Consider axfr returns a DNSKEY RR such as 4.3.2.1.IN-ADDR.ARPA.600 DNSKEY ... Calling $rr->privatekeyname will produce something like; K4.3.2.1.IN- ADDR.ARPA+007+47553.private Unfortunately, dnssec-keygen and bind expect IN-ADDR.ARPA to be in lower case. One can "fix" this with something like the following - which is expensive: $rr = Net::DNS::RR::->new( name => lc $rr->name, ttl => $rr->ttl, class => $rr->class, type => 'DNSKEY', flags => $rr->flags, protocol => $rr->protocol, algorithm => $rr->algorithm, keybin => $rr->keybin, keytag => $rr->keytag, ); Note also that it would be useful to access all 5 of the key timing attributes from the RR instead of activating dnssec-settime -p all -u. (Create, Activate, Publish, Revoke, Retire and Delete). Better if they can be set too. Rather than read the file, I do this - but it's expensive: my $DNSTIME = '/usr/sbin/dnssec-settime'; sub getKeyAttributes($$$) { my( $view, $rr, $fmt ) = @_; # Copy the RR to downcase the name so that the keyfile can be found # Grrrh. $rr = Net::DNS::RR::->new( name => lc $rr->name, ttl => $rr->ttl, class => $rr->class, type => 'DNSKEY', flags => $rr->flags, protocol => $rr->protocol, algorithm => $rr->algorithm, keybin => $rr->keybin, keytag => $rr->keytag, ); my %kt; my $fn = $rr->privatekeyname; $fn =~ /^(.*)$/; $fn = $1; open( KT, '-|', "$DNSTIME -p all -u -K $bindDir/$view-keys $fn Show quoted text
2>&1" ) or die( "Can't run $DNSTIME: $!\n" );
while( <KT> ) { if( /^dnssec-settime:/ ) { die( "Failed to read key data: $_" ); } next unless( /^\s*(\S+):\s*(\d+|UNSET)\s*$/ ); $kt{$1} = $2; $kt{"d-$1"} = ($2 eq 'UNSET'? $2 : POSIX::strftime( $fmt, localtime( $2 ) ) ); } close KT; return \%kt; }
  Fri Sep 14 09:17:53 2012 NLNETLABS [...] cpan.org - Queue changed from Net-DNS to Net-DNS-SEC
  Fri Sep 14 09:32:47 2012 NLNETLABS [...] cpan.org - Correspondence added 30 min
On Wed 12 Sep 2012 21:36:38, tlhackque wrote: Show quoted text
> Consider axfr returns a DNSKEY RR such as > 4.3.2.1.IN-ADDR.ARPA.600 DNSKEY ... > > Calling $rr->privatekeyname will produce something like; K4.3.2.1.IN- > ADDR.ARPA+007+47553.private > > Unfortunately, dnssec-keygen and bind expect IN-ADDR.ARPA to be in > lower case. > > One can "fix" this with something like the following - which is > expensive: > > $rr = Net::DNS::RR::->new( > name => lc $rr->name, > ttl => $rr->ttl, > class => $rr->class, > type => 'DNSKEY', > flags => $rr->flags, > protocol => $rr->protocol, > algorithm => $rr->algorithm, > keybin => $rr->keybin, > keytag => $rr->keytag, > );
Why not use lc $rr->privatekeyname ? Show quoted text
> Note also that it would be useful to access all 5 of the key timing > attributes from the RR instead of activating dnssec-settime -p all -u.
Those attributes are not part of the RR, but belong to bind's provisioning system. Net::DNS::SEC should not try to mimic that. Sorry, but best regards, -- Willem
  Fri Sep 14 09:32:48 2012 The RT System itself - Status changed from 'new' to 'open'
  Fri Sep 14 09:32:48 2012 NLNETLABS [...] cpan.org - Status changed from 'open' to 'rejected'
  Fri Sep 14 10:11:38 2012 tlhackque [...] yahoo.com - Correspondence added
From: tlhackque [...] yahoo.com
On Fri Sep 14 09:32:47 2012, NLNETLABS wrote: Show quoted text
> Why not use lc $rr->privatekeyname ?
Because the filename for open starts with upper-case K. If you're going to return a file name, it should be openable by the user. And any adjustments to input or output belong in Net::DNS (one place), not all over user code where it's hard to find and fix. Note that the case of returned names can be randomized by DNS servers in an attempt to make cache poisoning harder. Also, some administrators use mixed - or even all upper case for reasons of their own. (Like model 33 Teletypes :-( Please reconsider. It's a trivial fix for you (in one place) vs. a lot of work across all the users. just in DNSKEY::privatekeyname insert the lc in front of $self->name. Show quoted text
>
> > Note also that it would be useful to access all 5 of the key timing > > attributes from the RR instead of activating dnssec-settime -p all -
u. Show quoted text
> > Those attributes are not part of the RR, but belong to bind's > provisioning system. Net::DNS::SEC should not try to mimic that. > > Sorry, but best regards, >
I note that in Trunk's DNS::SEC::Private, you already access Created, Publish and Activate. You're just missing Revoke, Inactive and Delete . Yes, that file is labeled for SIG, but it is generally useful for those of us who need to deal with DNSSEC keys. And the data is generic; any other software can adopt those fields - and probably will if they're easy to get. So again, please reconsider... you seem to already be on this path. Both seem generally useful and don't require much effort. Thanks.
  Fri Sep 14 10:11:39 2012 The RT System itself - Status changed from 'rejected' to 'open'
  Fri Sep 14 10:40:42 2012 willem [...] nlnetlabs.nl - Correspondence added
Subject: Re: [rt.cpan.org #79606] DNSKEY privatekeyname broken for non-lowercase key names
Date: Fri, 14 Sep 2012 16:40:28 +0200
To: bug-Net-DNS-SEC [...] rt.cpan.org
From: Willem Toorop <willem [...] nlnetlabs.nl>
Op 14-09-12 16:11, via RT schreef: Show quoted text
> Queue: Net-DNS-SEC > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=79606 > > > On Fri Sep 14 09:32:47 2012, NLNETLABS wrote:
>> Why not use lc $rr->privatekeyname ?
> > Because the filename for open starts with upper-case K. > > just in DNSKEY::privatekeyname insert the lc in front of $self->name.
Ah... I will of course. Thanks for makeing this clear for me. Show quoted text
> I note that in Trunk's DNS::SEC::Private, you already access Created, > Publish and Activate. You're just missing Revoke, Inactive and > Delete . > > So again, please reconsider... you seem to already be on this path.
Indeed, it is not much trouble to add those to Private.pm and I will. I wrongly understood you wanted to have those in DNSKEY.pm. Show quoted text
> Thanks.
Welcome, -- Willem
  Thu Nov 21 10:23:10 2013 NLNETLABS [...] cpan.org - Correspondence added
Changes applied
  Thu Nov 21 10:23:11 2013 NLNETLABS [...] cpan.org - Status changed from 'open' to 'resolved'