Skip Menu |
 

This queue is for tickets about the Net-DNS-SEC CPAN distribution.

Report information
The Basics
Id: 79606
Status: resolved
Worked: 30 min
Priority: 0/
Queue: Net-DNS-SEC

People
Owner: Nobody in particular
Requestors: tlhackque [...] yahoo.com
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: (no value)
Fixed in: (no value)



Subject: DNSKEY privatekeyname broken for non-lowercase key names
Download (untitled) / with headers
text/plain 1.9k
Consider axfr returns a DNSKEY RR such as 4.3.2.1.IN-ADDR.ARPA.600 DNSKEY ... Calling $rr->privatekeyname will produce something like; K4.3.2.1.IN- ADDR.ARPA+007+47553.private Unfortunately, dnssec-keygen and bind expect IN-ADDR.ARPA to be in lower case. One can "fix" this with something like the following - which is expensive: $rr = Net::DNS::RR::->new( name => lc $rr->name, ttl => $rr->ttl, class => $rr->class, type => 'DNSKEY', flags => $rr->flags, protocol => $rr->protocol, algorithm => $rr->algorithm, keybin => $rr->keybin, keytag => $rr->keytag, ); Note also that it would be useful to access all 5 of the key timing attributes from the RR instead of activating dnssec-settime -p all -u. (Create, Activate, Publish, Revoke, Retire and Delete). Better if they can be set too. Rather than read the file, I do this - but it's expensive: my $DNSTIME = '/usr/sbin/dnssec-settime'; sub getKeyAttributes($$$) { my( $view, $rr, $fmt ) = @_; # Copy the RR to downcase the name so that the keyfile can be found # Grrrh. $rr = Net::DNS::RR::->new( name => lc $rr->name, ttl => $rr->ttl, class => $rr->class, type => 'DNSKEY', flags => $rr->flags, protocol => $rr->protocol, algorithm => $rr->algorithm, keybin => $rr->keybin, keytag => $rr->keytag, ); my %kt; my $fn = $rr->privatekeyname; $fn =~ /^(.*)$/; $fn = $1; open( KT, '-|', "$DNSTIME -p all -u -K $bindDir/$view-keys $fn Show quoted text
2>&1" ) or die( "Can't run $DNSTIME: $!\n" );
while( <KT> ) { if( /^dnssec-settime:/ ) { die( "Failed to read key data: $_" ); } next unless( /^\s*(\S+):\s*(\d+|UNSET)\s*$/ ); $kt{$1} = $2; $kt{"d-$1"} = ($2 eq 'UNSET'? $2 : POSIX::strftime( $fmt, localtime( $2 ) ) ); } close KT; return \%kt; }
On Wed 12 Sep 2012 21:36:38, tlhackque wrote: Show quoted text
> Consider axfr returns a DNSKEY RR such as > 4.3.2.1.IN-ADDR.ARPA.600 DNSKEY ... > > Calling $rr->privatekeyname will produce something like; K4.3.2.1.IN- > ADDR.ARPA+007+47553.private > > Unfortunately, dnssec-keygen and bind expect IN-ADDR.ARPA to be in > lower case. > > One can "fix" this with something like the following - which is > expensive: > > $rr = Net::DNS::RR::->new( > name => lc $rr->name, > ttl => $rr->ttl, > class => $rr->class, > type => 'DNSKEY', > flags => $rr->flags, > protocol => $rr->protocol, > algorithm => $rr->algorithm, > keybin => $rr->keybin, > keytag => $rr->keytag, > );
Why not use lc $rr->privatekeyname ? Show quoted text
> Note also that it would be useful to access all 5 of the key timing > attributes from the RR instead of activating dnssec-settime -p all -u.
Those attributes are not part of the RR, but belong to bind's provisioning system. Net::DNS::SEC should not try to mimic that. Sorry, but best regards, -- Willem
From: tlhackque [...] yahoo.com
Download (untitled) / with headers
text/plain 1.5k
On Fri Sep 14 09:32:47 2012, NLNETLABS wrote: Show quoted text
> Why not use lc $rr->privatekeyname ?
Because the filename for open starts with upper-case K. If you're going to return a file name, it should be openable by the user. And any adjustments to input or output belong in Net::DNS (one place), not all over user code where it's hard to find and fix. Note that the case of returned names can be randomized by DNS servers in an attempt to make cache poisoning harder. Also, some administrators use mixed - or even all upper case for reasons of their own. (Like model 33 Teletypes :-( Please reconsider. It's a trivial fix for you (in one place) vs. a lot of work across all the users. just in DNSKEY::privatekeyname insert the lc in front of $self->name. Show quoted text
>
> > Note also that it would be useful to access all 5 of the key timing > > attributes from the RR instead of activating dnssec-settime -p all -
u. Show quoted text
> > Those attributes are not part of the RR, but belong to bind's > provisioning system. Net::DNS::SEC should not try to mimic that. > > Sorry, but best regards, >
I note that in Trunk's DNS::SEC::Private, you already access Created, Publish and Activate. You're just missing Revoke, Inactive and Delete . Yes, that file is labeled for SIG, but it is generally useful for those of us who need to deal with DNSSEC keys. And the data is generic; any other software can adopt those fields - and probably will if they're easy to get. So again, please reconsider... you seem to already be on this path. Both seem generally useful and don't require much effort. Thanks.
Subject: Re: [rt.cpan.org #79606] DNSKEY privatekeyname broken for non-lowercase key names
Date: Fri, 14 Sep 2012 16:40:28 +0200
To: bug-Net-DNS-SEC [...] rt.cpan.org
From: Willem Toorop <willem [...] nlnetlabs.nl>
Download (untitled) / with headers
text/plain 811b
Op 14-09-12 16:11, via RT schreef: Show quoted text
> Queue: Net-DNS-SEC > Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=79606 > > > On Fri Sep 14 09:32:47 2012, NLNETLABS wrote:
>> Why not use lc $rr->privatekeyname ?
> > Because the filename for open starts with upper-case K. > > just in DNSKEY::privatekeyname insert the lc in front of $self->name.
Ah... I will of course. Thanks for makeing this clear for me. Show quoted text
> I note that in Trunk's DNS::SEC::Private, you already access Created, > Publish and Activate. You're just missing Revoke, Inactive and > Delete . > > So again, please reconsider... you seem to already be on this path.
Indeed, it is not much trouble to add those to Private.pm and I will. I wrongly understood you wanted to have those in DNSKEY.pm. Show quoted text
> Thanks.
Welcome, -- Willem
Changes applied


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

Please report any issues with rt.cpan.org to rt-cpan-admin@bestpractical.com.