  1. Support
  2. SUPPORT-251

ods-enforcer crashes on seeing "key list --zone <zone> --verbose --keytag"

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.1.5
    • Fix Version/s: None
    • Component/s: Enforcer
    • Labels: None
    • Environment: NetBSD 9.0_BETA / amd64

      Description

      I am looking for a way to get the DS for a key in "waiting for ds-gone" state exported,
      so that I can initiate action to have the correct now-obsolete DS record removed
      from the DNS.  However, "key list --verbose --zone <zone>" only leaves me with cka_id and keytag to uniquely identify a given key.

      However, "key export" does apparently not accept either "--cka_id"
      or "--keytag" to identify the key to be exported.

      "key export" has a "--keystate <state>" option, but that leaves me with the
      unanswered question about how the different states are presented to the operator
      and how "key export" expects its input as a value to the "--keystate" option.

      So this turned me back to "key list" again.

      However, doing

      ods @ hugin: {37} ods-enforcer key list --zone 62.38.158.in-addr.arpa --verbose --keystate
      Keys:
      Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
      [Remote closed connection]
      ods @ hugin: {38} 
      

      leaves me with an error message and an ods-enforcer which has either crashed or exit()ed. This is quite serious in my judgement, and violates the most basic robustness principles, especially since the "--keystate" option is among the documented options for "key list".

      Also, the question about how to get at the "--keystate" values is left unanswered.

      Just for reference, when I omit the "--keystate" option, I get:

      ods @ hugin: {41} ods-enforcer key list --zone 62.38.158.in-addr.arpa --verbose
      Keys:
      Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
      62.38.158.in-addr.arpa          KSK      retire    waiting for ds-gone      2048  8          22ec65fc0843188321b5ce68da186317 SoftHSM     2966
      62.38.158.in-addr.arpa          ZSK      retire    ds-unsubmitted           1280  8          df0f2ec165e2e6a0338cd317412cd0a1 SoftHSM     3114
      62.38.158.in-addr.arpa          ZSK      active    ds-unsubmitted           1280  8          f19e5f007a7da953e6b0d9f816415447 SoftHSM     53118
      62.38.158.in-addr.arpa          KSK      active    ds-seen                  2048  8          465bba03e99cac2fb4a5bf9bb9331cc2 SoftHSM     34886
      ods @ hugin: {42} 
      

      which doesn't say anything about the values of "--keystate", and does not bring
      me closer to being able to identify the now-obsolete DS key in the DNS.

      "Help!"

      Håvard
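An added example, not part of the report and not OpenDNSSEC code: it parses the verbose key listing quoted above and uses the key tag of the KSK that is "waiting for ds-gone" to pick the matching DS record out of the parent's DS RRset. The row layout is assumed from the listing in the report; the DS RRset and its digests are constructed sample data, and the function names are hypothetical.

```python
import re

# One row of `ods-enforcer key list --verbose`, laid out as in the report.
# "Date of next transition" may contain spaces, so the row is anchored on
# the fixed-shape columns to its right (size, algorithm, CKA_ID, ...).
ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<keytype>KSK|ZSK|CSK)\s+(?P<state>\S+)\s+"
    r"(?P<transition>.+?)\s+(?P<size>\d+)\s+(?P<algorithm>\d+)\s+"
    r"(?P<cka_id>[0-9a-f]+)\s+(?P<repository>\S+)\s+(?P<keytag>\d+)\s*$"
)

# Listing copied from the report above.
KEY_LIST = """\
Keys:
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
62.38.158.in-addr.arpa          KSK      retire    waiting for ds-gone      2048  8          22ec65fc0843188321b5ce68da186317 SoftHSM     2966
62.38.158.in-addr.arpa          ZSK      retire    ds-unsubmitted           1280  8          df0f2ec165e2e6a0338cd317412cd0a1 SoftHSM     3114
62.38.158.in-addr.arpa          ZSK      active    ds-unsubmitted           1280  8          f19e5f007a7da953e6b0d9f816415447 SoftHSM     53118
62.38.158.in-addr.arpa          KSK      active    ds-seen                  2048  8          465bba03e99cac2fb4a5bf9bb9331cc2 SoftHSM     34886
"""

# Constructed DS RRset as the parent might publish it (placeholder digests).
DS_RRSET = """\
62.38.158.in-addr.arpa. 3600 IN DS 2966 8 2 PLACEHOLDERDIGEST1
62.38.158.in-addr.arpa. 3600 IN DS 34886 8 2 PLACEHOLDERDIGEST2
"""

def parse_key_list(text):
    """Return one dict per key row; header and other lines are skipped."""
    rows = (ROW.match(line.strip()) for line in text.splitlines())
    return [dict(m.groupdict(), keytag=int(m["keytag"])) for m in rows if m]

def obsolete_ds(key_list, ds_rrset, zone):
    """DS records whose key tag belongs to a KSK waiting for ds-gone."""
    tags = {k["keytag"] for k in parse_key_list(key_list)
            if k["zone"] == zone and k["keytype"] == "KSK"
            and k["transition"] == "waiting for ds-gone"}
    stale = []
    for line in ds_rrset.splitlines():
        fields = line.split()
        # Presentation format: owner [ttl] [class] DS keytag alg digesttype digest
        if "DS" in fields:
            rdata = fields[fields.index("DS") + 1:]
            if rdata and rdata[0].isdigit() and int(rdata[0]) in tags:
                stale.append(line)
    return stale
```

Key tags are not guaranteed to be unique, so a match should be confirmed against the DS digest before asking the parent to remove the record.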

       

        Attachments

          Activity

            People

            Assignee:
            berry Berry van Halderen
            Reporter:
            he Håvard Eidnes