Package: opendnssec-enforcer-sqlite3
Version: 2.1.3-2
After installing OpenDNSSEC 2.1.3-2 on a Debian buster platform,
everything seemed okay. As usual I had to wait a while before the
first KSK was ready for export, but now that I can, the keytag (id) and
key length (size) are missing. For example:
root@srv2:~# ods-enforcer key export --all
example.com. 3600 IN DNSKEY 257 3 8
AwEAAcWWn5q1FhzYIciIShkeRYHyuXKKmv4WYgvnBF+8akp3I+2Z2s8SXVVR4bFf6lVZmA6ShLc2oRFO6DscFULtnaAzMTBOFZfe+iJ+0Y3fxuqWy5tkS3/PDv4aI3ynvvH6n2rMvAARnE7aKwtF3Tz60FnLFG23EEeFDTvS0IjjhYOZ9A9jAciUGrhlGuoOMteJBrjsHHS/TkWqdwag7QbnSuKt48gxfG8OyJV2YkVj3wlU7XHHLWl+J9tdrDYRMi4CJug7T2AnN9c3zmZ60DJuXhmAD39t4zMiEqiyQRBBQMj5jQzG/2+3IxQ9121N2wSYJz4+vZ0IMrLtiIQGfA6/z3E=
root@srv2:~#
I was expecting the above output string to end with something like "
;{id = 1234 (ksk), size = 2048b}", but since this information is
missing what I have to pass on to my registrar is incomplete and
unusable.
When I run the above command, nothing shows up in the syslog by
default, and if I jack the verbosity level up to 5 in conf.xml only
informational stuff shows up:
May 19 12:47:58 srv2 ods-enforcerd: [cmdhandler] accept client 9
May 19 12:47:58 srv2 ods-enforcerd: received command key export --zone
example.com --keystate ready --keytype ksk
May 19 12:47:58 srv2 ods-enforcerd: [cmdhandler] key export command
May 19 12:47:58 srv2 ods-enforcerd: [keystate_export_cmd] key export command
May 19 12:47:58 srv2 ods-enforcerd: SELECT zone.id, zone.rev,
zone.policyId, zone.name, zone.signconfNeedsWriting,
zone.signconfPath, zone.nextChange, zone.ttlEndDs, zone.ttlEndDk,
zone.ttlEndRs, zone.rollKskNow, zone.rollZskNow, zone.rollCskNow,
zone.inputAdapterType, zone.inputAdapterUri, zone.outputAdapterType,
zone.outputAdapterUri, zone.nextKskRoll, zone.nextZskRoll,
zone.nextCskRoll FROM zone WHERE zone.name = ?
May 19 12:47:58 srv2 ods-enforcerd: SELECT zone.id, zone.rev,
zone.policyId, zone.name, zone.signconfNeedsWriting,
zone.signconfPath, zone.nextChange, zone.ttlEndDs, zone.ttlEndDk,
zone.ttlEndRs, zone.rollKskNow, zone.rollZskNow, zone.rollCskNow,
zone.inputAdapterType, zone.inputAdapterUri, zone.outputAdapterType,
zone.outputAdapterUri, zone.nextKskRoll, zone.nextZskRoll,
zone.nextCskRoll FROM zone WHERE zone.name = ?
May 19 12:47:58 srv2 ods-enforcerd: SELECT keyData.id, keyData.rev,
keyData.zoneId, keyData.hsmKeyId, keyData.algorithm,
keyData.inception, keyData.role, keyData.introducing,
keyData.shouldRevoke, keyData.standby, keyData.activeZsk,
keyData.publish, keyData.activeKsk, keyData.dsAtParent,
keyData.keytag, keyData.minimize FROM keyData WHERE keyData.zoneId = ?
May 19 12:47:58 srv2 ods-enforcerd: SELECT keyState.id, keyState.rev,
keyState.keyDataId, keyState.type, keyState.state,
keyState.lastChange, keyState.minimize, keyState.ttl FROM keyState
WHERE keyState.keyDataId = ?
May 19 12:47:58 srv2 ods-enforcerd: SELECT hsmKey.id, hsmKey.rev,
hsmKey.policyId, hsmKey.locator, hsmKey.state, hsmKey.bits,
hsmKey.algorithm, hsmKey.role, hsmKey.inception, hsmKey.isRevoked,
hsmKey.keyType, hsmKey.repository, hsmKey.backup FROM hsmKey WHERE
hsmKey.id = ?
May 19 12:47:58 srv2 ods-enforcerd: SELECT keyState.id, keyState.rev,
keyState.keyDataId, keyState.type, keyState.state,
keyState.lastChange, keyState.minimize, keyState.ttl FROM keyState
WHERE keyState.keyDataId = ?
May 19 12:47:58 srv2 ods-enforcerd: [cmdhandler] done handling command
key export --zone example.com --keystate ready --keytype ksk
So, unless there's some new undocumented option that must be added to
the above command in order to display the keytag, this looks like a
critical bug.
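
Both values missing from the export can be derived from the DNSKEY record itself: the key tag per RFC 4034 Appendix B, and the size from the RSA modulus laid out per RFC 3110. The Python below is an added example, not part of the original report and not OpenDNSSEC code; the sample record is constructed (toy 32-bit modulus) and the function names are illustrative.

```python
import base64
import struct

RSA_ALGORITHMS = {5, 7, 8, 10}  # algorithm numbers using the RFC 3110 RSA key layout

# Constructed sample (toy 32-bit modulus), not a real key.
SAMPLE = "example.com. 3600 IN DNSKEY 257 3 8 AQPF lp+a"


def parse_dnskey(record):
    """Split a presentation-format DNSKEY RR into flags, protocol, algorithm, key bytes."""
    fields = record.split(";")[0].split()      # drop any trailing comment
    i = fields.index("DNSKEY")                 # ValueError if this is not a DNSKEY RR
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    # The base64 key may be broken across whitespace or lines; rejoin it first.
    return flags, protocol, algorithm, base64.b64decode("".join(fields[i + 4:]))


def key_tag(flags, protocol, algorithm, key):
    """Key tag over the wire-format RDATA, RFC 4034 Appendix B (not algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def rsa_modulus_bits(key):
    """Bit length of the modulus in an RFC 3110 RSA public key."""
    exp_len, offset = key[0], 1
    if exp_len == 0:                           # long form: 2-byte exponent length
        exp_len, offset = struct.unpack("!H", key[1:3])[0], 3
    return int.from_bytes(key[offset + exp_len:], "big").bit_length()


def export_comment(record):
    """Build the ';{id = ..., size = ...}' trailer for one DNSKEY record."""
    flags, protocol, algorithm, key = parse_dnskey(record)
    role = "ksk" if flags & 0x0001 else "zsk"  # SEP bit set means KSK
    tag = key_tag(flags, protocol, algorithm, key)
    if algorithm not in RSA_ALGORITHMS:
        return ";{id = %d (%s)}" % (tag, role)
    return ";{id = %d (%s), size = %db}" % (tag, role, rsa_modulus_bits(key))


if __name__ == "__main__":
    print(SAMPLE, export_comment(SAMPLE))
```

Pass the full record printed by `ods-enforcer key export` (owner name through the base64 key) as the `record` argument; line breaks inside the record are tolerated.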