Bug 230667 - -d option to dnssec-signzone does not work
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: bind
All Linux
medium Severity medium
Assigned To: Adam Tkac
: FutureFeature
Reported: 2007-03-01 19:06 EST by Sander Steffann
Modified: 2013-04-30 19:35 EDT
Fixed In Version: RHBA-2007-0744
Doc Type: Enhancement
Last Closed: 2007-11-07 12:27:58 EST
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0744 normal SHIPPED_LIVE bind bug fix update 2007-10-30 19:00:26 EDT

Description Sander Steffann 2007-03-01 19:06:09 EST
Description of problem:
The -d option (specify different key directory) of dnssec-signzone does not
work. Using strace I see dnssec-signzone trying to open the keys in the current
directory, with and without the -d option.

Version-Release number of selected component (if applicable):
bind-9.3.3-5.el5 (although the software reports 9.3.3rc2)

How reproducible:
- Create a DNS zone file (example.com)
- Create a zone signing key:
  dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
- Create a key signing key:
  dnssec-keygen -f KSK -a RSASHA1 -b 1280 -n ZONE example.com
- Add the contents of the generated .key files to the zone file
- Move the key files (both .key and .private) to another directory
- Sign the zone:
  dnssec-signzone -d /other/dir/ example.com

Actual results:
This will fail with the error: "dnssec-signzone: warning: No keys specified or
found". Placing the .key and .private files in the same directory as the zone
file makes it work (with and without the -d option)

Expected results:
It should use the specified directory instead of the current directory.
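
The "No keys specified or found" warning means no private keys matching the zone's DNSKEY records were found in the directory that was searched. The following pre-flight check is an added example, not part of the original report or of BIND: it derives the expected K<name>+<alg>+<tag> file names from the DNSKEY records (key tag per RFC 4034 Appendix B) and lists which .key/.private files are absent from a given directory. The sample zone, the placeholder key bytes and the helper names are constructed for illustration.

```python
import base64
import os
import re
import struct

# Constructed sample zone; the 4-byte "keys" are placeholders, not real RSA keys.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 3600 600 86400 3600
example.com. IN DNSKEY 256 3 5 AQIDBA==  ; ZSK (constructed)
example.com. IN DNSKEY 257 3 5 AQIDBA==  ; KSK (constructed)
"""

# Assumes one DNSKEY per line with a fully qualified owner, as in a .key file.
DNSKEY_RE = re.compile(
    r"^(\S+\.)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$",
    re.IGNORECASE,
)


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, not algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def expected_key_files(zone_text):
    """Base names K<owner>+<alg>+<tag> for every DNSKEY record in the zone."""
    names = []
    for line in zone_text.splitlines():
        m = DNSKEY_RE.match(line.split(";", 1)[0].strip())
        if m:
            owner, flags, proto, alg, key = m.groups()
            tag = key_tag(int(flags), int(proto), int(alg), "".join(key.split()))
            names.append("K%s+%03d+%05d" % (owner.lower(), int(alg), tag))
    return names


def missing_key_files(zone_text, key_dir):
    """Return the .key/.private file names that are not present in key_dir."""
    wanted = [base + ext for base in expected_key_files(zone_text)
              for ext in (".key", ".private")]
    return [f for f in wanted if not os.path.isfile(os.path.join(key_dir, f))]


if __name__ == "__main__":
    # Check the current directory, where the reported build looked for keys.
    print(missing_key_files(SAMPLE_ZONE, os.getcwd()))
```

Running the check against both the zone's directory and the intended key directory shows where the files actually are before signing is attempted.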
Comment 1 Adam Tkac 2007-04-11 09:57:58 EDT
dnssec-signzone now really ignores the -d option. Could you please test the proposed fix
and tell me your impressions?

Regards, -A-
Comment 2 Sander Steffann 2007-04-11 10:05:34 EDT
I'm downloading the source RPM now, and I'll test it as soon as possible. I will
be out of the office tomorrow, but I hope to have it tested by Friday.
Comment 3 Sander Steffann 2007-04-11 11:38:49 EDT
Fix confirmed. Works like a charm :)

Comment 4 Adam Tkac 2007-04-11 11:41:36 EDT
(In reply to comment #3)
Yeah, thanks for your very fast response. The fix could be available in RHEL5 U1

Comment 6 RHEL Product and Program Management 2007-04-25 16:56:32 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 9 Adam Tkac 2007-05-07 10:49:49 EDT
Upstream denied the proposed patch because it breaks regression. The -d option is now
used for keyset files for child zones, not for signing keys. It's absolutely
necessary to create a new option. I've called it -D and the proposed update is now
available (http://people.redhat.com/atkac/test_srpms/bind-9.3.3-8.2.el5.src.rpm)

Regards, Adam
Comment 13 Sander Steffann 2007-05-29 10:40:56 EDT
Sorry for the late reply. I will look at this new version soon. I just read up
on the -d option in bind, and it is very useful the way it is now, so good
decision to add a new -D option :-)
Comment 14 Sander Steffann 2007-05-29 10:59:18 EDT
Can you make the RPM available again? The current link does not work anymore.
Comment 15 Adam Tkac 2007-05-29 12:12:01 EDT
(In reply to comment #14)
Yeah. You could visit http://people.redhat.com/atkac/test_srpms/ and download
the rhel5 version. I always do a cleanup after the reporter verifies the fix :)

Regards, -A-

Comment 19 errata-xmlrpc 2007-11-07 12:27:58 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

