Description of problem:
dnssec-signzone is now generating multi-line NSEC3 records. These records are not supported by the DNS::Zonefile::Fast.pm module and hence rollerd aborts.

Version-Release number of selected component (if applicable):
bind 9.9.2-8-P1, dnssec-tools-1.14-2, dnssec-tools-perlmods-1.14-2

How reproducible:
Consistent failure.
Created attachment 711147
My solution
My attached patch only supports the new multi-line NSEC3 so parsing of files with single line NSEC3s would now fail. I needed this in a hurry, my DNSSec implementation being snarfu'ed. A more generic solution is probably worth considering.
Created attachment 711239
2nd attempt at a solution.
Hopefully this patch will work for both single and multi-line NSEC3 records.
dnssec-tools-1.13-11.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/dnssec-tools-1.13-11.fc17
dnssec-tools-1.14-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/dnssec-tools-1.14-5.fc18
dnssec-tools-1.13-11.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/dnssec-tools-1.13-11.el6
Package dnssec-tools-1.13-11.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing dnssec-tools-1.13-11.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5497/dnssec-tools-1.13-11.el6
then log in and leave karma (feedback).
dnssec-tools-1.14-5.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
dnssec-tools-1.13-11.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Seems that I need a patch to my patch. One can get NSEC3 records with no TYPEs. --- Fast.pm.orig 2013-05-08 16:40:14.783668525 +1200 +++ Fast.pm 2013-05-08 16:41:22.269388066 +1200 @@ -1248,7 +1248,7 @@ sub parse_nsec3 { #got more data - if ( /\G\s*((\w+\s+)+)\)\s*$/) { + if ( /\G\s*((\w+\s+)*)\)\s*$/) { my $typelist = $1; $typelist = join(" ",sort split(/\s+/,$typelist)); $nsec3->{ 'typelist' } = $typelist;
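Review bot: In the `parse_nsec3` continuation match, `(\w+\s+)*\)` still requires whitespace after every type mnemonic, so a list closed as `RRSIG)` with no space before the parenthesis fails to match, and `\w+` rejects any mnemonic containing a hyphen. Matching tokens separated by whitespace with optional whitespace before the close, for example `((?:[\w-]+(?:\s+[\w-]+)*)?)\s*\)`, would cover the empty list, the spaced list and the unspaced close in one pattern without nesting an optional separator inside a repeated group.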
Do you have an example record that it is supposed to match?
I am now seeing two different NSEC3 resources being generated both with and without the list of RRs.
... ...
JDLSSS5SH3E8G6G5OGJ8N58ICPUI0DED.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 ( JOC9G7NN6R36LNBTAONOINAJD1B5TB3A )
... ...
UK3BPPAJR8JPTGCM8RN0A65IR0MIHU4O.leithalweapon.geek.nz. 3600 IN NSEC3 1 0 100 D2DE7F290F200819 ( 4FN8MTCORO6CI3IOOGVCBTI777PNJ5O9 CNAME RRSIG )
... ...
Here's the full entered patch, FYI. I added a test suite for the problem too, and made it deal with single line NSEC3 records without a type field as well. diff --git a/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm b/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm index 0c931a2..d2b8dd8 100644 --- a/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm +++ b/dnssec-tools/tools/modules/ZoneFile-Fast/Fast.pm @@ -983,7 +983,7 @@ sub parse_line } elsif (/\G(nsec3)[ \t]+/igc) { error ("You are missing required modules for NSEC3 support") if (!$nsec3capable); - if (/\G\s*(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+($pat_maybefullname)\s+(.*?)$pat_skip$/gc) { + if (/\G\s*(\d+)\s+(\d+)\s+(\d+)\s+([-0-9A-Fa-f]+)\s+($pat_maybefullname)\s*(.*?)$pat_skip$/gc) { # XXX: set the typebm field ourselves? my ($alg, $flags, $iters, $salt, $nxthash, $typelist) = ($1, $2, $3, $4, $5, $6); @@ -1335,7 +1335,7 @@ sub parse_tlsa sub parse_nsec3 { #got more data - if ( /\G\s*((\w+\s+)+)\)\s*$/) { + if ( /\G\s*((\w+\s+)*)\)\s*$/) { my $typelist = $1; $typelist = join(" ",sort split(/\s+/,$typelist)); $nsec3->{ 'typelist' } = $typelist; Modified dnssec-tools/tools/modules/ZoneFile-Fast/t/rr-dnssec.t
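Review bot: In the single-line NSEC3 pattern in `parse_line` (hunk at -983), replacing `\s+` with `\s*` before `(.*?)` removes the mandatory separator between `($pat_maybefullname)` and the type list, so where the next-hash field ends and the first type begins now depends entirely on what `$pat_maybefullname` consumes. Making the whole tail optional, for example `(?:\s+(.*?))?`, keeps the delimiter required whenever types are present; `$typelist` (taken from `$6`) would then need to default to the empty string. The `# XXX: set the typebm field ourselves?` comment should also say what is intended when the list is empty.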
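Review bot: In `parse_nsec3` (hunk at -1335), once `(\w+\s+)*` can match nothing, `$1` is the empty string and `$nsec3->{ 'typelist' }` is stored as `""`; a comment stating that an empty type list is a valid value here would help, along with a check that the single-line path in `parse_line` produces the same representation so the new test compares like with like. The inner group is used only for repetition, so `(?:\w+\s+)*` avoids an unused capture.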
dnssec-tools-1.13-12.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/dnssec-tools-1.13-12.fc17
dnssec-tools-1.13-12.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/dnssec-tools-1.13-12.el6
dnssec-tools-1.14-6.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/dnssec-tools-1.14-6.fc18
Package dnssec-tools-1.13-12.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing dnssec-tools-1.13-12.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-5924/dnssec-tools-1.13-12.el6
then log in and leave karma (feedback).
dnssec-tools-1.14-6.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
dnssec-tools-1.13-12.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
dnssec-tools-1.13-12.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.