Report information

The Basics
Id: 44667
Status: resolved
Priority: Medium/Medium
Queue: BugTracker
Version Fixed: 9.12.0
Version Found: (no value)
Versions Affected: (no value)
Versions Planned: (no value)
Priority: P2 Normal
Severity: S3 Low
CVSS Score: (no value)
CVE ID: (no value)
Component: BIND Utilities
Area: feature

Dates
Created: Fri, 10 Feb 2017 15:28:42 -0500
Updated: Fri, 27 Oct 2017 14:48:59 -0400
Closed: Fri, 27 Oct 2017 14:48:59 -0400



Subject: Suggested enhancement to dnssec-checkds
I need to verify a DS RRset against a master file offline in advance of publication of the DS records at the parent. I've modified dnssec-checkds as shown below to do this. I expect that this may be useful to others, and hope it can be considered for inclusion in future release. Best regards, Niall O'Reilly -- diff output follows niall@ns:~/zones$ diff -u /usr/sbin/dnssec-checkds ~/bin/new-dnssec-checkdns --- /usr/sbin/dnssec-checkds 2016-11-17 23:31:25.000000000 +0000 +++ /home/niall/bin/new-dnssec-checkdns 2017-02-08 15:32:45.600498090 +0000 @@ -174,10 +174,14 @@ # Generate a set of expected DS records from the DNSKEY RRset, # and report on congruency. ############################################################################ -def checkds(zone, masterfile = None): +def checkds(zone, masterfile = None, dssetfile = None): dslist=[] - fp=os.popen("%s +noall +answer -t ds -q %s" % - (shellquote(args.dig), shellquote(zone))) + if dssetfile: + fp=open(dssetfile) + print('Reading DS RRset from file: ' + dssetfile) + else: + fp=os.popen("%s +noall +answer -t ds -q %s" % + (shellquote(args.dig), shellquote(zone))) for line in fp: dslist.append(DSRR(line)) dslist = sorted(dslist, key=lambda ds: (ds.keyid, ds.keyalg, ds.hashalg)) @@ -296,6 +300,8 @@ help='zone master file') parser.add_argument('-l', '--lookaside', dest='lookaside', type=str, help='DLV lookaside zone') + parser.add_argument('-p', '--prepared', dest='dssetfile', type=str, + help='prepared DSset file') parser.add_argument('-d', '--dig', dest='dig', default=os.path.join(prefix(bindir), 'dig'), type=str, help='path to \'dig\'') @@ -319,7 +325,7 @@ if args.lookaside: found = checkdlv(args.zone, args.lookaside, args.masterfile) else: - found = checkds(args.zone, args.masterfile) + found = checkds(args.zone, args.masterfile, args.dssetfile) exit(0 if found else 1) niall@ns:~/zones$ -- ends
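Review bot: In checkds() (hunk @@ -174,10 +174,14 @@), the new `fp=open(dssetfile)` branch has no error handling and never closes the file, so a missing or unreadable path ends in a traceback rather than a clear message and a failing exit status. Suggest reading inside `with open(dssetfile) as fp:` and reporting IOError explicitly. Every line of the file then goes straight to `DSRR(line)`, so blank or comment lines in a prepared file reach the parser; skip them before the append. The 'Reading DS RRset from file' print also lands on stdout next to the results, which scripts parsing the output will have to filter.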
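Review bot: The help string for the new `-p/--prepared` option (hunk @@ -296,6 +300,8 @@), 'prepared DSset file', does not say that the file replaces the `dig` query for the DS RRset, and the patch carries no documentation update for the option. Suggest wording along the lines of 'read the DS RRset from this file instead of querying with dig', and a matching entry in the man page.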
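Review bot: In the final dispatch (hunk @@ -319,7 +325,7 @@), `args.dssetfile` is passed only to checkds(); when `args.lookaside` is set, checkdlv() is still called without it, so `-p` given together with `-l` is silently ignored and the lookaside zone is queried anyway. Either reject the combination at argument parsing or give checkdlv() the same optional parameter.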
It looks like we have python2 vs python3 issues.

S:checkds:Wed 25 Oct 2017 16:43:54 AEDT
T:checkds:1:A
A:System test checkds
I:checking for correct DS, looking up key via 'dig' (1)
I:checking for correct DS, obtaining key from file (2)
I:checking for correct DLV, looking up key via 'dig' (3)
I:checking for correct DLV, obtaining key from file (4)
I:checking for incorrect DS, lowronging up key via 'dig' (5)
I:checking for incorrect DS, obtaining key from file (6)
I:checking for incorrect DLV, lowronging up key via 'dig' (7)
I:checking for incorrect DLV, obtaining key from file (8)
I:checking for partially missing DS, looking up key via 'dig' (9)
I:checking for partially missing DS, obtaining key from file (10)
I:checking for partially missing DLV, looking up key via 'dig' (11)
I:checking for partially missing DLV, obtaining key from file (12)
I:checking for entirely missing DS, looking up key via 'dig' (13)
I:checking for entirely missing DS, obtaining key from file (14)
I:checking for entirely missing DLV, looking up key via 'dig' (15)
I:checking for entirely missing DLV, obtaining key from file (16)
I:checking with prepared dsset file (17)
Traceback (most recent call last):
  File "/Users/marka/git/bind9/bin/python/dnssec-checkds", line 24, in <module>
    isc.checkds.main()
  File "/Users/marka/git/bind9/bin/python/isc/checkds.py", line 188, in main
    found = check(args.zone, args)
  File "/Users/marka/git/bind9/bin/python/isc/checkds.py", line 103, in check
    rrlist.append(SECRR(line, args.lookaside))
  File "/Users/marka/git/bind9/bin/python/isc/checkds.py", line 37, in __init__
    fields = rrtext.decode('ascii').split()
AttributeError: 'str' object has no attribute 'decode'
I:failed
I:exit status: 1
R:FAIL
To: "Mark Andrews via RT" <bind9-public@isc.org>
From: "Niall O'Reilly" <niall.oreilly@ucd.ie>
Subject: Re: [ISC-Bugs #44667] [PATCH] Suggested enhancement to dnssec-checkds
Date: Wed, 25 Oct 2017 08:57:19 +0100
On 25 Oct 2017, at 6:45, Mark Andrews via RT wrote:

> It looks like we have python2 vs python3 issues.

For some value of "we"; it's not clear to me whether this means
"we at ISC", the proposer of the enhancement, or the union of the two.
Is there something you're looking to me to do?

Whichever it is, thanks for letting me know that my suggestion is
the object of expert engagement.

Thanks and best regards,
Niall O'Reilly

Hi Niall,

> > It looks like we have python2 vs python3 issues.
>
> For some value of "we"; it's not clear to me whether this means
> "we at ISC", the proposer of the enhancement, or the union of the two.
> Is there something you're looking to me to do?
>
> Whichever it is, thanks for letting me know that my suggestion is
> the object of expert engagement.

I recently pulled your suggestion off the queue, made a few minor modifications (adding documentation and a system test) and asked for a code review on those. I used an internal comment rather than email to make the request, so you didn't see it.

Mark was replying to me, saying there's a python2/python3 incompatibility that I should address. This time you were included in the mail, and were understandably confused by the lack of context - sorry about that.

There's nothing you need to do.

Mark, what python version were you using? I have 2.7.12 and 3.5.2 and the test passes for me in both of them.
Date: Wed, 25 Oct 2017 21:29:24 +0100
To: "Evan Hunt via RT" <bind9-public@isc.org>
Subject: Re: [ISC-Bugs #44667] [PATCH] Suggested enhancement to dnssec-checkds
From: "Niall O'Reilly" <niall.oreilly@ucd.ie>
On 25 Oct 2017, at 19:24, Evan Hunt via RT wrote:

> I recently pulled your suggestion off the queue, made a few minor modifications
> (adding documentation and a system test) and asked for a code review on those.
> I used an internal comment rather than email to make the request, so you didn't
> see it.

Thanks, Evan, for pulling it off the queue and working on it.
Thanks also for explaining.

> Mark was replying to me, saying there's a python2/python3 incompatibility
> that I should address. This time you were included in the mail, and were
> understandably confused by the lack of context
> - sorry about that.

No need. I'm always pleased to learn that Mark is dealing with
something I've sent in.

> There's nothing you need to do.

Thanks for clarifying. I'm looking forward to the outcome.

Best regards to you and Mark.
Niall O'Reilly

Date: Thu, 26 Oct 2017 10:27:29 +1100
Subject: Re: [ISC-Bugs #44667] [PATCH] Suggested enhancement to dnssec-checkds
From: "Mark Andrews" <marka@isc.org>
To: bind9-public@isc.org
In message <rt-4.4.1-31452-1508955847-1200.44667-4-0@isc.org>, "Evan Hunt via RT" writes:
> Mark, what python version were you using? I have 2.7.12 and 3.5.2 and
> the test passes for me in both of them.

[rock:~/git/bind9] marka% python --version
Python 3.5.4
[rock:~/git/bind9] marka%
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
On Wed Oct 25 13:27:42 2017, marka wrote: > > In message <rt-4.4.1-31452-1508955847-1200.44667-4-0@isc.org>, "Evan > Hunt via RT" writes: > > Mark, what python version were you using? I have 2.7.12 and 3.5.2 > > and > > the test passes for me in both of them. > > [rock:~/git/bind9] marka% python --version > Python 3.5.4 > [rock:~/git/bind9] marka% In python3 open().read() returns a str Popen().communicate() returns a bytearray. In python2 they both return str which is a aliased to bytearray. Anyway I've committed the following. diff --git a/bin/python/isc/checkds.py.in b/bin/python/isc/checkds.py.in index 6adb6dd06c..a1615543a4 100644 --- a/bin/python/isc/checkds.py.in +++ b/bin/python/isc/checkds.py.in @@ -34,7 +34,11 @@ class SECRR: if not rrtext: raise Exception - fields = rrtext.decode('ascii').split() + # 'str' does not have decode method in python3 + if type(rrtext) is not str: + fields = rrtext.decode('ascii').split() + else: + fields = rrtext.split() if len(fields) < 7: raise Exception
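Review bot: In SECRR.__init__, the test `type(rrtext) is not str` is an exact-type comparison that sends everything other than a plain str to `.decode('ascii')` and leaves two copies of the `.split()` call. Suggest `if isinstance(rrtext, bytes): rrtext = rrtext.decode('ascii')` followed by a single `fields = rrtext.split()`, which states the intent (decode bytes, pass text through) directly. Decoding once at the point where the dig output is read would keep the record class free of the distinction altogether.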
4794. [func] "dnssec-checkds -s" specifies a file from which
      to read a DS set rather than querying the parent.
      [RT #44667]

9.12.0
Date: Fri, 27 Oct 2017 17:28:09 +0100
Subject: Re: [ISC-Bugs #44667] [PATCH] Suggested enhancement to dnssec-checkds
To: "Evan Hunt via RT" <bind9-public@isc.org>
From: "Niall O'Reilly" <niall.oreilly@ucd.ie>
Cool! Thanks.

On 27 Oct 2017, at 5:07, Evan Hunt via RT wrote:

> 4794. [func] "dnssec-checkds -s" specifies a file from which
>       to read a DS set rather than querying the parent.
>       [RT #44667]
>
> 9.12.0
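
The changelog entry quoted above describes checking a DS set read from a file rather than from the parent. As an added illustration (Python 3, not code from BIND or from anyone in this thread), the block below performs that comparison offline and goes beyond the thread by spelling out the DS computation: it derives the key tag and digest each DNSKEY should produce and marks every DS in the prepared set as matched or not. It assumes one record per line with the owner name present and a numeric TTL; all function names and the sample records are constructed for the example.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types

def rr_fields(line):
    """Split one RR line into (owner, type, rdata fields); TTL and class are skipped."""
    f = line.split(";")[0].split()
    i = 1
    while i < len(f) and (f[i].isdigit() or f[i].upper() == "IN"):
        i += 1
    return (f[0], f[i].upper(), f[i + 1:]) if i < len(f) else (None, None, [])

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(owner):
    """Owner name, lower-cased, in DNS wire format."""
    labels = [l for l in owner.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def expected_ds(name, rdata, dtype):
    """DS tuple (tag, algorithm, digest type, HEX digest); name is in wire format."""
    return key_tag(rdata), rdata[3], dtype, DIGESTS[dtype](name + rdata).hexdigest().upper()

def check_prepared_ds(ds_lines, dnskey_lines):
    """Map each DS in the prepared set to True if some DNSKEY hashes to it."""
    keys = []
    for owner, rtype, rd in map(rr_fields, dnskey_lines):
        if rtype == "DNSKEY":
            head = struct.pack("!HBB", *(int(x) for x in rd[:3]))  # flags, protocol, algorithm
            keys.append((wire_name(owner), head + base64.b64decode("".join(rd[3:]))))
    result = {}
    for owner, rtype, rd in map(rr_fields, ds_lines):
        if rtype == "DS":  # skips blank lines, comments and other record types
            ds = (int(rd[0]), int(rd[1]), int(rd[2]), "".join(rd[3:]).upper())
            result[ds] = ds[2] in DIGESTS and any(
                name == wire_name(owner) and expected_ds(name, k, ds[2]) == ds
                for name, k in keys)
    return result

if __name__ == "__main__":
    zone = ["example.com. 3600 IN DNSKEY 257 3 8 AQI="]  # constructed 2-byte "key"
    ds = expected_ds(wire_name("example.com."), b"\x01\x01\x03\x08\x01\x02", 2)
    dsset = ["example.com. IN DS %d %d %d %s" % ds, "example.com. IN DS 1 8 2 " + "0" * 64]
    for rec, ok in check_prepared_ds(dsset, zone).items():
        print(rec[:3], "matches a DNSKEY" if ok else "has NO matching DNSKEY")
```

A DS reported without a matching DNSKEY is the case to catch before the set is handed to the parent, since publishing it would point validators at a key the zone does not serve.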