Bug 45063

Summary: При изменении имени компьютера создаётся некорректный ddns-key.conf
Product: Sisyphus Reporter: jqt4 <jqt4>
Component: alterator-bindAssignee: Anton V. Boyarshinov <boyarsh>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: normal    
Priority: P5 CC: boyarsh
Version: unstable   
Hardware: x86_64   
OS: Linux   

Description jqt4@altlinux.org 2023-01-27 19:22:50 MSK 
Система установлена из образа http://beta.altlinux.org/server/x86_64/alt-server-10.1-rc2-x86_64.iso и обновлена до Сизифа.

rpm -q bind alterator-bind
bind-9.16.37-alt1.x86_64
alterator-bind-0.9.5-alt1.1.1.x86_64

При изменении имени компьютера в acc (вкладка Ethernet-интерфейсы) создаётся файл:

cat /var/lib/bind/etc/ddns-key.conf
key ddns-key {
    algorithm hmac-md5;
    secret "";
};

При этом в лог /var/run/alteratord/alteratord.log выдаётся:

recreate domain...
Cleaning up resolvconf zones...
dnssec-keygen: fatal: The -r option has been deprecated.
System random data is always used.

sed: невозможно прочитать .private: Нет такого файла или каталога
dnssec-keygen: fatal: The -r option has been deprecated.
System random data is always used.

sed: невозможно прочитать .private: Нет такого файла или каталога
/usr/bin/ddns-sh-functions: строка 450: out: не заданы границы переменной
could not read key from /var/lib/bind/etc/Kddns-key.+157+*.{private,key}: file not found
update failed: REFUSED

DHCP не работает с таким файлом:

dhcpd -t -cf /var/lib/bind/etc/ddns-key.conf ; echo $?
Internet Systems Consortium DHCP Server 4.4.3-P1
Copyright 2004-2022 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
/var/lib/bind/etc/ddns-key.conf line 4: expecting a parameter or declaration
};
 ^
Configuration file errors encountered -- exiting
Please note the following before requesting help:
This software is a part of the Internet Software Consortium's DHCP suite
with modifications for ALT Linux.
The ISC folks quite reasonably require that you do not bother them with
questions on software that includes third-party modifications and might
not be based off their latest code.  Hence, please direct any questions
to the community@ mailing list instead; the subscription instructions
are given at http://lists.altlinux.org/mailman/listinfo/community .
Please also read the SUPPORT section on the README about
submitting bug reports and requests for help.
exiting.
1

Причина проблемы в том, что интерфейс командной строки утилиты dnssec-keygen из bind изменился и строки скрипта ddns-sh-functions из alterator-bind:

local key="$(/usr/sbin/dnssec-keygen -r /dev/urandom -a HMAC-MD5 -b 512 -n USER "$name")"
local secret="$(sed -n 's/Key:[[:space:]]\+\([^[:space:]]\+\)/\1/p' "$key.private")"

работают неправильно.

Прошу исправить.
Comment 1 jqt4@altlinux.org 2023-01-30 17:54:41 MSK 
Лог сравнения help'ов старого и нового bind'ов:

$ diff -u ../../help-9.11.log ../../help-9.16.log
--- ../../help-9.11.log    2023-01-30 17:52:16.743546892 +0400
+++ ../../help-9.16.log    2023-01-30 17:53:05.858303207 +0400
@@ -2,41 +2,30 @@
 Usage:
     dnssec-keygen [options] name

-Version: 9.11.37
+Version: 9.16.35
     name: owner of the key
 Options:
     -K <directory>: write keys into directory
+    -k <policy>: generate keys for dnssec-policy
+    -l <file>: configuration file with dnssec-policy statement
     -a <algorithm>:
-        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1 | NSEC3DSA |
-        RSASHA256 | RSASHA512 | ECCGOST |
+        RSASHA1 | NSEC3RSASHA1 |
+        RSASHA256 | RSASHA512 |
         ECDSAP256SHA256 | ECDSAP384SHA384 |
-        ED25519 | ED448 | DH |
-        HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 | 
-        HMAC-SHA384 | HMAC-SHA512
-       (default: RSASHA1, or NSEC3RSASHA1 if using -3)
+        ED25519 | ED448 | DH
     -3: use NSEC3-capable algorithm
     -b <key size in bits>:
-        RSAMD5:    [512..4096]
-        RSASHA1:    [512..4096]
-        NSEC3RSASHA1:    [512..4096]
-        RSASHA256:    [512..4096]
+        RSASHA1:    [1024..4096]
+        NSEC3RSASHA1:    [1024..4096]
+        RSASHA256:    [1024..4096]
         RSASHA512:    [1024..4096]
         DH:        [128..4096]
-        DSA:        [512..1024] and divisible by 64
-        NSEC3DSA:    [512..1024] and divisible by 64
-        ECCGOST:    ignored
         ECDSAP256SHA256:    ignored
         ECDSAP384SHA384:    ignored
         ED25519:    ignored
         ED448:    ignored
-        HMAC-MD5:    [1..512]
-        HMAC-SHA1:    [1..160]
-        HMAC-SHA224:    [1..224]
-        HMAC-SHA256:    [1..256]
-        HMAC-SHA384:    [1..384]
-        HMAC-SHA512:    [1..512]
-        (if using the default algorithm, key size
-        defaults to 2048 for KSK, or 1024 for all others)
+        (key size defaults are set according to
+        algorithm and usage (ZSK or KSK)
     -n <nametype>: ZONE | HOST | ENTITY | USER | OTHER
         (DNSKEY generation defaults to ZONE)
     -c <class>: (default: IN)
@@ -47,7 +36,6 @@
     -g <generator>: use specified generator (DH only)
     -L <ttl>: default key TTL
     -p <protocol>: (default: 3 [dnssec])
-    -r <randomdev>: a file containing random data
     -s <strength>: strength value this key signs DNS records with (default: 0)
     -T <rrtype>: DNSKEY | KEY (default: DNSKEY; use KEY for SIG(0))
     -t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
Comment 2 Repository Robot 2023-02-01 10:15:36 MSK 
alterator-bind-0.9.6-alt1 -> sisyphus:

 Tue Jan 31 2023 Dmitry Terekhin <jqt4@altlinux> 0.9.6-alt1
 - ddns-sh-functions: Use tsig-keygen instead of dnssec-keygen (closes: #45063).