Package: dkim-rotate
Version: 0.4
Severity: important
X-Debbugs-Cc: dx...@darkboxed.org

Hi Ian,

I'm trying to get started with dkim-rotate, but I hit an error during
initial provisioning with --new. I use knot for auth DNS so I don't
have the rndc, hence I tried to override dns_reload in the config.

The example config at /usr/share/doc/dkim-rotate/examples/example.zone has

;! mta_group -

so I copied that syntax for the dns_reload directive but it was
ineffective. Looking at the docs/code I figured out the prefix is
supposed to be just an exclamation mark. Honestly this is not very
intuitive because 1) the example config has it and 2) the SERIAL
directive also uses ';!'.

Example understandability aside, with the broken config the resulting
error left the state file corrupted. Running --new (without rndc
installed) I get:

$ dkim-rotate --new dkim
dkim - +X reveal? no key
dkim - +N deadvertise? no key
dkim - -1 advance/use? no key
dkim l -1 generated.
sh: 1: rndc: not found
dkim-rotate: instance dkim: error: subprocess (DNS reload (rndc reload >/dev/null)) failed, exit status 127

Subsequent calls (say --status or --reinstall) will throw state
corrupted errors:

$ sudo dkim-rotate --status dkim
dkim-rotate: instance dkim: error: state corrupted! /var/lib/dkim-rotate/dkim/state:5: bad key line

Looking at the state file the problem seems to be the 'DNS,MTA' bit in
the key line which isn't handled by read_config:

sel_offset 11
sel_limit 12
last_serial 2
status -1
key l DNS,MTA 797b760fd46ee2e01eb6c959ff3060af v=DKIM1; h=sha256; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwxzPdpwjhd+tnMooAWxEYAhVKPI2qHKGRwXpwfSEdaijUPKchNpM79HVB1+FKDmSlFR6w30qbPAdyzl4m/+Txzmv2J/So3jJbqmlSFfN85zXJ3uIdgfePWkHWTP2DAEYDeOsc3nbDNVDHQeoJHQrVyN5tBXQ/eaNTrg6qBzE5Qc1nC+Cd0LE4T9vd9PwZSSoRhYH2yprsEtLVvI+zSDqtDbx3QWAMUvDIILiWi5J/46Qw3/hI04gAFpimSoL9YVmkCNWr+arTA4g5jZatahlzkOOmNnMXZdgSRxVByAp5RtQr8EVEG0jV31re3cgXVwJnqvcJvJzDCzS6+caGjYmpQIDAQAB
status +0
status +N
status +X

Seems a bit of a usability problem for new users. I'd recommend not
commenting out directives in the example config without an
explanation and handling the intermediate DNS,MTA key state properly
even outside of key generation.

Thanks,
--Daniel

-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable-debug'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.1.0-13-amd64 (SMP w/32 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dkim-rotate depends on:
ii bash 5.2.15-2+b2
ii libgetopt-long-descriptive-perl 0.111-1
ii libmime-tools-perl 5.510-1
ii openssl 3.0.11-1~deb12u2
ii perl 5.36.0-7+deb12u1

Versions of packages dkim-rotate recommends:
ii curl 7.88.1-10+deb12u5
ii moreutils 0.67-1

dkim-rotate suggests no packages.

-- no debconf information