The upgrade of dns/knot2 from 2.4.3 to 2.5.1 brings an important change with it: The DNSSEC key database format changes. 2.5 ships with a script to upgrade the database from JSON to LMDB [1], pykeymgr. However, pykeymgr requires the python module lmdb, which is missing, or otherwise not recognized on my system:

root@alpha ~ # ❯❯❯ pykeymgr
Traceback (most recent call last):
  File "/usr/local/sbin/pykeymgr", line 9, in <module>
    import lmdb
ImportError: No module named lmdb

This is problematic for people who use knot's automatic DNSSEC key management, because new keys will be silently generated and used forthwith to update the zones, breaking DNSSEC lookups.

1: https://www.knot-dns.cz/docs/2.5/html/migration.html#upgrade-2-4-x-to-2-5-x
Strange; lmdb is included in the source, but linking against the system is preferred. After installing/upgrading knot2, do you happen to have a /usr/local/lib/liblmdb.so.0 AND the lmdb port?
Created attachment 183767: script runs with pip installed lmdb
Indeed, databases/lmdb is installed and /usr/local/lib/liblmdb.so.0 is present. What seems to be missing is the lmdb python egg. After installing it temporarily with pip, the script at least starts; I couldn't test yet if it actually can upgrade the key databases.
I can now verify that installing lmdb via pip is enough to run the script, and that the resulting lmdb file actually contains the imported keys.
I would also recommend a pkg-message with the migration path from 2.4 to 2.5, because, as previously mentioned, in my setup knot would silently generate new keys and automatically sign the configured zones with them, invalidating DNSSEC. To my understanding, this is only a problem if people opted for the fully-automatic DNSSEC key management of knot.
I suspected a minimum version issue, so I tried with python:3.0+ and... then the lmdb module seems to be OK, but then I still run into an indenting problem inside pykeymgr. Yesterday 2.5.2 already came out, which doesn't seem to have any problem. Will fix the port a.s.a.p.
You are right, the current version of the pykeymgr script has python3 compatibility:
https://gitlab.labs.nic.cz/labs/knot/blob/master/src/utils/pykeymgr/pykeymgr.in
The version of pykeymgr in 2.5.1 is obviously designed for py2:
# workarounding that python 2 doesn't have int.to_bytes()
in /usr/local/sbin/pykeymgr line 22
Upgrading to 2.5.2 seems to solve it, so I've just submitted PR 220258 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=220258
A commit references this bug:

Author: matthew
Date: Sun Jun 25 11:18:51 UTC 2017
New revision: 444261
URL: https://svnweb.freebsd.org/changeset/ports/444261

Log:
  Update to 2.5.2

  This solves a problem with pykeymgr being unable to load the lmdb module.

  PR: 220241, 220258
  Submitted by: freebsd@dns-lab.com (maintainer)

Changes:
  head/dns/knot2/Makefile
  head/dns/knot2/distinfo
  head/dns/knot2/files/pkg-message.in
This should be fixed with knot-2.5.2
Works, thanks for the quick response and patch!