Give clear error on problems with (private) keys for DNSsec #10641

Closed
nlmark opened this issue Aug 10, 2021 · 1 comment · Fixed by #10642

Comments

@nlmark
Contributor

nlmark commented Aug 10, 2021

  • Program: Authoritative
  • Issue type: Bug report

Short description

When there is a problem with the private key for a zone (regarding DNSSEC), at least pdnsutil crashes/gives an error. It would be nice if the error were a bit clearer and mentioned that the problem is with the (private) key for DNSSEC. Maybe even mention a proposed solution: remove DNSSEC from the domain, sign it again, and update the DNSSEC-related information at the registry/domain supplier. Also, the domain with the problem is not mentioned.

Environment

  • Operating system: CentOS Linux release 7.9.2009 (Core)
  • Software version: 4.5.1
  • Software source: PowerDNS repository

Steps to reproduce

Run one of the commands below (note I removed the real domain names):

pdnsutil check-zone

Error: basic_string::_S_construct null not valid

pdnsutil check-all-zones

Checked 11 records of '', 0 errors, 0 warnings.
Error: basic_string::_S_construct null not valid

Expected behaviour

Mention why the error happens and if possible continue with the next domain (if check-all-zones is run). But report it as an error. Also mention the domain with the problem (you now have to search to get the domain with the problem).

Actual behaviour

See steps to reproduce.

Other information

From IRC:
12:29 <@Habbie> 10:24:26 @Habbie | Error: Invalid DNS Private Key in file 'marks.key.1' (iqmp not inverse of q)
12:29 <@Habbie> debian 10
12:29 <@Habbie> 10:29:13 @Habbie | Error: basic_string::_S_construct null not valid
12:29 <@Habbie> centos 7

gdb output:
Starting program: /usr/bin/pdnsutil check-zone
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Catchpoint 1 (exception thrown), 0x00007ffff67adbe0 in __cxa_throw ()
from /lib64/libstdc++.so.6
(gdb) bt
#0 0x00007ffff67adbe0 in __cxa_throw () from /lib64/libstdc++.so.6
#1 0x00007ffff6802857 in std::__throw_logic_error(char const*) ()
from /lib64/libstdc++.so.6
#2 0x0000555555679408 in std::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) ()
#3 0x00005555557de915 in OpenSSLRSADNSCryptoKeyEngine::checkKey(std::vector<std::string, std::allocator<std::string> >) const ()
#4 0x00005555556b0942 in DNSSECKeeper::checkKeys(DNSName const&, std::vector<std::string, std::allocator<std::string> >) ()
#5 0x00005555557e9a28 in checkZone(DNSSECKeeper&, UeberBackend&, DNSName const&, std::vector<DNSResourceRecord, std::allocator<DNSResourceRecord> > const*) ()
(gdb)

@nlmark
Contributor Author

nlmark commented Aug 10, 2021

dig +dnssec works (and returns A and RRSIG records)
dnsviz.net and dnssec-analyzer.verisignlabs.com don't report any errors related to

From IRC:
< MarkS-> If more information for the bug report is needed please mention it so I can see if I can add it
< cmouse> missing null check i guess
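
The RSA consistency test named in the IRC quote above ("iqmp not inverse of q") can be run offline on an exported key, with every finding naming the zone and key and the run continuing to the next key. This is an added example, not part of the original issue and not PowerDNS code; it assumes the key is in the BIND-style "Private-key-format" text layout, the names check_key, check_all and sample_key are hypothetical, and the sample key is a constructed toy.

```python
import base64
from math import gcd
# Field names of the BIND-style private key text layout (assumed input format).
FIELDS = {"Modulus": "n", "PublicExponent": "e", "PrivateExponent": "d",
          "Prime1": "p", "Prime2": "q", "Exponent1": "dmp1",
          "Exponent2": "dmq1", "Coefficient": "iqmp"}

def parse_key(text):
    """Decode the base64 RSA fields of the key text into integers."""
    key = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() in FIELDS:
            raw = base64.b64decode(value.strip(), validate=True)
            key[FIELDS[name.strip()]] = int.from_bytes(raw, "big")
    return key

def check_key(zone, key_id, text):
    """Return readable problems for one key; an empty list means consistent."""
    where = f"zone '{zone}', key id {key_id}"
    try:
        k = parse_key(text)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return [f"{where}: unreadable key material ({exc})"]
    missing = sorted(set(FIELDS.values()) - set(k))
    if missing:
        return [f"{where}: missing RSA fields: {', '.join(missing)}"]
    n, e, d, p, q = (k[f] for f in "nedpq")
    if p < 3 or q < 3:
        return [f"{where}: prime factors are not valid"]
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    checks = [(n == p * q, "n is not p*q"),
              (e * d % lam == 1, "d is not the inverse of e"),
              (k["dmp1"] == d % (p - 1), "dmp1 is not d mod (p-1)"),
              (k["dmq1"] == d % (q - 1), "dmq1 is not d mod (q-1)"),
              (k["iqmp"] * q % p == 1, "iqmp not inverse of q")]
    return [f"{where}: {msg}" for ok, msg in checks if not ok]

def check_all(keys):
    """Check every (zone, key_id, text) tuple, continuing after a failure."""
    return [msg for zone, key_id, text in keys for msg in check_key(zone, key_id, text)]

def sample_key(iqmp=38):
    """Constructed toy key (p=61, q=53), far too small for real use."""
    vals = {"Modulus": 3233, "PublicExponent": 17, "PrivateExponent": 2753, "Prime1": 61,
            "Prime2": 53, "Exponent1": 53, "Exponent2": 49, "Coefficient": iqmp}
    body = "".join(f"{name}: {base64.b64encode(v.to_bytes(2, 'big')).decode()}\n"
                   for name, v in vals.items())
    return "Private-key-format: v1.2\nAlgorithm: 8 (RSASHA256)\n" + body
```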
