From: sion at nominet.org.uk (Sion Lloyd)
Date: Fri, 1 Oct 2010 08:43:36 +0100
Subject: [Opendnssec-develop] ods-control hangs
In-Reply-To: <201009291203.01863.sion@nominet.org.uk>
References: <201009291203.01863.sion@nominet.org.uk>
Message-ID: <201010010843.36495.sion@nominet.org.uk>

I've had a second report of this now; is anyone _not_ happy for me to commit
this code?

Sion

On Wednesday 29 Sep 2010 12:03:01 pm Sion Lloyd wrote:
> Hi there.
>
> I've had this report from Matthijs:
> http://www.pivotaltracker.com/story/show/5184282
>
> Where I think that because ods-control is looking at the return value of
> the parent process (not the forked one) it sees "success" even when, for
> instance, the HSM PIN is wrong in conf.xml...
>
> My shell scripting is a bit rusty, and I don't have much experience in it
> to start with. So can someone sanity-check this before I check it in? I
> just want the start command to time out. (Sorry about the indenting.)
>
> Cheers,
>
> Sion
>
> sion at sion:~/work/opendnssec/trunk/OpenDNSSEC$ svn diff tools/ods-control.in
> Index: tools/ods-control.in
> ===================================================================
> --- tools/ods-control.in (revision 4024)
> +++ tools/ods-control.in (working copy)
> @@ -62,8 +62,14 @@
> "$sbindir/ods-enforcerd"
> RETVAL=$?
> if [ $RETVAL = 0 ]; then
> + i=0
> while [ ! -r "$enforcer_pid_file" ]; do
> sleep 1
> + i=$(( $i + 1 ))
> + if [ $i -ge 10 ]; then
> + RETVAL=1
> + break
> + fi
> done
> fi
> fi
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
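Review bot: the timeout branch sets RETVAL=1 and breaks out of the loop but prints nothing, so a user whose HSM PIN is wrong in conf.xml sees the start command fail after ten seconds with no hint why; add a diagnostic before `RETVAL=1`, along the lines of `echo "ods-enforcerd did not write $enforcer_pid_file within 10 seconds" >&2`. Note also that the loop only waits for the pid file to become readable: a stale pid file left by a previous run ends the wait at once and reports success, and a daemon that writes its pid file and then exits is reported as started too, so consider checking the process behind the file as well (for example `kill -0 "$(cat "$enforcer_pid_file")"`).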
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Fri, 01 Oct 2010 09:53:23 +0200
Subject: [Opendnssec-develop] ods-control hangs
In-Reply-To: <201010010843.36495.sion@nominet.org.uk>
References: <201009291203.01863.sion@nominet.org.uk> <201010010843.36495.sion@nominet.org.uk>
Message-ID: <4CA59373.3040500@nlnetlabs.nl>

So ods-control stops hanging after 10 seconds? Maybe use a bit shorter
period, or give the user feedback of what is going on...

Best regards,
Matthijs

On 10/01/2010 09:43 AM, Sion Lloyd wrote:
> I've had a second report of this now; is anyone _not_ happy for me to commit
> this code?
>
> Sion
>
> On Wednesday 29 Sep 2010 12:03:01 pm Sion Lloyd wrote:
>> Hi there.
>>
>> I've had this report from Matthijs:
>> http://www.pivotaltracker.com/story/show/5184282
>>
>> Where I think that because ods-control is looking at the return value of
>> the parent process (not the forked one) it sees "success" even when, for
>> instance, the HSM PIN is wrong in conf.xml...
>>
>> My shell scripting is a bit rusty, and I don't have much experience in it
>> to start with. So can someone sanity-check this before I check it in? I
>> just want the start command to time out. (Sorry about the indenting.)
>>
>> Cheers,
>>
>> Sion
>>
>> sion at sion:~/work/opendnssec/trunk/OpenDNSSEC$ svn diff tools/ods-control.in
>> Index: tools/ods-control.in
>> ===================================================================
>> --- tools/ods-control.in (revision 4024)
>> +++ tools/ods-control.in (working copy)
>> @@ -62,8 +62,14 @@
>> "$sbindir/ods-enforcerd"
>> RETVAL=$?
>> if [ $RETVAL = 0 ]; then
>> + i=0
>> while [ ! -r "$enforcer_pid_file" ]; do
>> sleep 1
>> + i=$(( $i + 1 ))
>> + if [ $i -ge 10 ]; then
>> + RETVAL=1
>> + break
>> + fi
>> done
>> fi
>> fi

From: sion at nominet.org.uk (Sion Lloyd)
Date: Fri, 1 Oct 2010 14:26:19 +0100
Subject: [Opendnssec-develop] too many open files
In-Reply-To:
References: <88B6E545-4A8F-4584-A797-65DA944C77CE@iis.se>
Message-ID: <201010011426.19772.sion@nominet.org.uk>

> > So this problem does still exist. It might be that the enforcer grabs all
> > file descriptors, I don't know. But maybe the signer should be more
> > resilient about it. So, we still have to find the file descriptor leak.

Could you kill the enforcer and run the signer on its own? At least then we
can isolate which process is at fault.

Sion
From: sion at nominet.org.uk (Sion Lloyd)
Date: Fri, 1 Oct 2010 14:31:30 +0100
Subject: [Opendnssec-develop] too many open files
In-Reply-To: <201010011426.19772.sion@nominet.org.uk>
References: <88B6E545-4A8F-4584-A797-65DA944C77CE@iis.se> <201010011426.19772.sion@nominet.org.uk>
Message-ID: <201010011431.30775.sion@nominet.org.uk>

On Friday 01 Oct 2010 2:26:19 pm Sion Lloyd wrote:
> > > So this problem does still exist. It might be that the enforcer grabs all
> > > file descriptors, I don't know. But maybe the signer should be more
> > > resilient about it. So, we still have to find the file descriptor leak.
>
> Could you kill the enforcer and run the signer on its own? At least then we
> can isolate which process is at fault.

Or compare "lsof | grep ods-enforcerd | wc -l" vs "lsof | grep ods-signerd | wc -l"

From: sion at nominet.org.uk (Sion Lloyd)
Date: Fri, 1 Oct 2010 15:35:06 +0100
Subject: [Opendnssec-develop] Indexes on tables
Message-ID: <201010011535.06966.sion@nominet.org.uk>

Hi there.

It looks like the slow steps in a lot of the enforcer bulk transactions were
not in the database. E.g. adding zones speeds up when you don't write to the
zonelist xml file each time.

I have a story to add indexes where needed... can anyone give me an example of
an operation that gets slow when the kasp database grows large? Otherwise I
don't really know where to start with this one.

Cheers,

Sion
From: patrik.wallstrom at iis.se (Patrik Wallström)
Date: Fri, 1 Oct 2010 16:51:42 +0200
Subject: [Opendnssec-develop] Indexes on tables
In-Reply-To: <201010011535.06966.sion@nominet.org.uk>
References: <201010011535.06966.sion@nominet.org.uk>
Message-ID: <4A82EE3F-04EA-4131-BD98-DDA9564EC5B8@iis.se>

On Oct 1, 2010, at 4:35 PM, Sion Lloyd wrote:
>
> Hi there.
>
> It looks like the slow steps in a lot of the enforcer bulk transactions were
> not in the database. E.g. adding zones speeds up when you don't write to the
> zonelist xml file each time.
>
> I have a story to add indexes where needed... can anyone give me an example of
> an operation that gets slow when the kasp database grows large? Otherwise I
> don't really know where to start with this one.

Actually, what I feel is slow now is adding zones without the --no-xml flag
when running a large number of domains. What might be slow is lots of keys,
but I have only been running lots of zones with SharedKeys. But I will try to
look for slow queries. Maybe do the same operation without SharedKeys.

Anyway, you could just try to create lots of zones and turn on MySQL query
logging, and find out what types of queries are made during the lifetime of
operations - and then do some benchmarking on those queries on a populated
database.

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 04 Oct 2010 07:48:31 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #186: ZSK published/ready before backup -- breaks 2-phase commit
Message-ID: <045.8a479ba3833fb0ce83d1254c7cc55bbd@kirei.se>

#186: ZSK published/ready before backup -- breaks 2-phase commit
--------------------+-------------------------------------------------------
 Reporter:  vanrein |      Owner:  sion
     Type:  defect  |     Status:  new
 Priority:  major   |  Component:  Enforcer
  Version:  1.1.1   |   Keywords:
--------------------+-------------------------------------------------------
During today's 2-phase backup procedure, we noticed an unexpected situation.
The KASP had generated a ZSK and already set up the published and ready
state before the key was backed up.

I can see the harmlessness of doing this, but it was unexpected and it
breaks (our) 2-phase backup procedure, which assumes that keys reside in the
GENERATED state until they have been backed up.

Sion:
1. Can you explain why the key already rolled on, and if we can suppress
   that behaviour?
2. Does your 2-phase backup procedure handle this properly?

Thanks,
-Rick

--
Ticket URL:
OpenDNSSEC
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 04 Oct 2010 08:29:55 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #186: ZSK published/ready before backup -- breaks 2-phase commit
In-Reply-To: <045.8a479ba3833fb0ce83d1254c7cc55bbd@kirei.se>
References: <045.8a479ba3833fb0ce83d1254c7cc55bbd@kirei.se>
Message-ID: <054.e15d4a6556084b1121330d32c9629a38@kirei.se>

#186: ZSK published/ready before backup -- breaks 2-phase commit
--------------------+-------------------------------------------------------
 Reporter:  vanrein |      Owner:  sion
     Type:  defect  |     Status:  new
 Priority:  major   |  Component:  Enforcer
  Version:  1.1.1   |   Keywords:
--------------------+-------------------------------------------------------

Comment (by sion):

We only stop keys from going active, because until then losing one is not a
problem. So you should be prepared to back up all keys that have not been
backed up... regardless of their state. The idea is that you do not want the
whole system to do nothing because a backup has not been run.

I wouldn't like to change this behaviour, and the code in trunk makes no
assumption about the key state.

--
Ticket URL:
OpenDNSSEC
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 4 Oct 2010 10:58:48 +0200
Subject: [Opendnssec-develop] Minimize number of log messages
Message-ID:

Hi

Currently you get two log messages per zone. One giving the stats when the
signed zone has changed. Then a message telling when the SE will perform the
next task.

Oct 4 08:40:35 fou ods-signerd: [STATS] nz RR[count=0 time=0(sec)) NSEC3[count=0 time=0(sec)] RRSIG[new=29 reused=0 time=2(sec) avg=14(sig/sec)] TOTAL[time=2(sec)]
Oct 4 08:40:35 fou ods-signerd: On Mon Oct 4 08:41:35 2010 I will sign zone nz
Oct 4 08:41:35 fou ods-signerd: On Mon Oct 4 08:42:35 2010 I will sign zone nz
Oct 4 08:42:35 fou ods-signerd: On Mon Oct 4 08:43:35 2010 I will sign zone nz
Oct 4 08:43:35 fou ods-signerd: On Mon Oct 4 08:44:35 2010 I will sign zone nz
Oct 4 08:44:35 fou ods-signerd: On Mon Oct 4 08:45:35 2010 I will sign zone nz

Would it be ok to downgrade the task message from an info message to a debug
message? Thus not showing up during normal operation with low verbosity. If
you are signing thousands of zones, then you will only get one message per
zone and that one contains the stats. You could find the time for the next
task by using the following command:

ods-signer queue

// Rickard
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 04 Oct 2010 09:49:11 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #186: ZSK published/ready before backup -- breaks 2-phase commit
In-Reply-To: <045.8a479ba3833fb0ce83d1254c7cc55bbd@kirei.se>
References: <045.8a479ba3833fb0ce83d1254c7cc55bbd@kirei.se>
Message-ID: <054.c43e93ef84c79a9d7156abbfdc7b8a92@kirei.se>

#186: ZSK published/ready before backup -- breaks 2-phase commit
--------------------+-------------------------------------------------------
 Reporter:  vanrein |       Owner:  sion
     Type:  defect  |      Status:  closed
 Priority:  major   |   Component:  Enforcer
  Version:  1.1.1   |  Resolution:  invalid
 Keywords:          |
--------------------+-------------------------------------------------------
Changes (by vanrein):

 * status:  new => closed
 * resolution:  => invalid

Comment:

Understood, thanks for complaining. I will add a note to the trac issue that
publishes our 2-phase commit patch.

I am not requesting a change of behaviour, as it makes sense to me. It was a
surprise, but it is good to hear that the upcoming 1.2 in trunk does not
share this problem. Over here, we'll cope with it somehow.

Thanks,
-Rick

--
Ticket URL:
OpenDNSSEC
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 04 Oct 2010 14:23:49 +0200
Subject: [Opendnssec-develop] too many open files
In-Reply-To:
References: <88B6E545-4A8F-4584-A797-65DA944C77CE@iis.se>
Message-ID: <4CA9C755.6010701@nlnetlabs.nl>

On 09/30/2010 09:02 PM, Patrik Wallström wrote:
> The signer acts a little strange, so after restarting the signer, it signs
> all domains without too much problem.

What is the strange behavior you noticed?

Currently known "strange" behavior is that the signer does not pick up the
newly added zones. The enforcer calls for example 'ods-signer update
19many.org', but the signer will ignore it since it does not know about
19many.org. (A story is in Pivotal)

Best regards,
Matthijs
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 04 Oct 2010 14:37:40 +0200
Subject: [Opendnssec-develop] Indexes on tables
In-Reply-To: <201010011535.06966.sion@nominet.org.uk>
References: <201010011535.06966.sion@nominet.org.uk>
Message-ID: <4CA9CA94.3060202@nlnetlabs.nl>

Hi Sion,

Using sqlite3 and a purged softHSM, this is very slow:

> ods-hsmutil purge softHSM
> echo "yes" | ods-ksmutil setup
> ods-control start
> cd /svn/opendnssec/dnssec/trunk/testing
> perl zonegen.pl --zonename dennisbier.nl --nzones 5000 --nrr 2 \
    --pns 0 --pa 100 --paaaa 10 --addtoksm --no-xml --policy default \
    --output ./unsigned --config ./signconf --signeroutput ./signed
> ods-ksmutil zonelist export > zonelist.xml

(move the zonelist file and unsigned, signed and signconf directories to the
desired locations)

> kill -HUP `cat enforcer.pid`

About 2 new signer configurations per minute are output on Ubuntu 10.04
(2GB memory, 2x 1.6GHz processor).

Best regards,
Matthijs

On 10/01/2010 04:35 PM, Sion Lloyd wrote:
> Hi there.
>
> It looks like the slow steps in a lot of the enforcer bulk transactions were
> not in the database. E.g. adding zones speeds up when you don't write to the
> zonelist xml file each time.
>
> I have a story to add indexes where needed... can anyone give me an example of
> an operation that gets slow when the kasp database grows large? Otherwise I
> don't really know where to start with this one.
>
> Cheers,
>
> Sion
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Tue, 05 Oct 2010 10:44:42 +0200
Subject: [Opendnssec-develop] too many open files
In-Reply-To:
References: <88B6E545-4A8F-4584-A797-65DA944C77CE@iis.se>
Message-ID: <4CAAE57A.3060404@nlnetlabs.nl>

FYI,

r4047 fixes one more file descriptor leak, as well as a segfault due to
a parse error in the backed up unsorted file.

Signing on my machine (2GB memory, 2x 1.6GHz processor, Ubuntu 10.04) is
quite slow: Also created 5000 zones, using --no-xml (with sqlite3).

When starting, the enforcer finds a zone every half minute. So signer
configurations are output every half minute. That was yesterday, about
15:30 CET. At this moment, the enforcer has found 761 zones of the 5000.
Intervals between finding zones have increased to 5 minutes. Could it be an
entropy issue? The only call to random is when updating the NSEC3 salt. I
tried with NSEC and that looks slow too...

The signer does not pick up updates, since it does not reload the zone
list yet when receiving 'ods-signer update thiszone' from the enforcer
(It's a Pivotal story, working on that).

When reloading the signer, signing is very fast. However, when 8 audit
processes are started at the same time, auditing gets slow. Per zone,
auditing takes about 85 seconds of the total time of 86 seconds. This is
with ruby 1.8.7.

To be continued...

Matthijs

On 09/30/2010 09:02 PM, Patrik Wallström wrote:
> On Sep 30, 2010, at 7:08 PM, Patrik Wallström wrote:
>>
>> I am testing performance on a better machine now, with fast disks and a
>> quad core xeon processor. Performance is much better. I seem to get 5000
>> signed domains without too much hassle.
>>
>> First, create 5000 domains, adding them using no-xml (with mysql), and
>> exporting the xml zonelist. First problem here, the first three lines are
>> not xml, it's the mysql config. Remove this by hand. HUP the enforcer, and
>> the enforcer creates signer configs reasonably fast. The signer acts a
>> little strange, so after restarting the signer, it signs all domains
>> without too much problem.
>>
>> Add another 5000 domains, that one is a little bit slower with the
>> enforcer. Export and HUP, and it creates signer configs. Here somewhere
>> (had some dinner), the signer loops with this:
>>
>> Sep 30 18:53:21 dnslab ods-signerd: command handler accept error: Too many open files
>>
>> So this problem does still exist. It might be that the enforcer grabs all
>> file descriptors, I don't know. But maybe the signer should be more
>> resilient about it. So, we still have to find the file descriptor leak.
>>
>> But it looks better and better, performance wise.
>
>
> And after putting the kids to sleep, I just tried to start ods again.
>
> Lots of these, of course, but look at the end.
>
> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1908more.org.state for reading: No such file or directory
> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1909many.org
> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1909more.org.state for reading: No such file or directory
> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 190many.org
> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 190more.org.state for reading: No such file or directory
> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1910many.org
> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1910more.org.state for reading: No such file or directory
> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1911many.org
> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1911more.org.state for reading: No such file or directory
> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1912many.org
> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1912more.org.state for reading: No such file or directory
> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1913many.org
> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1913more.org.state for reading: No such file or directory
> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1914many.org.unsorted for reading: Too many open files
> Sep 30 21:00:50 dnslab ods-signerd: error reading zone 1914many.org from file 1914many.org.unsorted
> Sep 30 21:00:50 dnslab ods-signerd: unable to recover unsorted zone from file 1914many.org.unsorted: parse error
> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1914many.org.task for reading: Too many open files
> Sep 30 21:00:50 dnslab kernel: [23674.642930] ods-signerd[16728]: segfault at 0 ip 0000000000416f80 sp 00007fffbb5a05f0 error 6 in ods-signerd[400000+33000]
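The descriptor-count comparison Sion suggests and the leak hunt in this thread, as an added example (not OpenDNSSEC code): it reads each daemon's held descriptors and its own RLIMIT_NOFILE from Linux /proc (assumed available), and separates a leak, where the count climbs every sample until open() fails with EMFILE, from a high but steady count. The daemon names are the page's; the sample count series and the limits text are constructed.

```python
# Added example (not OpenDNSSEC code): compare the open-descriptor counts of
# the two daemons and tell a leak from a merely high, steady count.
# Linux /proc is assumed; the sample series in __main__ is constructed.
import os
from typing import Dict, List, Optional

DAEMONS = ("ods-enforcerd", "ods-signerd")


def pids_named(comm: str) -> List[int]:
    """pids whose /proc/<pid>/comm equals comm (processes may vanish mid-scan)."""
    pids = []
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/comm") as fh:
                    if fh.read().strip() == comm:
                        pids.append(int(entry))
            except OSError:
                continue
    return pids


def open_fd_count(pid: int) -> int:
    """Descriptors the process holds right now (what lsof would list for it)."""
    return len(os.listdir(f"/proc/{pid}/fd"))


def parse_soft_nofile(limits_text: str) -> Optional[int]:
    """Soft RLIMIT_NOFILE from the text of /proc/<pid>/limits; this is the
    ceiling whose breach shows up as 'Too many open files' (EMFILE)."""
    for line in limits_text.splitlines():
        if line.startswith("Max open files"):
            value = line.split()[3]
            return None if value == "unlimited" else int(value)
    return None


def fd_soft_limit(pid: int) -> Optional[int]:
    with open(f"/proc/{pid}/limits") as fh:
        return parse_soft_nofile(fh.read())


def snapshot(daemons=DAEMONS) -> Dict[str, Dict[str, Optional[int]]]:
    """One reading per running daemon instance: held descriptors and limit."""
    out: Dict[str, Dict[str, Optional[int]]] = {}
    for name in daemons:
        for pid in pids_named(name):
            try:
                out[f"{name}[{pid}]"] = {"fds": open_fd_count(pid),
                                        "limit": fd_soft_limit(pid)}
            except OSError:
                continue   # daemon exited between listing and reading
    return out


def leak_verdict(samples: List[int], limit: int,
                 steady_slope: float = 0.5) -> Dict[str, object]:
    """Least-squares line through fd counts taken at equal intervals.
    A clearly positive slope means descriptors are never returned (a leak);
    a flat line means a busy daemon or a too-small limit, not a leak."""
    n = len(samples)
    if n < 2:
        return {"verdict": "insufficient data"}
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    cov = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    var = sum((x - mean_x) ** 2 for x in range(n))
    slope = cov / var
    result: Dict[str, object] = {"slope_per_interval": slope,
                                 "last": samples[-1], "limit": limit}
    if slope < steady_slope:
        result["verdict"] = "steady"
    else:
        result["verdict"] = "leaking"
        # samples left before open() starts failing with EMFILE
        result["intervals_to_limit"] = (limit - samples[-1]) / slope
    return result


if __name__ == "__main__":
    for key, reading in snapshot().items():
        print(key, reading)
    # constructed series: a signer's fd count sampled once a minute
    print(leak_verdict([412, 476, 541, 603, 668], limit=1024))
```

Sampling `open_fd_count()` for each daemon over a few minutes and feeding the series to `leak_verdict()` answers the thread's question of which process is at fault without stopping either of them.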
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Wed, 6 Oct 2010 12:13:57 +0000
Subject: [Opendnssec-develop] Build error on OSX
Message-ID: <6395D6D8-832F-4208-957D-85CA2BF14484@nominet.org.uk>

Hi -

Am I doing something wrong? Updated to revision 4061.

alexs-macbook-pro-2:opendnssec alex$ cd OpenDNSSEC/
alexs-macbook-pro-2:OpenDNSSEC alex$ sh autogen.sh
Creating auditor/version.m4
Creating plugins/eppclient/version.m4
Running autoreconf
configure.ac:21: warning: AC_LANG_CONFTEST: no AC_LANG_SOURCE call detected in body
../../lib/autoconf/lang.m4:194: AC_LANG_CONFTEST is expanded from...
../../lib/autoconf/general.m4:2662: _AC_LINK_IFELSE is expanded from...
../../lib/autoconf/general.m4:2679: AC_LINK_IFELSE is expanded from...
m4/libtool.m4:1084: _LT_SYS_MODULE_PATH_AIX is expanded from...
m4/libtool.m4:4207: _LT_LINKER_SHLIBS is expanded from...
m4/libtool.m4:5339: _LT_LANG_C_CONFIG is expanded from...
m4/libtool.m4:143: _LT_SETUP is expanded from...
m4/libtool.m4:69: LT_INIT is expanded from...
m4/libtool.m4:107: AC_PROG_LIBTOOL is expanded from...
configure.ac:21: the top level

Thanks,

Alex.
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Wed, 06 Oct 2010 14:57:58 +0200
Subject: [Opendnssec-develop] review: Signature recycle etc.
In-Reply-To: <2AB41453-EFDC-429B-9EFE-7AF0AD8888A6@kirei.se>
References: <2AB41453-EFDC-429B-9EFE-7AF0AD8888A6@kirei.se>
Message-ID: <4CAC7256.2090508@nlnetlabs.nl>

Hi,

I have now implemented the rules as described on the wiki, with the
exception of Deactivate. So, existing signatures will be dropped if:

- Or Refresh is disabled (refresh value is 0)
- Or The RRset has changed
- Or The RRSIG inception has not yet passed
- Or The RRSIG expiration minus Refresh has passed
- Or The RRSIG is created by a key not present in the signconf

If signatures have been recycled, we'll check if the RRset is signed by
all known algorithms. If the RRset is not yet signed with this algorithm,
it is signed with all active keys of that algorithm.

Note that this can extend the duration of a rollover for quite a bit.
If you don't recycle signatures of the post-publish key, resigning the
zone with the new key (Dsgn) takes about 1 second up to 20 minutes for a
TLD. If you do recycle signatures of the post-published key, Dsgn will
be increased by (expiration - refresh). For example, a signature
validity of a month and a refresh of a day can increase Dsgn by 30 days.

In general, it affects all ZSK rollovers, since zone data RRsets may
remain unchanged. Thus, it affects OpenDNSSEC ZSK rollovers.

In OpenDNSSEC, KSK rollovers are not affected, since the
double-signature method changes the DNSKEY RRset, thus all existing
signatures must be dropped. In general, it affects pre-publish KSK
rollover, because the transition to making the new key active does not
edit the DNSKEY RRset.

Thus, if we want to enforce speeding things up, we need a new Element in
the Signer Configuration. Jakob proposes . If the enforcer
thinks it's better for this rollover that signatures of a certain key
are not being recycled, it can add this Element to that key.
(perhaps a better name would be ?).

Best regards,
Matthijs

On 09/29/2010 02:48 PM, Jakob Schlyter wrote:
> please review http://trac.opendnssec.org/wiki/Signer/Signatures.
>
> j

From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 11 Oct 2010 08:42:12 +0200
Subject: [Opendnssec-develop] Beta release
Message-ID: <68A7947F-E572-455C-AFEC-1594DB1D17A5@iis.se>

Hi

There are some points that we need to have a look at before we do a beta
release of v1.2:

* Accept a number of stories in PivotalTracker (Rickard, Rick, Alex, Matthijs, Jakob)
* Update the documentation (http://trac.opendnssec.org/wiki/Signer/Using)
* Update NEWS (explain what is new with this release)

// Rickard
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 11 Oct 2010 08:53:14 +0200
Subject: [Opendnssec-develop] review: Signature recycle etc.
In-Reply-To: <4CAC7256.2090508@nlnetlabs.nl>
References: <2AB41453-EFDC-429B-9EFE-7AF0AD8888A6@kirei.se> <4CAC7256.2090508@nlnetlabs.nl>
Message-ID:

On 6 Oct 2010, at 14.57, Matthijs Mekking wrote:

> Note that this can extend the duration of a rollover for quite a bit.
> If you don't recycle signatures of the post-publish key, resigning the
> zone with the new key (Dsgn) takes about 1 second up to 20 minutes for a
> TLD. If you do recycle signatures of the post-published key, Dsgn will
> be increased by (expiration - refresh). For example, a signature
> validity of a month and a refresh of a day can increase Dsgn by 30 days.
>
> In general, it affects all ZSK rollovers, since zone data RRsets may
> remain unchanged. Thus, it affects OpenDNSSEC ZSK rollovers.
>
> In OpenDNSSEC, KSK rollovers are not affected, since the
> double-signature method changes the DNSKEY RRset, thus all existing
> signatures must be dropped. In general, it affects pre-publish KSK
> rollover, because the transition to making the new key active does not
> edit the DNSKEY RRset.

I think we talked about this during the meeting, but just to make sure again:
Does the Enforcer handle this for the ZSK?

> Thus, if we want to enforce speeding things up, we need a new Element in
> the Signer Configuration. Jakob proposes . If the enforcer
> thinks it's better for this rollover that signatures of a certain key
> are not being recycled, it can add this Element to that key.
> (perhaps a better name would be ?).

When would you issue this command? When you know that your key has been broken?

// Rickard
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 11 Oct 2010 10:27:45 +0200
Subject: [Opendnssec-develop] review: Signature recycle etc.
In-Reply-To:
References: <2AB41453-EFDC-429B-9EFE-7AF0AD8888A6@kirei.se> <4CAC7256.2090508@nlnetlabs.nl>
Message-ID: <4CB2CA81.2090101@nlnetlabs.nl>

Hi,

On 10/11/2010 08:53 AM, Rickard Bellgrim wrote:
>
> On 6 Oct 2010, at 14.57, Matthijs Mekking wrote:
>
>> Note that this can extend the duration of a rollover for quite a bit.
>> If you don't recycle signatures of the post-publish key, resigning the
>> zone with the new key (Dsgn) takes about 1 second up to 20 minutes for a
>> TLD. If you do recycle signatures of the post-published key, Dsgn will
>> be increased by (expiration - refresh). For example, a signature
>> validity of a month and a refresh of a day can increase Dsgn by 30 days.
>>
>> In general, it affects all ZSK rollovers, since zone data RRsets may
>> remain unchanged. Thus, it affects OpenDNSSEC ZSK rollovers.
>>
>> In OpenDNSSEC, KSK rollovers are not affected, since the
>> double-signature method changes the DNSKEY RRset, thus all existing
>> signatures must be dropped. In general, it affects pre-publish KSK
>> rollover, because the transition to making the new key active does not
>> edit the DNSKEY RRset.
>
> I think we talked about this during the meeting, but just to make sure again:
> Does the Enforcer handle this for the ZSK?
>
>> Thus, if we want to enforce speeding things up, we need a new Element in
>> the Signer Configuration. Jakob proposes . If the enforcer
>> thinks it's better for this rollover that signatures of a certain key
>> are not being recycled, it can add this Element to that key.
>> (perhaps a better name would be ?).
>
> When would you issue this command? When you know that your key has been broken?

It is not about whether a key is broken or not. It is about whether it is
desirable to speed up the rollover at the cost of recycling signatures.

Currently, the enforcer does not have to implement this, because the
currently implemented rollovers are not affected. However, it might become
interesting if we implement other (algorithm) rollovers. Something for when
we discuss the successor versions of the enforcer...

Best regards,
Matthijs

>
> // Rickard
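The recycling rules from Matthijs's 6 Oct mail, and the rollover delay discussed in the replies above, modelled in Python as an added example (not OpenDNSSEC's signer code): the `Key`, `RRSig` and `SignConf` types, the key tags and algorithm numbers, and a 31-day "month" are constructed assumptions, and the not-yet-implemented Deactivate rule is left out. The model also covers the "all known algorithms" check, so it shows both why a post-publish ZSK of the same algorithm waits and why a key of a new algorithm signs immediately.

```python
# Added example (not OpenDNSSEC's signer code): the signature recycling rules
# from the 6 Oct 2010 mail and the rollover delay they imply.  Key tags,
# algorithm numbers and the 31-day "month" are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

DAY = 86400  # seconds


@dataclass(frozen=True)
class Key:
    tag: int
    algorithm: int
    active: bool = True          # only active keys create new signatures


@dataclass(frozen=True)
class RRSig:
    key_tag: int
    algorithm: int
    inception: int               # epoch seconds
    expiration: int              # epoch seconds


@dataclass
class SignConf:
    keys: List[Key]              # keys present in the signer configuration
    refresh: int                 # re-sign this long before expiration; 0 disables recycling
    validity: int                # lifetime of a newly created signature


def drop_reason(sig: RRSig, now: int, conf: SignConf,
                rrset_changed: bool) -> Optional[str]:
    """Return why an existing signature must be dropped, or None when it may
    be recycled.  One test per rule in the mail, in the order listed there."""
    if conf.refresh == 0:
        return "refresh disabled"
    if rrset_changed:
        return "rrset changed"
    if sig.inception > now:
        return "inception not yet passed"
    if now >= sig.expiration - conf.refresh:
        return "expiration minus refresh has passed"
    if not any(k.tag == sig.key_tag and k.algorithm == sig.algorithm
               for k in conf.keys):
        return "key not in signconf"
    return None


def resign_rrset(rrsigs: List[RRSig], now: int, conf: SignConf,
                 rrset_changed: bool = False) -> Tuple[List[RRSig], List[RRSig]]:
    """Recycle what the rules allow, then make sure every algorithm in the
    signconf covers the RRset.  An algorithm with no recycled signature is
    signed with all of its active keys; an algorithm already covered gets
    nothing new, which is why a post-publish ZSK can sit idle until the old
    key's signatures age out."""
    kept = [s for s in rrsigs if drop_reason(s, now, conf, rrset_changed) is None]
    covered = {s.algorithm for s in kept}
    new = [RRSig(k.tag, k.algorithm, now, now + conf.validity)
           for k in conf.keys if k.active and k.algorithm not in covered]
    return kept, new


def max_rollover_delay(validity: int, refresh: int) -> int:
    """Worst-case extra Dsgn for an RRset that never changes: a signature made
    just before the new key went active is recycled until
    expiration - refresh, i.e. validity - refresh after it was made."""
    return validity - refresh


if __name__ == "__main__":
    old_zsk, new_zsk, ecdsa_zsk = Key(1, 8), Key(2, 8), Key(3, 13)
    conf = SignConf([old_zsk, new_zsk, ecdsa_zsk], refresh=DAY, validity=31 * DAY)
    sig = RRSig(1, 8, inception=0, expiration=31 * DAY)   # made by the old key
    for day in (1, 30):
        kept, new = resign_rrset([sig], day * DAY, conf)
        print(f"day {day}: kept {[s.key_tag for s in kept]}, "
              f"new signatures by keys {[s.key_tag for s in new]}")
    print("max extra Dsgn:", max_rollover_delay(31 * DAY, DAY) // DAY, "days")
```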
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 11 Oct 2010 12:30:55 +0200
Subject: [Opendnssec-develop] too many open files
In-Reply-To: <4CAAE57A.3060404@nlnetlabs.nl>
References: <88B6E545-4A8F-4584-A797-65DA944C77CE@iis.se> <4CAAE57A.3060404@nlnetlabs.nl>
Message-ID: <4CB2E75F.9090406@nlnetlabs.nl>

As a follow up, mysql did not speed things up. The 5000 zones are stored in the database, but signer configurations are still outputted equally slow.

Best regards,
Matthijs

On 10/05/2010 10:44 AM, Matthijs Mekking wrote:
> FYI,
>
> r4047 fixes one more file descriptor leak, as well as a segfault due to
> a parse error in the backed up unsorted file.
>
> Signing on my machine (2GB memory, 2x 1.6GHz processor, Ubuntu 10.04) is
> quite slow: Also created 5000 zones, using --no-xml (with sqlite3).
>
> When starting, the enforcer finds a zone every half minute. So signer
> configurations are outputted every half minute. That was yesterday,
> about 15:30 CET. At this moment, the enforcer found 761 zones of the
> 5000. Intervals between finding zones have increased to 5 minutes.
> Could it be an entropy issue? The only call to random is when updating
> the NSEC3 salt. I tried with NSEC and that looks slow too...
>
> The signer does not pick up updates, since it does not reload the zone
> list yet when receiving 'ods-signer update thiszone' from the enforcer
> (It's a Pivotal story, working on that).
>
> When reloading the signer, signing is very fast. However, when 8 audit
> processes are started at the same time, auditing gets slow. Per zone,
> auditing takes about 85 seconds of the total time of 86 seconds. This is
> with ruby 1.8.7.
>
> To be continued...
>
> Matthijs
>
> On 09/30/2010 09:02 PM, Patrik Wallström wrote:
>> On Sep 30, 2010, at 7:08 PM, Patrik Wallström wrote:
>>>
>>> I am testing performance on a better machine now, with fast disks and a quad core xeon processor. Performance is much better. I seem to get 5000 signed domains without too much hassle.
>>>
>>> First, create 5000 domains, adding them using no-xml (with mysql), and exporting the xml zonelist. First problem here, the first three lines are not xml, it's the mysql config. Remove this by hand. HUP the enforcer, and the enforcer creates signer configs reasonably fast. The signer acts a little strange, so after restarting the signer, it signs all domains without too much problem.
>>>
>>> Add another 5000 domains, that one is a little bit slower with the enforcer. Export and HUP, and it creates signer configs. Here somewhere (had some dinner), the signer loops with this:
>>>
>>> Sep 30 18:53:21 dnslab ods-signerd: command handler accept error: Too many open files
>>>
>>> So this problem does still exist. It might be that the enforcer grabs all file descriptors, I don't know. But maybe the signer should be more resilient about it. So, we still have to find the file descriptor leak.
>>>
>>> But it looks better and better, performance wise.
>
>> And after putting the kids to sleep, I just tried to start ods again.
>> Lots of these, of course, but look at the end.
>>
>> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1908more.org.state for reading: No such file or directory
>> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1909many.org
>> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1909more.org.state for reading: No such file or directory
>> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 190many.org
>> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 190more.org.state for reading: No such file or directory
>> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1910many.org
>> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1910more.org.state for reading: No such file or directory
>> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1911many.org
>> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1911more.org.state for reading: No such file or directory
>> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1912many.org
>> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1912more.org.state for reading: No such file or directory
>> Sep 30 21:00:50 dnslab ods-signerd: On Thu Sep 30 19:04:42 2010 I will sign zone 1913many.org
>> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1913more.org.state for reading: No such file or directory
>> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1914many.org.unsorted for reading: Too many open files
>> Sep 30 21:00:50 dnslab ods-signerd: error reading zone 1914many.org from file 1914many.org.unsorted
>> Sep 30 21:00:50 dnslab ods-signerd: unable to recover unsorted zone from file 1914many.org.unsorted: parse error
>> Sep 30 21:00:50 dnslab ods-signerd: unable to open file 1914many.org.task for reading: Too many open files
>> Sep 30 21:00:50 dnslab kernel: [23674.642930] ods-signerd[16728]: segfault at 0 ip 0000000000416f80 sp 00007fffbb5a05f0 error 6 in ods-signerd[400000+33000]

From rickard.bellgrim at iis.se Tue Oct 12 14:39:25 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 12 Oct 2010 16:39:25 +0200
Subject: [Opendnssec-develop] Next meeting 20101013
Message-ID: <15954B80-1B72-4EE0-8C05-A00C2E36D151@iis.se>

Hi

It is time for a new telephone meeting tomorrow.

Date: Wednesday 13 October
Time: 14:00-15:00 CEST, 13:00-14:00 BST
Agenda: http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-10-13
(Missing the minutes from the previous meeting)

// Rickard

From patrik.wallstrom at iis.se Fri Oct 15 07:20:39 2010
From: patrik.wallstrom at iis.se (Patrik Wallström)
Date: Fri, 15 Oct 2010 09:20:39 +0200
Subject: [Opendnssec-develop] minutes from 2010-10-13
Message-ID: <8B8C5EF2-8270-4F41-8B38-DA2B9694DBDB@iis.se>

http://trac.opendnssec.org/wiki/Meetings/Minutes/2010-10-13

Please review.

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/

From rickard.bellgrim at iis.se Fri Oct 15 11:07:17 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Fri, 15 Oct 2010 13:07:17 +0200
Subject: [Opendnssec-develop] Known issues
Message-ID: <7E0267F5-218B-4BBE-A2FC-5B91CD299760@iis.se>

Hi

http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/KNOWN_ISSUES

Do we still have this issue: "Possible Issue between enforcer and signer"?

// Rickard

From matthijs at NLnetLabs.nl Fri Oct 15 11:59:33 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Fri, 15 Oct 2010 13:59:33 +0200
Subject: [Opendnssec-develop] Known issues
In-Reply-To: <7E0267F5-218B-4BBE-A2FC-5B91CD299760@iis.se>
References: <7E0267F5-218B-4BBE-A2FC-5B91CD299760@iis.se>
Message-ID: <4CB84225.3010708@nlnetlabs.nl>

The story is still in Pivotal, so I guess that Sion has not tried it yet with the c signer on CentOS.

Matthijs

On 10/15/2010 01:07 PM, Rickard Bellgrim wrote:
> Hi
>
> http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/KNOWN_ISSUES
>
> Do we still have this issue: "Possible Issue between enforcer and signer"?
>
> // Rickard

From sion at nominet.org.uk Fri Oct 15 13:27:07 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Fri, 15 Oct 2010 14:27:07 +0100
Subject: [Opendnssec-develop] Known issues
In-Reply-To: <4CB84225.3010708@nlnetlabs.nl>
References: <7E0267F5-218B-4BBE-A2FC-5B91CD299760@iis.se> <4CB84225.3010708@nlnetlabs.nl>
Message-ID: <201010151427.07037.sion@nominet.org.uk>

On Friday 15 Oct 2010 12:59:33 pm Matthijs Mekking wrote:
> The story is still in Pivotal, so I guess that Sion has not tried it yet
> with the c signer on CentOS.

I have not tried it on centOS yet; I'll fire up my virtual machine and see how it goes.

Sion

From sion at nominet.org.uk Mon Oct 18 08:24:10 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Mon, 18 Oct 2010 09:24:10 +0100
Subject: [Opendnssec-develop] Known issues
In-Reply-To: <201010151427.07037.sion@nominet.org.uk>
References: <7E0267F5-218B-4BBE-A2FC-5B91CD299760@iis.se> <4CB84225.3010708@nlnetlabs.nl> <201010151427.07037.sion@nominet.org.uk>
Message-ID: <201010180924.10259.sion@nominet.org.uk>

On Friday 15 Oct 2010 2:27:07 pm Sion Lloyd wrote:
> On Friday 15 Oct 2010 12:59:33 pm Matthijs Mekking wrote:
> > The story is still in Pivotal, so I guess that Sion has not tried it yet
> > with the c signer on CentOS.
>
> I have not tried it on centOS yet; I'll fire up my virtual machine and see
> how it goes.

That took longer than it should have, my centos image was not behaving itself... But I can confirm that with the c signer I do not have this issue, so I have removed the story from pivotal... I have not tried with the 1.1.X branch, so it may still be a problem there.

Sion

From owner-dnssec-trac at kirei.se Mon Oct 18 18:38:38 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 18 Oct 2010 18:38:38 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #187: signer
Message-ID: <070.0e6c42ef7b6045265b3978f2dc1aaf96@kirei.se>

#187: signer
---------------------------------------------+------------------------------
 Reporter: Tom Hendrikx                       |       Owner: matthijs
     Type: defect                             |      Status: new
 Priority: major                              |   Component: Signer
  Version: trunk                              |    Keywords:
---------------------------------------------+------------------------------

After upgrading the ODS suite from 1.1.3 to 1.2.0b1, the signer does not start after issuing the command 'ods-signer start'. Calling 'ods-signer stop' yields: 'Unable to connect to engine: connect() failed: No such file or directory'. Although the man page suggests that all errors are sent to stderr, no error is seen and the exit code is 0.

Reviewing the syslog shows:

Oct 18 20:16:01 stella ods-signerd: SoftHSM: init: Could not open token database. Probably wrong privileges: /var/lib/softhsm/slot0.db
Oct 18 20:16:01 stella ods-signerd: SoftHSM: init: Wrong database schema version: /var/lib/opendnssec/softhsm_slot1.db
Oct 18 20:16:01 stella ods-signerd: setup failed: error initializing libhsm (errno 268435457)
Oct 18 20:16:01 stella ods-signerd: signer engine setup failed
Oct 18 20:16:01 stella ods-signerd: shutdown signer engine

This means that ods-signer does not start up but does not say so. This gives issues with init scripts that need to check if the signer is actually running.

Proposal: add an ods-signer 'status' or 'running' command that nicely checks if the daemon is running. The 'start' command can use this routine internally to report if its own work was successful.

Note: 'ods-control enforcer start' already does something like this.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Mon Oct 18 23:19:36 2010
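An added example of the start/status routine ticket #187 proposes (this is not OpenDNSSEC's ods-control code, nor code from the ticket): wait for the daemon's pid file with a timeout, then confirm that the pid it names is alive, so a daemon that exits during setup (as in the libhsm failure logged above) makes 'start' return non-zero instead of 0. Pid-file paths and the daemon command are assumptions.

```sh
#!/bin/sh
# Added example, not OpenDNSSEC's own ods-control code: a start routine that
# reports failure when the daemon exits during setup. It waits (with a
# timeout) for the daemon's pid file, then confirms that the pid written
# there is still alive, rather than trusting the exit code of the launcher.
# Pid-file locations and the daemon command are assumptions.

# daemon_running PIDFILE
# Return 0 when PIDFILE holds the pid of a live process, 1 otherwise.
daemon_running() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# wait_for_daemon PIDFILE TIMEOUT
# Poll once per second until the daemon is running or TIMEOUT seconds have
# passed. Return 0 when running, 1 on timeout. Prints what it is waiting
# for so the operator is not left with a silent hang.
wait_for_daemon() {
    pidfile=$1
    timeout=${2:-10}
    i=0
    while ! daemon_running "$pidfile"; do
        i=$((i + 1))
        if [ "$i" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s waiting for $pidfile" >&2
            return 1
        fi
        echo "waiting for $pidfile ($i/$timeout)..."
        sleep 1
    done
    return 0
}

# start_daemon PIDFILE TIMEOUT CMD [ARGS...]
# Launch CMD, then succeed only if the daemon is alive afterwards. A daemon
# that logs "setup failed" and exits never leaves a live pid behind, so this
# returns 1 where a plain check of the launcher's exit code would say OK.
start_daemon() {
    pidfile=$1
    timeout=$2
    shift 2
    "$@" || return 1
    wait_for_daemon "$pidfile" "$timeout"
}

# status_daemon PIDFILE
# The 'status' command the ticket asks for: prints a one-line verdict and
# returns 0 (running) or 1 (not running), usable from an init script.
status_daemon() {
    if daemon_running "$1"; then
        echo "running (pid $(head -n 1 "$1"))"
        return 0
    fi
    echo "not running"
    return 1
}

# Example use (assumed paths):
#   start_daemon /var/run/opendnssec/signerd.pid 10 ods-signerd
#   status_daemon /var/run/opendnssec/signerd.pid
```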
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 18 Oct 2010 23:19:36 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #188: kasp2html doesn't include Keys/*/ManualRollover tag
Message-ID: <059.f4d8ea74e8d7dc88f7a594c127404467@kirei.se>

#188: kasp2html doesn't include Keys/*/ManualRollover tag
----------------------------------+-----------------------------------------
 Reporter: sebastian@?            |       Owner: rb
     Type: enhancement            |      Status: new
 Priority: trivial                |   Component: Unknown
  Version: trunk                  |    Keywords:
----------------------------------+-----------------------------------------

In OpenDNSSEC 1.2b1 r4130, the XSLT doesn't include an element for the ManualRollover tag. The attached patch prints out a line indicating if present or not in the policy.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Oct 19 06:10:58 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 19 Oct 2010 06:10:58 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #188: kasp2html doesn't include Keys/*/ManualRollover tag
In-Reply-To: <059.f4d8ea74e8d7dc88f7a594c127404467@kirei.se>
References: <059.f4d8ea74e8d7dc88f7a594c127404467@kirei.se>
Message-ID: <068.05727811f041d0aa926782c599aa4381@kirei.se>

#188: kasp2html doesn't include Keys/*/ManualRollover tag
----------------------------------+-----------------------------------------
 Reporter: sebastian@?            |       Owner: rb
     Type: enhancement            |      Status: closed
 Priority: trivial                |   Component: Unknown
  Version: trunk                  |  Resolution: fixed
 Keywords:                        |
----------------------------------+-----------------------------------------
Changes (by jakob):

 * status: new => closed
 * resolution: => fixed

Comment:

Fixed in r4132. Thanks!

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From antoin.verschuren at sidn.nl Thu Oct 21 16:10:11 2010
From: antoin.verschuren at sidn.nl (Antoin Verschuren)
Date: Thu, 21 Oct 2010 18:10:11 +0200
Subject: [Opendnssec-develop] Enforcer died during production KSK rollover .nl
Message-ID: <4CC065E3.20807@sidn.nl>

Hi guys,

I promised I'd let you in on our details for the .nl key-rollover.

As said, the enforcer died during key rollover on our production systems last week. We practiced a manual key-rollover for .nl before we send our DS to the root next week or so.

The error for the enforcer was: CKR_TOKEN_NOT_PRESENT

But it shouldn't die on this, right?

After we started everything up again, the rollover continued normally, and the error did not occur again:

[root at signera ~]# ods-ksmutil key list -v
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
Keys:
Zone:  Keytype:  State:  Date of next transition:  CKA_ID:                           Repository:  Keytag:
nl     KSK       active  2016-08-09 15:49:10       f4593529defe81bdf50c91c9e4760ef4  HSM-HA       38420
nl     ZSK       active  2010-11-08 14:23:35       c8a075a8919a099d1f9b75e62433f95e  HSM-HA       37408

[root at signera ~]# ods-ksmutil key rollover --zone nl --keytype KSK
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
INFO: 0 ksks available in 'generate' state (need 1) - unable to promote until more keys generated
WARNING: key rollover not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next

[root at signera ~]# ods-ksmutil key list -v
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
Keys:
Zone:  Keytype:  State:  Date of next transition:  CKA_ID:                           Repository:  Keytag:
nl     KSK       active  2010-10-13 14:05:39       f4593529defe81bdf50c91c9e4760ef4  HSM-HA       38420
nl     ZSK       active  2010-11-08 14:23:35       c8a075a8919a099d1f9b75e62433f95e  HSM-HA       37408

Oct 13 14:05:39 signera ods-enforcerd: Error creating key in repository HSM-HA
Oct 13 14:05:39 signera ods-enforcerd: Find objects init: CKR_TOKEN_NOT_PRESENT

[root at signera log]# ods-control start
Starting signer engine...
connecting to /usr/local/opendnssec-1.1.0/var/run/opendnssec/engine.sock
OpenDNSSEC signer engine version 1.1.0
Zone list updated: 0 removed, 1 added, 0 updated
running as pid 16810
Starting enforcer...
OpenDNSSEC ods-enforcerd started (version 1.1.0), pid 16812

Oct 13 14:43:46 signera ods-enforcerd: Created key in repository HSM-HA
Oct 13 14:43:46 signera ods-enforcerd: Created KSK size: 2048, alg: 8 with id: 682bb4a60ff3c2bb74e88d378861c34b in repository: HSM-HA and database

[root at signera ~]# ods-ksmutil key list -v
SQLite database set to: /usr/local/opendnssec-1.1.0/var/opendnssec/kasp.db
Keys:
Zone:  Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
nl     KSK       active   2010-10-13 14:34:26       f4593529defe81bdf50c91c9e4760ef4  HSM-HA       38420
nl     ZSK       active   2010-11-08 14:23:35       c8a075a8919a099d1f9b75e62433f95e  HSM-HA       37408
nl     KSK       publish  2010-10-13 20:43:46       682bb4a60ff3c2bb74e88d378861c34b  HSM-HA       21362

From jakob at kirei.se Thu Oct 21 17:15:58 2010
From: jakob at kirei.se (Jakob Schlyter)
Date: Thu, 21 Oct 2010 19:15:58 +0200
Subject: [Opendnssec-develop] Enforcer died during production KSK rollover .nl
In-Reply-To: <4CC065E3.20807@sidn.nl>
References: <4CC065E3.20807@sidn.nl>
Message-ID: <781BDC0E-98D8-4957-806A-D26B871E0838@kirei.se>

On 21 okt 2010, at 18.10, Antoin Verschuren wrote:

> The error for the enforcer was: CKR_TOKEN_NOT_PRESENT

Was the HSM on-line and enabled when the error occurred?

jakob

From Roland.vanRijswijk at surfnet.nl Fri Oct 22 06:40:04 2010
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Fri, 22 Oct 2010 08:40:04 +0200
Subject: [Opendnssec-develop] Enforcer died during production KSK rollover .nl
In-Reply-To: <781BDC0E-98D8-4957-806A-D26B871E0838@kirei.se>
References: <4CC065E3.20807@sidn.nl> <781BDC0E-98D8-4957-806A-D26B871E0838@kirei.se>
Message-ID:

Hi guys,

On 21 okt 2010, at 19:15, Jakob Schlyter wrote:

> On 21 okt 2010, at 18.10, Antoin Verschuren wrote:
>
>> The error for the enforcer was: CKR_TOKEN_NOT_PRESENT
>
> Was the HSM on-line and enabled when the error occurred?

To add to that: we are using the same brand HSMs as SIDN; I've seen this problem occur but only once and was unable to reproduce it. Unfortunately, there is nothing more sensible I can say about it :(

Cheers,

Roland

--
Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From antoin.verschuren at sidn.nl Fri Oct 22 07:55:57 2010
From: antoin.verschuren at sidn.nl (Antoin Verschuren)
Date: Fri, 22 Oct 2010 09:55:57 +0200
Subject: [Opendnssec-develop] Enforcer died during production KSK rollover .nl
In-Reply-To: <781BDC0E-98D8-4957-806A-D26B871E0838@kirei.se>
References: <4CC065E3.20807@sidn.nl> <781BDC0E-98D8-4957-806A-D26B871E0838@kirei.se>
Message-ID: <4CC1438D.1040709@sidn.nl>

On 21-10-10 19:15, Jakob Schlyter wrote:
> On 21 okt 2010, at 18.10, Antoin Verschuren wrote:
>
>> The error for the enforcer was: CKR_TOKEN_NOT_PRESENT
>
> Was the HSM on-line and enabled when the error occurred?

Yes. I know from googling that this is a pkcs11 error that libhsm probably just relays. The strange thing however is that the only thing we did was restarting the ODS, but changed nothing to the hsm, to tokens or to the config, and it just resumed. I can imagine a temporary connection issue, but should it then die?

From antoin.verschuren at sidn.nl Fri Oct 22 08:32:23 2010
From: antoin.verschuren at sidn.nl (Antoin Verschuren)
Date: Fri, 22 Oct 2010 10:32:23 +0200
Subject: [Opendnssec-develop] Enforcer died during production KSK rollover .nl
In-Reply-To:
References: <4CC065E3.20807@sidn.nl> <781BDC0E-98D8-4957-806A-D26B871E0838@kirei.se>
Message-ID: <4CC14C17.7010904@sidn.nl>

On 22-10-10 08:40, Roland van Rijswijk wrote:
> Hi guys,
>
> On 21 okt 2010, at 19:15, Jakob Schlyter wrote:
>
>> On 21 okt 2010, at 18.10, Antoin Verschuren wrote:
>>
>>> The error for the enforcer was: CKR_TOKEN_NOT_PRESENT
>>
>> Was the HSM on-line and enabled when the error occurred?
>
>
> To add to that: we are using the same brand HSMs as SIDN; I've seen this problem occur but only once and was unable to reproduce it. Unfortunately, there is nothing more sensible I can say about it :(

And to add to that: We've obviously tested our procedures in a test environment multiple times, and did not get this error. Now that I hear from you that you get the same error with the same HSM, and that it's a pkcs11 error, I'm beginning to think it might also be an HSM issue, and we should perhaps look at the HSM vendor? Only difference between the test and production setup is that the production setup is more idle, meaning that it runs untouched for a longer period of time, where we touch the test environment more often to practice our procedures.

Antoin

From Roland.vanRijswijk at surfnet.nl Fri Oct 22 09:55:34 2010
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Fri, 22 Oct 2010 11:55:34 +0200
Subject: [Opendnssec-develop] Enforcer died during production KSK rollover .nl
In-Reply-To: <4CC1438D.1040709@sidn.nl>
References: <4CC065E3.20807@sidn.nl> <781BDC0E-98D8-4957-806A-D26B871E0838@kirei.se> <4CC1438D.1040709@sidn.nl>
Message-ID:

Hi,

On 22 okt 2010, at 09:55, Antoin Verschuren wrote:

> On 21-10-10 19:15, Jakob Schlyter wrote:
>> On 21 okt 2010, at 18.10, Antoin Verschuren wrote:
>>
>>> The error for the enforcer was: CKR_TOKEN_NOT_PRESENT
>>
>> Was the HSM on-line and enabled when the error occurred?
>
> Yes. I know from googling that this is a pkcs11 error that libhsm
> probably just relays. The strange thing however is that the only thing
> we did was restarting the ODS, but changed nothing to the hsm, to tokens
> or to the config, and it just resumed. I can imagine a temporary
> connection issue, but should it then die ?

Perhaps safe behaviour would be for the enforcer to not terminate but rather report the error and sleep for another cycle. The problem - in our case - seemed to be ephemeral and went away when we restarted the enforcer.

I think we (Antoin & I) probably need to talk to the HSM vendor about the cases in which this error can occur.

Cheers,

Roland

--
Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From owner-dnssec-trac at kirei.se Mon Oct 25 10:10:32 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 25 Oct 2010 10:10:32 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #187: signer
In-Reply-To: <070.0e6c42ef7b6045265b3978f2dc1aaf96@kirei.se>
References: <070.0e6c42ef7b6045265b3978f2dc1aaf96@kirei.se>
Message-ID: <079.8b871d515bed50bcb0b3e3d7f9010e8a@kirei.se>

#187: signer
---------------------------------------------+------------------------------
 Reporter: Tom Hendrikx                       |       Owner: matthijs
     Type: defect                             |      Status: closed
 Priority: major                              |   Component: Signer
  Version: trunk                              |  Resolution: fixed
 Keywords:                                    |
---------------------------------------------+------------------------------
Changes (by matthijs):

 * status: new => closed
 * resolution: => fixed

Comment:

Hi, fixed in trunk r4135. Thanks!

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Oct 26 01:19:50 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 26 Oct 2010 01:19:50 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #97: How to see the GENERATED keys?
In-Reply-To: <087.0a891918cc85b7a056513d2ec376e59a@kirei.se>
References: <087.0a891918cc85b7a056513d2ec376e59a@kirei.se>
Message-ID: <096.f79d16a6454d276e89fb8300db5e0898@kirei.se>

#97: How to see the GENERATED keys?
---------------------------------------------------------------+------------
 Reporter: Stéphane Bortzmeyer                                  |      Owner: sion
     Type: defect                                               |     Status: accepted
 Priority: major                                                |  Component: Enforcer
  Version: 1.0.0                                                |   Keywords:
---------------------------------------------------------------+------------
Comment(by sebastian@?):

An extra vote for this functionality, could be particularly useful to detect when the system will run out of keys with an HSM running a Manual Key Generation policy.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Oct 27 05:40:44 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 27 Oct 2010 05:40:44 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #97: How to see the GENERATED keys?
In-Reply-To: <087.0a891918cc85b7a056513d2ec376e59a@kirei.se>
References: <087.0a891918cc85b7a056513d2ec376e59a@kirei.se>
Message-ID: <096.717d384b568d778eda417bdb335a6c87@kirei.se>

#97: How to see the GENERATED keys?
---------------------------------------------------------------+------------
 Reporter: Stéphane Bortzmeyer                                  |      Owner: sion
     Type: defect                                               |     Status: accepted
 Priority: major                                                |  Component: Enforcer
  Version: 1.0.0                                                |   Keywords:
---------------------------------------------------------------+------------
Comment(by rb):

Thanks, will be taken into consideration for v1.3

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Oct 27 05:42:45 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 27 Oct 2010 05:42:45 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #141: Signer discarding the remaining zones if it has an issue with one zone
In-Reply-To: <060.bb4ad74136ff80b504801c3a8ad887ab@kirei.se>
References: <060.bb4ad74136ff80b504801c3a8ad887ab@kirei.se>
Message-ID: <069.207be175207f8dd083b9865780b29280@kirei.se>

#141: Signer discarding the remaining zones if it has an issue with one zone
-----------------------------------+----------------------------------------
 Reporter: sunil.kakita@?           |       Owner: matthijs
     Type: defect                   |      Status: assigned
 Priority: major                    |   Component: Unknown
  Version: trunk                    |    Keywords:
-----------------------------------+----------------------------------------
Comment(by rb):

Matthijs, this is not valid anymore with the new signer, right?

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Oct 27 08:49:26 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 27 Oct 2010 08:49:26 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #141: Signer discarding the remaining zones if it has an issue with one zone
In-Reply-To: <060.bb4ad74136ff80b504801c3a8ad887ab@kirei.se>
References: <060.bb4ad74136ff80b504801c3a8ad887ab@kirei.se>
Message-ID: <069.90100fb84f561ebbf79e9e1859bd06b1@kirei.se>

#141: Signer discarding the remaining zones if it has an issue with one zone
-----------------------------------+----------------------------------------
 Reporter: sunil.kakita@?           |       Owner: matthijs
     Type: defect                   |      Status: closed
 Priority: major                    |   Component: Unknown
  Version: trunk                    |  Resolution: fixed
 Keywords:                          |
-----------------------------------+----------------------------------------
Changes (by matthijs):

 * status: assigned => closed
 * resolution: => fixed

Comment:

Yes, should not occur anymore with the c-based signer engine. Closing this down.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From rick at openfortress.nl Wed Oct 27 09:37:04 2010
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 27 Oct 2010 09:37:04 +0000
Subject: [Opendnssec-develop] Notes of 20-to-22 KASP 1.3+ meeting
Message-ID: <20101027093704.GH23943@phantom.vanrein.org>

Hello,

I've just added the notes of last week's meeting on KASP 1.3 and beyond to the Wiki.

Our intention (at which we failed, as it grew larger than expected) was to discuss possible future directions in a small group, so as to avoid design by committee. All those present in these days are interested in redesigning the Enforcer and making it more fit for its dependable role.

Given the not-everyone-present group at these meetings, everything written in the minutes must be read as a proposal, albeit an actively prepared one. The minutes are also explicit in that, of course.

Any comments on the contents are welcome on the list and/or on the next meeting.

Cheers,
-Rick

From rickard.bellgrim at iis.se Wed Oct 27 20:29:08 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 27 Oct 2010 22:29:08 +0200
Subject: [Opendnssec-develop] Meeting 2010-10-29
Message-ID: <93DE8086-CA80-4AC7-9DC3-FC5B5B693D10@iis.se>

Hi

The next meeting is on Friday. I will not be able to attend the meeting, but Patrik can speak for me.

I have added a draft agenda on the wiki that you can fill with topics that you would like to discuss:
http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-10-29

Cheers
Rickard

From sion at nominet.org.uk Thu Oct 28 10:17:15 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Thu, 28 Oct 2010 11:17:15 +0100
Subject: [Opendnssec-develop] Meeting 2010-10-29
In-Reply-To: <93DE8086-CA80-4AC7-9DC3-FC5B5B693D10@iis.se>
References: <93DE8086-CA80-4AC7-9DC3-FC5B5B693D10@iis.se>
Message-ID: <201010281117.16032.sion@nominet.org.uk>

> The next meeting is on Friday. I will not be able to attend the meeting,
> but Patrik can speak for me.

Do we know who is chairing the meeting?

From rickard.bellgrim at iis.se Thu Oct 28 11:03:47 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Thu, 28 Oct 2010 13:03:47 +0200
Subject: [Opendnssec-develop] Meeting 2010-10-29
In-Reply-To: <201010281117.16032.sion@nominet.org.uk>
References: <93DE8086-CA80-4AC7-9DC3-FC5B5B693D10@iis.se> <201010281117.16032.sion@nominet.org.uk>
Message-ID:

Yeah, I tried to imply that it is Patrik :)

On 28 Oct 2010 at 12:17, "Sion Lloyd" wrote:

>> The next meeting is on Friday. I will not be able to attend the meeting,
>> but Patrik can speak for me.
>
> Do we know who is chairing the meeting?

From owner-dnssec-trac at kirei.se Thu Oct 28 21:13:27 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 28 Oct 2010 21:13:27 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #156: ods-control ksm {start|stop} doesn't work
In-Reply-To: <061.9721ad3311e47055fddc721be71f2301@kirei.se>
References: <061.9721ad3311e47055fddc721be71f2301@kirei.se>
Message-ID: <070.6b08bc3a22b8bd7f4fd33b93a811cd3e@kirei.se>

#156: ods-control ksm {start|stop} doesn't work
------------------------------------+---------------------------------------
 Reporter: robert@?                  |       Owner: sion
     Type: defect                    |      Status: closed
 Priority: minor                     |   Component: Enforcer
  Version: trunk                     |  Resolution: fixed
 Keywords: ksm stop doesn't work     |
------------------------------------+---------------------------------------
Changes (by rb):

 * status: new => closed
 * resolution: => fixed

Comment:

There is now a two-step backup and better start and stop handling. Included in v1.2.0b1

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Thu Oct 28 22:23:44 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 28 Oct 2010 22:23:44 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #115: ods-ksmutil setup with MySQL ignores port
In-Reply-To: <044.342d9f8d1f49af328cb5f177d829e3e9@kirei.se>
References: <044.342d9f8d1f49af328cb5f177d829e3e9@kirei.se>
Message-ID: <053.66279669eb83bdca5471b8fe2ac02bb5@kirei.se>

#115: ods-ksmutil setup with MySQL ignores port
------------------------+---------------------------------------------------
 Reporter: Gilles        |       Owner: rb
     Type: defect        |      Status: closed
 Priority: minor         |   Component: Unknown
  Version: 1.0.0         |  Resolution: fixed
 Keywords: mysql setup   |
------------------------+---------------------------------------------------
Changes (by rb):

 * status: new => closed
 * resolution: => fixed

Comment:

Fixed in r4145

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From rick at openfortress.nl Fri Oct 29 12:03:29 2010
From: rick at openfortress.nl (Rick van Rein)
Date: Fri, 29 Oct 2010 12:03:29 +0000
Subject: [Opendnssec-develop] Notes of 20-to-22 KASP 1.3+ meeting
In-Reply-To: <20101027093704.GH23943@phantom.vanrein.org>
References: <20101027093704.GH23943@phantom.vanrein.org>
Message-ID: <20101029120329.GA14503@phantom.vanrein.org>

Hi,

> I've just added the notes of last week's meeting on KASP 1.3 and beyond
> to the Wiki.

Although we usually post meeting notes on a default location, not everyone knows where to find them. This particular note is on:
http://trac.opendnssec.org/wiki/Meetings/Minutes/2010-10-20to22

The general notes are on trac.opendnssec.org -> meeting notes.

Cheers,
-Rick

From AlexD at nominet.org.uk Fri Oct 29 12:49:56 2010
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Fri, 29 Oct 2010 12:49:56 +0000
Subject: [Opendnssec-develop] Minutes posted
Message-ID: <68846DCF-8F58-4C9F-907E-734B58B2D546@nominet.org.uk>

Please correct any errors

From owner-dnssec-trac at kirei.se Sun Oct 31 01:54:03 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 31 Oct 2010 01:54:03 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #189: Auditor fails to validate CERT RR
Message-ID: <077.57a2bee7d0dd82b46fbbefd933ac0af1@kirei.se>

#189: Auditor fails to validate CERT RR
-----------------------------------------------------+----------------------
 Reporter:  Marc Dequènes (Duck)                     |      Owner:  alex
     Type:  defect                                   |     Status:  new
 Priority:  critical                                 |  Component:  Auditor
  Version:  trunk                                    |   Keywords:
-----------------------------------------------------+----------------------
 I've got a CERT entry in my zone:

   host -t cert orfeo.duckcorp.org

 The zone has been freshly created and cannot be published because of a
 reject from the auditor. Apparently, it uses a buffer too short, resulting
 in a truncated RR content and failed comparison of the unsigned/signed
 zone. The file '/var/lib/opendnssec/tmp/duckcorp.org.finalized' contains a
 CERT entry which is not truncated; that's why I think the auditor is at
 fault. The corresponding log follows:

 {{{
 Oct 31 02:28:12 Orfeo ods-signerd: signer stderr: Warning: unable to open /var/lib/opendnssec/tmp/duckcorp.org.signed: No such file or directory, performing full zone sign
 Oct 31 02:28:12 Orfeo ods-signerd: signer stderr: signer: number of signatures created: 230 (230 rr/sec)
 Oct 31 02:28:12 Orfeo ods-signerd: Created 230 new signatures
 Oct 31 02:28:12 Orfeo ods-signerd: Run command: '/usr/lib/opendnssec/opendnssec/finalizer -f /var/lib/opendnssec/tmp/duckcorp.org.signed -x /var/lib/opendnssec/tmp/duckcorp.org.optout'
 Oct 31 02:28:12 Orfeo ods-signerd: Running auditor on zone
 Oct 31 02:28:12 Orfeo ods-signerd: Run command: '/usr/bin/ods-auditor -c /etc/opendnssec/conf.xml -s /var/lib/opendnssec/tmp/duckcorp.org.finalized -z duckcorp.org'
 Oct 31 02:28:12 Orfeo ods-auditor[1861]: Auditor started
 Oct 31 02:28:12 Orfeo ods-auditor[1861]: Auditor starting on duckcorp.org
 Oct 31 02:28:12 Orfeo ods-auditor[1861]: SOA differs : from 2010102900 to 2010103100
 Oct 31 02:28:12 Orfeo ods-auditor[1861]: Auditing duckcorp.org zone : NSEC3 SIGNED
 Oct 31 02:28:13 Orfeo ods-auditor[1861]: non-DNSSEC RRSet CERT included in Output that was not present in Input : orfeo.duckcorp.org.#0113600#011IN#011CERT#011PKIX 0 RESERVED [...]
 Oct 31 02:28:13 Orfeo ods-auditor[1861]: Output zone does not contain non-DNSSEC RRSet : CERT, orfeo.duckcorp.org.#0113600#011IN#011CERT#011PKIX 0 RESERVED MIICozCCAgygAwIBAgIJANIuJ9N8HJH5MA0GCSqGSIb3DQEBBAUAMH4xCzAJBgNV
 Oct 31 02:28:13 Orfeo ods-auditor[1861]: Finished auditing duckcorp.org zone
 }}}

 DNSSEC is most useful to protect security information, like CERT and SSHFP
 entries; that's why I consider this problem defeats the software's purpose
 and have raised the severity to critical.

--
Ticket URL:

From owner-dnssec-trac at kirei.se Sun Oct 31 11:21:04 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 31 Oct 2010 11:21:04 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #190: Auditor does not handle case correctly
Message-ID: <077.b6efec6ceaccc4547ba0dc59436222ae@kirei.se>

#190: Auditor does not handle case correctly
-----------------------------------------------------+----------------------
 Reporter:  Marc Dequènes (Duck)                     |      Owner:  alex
     Type:  defect                                   |     Status:  new
 Priority:  major                                    |  Component:  Auditor
  Version:  trunk                                    |   Keywords:
-----------------------------------------------------+----------------------
 If I understand correctly what is going on, the auditor is lost when the
 zone name contains upper case letters, and perhaps also when the zone name
 case does not match the in-zone case. This results in the following error:

 {{{
 Oct 31 12:11:02 Orfeo ods-auditor[29604]: Auditing F.1.8.0.8.A.7.0.1.0.0.2.ip6.arpa zone : NSEC3 SIGNED
 Oct 31 12:11:02 Orfeo ods-auditor[29606]: RRSet (f.1.8.0.8.a.7.0.1.0.0.2.ip6.arpa, SOA) failed verification : Signature failed to cryptographically verify, tag = 63717
 Oct 31 12:11:02 Orfeo ods-auditor[29606]: RRSet (f.1.8.0.8.a.7.0.1.0.0.2.ip6.arpa, NS) failed verification : Signature failed to cryptographically verify, tag = 63717
 Oct 31 12:11:02 Orfeo ods-auditor[29606]: RRSet (f.1.8.0.8.a.7.0.1.0.0.2.ip6.arpa, MX) failed verification : Signature failed to cryptographically verify, tag = 63717
 Oct 31 12:11:02 Orfeo ods-auditor[29606]: RRSet (f.1.8.0.8.a.7.0.1.0.0.2.ip6.arpa, TXT) failed verification : Signature failed to cryptographically verify, tag = 63717
 Oct 31 12:11:02 Orfeo ods-auditor[29606]: RRSet (f.1.8.0.8.a.7.0.1.0.0.2.ip6.arpa, RRSIG) failed verification : No RRSet to verify, tag = 4816
 Oct 31 12:11:02 Orfeo ods-auditor[29606]: RRSet (f.1.8.0.8.a.7.0.1.0.0.2.ip6.arpa, RRSIG) failed verification : No RRSet to verify, tag = 63717
 Oct 31 12:11:02 Orfeo ods-auditor[29604]: SOA differs : from 2010103100 to 2010103101
 Oct 31 12:11:02 Orfeo ods-auditor[29604]: Number of non-DNSSEC resource records differs : 21 in /var/lib/opendnssec/tmp/F.1.8.0.8.A.7.0.1.0.0.2.ip6.arpa.unsorted, and 24 in /var/lib/opendnssec/tmp/F.1.8.0.8.A.7.0.1.0.0.2.ip6.arpa.finalized
 }}}

 After playing with case with no good result, I ended up deleting the zone
 and recreating it with a lower case name, lowercasing the in-zone zone name
 too. It works now, but it is quite annoying as it breaks publishing the
 zone even when using the partial auditor mode.

--
Ticket URL:

From owner-dnssec-trac at kirei.se Sun Oct 31 11:23:49 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 31 Oct 2010 11:23:49 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #190: Auditor does not handle case correctly
In-Reply-To: <077.b6efec6ceaccc4547ba0dc59436222ae@kirei.se>
References: <077.b6efec6ceaccc4547ba0dc59436222ae@kirei.se>
Message-ID: <086.9b88c36626defae6de3dc6744d803c78@kirei.se>

#190: Auditor does not handle case correctly
-----------------------------------------------------+----------------------
 Reporter:  Marc Dequènes (Duck)                     |      Owner:  alex
     Type:  defect                                   |     Status:  new
 Priority:  major                                    |  Component:  Auditor
  Version:  trunk                                    |   Keywords:
-----------------------------------------------------+----------------------

Comment (by Marc Dequènes (Duck)):

 I forgot to say I'm using 1.1.3 (not available in the form).

--
Ticket URL:

From owner-dnssec-trac at kirei.se Sun Oct 31 11:24:29 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 31 Oct 2010 11:24:29 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #189: Auditor fails to validate CERT RR
In-Reply-To: <077.57a2bee7d0dd82b46fbbefd933ac0af1@kirei.se>
References: <077.57a2bee7d0dd82b46fbbefd933ac0af1@kirei.se>
Message-ID: <086.f6dc8e32c89654deb1e68bfc1201154e@kirei.se>

#189: Auditor fails to validate CERT RR
-----------------------------------------------------+----------------------
 Reporter:  Marc Dequènes (Duck)                     |      Owner:  alex
     Type:  defect                                   |     Status:  new
 Priority:  critical                                 |  Component:  Auditor
  Version:  trunk                                    |   Keywords:
-----------------------------------------------------+----------------------

Comment (by Marc Dequènes (Duck)):

 I forgot to say I'm using 1.1.3 (not available in the form).

--
Ticket URL:
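Both auditor tickets above come down to how an unsigned and a signed copy of a zone are compared. Ticket #190 reports spurious "failed verification" and "differs" results when the zone name is mixed case, and ticket #189 reports a CERT record whose RDATA came out shorter than the input. RFC 4034 section 6.2 defines the canonical form that signatures cover (owner names fully qualified and lowercase), so an auditor that keeps case in its comparisons will mis-report exactly this. The Python below is an added example, not OpenDNSSEC code and not the ods-auditor's implementation: it compares the non-DNSSEC RRsets of two zone texts with canonical owner names and byte-for-byte RDATA, and classifies each difference so that a truncated record shows up as its own finding instead of an unexplained "not present in Input". The origin name, zone texts, RDATA values and the placeholder key/signature strings are all constructed for this example.

```python
"""Compare non-DNSSEC RRsets of an unsigned and a signed zone the way an
auditor has to: owner names in DNSSEC canonical form (RFC 4034 section 6.2,
lowercase and fully qualified), RDATA byte for byte, and each difference
classified so a case-only mismatch and a truncated RDATA field are told apart.
All sample data below is constructed for this example.
"""
from collections import defaultdict

# Types the signer adds or rewrites; an auditor checks those separately.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}


def qualify(name: str, origin: str) -> str:
    """Make an owner name fully qualified relative to origin, keeping its case."""
    origin = origin if origin.endswith(".") else origin + "."
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def canonical_name(name: str, origin: str) -> str:
    """RFC 4034 section 6.2 canonical owner name: fully qualified, lowercase."""
    return qualify(name, origin).lower()


def parse_zone(text: str, origin: str, canonical: bool = True) -> dict:
    """Parse 'owner TTL IN TYPE rdata...' lines into {(owner, type): {rdata}}.

    canonical=False qualifies owner names but keeps their case, which is the
    behaviour that turns a differently cased zone name into spurious diffs.
    TTLs are ignored here for brevity; a real auditor compares them as well.
    """
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, klass, rrtype, *rdata = line.split()
        if klass != "IN" or rrtype in DNSSEC_TYPES:
            continue
        key = canonical_name(owner, origin) if canonical else qualify(owner, origin)
        rrsets[(key, rrtype)].add(" ".join(rdata))
    return rrsets


def audit(unsigned: str, signed: str, origin: str, canonical: bool = True) -> list:
    """Return sorted (finding, owner, type) tuples for every RRset that differs.

    Findings: 'missing-in-output', 'added-in-output', 'rdata-truncated',
    'rdata-changed'. SOA is skipped because the signer bumps its serial.
    """
    before = parse_zone(unsigned, origin, canonical)
    after = parse_zone(signed, origin, canonical)
    findings = []
    for key in set(before) | set(after):
        if key[1] == "SOA":
            continue
        b, a = before.get(key, set()), after.get(key, set())
        if b == a:
            continue
        if not a:
            findings.append(("missing-in-output",) + key)
        elif not b:
            findings.append(("added-in-output",) + key)
        else:
            # Both sides have the RRset but the RDATA differ. An output value
            # that is a strict prefix of an input value means the record was
            # cut short on the way through rather than deliberately changed.
            truncated = any(len(y) < len(x) and x.startswith(y)
                            for x in b - a for y in a - b)
            findings.append((("rdata-truncated" if truncated else "rdata-changed"),) + key)
    return sorted(findings)


# Constructed sample: the zone name is configured with a capital letter.
ORIGIN = "Duckcorp.example."

UNSIGNED_ZONE = """
@     3600 IN SOA  ns1.duckcorp.example. hostmaster.duckcorp.example. 2010102900 3600 900 604800 3600
@     3600 IN NS   ns1.duckcorp.example.
Orfeo 3600 IN A    192.0.2.10
Orfeo 3600 IN CERT PKIX 0 RESERVED AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v
"""

# Constructed signed output: lowercase fully qualified owners, bumped serial,
# placeholder DNSSEC records, and a CERT RDATA that came out short.
SIGNED_ZONE = """
duckcorp.example.       3600 IN SOA    ns1.duckcorp.example. hostmaster.duckcorp.example. 2010103100 3600 900 604800 3600
duckcorp.example.       3600 IN NS     ns1.duckcorp.example.
duckcorp.example.       3600 IN DNSKEY 257 3 8 PLACEHOLDERKEY
duckcorp.example.       3600 IN RRSIG  NS 8 2 3600 20101130000000 20101031000000 12345 duckcorp.example. PLACEHOLDERSIG
orfeo.duckcorp.example. 3600 IN A      192.0.2.10
orfeo.duckcorp.example. 3600 IN CERT   PKIX 0 RESERVED AAECAwQFBgcICQoLDA0ODxAREhMUFRYX
"""

if __name__ == "__main__":
    print("case kept :", audit(UNSIGNED_ZONE, SIGNED_ZONE, ORIGIN, canonical=False))
    print("canonical :", audit(UNSIGNED_ZONE, SIGNED_ZONE, ORIGIN))
```

Run with case preserved, every RRset in the mixed-case input appears "missing" and every lowercase RRset in the output appears "added", which is the shape of the #190 log; with canonical names the only finding left is the cut-short CERT RDATA, the symptom in #189, reported as a truncation rather than as two unrelated "not present" lines. Verifying RRSIGs over the canonical form, as RFC 4034 requires, removes the signature failures in the same way.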