From rickard at opendnssec.org Thu Mar 1 08:29:56 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 1 Mar 2012 09:29:56 +0100
Subject: [Opendnssec-develop] Removing leading zeroes
Message-ID:

Hi

I have reviewed and edited the patch about DNSKEY with leading zeroes. It has been applied to 1.2, 1.3, and trunk. You can find the commit in r6191 (http://fisheye.opendnssec.org/changelog/opendnssec?cs=6191).

It is difficult for us to detect any system running with this bug, so the following text was written for the NEWS-file:

HSM SCA 6000 in combination with OpenCryptoki can return RSA key material with leading zeroes. DNSSEC does not allow leading zeroes in key data. You are affected by this bug if your DNSKEY RDATA e.g. begins with "BAABA". Normal keys begin with e.g. "AwEAA". OpenDNSSEC will now sanitize incoming data before adding it to the DNSKEY. Do not upgrade to this version if you are affected by the bug. You first need to go unsigned, then do the upgrade, and finally sign your zone again. SoftHSM and other HSM:s will not produce data with leading zeroes and the bug will thus not affect you.

// Rickard

From rickard at opendnssec.org Thu Mar 1 08:41:29 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 1 Mar 2012 09:41:29 +0100
Subject: [Opendnssec-develop] SoftHSM 1.3.2
Message-ID:

Hi

SoftHSM is ready for release. Just missing the date in the NEWS-file.

// Rickard

From Roland.vanRijswijk at surfnet.nl Thu Mar 1 10:36:04 2012
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Thu, 1 Mar 2012 11:36:04 +0100
Subject: [Opendnssec-develop] Enforcer NG minutes 20120301 online
Message-ID: <52DEE57E-7B57-415D-AE0B-EB744A86ECD4@surfnet.nl>

Hi guys,

The meeting minutes for today's Enforcer NG telecon are online:

https://wiki.opendnssec.org/display/OpenDNSSEC/2012-03-01+-+Enforcer+NG+telecon

Please amend/update as you see fit.
@Yuri: can you update the minutes with the issue number of the key rollover issue once you have created the story in JIRA?

Cheers,

Roland

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From rickard at opendnssec.org Thu Mar 1 10:51:54 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 1 Mar 2012 11:51:54 +0100
Subject: [Opendnssec-develop] Enforcer NG minutes 20120301 online
In-Reply-To: <52DEE57E-7B57-415D-AE0B-EB744A86ECD4@surfnet.nl>
References: <52DEE57E-7B57-415D-AE0B-EB744A86ECD4@surfnet.nl>
Message-ID:

> Please amend/update as you see fit.

I have created 2.0.0a3 and 2.0.0b1 in Jira. And re-assigned issues to them.

// Rickard

From Roland.vanRijswijk at surfnet.nl Thu Mar 1 10:54:03 2012
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Thu, 1 Mar 2012 11:54:03 +0100
Subject: [Opendnssec-develop] Enforcer NG minutes 20120301 online
In-Reply-To:
References: <52DEE57E-7B57-415D-AE0B-EB744A86ECD4@surfnet.nl>
Message-ID:

Hi Rickard,

On 1 Mar 2012, at 11:51, Rickard Bellgrim wrote:

>> Please amend/update as you see fit.
>
> I have created 2.0.0a3 and 2.0.0b1 in Jira. And re-assigned issues to them.

Thanks!

Cheers,

Roland

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From sion at nominet.org.uk Mon Mar 5 10:26:48 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Mon, 5 Mar 2012 10:26:48 +0000
Subject: [Opendnssec-develop] Meeting 20120228
In-Reply-To:
References:
Message-ID: <4F5494E8.9030102@nominet.org.uk>

On 27/02/12 09:01, Rickard Bellgrim wrote:
> Hi
>
> We have a meeting tomorrow.
>
> Date: Tuesday 28 February
> Time: 14:00-15:00 CET, 13:00-14:00 GMT
>
> Agenda:
> https://wiki.opendnssec.org/display/OpenDNSSEC/2012-02-28+Agenda
>
> // Rickard
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

Minutes are up now:
https://wiki.opendnssec.org/display/OpenDNSSEC/2012-02-28+Minutes

Sorry for the delay.

Sion

From matthijs at nlnetlabs.nl Mon Mar 5 14:47:38 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Mon, 05 Mar 2012 15:47:38 +0100
Subject: [Opendnssec-develop] maintainers list
Message-ID: <4F54D20A.8050805@nlnetlabs.nl>

Hi,

It is nice that the upcoming releases for OpenDNSSEC and SoftHSM are announced, but the real benefit for such a list is if package maintainers can test the release. I think what we need to do with this list is:

* Create a tarball release candidate (including checksum)
* Announce it to the maintainers list, with the request to test it
* Give it a week or so to receive feedback.
* If no showstoppers are reported, do the actual release. Otherwise, fix stuff and make a new release candidate.

Thoughts?
Best regards,

Matthijs

From jerry at opendnssec.org Mon Mar 5 15:23:29 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 5 Mar 2012 16:23:29 +0100
Subject: [Opendnssec-develop] maintainers list
In-Reply-To: <4F54D20A.8050805@nlnetlabs.nl>
References: <4F54D20A.8050805@nlnetlabs.nl>
Message-ID: <65457A42-81C9-40D2-89A2-B3537E5A6525@opendnssec.org>

On Mar 5, 2012, at 15:47 , Matthijs Mekking wrote:

> Thoughts?

+1 absolutely !

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From matthijs at nlnetlabs.nl Thu Mar 8 14:03:52 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Thu, 08 Mar 2012 15:03:52 +0100
Subject: [Opendnssec-develop] documentation updated for 1.4
Message-ID: <4F58BC48.8040701@nlnetlabs.nl>

Hi,

I have updated the trunk's documentation to match the upcoming 1.4 release.
https://wiki.opendnssec.org/display/DOCSTRUNK/

Best regards,

Matthijs

From jerry at opendnssec.org Fri Mar 9 06:53:45 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 9 Mar 2012 07:53:45 +0100
Subject: [Opendnssec-develop] maintainers list
In-Reply-To: <4F54D20A.8050805@nlnetlabs.nl>
References: <4F54D20A.8050805@nlnetlabs.nl>
Message-ID:

Hey all,

On Mon, Mar 5, 2012 at 3:47 PM, Matthijs Mekking wrote:
>
> * Create a tarball release candidate (including checksum)
> * Announce it to the maintainers list, with the request to test it
> * Give it a week or so to receive feedback.
> * If no showstoppers are reported, do the actual release. Otherwise,
> fix stuff and make a new release candidate.

I've been thinking about this some and would like to extend this suggestion with a two week QA process.

I believe it would be relatively simple to setup a continuous running setup of OpenDNSSEC on all build platforms, this would be a separate installation of OpenDNSSEC running signing on a few example zones. Jenkins could then be used to poke at OpenDNSSEC with normal operations like adding and deleting zones, resigning and key rollovers (I would need help writing these test cases).

The process would look something like this.
- if any step fails we start over
- if any changes are needed we start over, increase rc

* Can we release 1.3.7
* Tag 1.3.7rc1, tarball, upload to site
* Announce, link + checksum
* Switch continuous running setup (CRS) to tag 1.3.7rc1
* Wait 2 weeks
* Copy tag 1.3.7rc1 to 1.3.7qa1 (or plain 1.3.7, but a QA tag might be nice)
* Announce, link + checksum

Thoughts?
/Jerry

From matthijs at nlnetlabs.nl Fri Mar 9 09:28:57 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Fri, 09 Mar 2012 10:28:57 +0100
Subject: [Opendnssec-develop] maintainers list
In-Reply-To:
References: <4F54D20A.8050805@nlnetlabs.nl>
Message-ID: <4F59CD59.1070901@nlnetlabs.nl>

Hi,

On 03/09/2012 07:53 AM, Jerry Lundström wrote:
> Hey all,
>
> On Mon, Mar 5, 2012 at 3:47 PM, Matthijs Mekking wrote:
>>
>> * Create a tarball release candidate (including checksum)
>> * Announce it to the maintainers list, with the request to test it
>> * Give it a week or so to receive feedback.
>> * If no showstoppers are reported, do the actual release. Otherwise,
>> fix stuff and make a new release candidate.
>
> I've been thinking about this some and would like to extend this
> suggestion with a two week QA process.
>
> I believe it would be relatively simple to setup a continuous running
> setup of OpenDNSSEC on all build platforms, this would be a separate
> installation of OpenDNSSEC running signing on a few example zones.
> Jenkins could then be used to poke at OpenDNSSEC with normal
> operations like adding and deleting zones, resigning and key rollovers
> (I would need help writing these test cases).
>
> The process would look something like this.
> - if any step fails we start over
> - if any changes are needed we start over, increase rc
>
> * Can we release 1.3.7
> * Tag 1.3.7rc1, tarball, upload to site
> * Announce, link + checksum
> * Switch continuous running setup (CRS) to tag 1.3.7rc1
> * Wait 2 weeks

If the maintainers are okay with it, I would like to wait for one week maximum. That seems to be working for nsd/unbound/ldns.

> * Copy tag 1.3.7rc1 to 1.3.7qa1 (or plain 1.3.7, but a QA tag might be nice)

My preference would be plain 1.3.7.

> * Announce, link + checksum
>
> Thoughts?
> /Jerry

From jerry at opendnssec.org Fri Mar 9 09:34:53 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 9 Mar 2012 10:34:53 +0100
Subject: [Opendnssec-develop] maintainers list
In-Reply-To: <4F59CD59.1070901@nlnetlabs.nl>
References: <4F54D20A.8050805@nlnetlabs.nl> <4F59CD59.1070901@nlnetlabs.nl>
Message-ID: <8B4F8919-1E59-4440-9B5B-6EEDF37E259B@opendnssec.org>

On Mar 9, 2012, at 10:28 , Matthijs Mekking wrote:

> > * Wait 2 weeks
>
> If the maintainers are okay with it, I would like to wait for one week
> maximum. That seems to be working for nsd/unbound/ldns.

It wasn't so much waiting for the maintainers, it was more we decide that we have a 2 week QA period in which the maintainers can prepare a new release on a release candidate that will be the same later on (code freeze for that tag).
I took 2 weeks since we have a tele conference every 2 weeks, simpler to coordinate on those meetings.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From rickard at opendnssec.org Fri Mar 9 12:30:12 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Fri, 9 Mar 2012 13:30:12 +0100
Subject: [Opendnssec-develop] maintainers list
In-Reply-To: <4F59CD59.1070901@nlnetlabs.nl>
References: <4F54D20A.8050805@nlnetlabs.nl> <4F59CD59.1070901@nlnetlabs.nl>
Message-ID:

> If the maintainers are okay with it, I would like to wait for one week
> maximum. That seems to be working for nsd/unbound/ldns.
>
>> * Copy tag 1.3.7rc1 to 1.3.7qa1 (or plain 1.3.7, but a QA tag might be nice)
>
> My preference would be plain 1.3.7.

+1

// Rickard

From rickard at opendnssec.org Mon Mar 12 13:40:50 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Mon, 12 Mar 2012 14:40:50 +0100
Subject: [Opendnssec-develop] Meeting 2012-03-13
Message-ID:

Hi

We have a telephone meeting tomorrow:

Date: Tuesday 13 March
Time: 14:00-15:00 CET, 13:00-14:00 GMT

Agenda:
https://wiki.opendnssec.org/display/OpenDNSSEC/2012-03-13+Agenda

// Rickard

From matthijs at nlnetlabs.nl Tue Mar 13 13:31:27 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Tue, 13 Mar 2012 14:31:27 +0100
Subject: [Opendnssec-develop] Meeting 2012-03-13
In-Reply-To:
References:
Message-ID: <4F5F4C2F.6000608@nlnetlabs.nl>

And the minutes

https://wiki.opendnssec.org/display/OpenDNSSEC/2012-03-13+Minutes

On 03/12/2012 02:40 PM, Rickard Bellgrim wrote:
> Hi
>
> We have a telephone meeting tomorrow:
>
> Date: Tuesday 13 March
> Time: 14:00-15:00 CET, 13:00-14:00 GMT
>
> Agenda:
> https://wiki.opendnssec.org/display/OpenDNSSEC/2012-03-13+Agenda
>
> // Rickard

From sion at nominet.org.uk Wed Mar 14 09:35:47 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Wed, 14 Mar 2012 09:35:47 +0000
Subject: [Opendnssec-develop] 1.4.0a xml migration
Message-ID: <4F606673.3040603@nominet.org.uk>

Morning,

It occurred to me that we need to write a script to migrate a user's xml files to be compatible with the new rng files. (I think that this just means dropping, or commenting out, all auditor tags... Is there anything else?)

Do we need this for the alpha release? Or do we trust folk who use an alpha release to be able to comment these lines out themselves, and just mention it in the notes?

Sion

From rickard at opendnssec.org Wed Mar 14 11:44:37 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Wed, 14 Mar 2012 12:44:37 +0100
Subject: [Opendnssec-develop] 1.4.0a xml migration
In-Reply-To: <4F606673.3040603@nominet.org.uk>
References: <4F606673.3040603@nominet.org.uk>
Message-ID:

> It occurred to me that we need to write a script to migrate a user's xml
> files to be compatible with the new rng files. (I think that this just means
> dropping, or commenting out, all auditor tags... Is there anything else?)
>
> Do we need this for the alpha release? Or do we trust folk who use an alpha
> release to be able to comment these lines out themselves, and just mention
> it in the notes?

We currently install sample files of the configuration.
I think you usually never touch the user's configuration. Isn't it mostly up to them to correct any changes in the configuration?

// Rickard

From sion at nominet.org.uk Wed Mar 14 11:50:29 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Wed, 14 Mar 2012 11:50:29 +0000
Subject: [Opendnssec-develop] 1.4.0a xml migration
In-Reply-To:
References: <4F606673.3040603@nominet.org.uk>
Message-ID: <4F608605.9080001@nominet.org.uk>

On 14/03/12 11:44, Rickard Bellgrim wrote:
>> It occurred to me that we need to write a script to migrate a user's xml
>> files to be compatible with the new rng files. (I think that this just means
>> dropping, or commenting out, all auditor tags... Is there anything else?)
>>
>> Do we need this for the alpha release? Or do we trust folk who use an alpha
>> release to be able to comment these lines out themselves, and just mention
>> it in the notes?
> We currently install sample files of the configuration. I think you
> usually never touch the user's configuration. Isn't it mostly up to them
> to correct any changes in the configuration?
>

So we just need some documentation to say which tags need to go? That works too; I had just thought of this as a migration like any other.

From matthijs at nlnetlabs.nl Wed Mar 14 12:10:16 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Wed, 14 Mar 2012 13:10:16 +0100
Subject: [Opendnssec-develop] 1.4.0a xml migration
In-Reply-To: <4F608605.9080001@nominet.org.uk>
References: <4F606673.3040603@nominet.org.uk> <4F608605.9080001@nominet.org.uk>
Message-ID: <4F608AA8.5060009@nlnetlabs.nl>

On 03/14/2012 12:50 PM, Siôn Lloyd wrote:
> On 14/03/12 11:44, Rickard Bellgrim wrote:
>>> It occurred to me that we need to write a script to migrate a user's xml
>>> files to be compatible with the new rng files. (I think that this
>>> just means
>>> dropping, or commenting out, all auditor tags... Is there anything
>>> else?)
The following changes are made:

conf:
-ZoneFetchFile
-ToolsDirectory
-Auditor
+Listener (optional)

kasp:
-Audit

signconf:
-Audit

and zonefetch is replaced with adddns.

>>>
>>> Do we need this for the alpha release? Or do we trust folk who use an
>>> alpha
>>> release to be able to comment these lines out themselves, and just
>>> mention
>>> it in the notes?
>> We currently install sample files of the configuration. I think you
>> usually never touch the user's configuration. Isn't it mostly up to them
>> to correct any changes in the configuration?

So there is no clean upgrade from 1.3 to 1.4? (because the components will complain about the audit tag).

>>
>
> So we just need some documentation to say which tags need to go? That
> works too; I had just thought of this as a migration like any other.

Is there a migration script for the kasp database (required) ?

Best regards,

Matthijs

From sion at nominet.org.uk Wed Mar 14 12:50:27 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Wed, 14 Mar 2012 12:50:27 +0000
Subject: [Opendnssec-develop] 1.4.0a xml migration
In-Reply-To: <4F608AA8.5060009@nlnetlabs.nl>
References: <4F606673.3040603@nominet.org.uk> <4F608605.9080001@nominet.org.uk> <4F608AA8.5060009@nlnetlabs.nl>
Message-ID: <4F609413.6030907@nominet.org.uk>

On 14/03/12 12:10, Matthijs Mekking wrote:
> On 03/14/2012 12:50 PM, Siôn Lloyd wrote:
>> On 14/03/12 11:44, Rickard Bellgrim wrote:
>>>> It occurred to me that we need to write a script to migrate a user's xml
>>>> files to be compatible with the new rng files. (I think that this
>>>> just means
>>>> dropping, or commenting out, all auditor tags... Is there anything
>>>> else?)
> The following changes are made:
>
> conf:
> -ZoneFetchFile
> -ToolsDirectory
> -Auditor
> +Listener (optional)
>
> kasp:
> -Audit
>
> signconf:
> -Audit
>
> and zonefetch is replaced with adddns.
>
>>>> Do we need this for the alpha release? Or do we trust folk who use an
>>>> alpha
>>>> release to be able to comment these lines out themselves, and just
>>>> mention
>>>> it in the notes?
>>> We currently install sample files of the configuration. I think you
>>> usually never touch the user's configuration. Isn't it mostly up to them
>>> to correct any changes in the configuration?
> So there is no clean upgrade from 1.3 to 1.4? (because the components
> will complain about the audit tag).

The enforcer will not run against the old xml as if the rng check fails it stops... So it is worse than just complaining.

>> So we just need some documentation to say which tags need to go? That
>> works too; I had just thought of this as a migration like any other.
> Is there a migration script for the kasp database (required) ?
>

Yes, because new columns are added for the adapters.

I think that documentation is okay for an alpha release; but when we actually go to 1.4.0 we should provide a migration script.
Sion

From jerry at opendnssec.org Thu Mar 22 14:39:52 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 22 Mar 2012 15:39:52 +0100
Subject: [Opendnssec-develop] Test platform: Added SUSE and 4 32bit dists
Message-ID:

Hi,

Some updates have been made to the test platform:

- Added SUSE Linux Enterprise Server 11 SR2 64bit
- Added Ubuntu Server 10.04.3 32bit
- Added CentOS 6.2 32bit
- Added OpenSUSE 12.1 32bit
- Added FreeBSD 9 32bit (still need to setup this)

- Disabled test-opendnssec-trunk job
  Signer hangs on a test on OpenSUSE 32bit and does not recover so it does not continue, would stall all tests on that platform if left enabled

/Jerry

From rickard at opendnssec.org Thu Mar 22 14:55:27 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 22 Mar 2012 15:55:27 +0100
Subject: [Opendnssec-develop] Meeting 2012-03-27
Message-ID:

Hi

We have a meeting on Tuesday.

Date: Tuesday 27 March
Time: 14:00-15:00 CET, 13:00-14:00 GMT

You can find the agenda here:
https://wiki.opendnssec.org/display/OpenDNSSEC/2012-03-27+Agenda

// Rickard

From jerry at opendnssec.org Sun Mar 25 14:30:06 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Sun, 25 Mar 2012 16:30:06 +0200
Subject: [Opendnssec-develop] Re: Test platform: Added SUSE and 4 32bit dists
In-Reply-To:
References:
Message-ID:

FreeBSD 9 32bit is now online and 1.3/trunk compiled.
On Thu, Mar 22, 2012 at 3:39 PM, Jerry Lundström wrote:
> Hi,
>
> Some updates have been made to the test platform:
>
> - Added SUSE Linux Enterprise Server 11 SR2 64bit
> - Added Ubuntu Server 10.04.3 32bit
> - Added CentOS 6.2 32bit
> - Added OpenSUSE 12.1 32bit
> - Added FreeBSD 9 32bit (still need to setup this)
>
> - Disabled test-opendnssec-trunk job
>   Signer hangs on a test on OpenSUSE 32bit and does not recover so it
> does not continue, would stall all tests on that platform if left
> enabled
>
> /Jerry

From Roland.vanRijswijk at surfnet.nl Mon Mar 26 07:01:07 2012
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Mon, 26 Mar 2012 09:01:07 +0200
Subject: [Opendnssec-develop] Enforcer NG telecon at 10:00h CEST, 9:00h BST
Message-ID:

Hi all,

Just a friendly reminder that we have an Enforcer NG telecon scheduled for today at 10:00h CEST / 9:00h BST. Here are the conference details:

Dial-in to +31-30-2040323
Conference PIN: 030003

Cheers,

Roland

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From Roland.vanRijswijk at surfnet.nl Mon Mar 26 08:29:23 2012
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Mon, 26 Mar 2012 10:29:23 +0200
Subject: [Opendnssec-develop] Meeting minutes for Enforcer NG telecon 2012-03-26
Message-ID:

Hi guys,

The meeting minutes for today's Enforcer NG telecon are online and can be found here:

https://wiki.opendnssec.org/display/OpenDNSSEC/2012-03-26+-+Enforcer+NG+telecon

Please update as needed. The next Enforcer NG telecon is planned for Tuesday April 10th at 14:00h CEST/13:00h BST, so please mark it in your calendars ;-)

Cheers,

Roland

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From jerry at opendnssec.org Mon Mar 26 09:59:36 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 26 Mar 2012 11:59:36 +0200
Subject: [Opendnssec-develop] 50.000 zones might not be such a problem with 1.3 after all...
Message-ID:

https://issues.opendnssec.org/browse/OPENDNSSEC-234

From rick at openfortress.nl Tue Mar 27 11:46:24 2012
From: rick at openfortress.nl (Rick van Rein)
Date: Tue, 27 Mar 2012 11:46:24 +0000
Subject: [Opendnssec-develop] Multiple-view OpenDNSSEC thoughts
Message-ID: <20120327114624.GA32612@newphantom.local>

Hello,

I've been thinking a bit about multiple-view options for OpenDNSSEC. The question comes up every now and then, and we currently cannot handle them in one instance. Applications are differing internal and external views, or time-dependent replies e.g. for ENUM, or perhaps IPv4 and IPv6 views for various transitioning techniques.

The principal problem as I understand it, is that the identity of a signed zone in OpenDNSSEC matches that of a zone in DNS. Since there is a possibility to provide various views on the latter, a better identity for a signed zone in OpenDNSSEC would be a tuple holding the zone's DNS name and some admin-picked label for the view, so (zonename,viewlabel) or in XML:

In non-XML prints, a default for the option view could be to not print a view, but distinguish views with labels through an addition like

    Found Zone: example.com; view intern; on policy default
    Found Zone: example.com; view extern; on policy default

The result of this identity-tuple would be that the zones are treated entirely differently. It is a matter of choice whether the same keys would be used, in a sort of shared mode. This would avoid revealing keys for all views to each user (saving bandwidth, and perhaps being more secure).

Any thoughts on this kind of facility?
Cheers,
 -Rick

From rick at openfortress.nl Tue Mar 27 13:12:58 2012
From: rick at openfortress.nl (Rick van Rein)
Date: Tue, 27 Mar 2012 13:12:58 +0000
Subject: [Opendnssec-develop] Meeting notes 2012-03-27
Message-ID: <20120327131258.GB17573@newphantom.local>

Hello,

The meeting notes of just yet are now online,
https://wiki.opendnssec.org/display/OpenDNSSEC/2012-03-27+Minutes

As always, it's a Wiki, change it as you see fit.

Cheers,
 -Rick

From jerry at opendnssec.org Tue Mar 27 13:21:48 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 27 Mar 2012 15:21:48 +0200
Subject: [Opendnssec-develop] Meeting notes 2012-03-27
In-Reply-To: <20120327131258.GB17573@newphantom.local>
References: <20120327131258.GB17573@newphantom.local>
Message-ID:

On Mar 27, 2012, at 15:12 , Rick van Rein wrote:

> The meeting notes of just yet are now online,

I've removed the mysql is experimental, it was in the conf.xml on the wiki.

Added two issues for the testing, a parent/placeholder [1] for all issues I will find as I migrate the test cases to 1.4 and an issue [2] for migrating from SIDN to 1.3 branch.

[1] https://issues.opendnssec.org/browse/OPENDNSSEC-236
[2] https://issues.opendnssec.org/browse/OPENDNSSEC-237

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From rickard at opendnssec.org Tue Mar 27 14:47:23 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 27 Mar 2012 16:47:23 +0200
Subject: [Opendnssec-develop] Multiple-view OpenDNSSEC thoughts
In-Reply-To: <20120327114624.GA32612@newphantom.local>
References: <20120327114624.GA32612@newphantom.local>
Message-ID:

> Any thoughts on this kind of facility?

For the record: We discussed Rick's email during the last meeting and the idea was considered good. The text was added to the corresponding Jira issue.
// Rickard

From matthijs at nlnetlabs.nl Tue Mar 27 14:51:25 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Tue, 27 Mar 2012 16:51:25 +0200 (CEST)
Subject: [Opendnssec-develop] Multiple-view OpenDNSSEC thoughts
In-Reply-To:
References: <20120327114624.GA32612@newphantom.local>
Message-ID:

I just saw Rick's e-mail and +1

Matthijs

On Tue, 27 Mar 2012, Rickard Bellgrim wrote:

>> Any thoughts on this kind of facility?
>
> For the record: We discussed Rick's email during the last meeting and
> the idea was considered good. The text was added to the corresponding
> Jira issue.
>
> // Rickard
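
The leading-zero condition from the NEWS text in the first message of this archive ("BAABA" versus "AwEAA"), as an added example that is not part of any post and is not OpenDNSSEC's own code: it splits the RSA public key field of a DNSKEY into exponent and modulus per RFC 3110, reports leading zero octets, and returns the sanitized encoding with the RFC 4034 key tag before and after. It goes beyond the post by also checking the modulus; the function names, flags 256, algorithm 8 and the 8-byte stand-in modulus are constructed assumptions.

```python
import base64
import struct


def split_rsa_key(pubkey):
    """Split an RFC 3110 RSA key field into (exponent, modulus) bytes."""
    if len(pubkey) < 3:
        raise ValueError("public key field too short")
    if pubkey[0] != 0:                       # one-octet exponent length
        elen, off = pubkey[0], 1
    else:                                    # zero octet, then two-octet length
        elen, off = struct.unpack("!H", pubkey[1:3])[0], 3
    if elen == 0 or off + elen >= len(pubkey):
        raise ValueError("exponent length does not fit the key field")
    return pubkey[off:off + elen], pubkey[off + elen:]


def join_rsa_key(exponent, modulus):
    """Re-encode exponent and modulus in RFC 3110 wire form."""
    if not exponent or not modulus:
        raise ValueError("exponent or modulus consists only of zero octets")
    if len(exponent) <= 255:
        prefix = bytes([len(exponent)])
    else:
        prefix = b"\x00" + struct.pack("!H", len(exponent))
    return prefix + exponent + modulus


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag, computed over the whole DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def audit_dnskey(flags, protocol, algorithm, pubkey_b64):
    """Report leading zero octets in an RSA DNSKEY and the sanitized form."""
    # Zone files may wrap the base64 text, so drop whitespace before decoding.
    published = base64.b64decode("".join(pubkey_b64.split()), validate=True)
    exponent, modulus = split_rsa_key(published)
    padded = [name for name, value in (("exponent", exponent),
                                       ("modulus", modulus)) if value[0] == 0]
    clean = join_rsa_key(exponent.lstrip(b"\x00"), modulus.lstrip(b"\x00"))
    return {
        "affected": bool(padded),
        "padded_fields": padded,
        "sanitized": base64.b64encode(clean).decode("ascii"),
        "tag_published": key_tag(flags, protocol, algorithm, published),
        "tag_sanitized": key_tag(flags, protocol, algorithm, clean),
    }


# Constructed sample data: an 8-byte stand-in modulus, not a real RSA key.
MODULUS = bytes.fromhex("d1d3d5d7d9dbdddf")
# Exponent 65537 stored as 00 01 00 01 (length 4): the padded form.
PADDED_KEY = base64.b64encode(bytes.fromhex("0400010001") + MODULUS).decode()
# Exponent 65537 stored as 01 00 01 (length 3): the normal form.
NORMAL_KEY = base64.b64encode(bytes.fromhex("03010001") + MODULUS).decode()

if __name__ == "__main__":
    for label, key in (("padded", PADDED_KEY), ("normal", NORMAL_KEY)):
        # Flags 256, protocol 3, algorithm 8 (RSASHA256) are assumed values.
        print(label, key, audit_dnskey(256, 3, 8, key))
```

Because the key tag is computed over the whole RDATA, the sanitized key is published as a different DNSKEY than the padded one.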