<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style id=owaParaStyle>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.emailstyle17
{mso-style-name:emailstyle17;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page Section1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=NL link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Hey all,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>ODS (enforcer) is not
generating any new keys where I expect it to. The situation:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>I installed RC3 and
signed some zones with it. Afterwards I stopped the engines and deleted the
content of the following directories:<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>/var/opendnssec/tmp<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:#1F497D'>/var/opendnssec/signconf<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>/var/opendnssec/signed<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Then ran the
following commands:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>ods-ksmutil zone
delete --all<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>ods-ksmutil update
all<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>ods-ksmutil zone add -z
nl<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>ods-ksmutil update
all<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>zonelist.xml shows
only nl with proper paths. “ods-ksmutil key list -v” shows no
keys. <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>This is the way I
always start a new test and it always worked out. The only difference is that
since RC3 I’m using the Luna SA instead of SoftHSM. The Luna contains 14
keypairs, shown in both ods-hsmutil and the Luna client software. <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>But now it seems ODS
(enforcer) is unable to generate keys. There is still no signconf generated for
nl. This has been logged exactly like this for about 16 hours now:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Reading config schema
"/usr/local/share/opendnssec/conf.rng"<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Communication Interval: 3600<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: No DS Submit command supplied<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Log User set to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Switched log facility to: local0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Connecting to Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Policy default found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Key sharing is Off.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Zone nl found.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Policy for nl set to default.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Config will be output to
/var/opendnssec/signconf/nl.xml.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Not enough keys to satisfy ksk policy for zone: nl<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: ods-enforcerd will create some more keys on its next run<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Error allocating ksks to zone nl<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Disconnecting from Database...<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>May 20 11:00:02
signer1 ods-enforcerd: Sleeping for 3600 seconds.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Generating keys in
the Luna SA manually works out fine. So it’s not full. I couldn’t
even imagine it, since there are only 14 keypairs in there right now. <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>I checked the kasp.db
and there are traces of the old keys (previous signings) there. Should I try an
ods-ksmutil setup? Even if that works... in my opinion ODS should be able
to continue signing even with some traces of old keys.<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>sqlite> select *
from keypairs;<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>2|f0aa22d8c7d2e84ca9645fabec41de1d|7|2048|1|10|2010-05-17
16:16:35|2010-05-17 22:28:08|2010-05-17 22:28:08|2010-05-18
12:28:08|||1|||2010-05-17 16:19:15|0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>6|955506bafe1fbfac64454489f3189667|7|2048|1|10|2010-05-17
16:26:24|2010-05-17 22:28:09|2010-05-17 22:28:09|2010-05-18
12:28:09|||1|||2010-05-17 16:28:00|0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>9|d1b3af3e062ed1413c7785df7197228b|7|2048|1|7|2010-05-17
23:28:09|2010-05-17 23:28:10|||||1||||0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>10|61a39bbb3dc9287509c7955ffcd8a8d3|7|2048|1|7|2010-05-17
23:28:09|2010-05-17 23:28:10|||||1||||0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>11|e5bd27be08ab78c1cebe152b91aa4620|7|1024|1|1|2010-05-18
10:49:37||||||1||||0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>12|5ed8fbe39e752e7760fdf4c7580e24dd|7|1024|1|1|2010-05-18
10:49:37||||||1||||0<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Keys part of the policy
if it might be of any interest:<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'> <Keys><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<!-- Parameters for both KSK and ZSK --><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<TTL>PT1H</TTL><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<RetireSafety>PT1H</RetireSafety><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<PublishSafety>PT1H</PublishSafety><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<!--
<ShareKeys/> --><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<Purge>P1D</Purge><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<!-- Parameters for KSK only --><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<KSK><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<Algorithm length="2048">7</Algorithm><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<Lifetime>PT24H</Lifetime><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<Repository>luna</Repository><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<Standby>1</Standby><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
</KSK><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<!-- Parameters for ZSK only --><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<ZSK><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<Algorithm length="1024">7</Algorithm><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<Lifetime>PT8H</Lifetime><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<Repository>luna</Repository><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<Standby>1</Standby><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
<!-- <ManualRollover/> --><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
</ZSK><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>
</Keys><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Who can help me out
or confirm this is an issue?<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Cheers,<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'>Rick<o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:#1F497D'><o:p> </o:p></span></p>
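<p class=MsoNormal>As an added example (not OpenDNSSEC's own code and not from the post): a small Python check that flags zones whose enforcer run ended in the "Not enough keys" / "Error allocating" condition shown in the log above, and reads the minimum key count per type off the KASP Keys fragment. It assumes that Standby counts standby keys in addition to one active key; the log lines and policy below are reconstructed from the post.</p>

```python
"""Added example: spot enforcer key-allocation failures in syslog and derive
the per-type key count a KASP <Keys> fragment demands (assumed semantics)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the relevant ods-enforcerd lines from the post.
SAMPLE_LOG = """\
May 20 11:00:02 signer1 ods-enforcerd: Zone nl found.
May 20 11:00:02 signer1 ods-enforcerd: Policy for nl set to default.
May 20 11:00:02 signer1 ods-enforcerd: Not enough keys to satisfy ksk policy for zone: nl
May 20 11:00:02 signer1 ods-enforcerd: ods-enforcerd will create some more keys on its next run
May 20 11:00:02 signer1 ods-enforcerd: Error allocating ksks to zone nl
May 20 11:00:02 signer1 ods-enforcerd: Sleeping for 3600 seconds.
"""

# Constructed sample: the KSK/ZSK part of the <Keys> policy fragment from the post.
SAMPLE_POLICY = """<Keys>
  <KSK><Algorithm length="2048">7</Algorithm><Lifetime>PT24H</Lifetime>
       <Repository>luna</Repository><Standby>1</Standby></KSK>
  <ZSK><Algorithm length="1024">7</Algorithm><Lifetime>PT8H</Lifetime>
       <Repository>luna</Repository><Standby>1</Standby></ZSK>
</Keys>"""

SHORTAGE = re.compile(r"Not enough keys to satisfy (ksk|zsk) policy for zone: (\S+)")
ALLOC_ERR = re.compile(r"Error allocating (ksk|zsk)s to zone (\S+)")

def stuck_zones(log_text):
    """Return {zone: {key types}} for zones the enforcer could not allocate keys to."""
    stuck = {}
    for line in log_text.splitlines():
        m = SHORTAGE.search(line) or ALLOC_ERR.search(line)
        if m:
            stuck.setdefault(m.group(2), set()).add(m.group(1))
    return stuck

def required_keys(policy_xml):
    """Minimum keys per type: one active key plus <Standby> standby keys (assumption)."""
    keys = ET.fromstring(policy_xml)
    out = {}
    for ktype in ("KSK", "ZSK"):
        node = keys.find(ktype)
        alg = node.find("Algorithm")
        out[ktype.lower()] = {"count": 1 + int(node.findtext("Standby", "0")),
                              "algorithm": int(alg.text), "bits": int(alg.get("length")),
                              "repository": node.findtext("Repository")}
    return out

if __name__ == "__main__":
    need = required_keys(SAMPLE_POLICY)
    for zone, types in stuck_zones(SAMPLE_LOG).items():
        for t in sorted(types):   # one alert per zone and key type, e.g. nl/ksk
            print(f"ALERT {zone}: {t} short; policy needs {need[t]['count']} x "
                  f"{need[t]['bits']}-bit alg {need[t]['algorithm']} in {need[t]['repository']}")
```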
<div>
<div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'>
<p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:
"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;
font-family:"Tahoma","sans-serif"'> Sion Lloyd [mailto:sion@nominet.org.uk] <br>
<b>Sent:</b> Tuesday, May 18, 2010 2:10 PM<br>
<b>To:</b> Rick Zijlker; Opendnssec-develop@lists.opendnssec.org<br>
<b>Subject:</b> RE: Signconf<o:p></o:p></span></p>
</div>
</div>
<p class=MsoNormal><o:p> </o:p></p>
<div>
<div>
<p class=MsoNormal style='margin-bottom:12.0pt'><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:black'>The signconfs are generated by
the enforcer.<br>
<br>
The enforcer runs on a scheduled basis as configured in the conf.xml
<Enforcer><Interval> tag. This is actually how long the enforcer
will sleep for between runs.<br>
<br>
If you want the enforcer to wake up out-of-sequence then send it a SIGHUP.<br>
<br>
Sion<o:p></o:p></span></p>
</div>
<div>
<div class=MsoNormal align=center style='text-align:center'><span
style='font-size:12.0pt;font-family:"Times New Roman","serif";color:black'>
<hr size=2 width="100%" align=center>
</span></div>
<div id=divRpF540229>
<p class=MsoNormal style='margin-bottom:12.0pt'><b><span style='font-size:10.0pt;
font-family:"Tahoma","sans-serif";color:black'>From:</span></b><span
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>
opendnssec-develop-bounces@lists.opendnssec.org
[opendnssec-develop-bounces@lists.opendnssec.org] on behalf of Rick Zijlker
[rick.zijlker@sidn.nl]<br>
<b>Sent:</b> 18 May 2010 12:28<br>
<b>To:</b> Opendnssec-develop@lists.opendnssec.org<br>
<b>Subject:</b> [Opendnssec-develop] Signconf</span><span style='font-size:
12.0pt;font-family:"Times New Roman","serif";color:black'><o:p></o:p></span></p>
</div>
<div>
<div>
<p class=MsoNormal><span style='color:black'>Hey,<o:p></o:p></span></p>
<p class=MsoNormal><span style='color:black'> <o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:black'>Can anyone explain to
me when and by whom the signconf of a zone is created? I am often
running into situations where ODS is waiting/searching for a signconf and often
I need to restart or just wait and suddenly it’s there. I would like to
know in more detail what happens.</span><span style='color:black'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:black'> </span><span
style='color:black'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:black'>Thanks,</span><span
style='color:black'><o:p></o:p></span></p>
<p class=MsoNormal><span lang=EN-US style='color:black'>Rick</span><span
style='color:black'><o:p></o:p></span></p>
</div>
</div>
</div>
</div>
</div>
</body>
</html>