[Opendnssec-user] Trouble with ods-enforcer policy import

Scott Colby scott at scolby.com
Sun Feb 9 04:57:42 UTC 2020


Hello,

I am setting up a new installation of OpenDNSSEC 2.1.3 on Raspbian
(Debian) 10 Buster. On this platform, the ODS daemons are managed
by systemd. After editing the config files and removing the
`prevent-startup` file, I initialized the database with
`ods-enforcer-db-setup` and started the daemons with `systemctl
start opendnssec-enforcer opendnssec-signer`. The startup is
successful. Next, I ran `ods-enforcer policy import`:

# ods-enforcer policy import
Unable to create policy default in the database!
Unable to create policy lab in the database!

The information in the database may have been changed during KASP
update and caused an update error, try rerunning policy import. If
the problem persists please check logs and database setup and after
correcting the problem rerun policy import.


A re-run didn't help. I increased the verbosity to 7 and ran the
command again. Here are the resulting logs:

[cmdhandler] accept client 11
received command policy import
[cmdhandler] policy import command
[policy_import_cmd] policy import command
SELECT policy.id, policy.rev, policy.name, policy.description, policy.signaturesResign, policy.signaturesRefresh, policy.signaturesJitter, policy.signaturesInceptionOffset, policy.signaturesValidityDefault, policy.signaturesValidityDenial, policy.signaturesValidityKeyset, policy.signaturesMaxZoneTtl, policy.denialType, policy.denialOptout, policy.denialTtl, policy.denialResalt, policy.denialAlgorithm, policy.denialIterations, policy.denialSaltLength, policy.denialSalt, policy.denialSaltLastChange, policy.keysTtl, policy.keysRetireSafety, policy.keysPublishSafety, policy.keysShared, policy.keysPurgeAfter, policy.zonePropagationDelay, policy.zoneSoaTtl, policy.zoneSoaMinimum, policy.zoneSoaSerial, policy.parentRegistrationDelay, policy.parentPropagationDelay, policy.parentDsTtl, policy.parentSoaTtl, policy.parentSoaMinimum, policy.passthrough FROM policy
INFO: The XML in /etc/opendnssec/kasp.xml is valid
[policy_key_*_from_xml] KSK
[policy_key_*_from_xml] algorithm length 2048
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime P365D
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default KskDoubleSignature
[policy_key_*_from_xml] - rfc5011
[policy_key_*_from_xml] ZSK
[policy_key_*_from_xml] algorithm length 2048
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime P90D
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default ZskPrePublication
[policy_key_*_from_xml] ZSK
[policy_key_*_from_xml] algorithm length 2048
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime P90D
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default ZskPrePublication
[policy_key_*_from_xml] KSK
[policy_key_*_from_xml] algorithm length 2048
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime P365D
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default KskDoubleSignature
[policy_key_*_from_xml] - rfc5011
[policy_key_*_from_xml] ZSK
[policy_key_*_from_xml] algorithm length 1024
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime PT4H
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default ZskPrePublication
[policy_key_*_from_xml] ZSK
[policy_key_*_from_xml] algorithm length 1024
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime PT4H
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default ZskPrePublication
SELECT policy.id, policy.rev, policy.name, policy.description, policy.signaturesResign, policy.signaturesRefresh, policy.signaturesJitter, policy.signaturesInceptionOffset, policy.signaturesValidityDefault, policy.signaturesValidityDenial, policy.signaturesValidityKeyset, policy.signaturesMaxZoneTtl, policy.denialType, policy.denialOptout, policy.denialTtl, policy.denialResalt, policy.denialAlgorithm, policy.denialIterations, policy.denialSaltLength, policy.denialSalt, policy.denialSaltLastChange, policy.keysTtl, policy.keysRetireSafety, policy.keysPublishSafety, policy.keysShared, policy.keysPurgeAfter, policy.zonePropagationDelay, policy.zoneSoaTtl, policy.zoneSoaMinimum, policy.zoneSoaSerial, policy.parentRegistrationDelay, policy.parentPropagationDelay, policy.parentDsTtl, policy.parentSoaTtl, policy.parentSoaMinimum, policy.passthrough FROM policy WHERE policy.name = ?
[policy_*_from_xml] policy default
[policy_*_from_xml] description A default policy that will amaze you and your friends
[policy_*_from_xml] signature resign PT2H
[policy_*_from_xml] signature refresh P3D
[policy_*_from_xml] signature validity default P14D
[policy_*_from_xml] signature validity denial P14D
[policy_*_from_xml] signature jitter PT12H
[policy_*_from_xml] signature inception offset PT3600S
[policy_*_from_xml] signature max zone ttl P1D
[policy_*_from_xml] denial nsec3
[policy_*_from_xml] denial ttl PT300S
[policy_*_from_xml] denial resalt P100D
[policy_*_from_xml] denial algorithm 1
[policy_*_from_xml] denial iterations 128
[policy_*_from_xml] denial salt length 15
[policy_*_from_xml] keys ttl PT3600S
[policy_*_from_xml] keys retire safety PT3600S
[policy_*_from_xml] keys publish safety PT3600S
[policy_*_from_xml] keys purge P14D
[policy_*_from_xml] zone propagation delay PT43200S
[policy_*_from_xml] zone soa ttl PT3600S
[policy_*_from_xml] zone soa minimum PT3600S
[policy_*_from_xml] zone soa serial unixtime
[policy_*_from_xml] parent propagation delay PT9999S
[policy_*_from_xml] parent ds ttl PT3600S
[policy_*_from_xml] parent soa ttl PT172800S
[policy_*_from_xml] parent soa minimum PT10800S
[policy_*_from_xml] - denial optout
[policy_*_from_xml] - keys shared keys
INSERT INTO policy ( name, description, signaturesResign, signaturesRefresh, signaturesJitter, signaturesInceptionOffset, signaturesValidityDefault, signaturesValidityDenial, signaturesValidityKeyset, signaturesMaxZoneTtl, denialType, denialOptout, denialTtl, denialResalt, denialAlgorithm, denialIterations, denialSaltLength, denialSalt, denialSaltLastChange, keysTtl, keysRetireSafety, keysPublishSafety, keysShared, keysPurgeAfter, zonePropagationDelay, zoneSoaTtl, zoneSoaMinimum, zoneSoaSerial, parentRegistrationDelay, parentPropagationDelay, parentDsTtl, parentSoaTtl, parentSoaMinimum, passthrough, rev ) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )
SELECT policy.id, policy.rev, policy.name, policy.description, policy.signaturesResign, policy.signaturesRefresh, policy.signaturesJitter, policy.signaturesInceptionOffset, policy.signaturesValidityDefault, policy.signaturesValidityDenial, policy.signaturesValidityKeyset, policy.signaturesMaxZoneTtl, policy.denialType, policy.denialOptout, policy.denialTtl, policy.denialResalt, policy.denialAlgorithm, policy.denialIterations, policy.denialSaltLength, policy.denialSalt, policy.denialSaltLastChange, policy.keysTtl, policy.keysRetireSafety, policy.keysPublishSafety, policy.keysShared, policy.keysPurgeAfter, policy.zonePropagationDelay, policy.zoneSoaTtl, policy.zoneSoaMinimum, policy.zoneSoaSerial, policy.parentRegistrationDelay, policy.parentPropagationDelay, policy.parentDsTtl, policy.parentSoaTtl, policy.parentSoaMinimum, policy.passthrough FROM policy WHERE policy.name = ?
[policy_*_from_xml] policy lab
[policy_*_from_xml] description Quick turnaround policy for lab work
[policy_*_from_xml] signature resign PT10M
[policy_*_from_xml] signature refresh PT30M
[policy_*_from_xml] signature validity default PT1H
[policy_*_from_xml] signature validity denial PT1H
[policy_*_from_xml] signature jitter PT1M
[policy_*_from_xml] signature inception offset PT3600S
[policy_*_from_xml] signature max zone ttl PT300S
[policy_*_from_xml] denial nsec
[policy_*_from_xml] keys ttl PT300S
[policy_*_from_xml] keys retire safety PT360S
[policy_*_from_xml] keys publish safety PT360S
[policy_*_from_xml] keys purge P14D
[policy_*_from_xml] zone propagation delay PT300S
[policy_*_from_xml] zone soa ttl PT300S
[policy_*_from_xml] zone soa minimum PT300S
[policy_*_from_xml] zone soa serial unixtime
[policy_*_from_xml] parent propagation delay PT9999S
[policy_*_from_xml] parent ds ttl PT3600S
[policy_*_from_xml] parent soa ttl PT172800S
[policy_*_from_xml] parent soa minimum PT10800S
[policy_*_from_xml] - denial optout
[policy_*_from_xml] - keys shared keys
[policy_*_from_xml] - denial ttl
INSERT INTO policy ( name, description, signaturesResign, signaturesRefresh, signaturesJitter, signaturesInceptionOffset, signaturesValidityDefault, signaturesValidityDenial, signaturesValidityKeyset, signaturesMaxZoneTtl, denialType, denialOptout, denialTtl, denialResalt, denialAlgorithm, denialIterations, denialSaltLength, denialSalt, denialSaltLastChange, keysTtl, keysRetireSafety, keysPublishSafety, keysShared, keysPurgeAfter, zonePropagationDelay, zoneSoaTtl, zoneSoaMinimum, zoneSoaSerial, parentRegistrationDelay, parentPropagationDelay, parentDsTtl, parentSoaTtl, parentSoaMinimum, passthrough, rev ) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )
SELECT zone.id, zone.rev, zone.policyId, zone.name, zone.signconfNeedsWriting, zone.signconfPath, zone.nextChange, zone.ttlEndDs, zone.ttlEndDk, zone.ttlEndRs, zone.rollKskNow, zone.rollZskNow, zone.rollCskNow, zone.inputAdapterType, zone.inputAdapterUri, zone.outputAdapterType, zone.outputAdapterUri, zone.nextKskRoll, zone.nextZskRoll, zone.nextCskRoll FROM zone
[cmdhandler] done handling command policy import


You can see I've made some small changes from the default values
in kasp.xml, but nothing major.

I also tried running `ods-kaspcheck`:

# ods-kaspcheck
INFO: The XML in /etc/opendnssec/conf.xml is valid
INFO: The XML in /etc/opendnssec/kasp.xml is valid
INFO: The XML in /etc/opendnssec/zonelist.xml is valid


None of the logs or diagnostic tools that I know of for OpenDNSSEC
are reporting any useful information other than "it didn't work."

How can I figure out what is going wrong here? How can I import my
policies?

Thank you,
Scott Colby
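As an added example (not part of Scott's post and not OpenDNSSEC's own code), here is a small parser for the `[policy_key_*_from_xml]` and `[policy_*_from_xml]` verbosity-7 lines quoted above that groups them per key and per policy and flags settings worth reviewing before a policy goes live. The log excerpt is constructed from the values in the post, and the RSA-length and NSEC/NSEC3 checks are my own, not checks the enforcer performs.

```python
import re

# Constructed excerpt of ods-enforcer verbosity-7 log lines in the format
# quoted in the post; values mirror its "default" and "lab" policies.
SAMPLE_LOG = """\
[policy_key_*_from_xml] KSK
[policy_key_*_from_xml] algorithm length 2048
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] ZSK
[policy_key_*_from_xml] algorithm length 1024
[policy_key_*_from_xml] algorithm 8
[policy_*_from_xml] policy default
[policy_*_from_xml] denial nsec3
[policy_*_from_xml] denial iterations 128
[policy_*_from_xml] policy lab
[policy_*_from_xml] denial nsec
"""
LINE_RE = re.compile(r"^\[(policy_key|policy)_\*_from_xml\] (.*)$", re.M)

def parse_log(log):  # returns (key dicts in log order, settings keyed by policy name)
    keys, policies, cur = [], {}, None
    for kind, body in LINE_RE.findall(log):
        if kind == "policy_key":          # a per-key block starts with its role
            if body in ("KSK", "ZSK", "CSK"):
                keys.append({"role": body})
            elif body.startswith("algorithm length "):
                keys[-1]["bits"] = int(body.rsplit(" ", 1)[1])
            elif body.startswith("algorithm "):
                keys[-1]["algorithm"] = int(body.rsplit(" ", 1)[1])
        elif body.startswith("policy "):  # a per-policy block starts with its name
            cur = policies.setdefault(body[7:], {})
        elif body.startswith("- "):       # "- x" means option x is not set
            cur[body[2:]] = None
        else:                             # "<setting words> <value>"
            k, _, v = body.rpartition(" ")
            cur[k] = v
    return keys, policies

def review(keys, policies):  # findings a defender should question before import
    findings = []
    for k in keys:  # algorithm numbers 5/7/8/10 are RSA variants; <2048 bits is weak
        if k.get("algorithm") in (5, 7, 8, 10) and k.get("bits", 0) < 2048:
            findings.append(f"{k['role']}: RSA {k['bits']}-bit key is below 2048")
    for name, p in policies.items():
        if p.get("denial") == "nsec":
            findings.append(f"{name}: NSEC permits zone enumeration")
        elif int(p.get("denial iterations", 0)) > 0:
            findings.append(f"{name}: NSEC3 iterations {p['denial iterations']}; RFC 9276 recommends 0")
    return findings
```

Run it over the real log with `parse_log(open("/var/log/syslog").read())` (path is an assumption; use wherever your enforcer logs go) to get a per-policy view that the "Unable to create policy" message alone does not give.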

