From rick at openfortress.nl Wed Dec 2 12:27:30 2009 From: rick at openfortress.nl (Rick van Rein) Date: Wed, 2 Dec 2009 12:27:30 +0000 Subject: [Opendnssec-develop] Make the keys extractable from HSM? In-Reply-To: <983F17705339E24699AA251B458249B51F19679601@EXCHANGE2K7.office.nic.se> References: <983F17705339E24699AA251B458249B51F19679601@EXCHANGE2K7.office.nic.se> Message-ID: <20091202122730.GC9466@phantom.vanrein.org> Hey Rickard, You brought up a good point: > If a key is marked as extractable, you can export the key encrypted and then import it into another HSM. > > We currently have the extractable attribute set to false. > > We should still have the keys marked as sensitive, so that the key material cannot be revealed in plain text. But my question is whether we should have the key extractable or not? I agree that this makes sense. Even though HSM manufacturers may go under the PKCS #11 level to duplicate private keys, it is still good to support standards-compliant HSMs as well. Can you point me at the definition of "extractable"? I cannot seem to find it in the spec. If we do this, we should add CKA_ALWAYS_SENSITIVE to avoid that the newly imported key can ever get CKA_SENSITIVE reset. > Just want to discuss this topic, so that we do not lock the user down. Or is it better to protect against a potential threat of leaking keys? If properly implemented, it should not be a leak, right? And I doubt we want to protect users against bad implementations. Cheers, -Rick From roy at nominet.org.uk Wed Dec 2 13:33:47 2009 
From: roy at nominet.org.uk (roy at nominet.org.uk) Date: Wed, 2 Dec 2009 14:33:47 +0100 Subject: [Opendnssec-develop] Make the keys extractable from HSM? In-Reply-To: <20091202122730.GC9466@phantom.vanrein.org> References: <983F17705339E24699AA251B458249B51F19679601@EXCHANGE2K7.office.nic.se> <20091202122730.GC9466@phantom.vanrein.org> Message-ID: Rick van Rein wrote on 12/02/2009 01:27:30 PM: > Hey Rickard, > > You brought up a good point: > > > If a key is marked as extractable, you can export the key > encrypted and then import it into another HSM. > > > > We currently have the extractable attribute set to false. > > > > We should still have the keys marked as sensitive, so that the key > material cannot be revealed in plain text. But my question is > whether we should have the key extractable or not? > > I agree that this makes sense. Even though HSM manufacturers may go under > the PKCS #11 level to duplicate private keys, it is still good to support > standards-compliant HSMs as well. > > Can you point me at the definition of "extractable"? I cannot seem to > find it in the spec. grep for CKA_EXTRACTABLE in the spec. > If we do this, we should add CKA_ALWAYS_SENSITIVE to avoid that the newly > imported key can ever get CKA_SENSITIVE reset. CKA_ALWAYS_SENSITIVE is not a safeguard (for future settings of CKA_SENSITIVE), but a signal (for past settings of CKA_SENSITIVE). If CKA_ALWAYS_SENSITIVE is set, you know that the CKA_SENSITIVE has never been false. I think you meant to say the same, apologies if you do. Roy From rickard.bellgrim at iis.se Wed Dec 2 14:12:51 2009 
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 2 Dec 2009 15:12:51 +0100
Subject: [Opendnssec-develop] VB: Requirements for OpenDNSSEC v1.1/v1.2/v2
Message-ID: <983F17705339E24699AA251B458249B51F196DC1AE@EXCHANGE2K7.office.nic.se>

FYI

> Hello Rickard,
>
> please find my notes for the next version of OpenDNSSEC below.
>
> I have used scripting interfaces to communicate with OpenDNSSEC so far. The Men & Mice Suite can fire a script whenever an object in the Men & Mice Suite changes (for example a Zone is created, the "use OpenDNSSEC" flag is changed on a zone, or zone content (RRs) is being changed).
>
> External systems (such as OpenDNSSEC) can use the Men & Mice CLI (Command Line Interface) or a SOAP Interface to report state and information back to the Men & Mice Suite. I currently use both methods and it works fine.
>
> Ideas for changes in the next version of OpenDNSSEC:
>
> 1)
> There is currently a script hook in OpenDNSSEC to inform an external system when a zone has been signed. The current target for this is to reload a DNS Server. I use this hook to reload the signed zone into the Men & Mice System, which sends the DNSSEC signed zone to one or more DNS Servers.
>
> It would be useful to have a similar hook just before the signing starts. This could be used by an external system to fetch the recent version of the zone and place it into the "unsigned" directory. This would be similar to the zone-fetcher, but more generic.
>
> Also, I recommend renaming the "NotifyCommand" hook to "postSignCommand" (runs after zone is signed), and adding a new hook called "preSignCommand" (runs just before zone is signed). These names are more generic, because the use can also be very generic.
>
> 2) (independent from Men & Mice Suite integration)
> For a security relevant system such as OpenDNSSEC, accountability is important for larger organisations (sometimes demanded by regulators or the law).
> Every change to the system (policy, add/resign/remove zone, key generation, ...) should be written to an audit log. This can be a table in the sqlite DB that can be listed by a commandline tool (for example ods-ksmutil history). Each audit history item should list
> * timestamp
> * user that has triggered the change (unix user id -> user name)
> * old value of setting, if applicable
> * new value of the setting, if applicable
> * change comment of user (optional)
>
> It should be possible to write the audit log to different log-targets in addition to the local sqlite DB, such as:
> * unix syslog
> * file in filesystem
> * call external process with log information as parameters
>
> For an external system, such as the Men & Mice Suite, it would be useful to be able to query history log entries.
>
> 3)
> In the long run, I would like to try to port OpenDNSSEC to a Windows OS (not because I like Windows, but there is a demand for easy to use DNSSEC tools esp. in the Windows world). I haven't done any research yet on how easy or difficult a port might be, but if in general platform portability is kept in mind when deciding on features it would be a great help.
>
> These are my notes so far. I have not been able to work on OpenDNSSEC since the beginning of November, as we had some heavy projects to finish.
>
> I will pick it up later in December and January, and then I will likely come up with some more requests and ideas.
>
> Best regards
>
> Carsten Strotmann
> Men & Mice
>
>
> On 11/30/09 11:20 AM, Rickard Bellgrim wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Hi
> >
> > Hopefully we have a RC1 this Friday and if everything goes well, then we have a v1.0.0 within two weeks. Once we have released version 1.0.0 we will start working on some minor improvements and then v2.
> >
> > We would be happy if you could give your input on what you would like to go into the requirements.
> > This is from your perspective as a wrapper program around OpenDNSSEC. What hooks would you like? Interfaces? How the information is communicated?
> >
> > Thanks
> >
> > // Rickard
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: 9.8.3 (Build 4028)
> > Charset: utf-8
> >
> > wsBVAwUBSxOcdOCjgaNTdVjaAQhl3gf/Rf2yZEx9/6tt4or0wXrF4h88gWpfbD3w
> > v8osUqs2DATqflAbzKO4kKsKAeRYJYVixMbOMyRJef5YuqNdx8Qp1MPGOIrSPYHh
> > 694c+DyuSYxsdyZWyjYm5OjLdxnuMWd/UtPnfzi+4Mg21oXRft35mCRDNmpMoISX
> > Fi74VlXkfg98I6jWVnxO1Z7QjKOWlKQKzCIxqssL57pCIuHQwTp1x5rlx7kHmHSP
> > HF2sMXy00sgXkDEjEB/TIzmmUIUAIOzVJo2ODFN7eTzq91cVbu8BAtQBI86naGj3
> > 614wPfv3WpAJuELWVIw83xXh8osR3E96y45WR/SnYR8966q7uAVcHg==
> > =KRjy
> > -----END PGP SIGNATURE-----

From rickard.bellgrim at iis.se Wed Dec 2 14:24:32 2009
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 2 Dec 2009 15:24:32 +0100
Subject: [Opendnssec-develop] Make the keys extractable from HSM?
In-Reply-To: <20091202122730.GC9466@phantom.vanrein.org>
References: <983F17705339E24699AA251B458249B51F19679601@EXCHANGE2K7.office.nic.se> <20091202122730.GC9466@phantom.vanrein.org>
Message-ID: <983F17705339E24699AA251B458249B51F196DC1BE@EXCHANGE2K7.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Can you point me at the definition of "extractable"? I cannot seem to
> find it in the spec.

Pkcs-11v2-20.pdf: Page 82. Table 30.

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSxZ4oOCjgaNTdVjaAQjrswf+Omr8D/9DVqAzAwd6Y3h9b7WuvbgcZeGd
OPTbtFeYFUqRX4DvwZLq0yE3GUac295BhG5xEjWPveH1ilA141l2i5nMBQSHCW3H
RZ8mRpEKxBpYxOrXokBqGPgbKV5/sK6Em6sR7UwdWm1uIc63UwyKNAzskaeq7Y4h
yn8iy7oH10rStpVafOg+F6+yYwwelIH0cIyijJoyFSjjZrT9KxOCishE6CYd96DX
sBaTK1n9TIRI1AD+Sf7AmvujNXkI+t44ZgCxK1Y6dKakDhde2ts88ztkUPTYwAod
izobu9iz2LUoRTcktwRDlOBlalP9J7QLeOjwiZXs855N4aUf1SKtPA==
=xhiy
-----END PGP SIGNATURE-----

From rick at openfortress.nl Wed Dec 2 14:32:54 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 2 Dec 2009 14:32:54 +0000
Subject: [Opendnssec-develop] Make the keys extractable from HSM?
In-Reply-To:
References: <983F17705339E24699AA251B458249B51F19679601@EXCHANGE2K7.office.nic.se> <20091202122730.GC9466@phantom.vanrein.org>
Message-ID: <20091202143254.GA13306@phantom.vanrein.org>

Hi,

> > If we do this, we should add CKA_ALWAYS_SENSITIVE to avoid that the newly
> > imported key can ever get CKA_SENSITIVE reset.
>
> CKA_ALWAYS_SENSITIVE is not a safeguard (for future settings of
> CKA_SENSITIVE), but a signal (for past settings of CKA_SENSITIVE). If
> CKA_ALWAYS_SENSITIVE is set, you know that the CKA_SENSITIVE has never been
> false. I think you meant to say the same, apologies if you do.

I seem to have misinterpreted the part of the spec dealing with CKA_ALWAYS_SENSITIVE as a writable attribute. But indeed, they cannot be written upon object creation. Thanks for pointing that out.

Unfortunately, then we could only tell if the key has never been jeopardised on its current path of transport; a sideline might have been created on which the key is used insecurely. I suppose that is why C_UnwrapKey specifies:

| The new key will have the CKA_ALWAYS_SENSITIVE attribute set to CK_FALSE

In other words, the 2nd HSM will not be able to conclude that a key has always been handled securely. A pity, but ah well...

Note that according to the C_WrapKey specification, setting CKA_EXTRACTABLE on its own is insufficient for key wrapping; you also need to set CKA_WRAP on the key.

Cheers,
-Rick

From rickard.bellgrim at iis.se Wed Dec 2 14:38:37 2009
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 2 Dec 2009 15:38:37 +0100
Subject: [Opendnssec-develop] Make the keys extractable from HSM?
In-Reply-To: <20091202143254.GA13306@phantom.vanrein.org>
References: <983F17705339E24699AA251B458249B51F19679601@EXCHANGE2K7.office.nic.se> <20091202122730.GC9466@phantom.vanrein.org> <20091202143254.GA13306@phantom.vanrein.org>
Message-ID: <983F17705339E24699AA251B458249B51F196DC1CE@EXCHANGE2K7.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Note that according to the C_WrapKey specification, setting CKA_EXTRACTABLE
> on its own is insufficient for key wrapping; you also need to set CKA_WRAP
> on the key.

That is on the key that you want to wrap your private key with. OpenDNSSEC will not do any wrapping, but another application might do that. And it is that application that creates the wrapping key (which must have the CKA_WRAP set to true).

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSxZ77eCjgaNTdVjaAQhymAf/Roy4rr7wX7RpgV0JctXpzy7UC/+Gjt3Y
bQVwG/6Yfq8oxJ20lXj8v+nea6889+rjOiQxEIeeQKZ4OKfImDoNfdBwM+SlR6cB
5BpfQ535vhzuEo1dSTSkLOkCyQPc0GyYPXZd5shHOJelPsPLSNHF2u0pmVUNrsmd
vUgxPChsPMqgCymjV9i/SCM23TTYPm0YL06H+34vpK0UhnlPI6nOj5tfeuOJ1FhE
mlMYimrud+yRKklt5G2qEpce6Hs5zxC82kTGgi+ziZ/1jwmzji7m8UI6vZBx5UIF
SpDHSFy49C8w5qVyMjuYsO81556akCjYoiDfLv49ghsMPEKGUby6mw==
=2A2j
-----END PGP SIGNATURE-----

From Alexd at nominet.org.uk Wed Dec 2 15:52:43 2009
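An added illustration of the attribute semantics this thread settles on (CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_ALWAYS_SENSITIVE and CKA_WRAP); it is not OpenDNSSEC, libhsm or SoftHSM code. The attribute dictionaries are constructed to stand in for what C_GetAttributeValue would return from a token, the audit policy (a key must be private and sensitive; extractability is reported unless the operator opts in) is my reading of the thread, and the CKA_NEVER_EXTRACTABLE handling in unwrap_into_token comes from the C_UnwrapKey text of the PKCS #11 v2.20 spec rather than from this page.

```python
"""Audit of PKCS#11 private-key attributes as discussed in the thread.

Added example, not OpenDNSSEC or SoftHSM code. The attribute dictionaries
below are constructed to stand in for what C_GetAttributeValue returns.
"""

# How OpenDNSSEC currently generates its signing keys, per the thread
# (CKA_EXTRACTABLE false). Constructed sample.
GENERATED_IN_TOKEN = {
    "CKA_PRIVATE": True,
    "CKA_SENSITIVE": True,
    "CKA_EXTRACTABLE": False,
    "CKA_ALWAYS_SENSITIVE": True,    # token-maintained: CKA_SENSITIVE never false
    "CKA_NEVER_EXTRACTABLE": True,   # token-maintained: CKA_EXTRACTABLE never true
}

# The alternative under discussion: still sensitive (never readable in
# plaintext) but extractable, so it can leave the token wrapped.
GENERATED_EXTRACTABLE = dict(GENERATED_IN_TOKEN,
                             CKA_EXTRACTABLE=True, CKA_NEVER_EXTRACTABLE=False)

# A secret key another application created for wrapping (constructed).
WRAPPING_KEY = {"CKA_CLASS": "CKO_SECRET_KEY", "CKA_WRAP": True, "CKA_SENSITIVE": True}


def audit_private_key(label, attrs, allow_extractable=False):
    """Return policy findings for one private-key object (empty = compliant)."""
    findings = []
    if not attrs.get("CKA_PRIVATE", False):
        findings.append(f"{label}: CKA_PRIVATE is false; object usable without login")
    if not attrs.get("CKA_SENSITIVE", False):
        findings.append(f"{label}: CKA_SENSITIVE is false; key material readable in plaintext")
    elif not attrs.get("CKA_ALWAYS_SENSITIVE", False):
        # Sensitive now, but the token cannot vouch for its past: it was either
        # non-sensitive earlier or imported via C_UnwrapKey (see below).
        findings.append(f"{label}: CKA_ALWAYS_SENSITIVE is false; key history not attested by this token")
    if attrs.get("CKA_EXTRACTABLE", False) and not allow_extractable:
        findings.append(f"{label}: CKA_EXTRACTABLE is true; key may leave the token via C_WrapKey")
    return findings


def audit_token(keys, allow_extractable=False):
    """Audit a {label: attributes} inventory; returns only labels with findings."""
    report = {}
    for label, attrs in keys.items():
        findings = audit_private_key(label, attrs, allow_extractable)
        if findings:
            report[label] = findings
    return report


def can_wrap(key_attrs, wrapping_key_attrs):
    """C_WrapKey precondition as quoted in the thread: the key being wrapped must
    be CKA_EXTRACTABLE *and* the wrapping key must carry CKA_WRAP."""
    return bool(key_attrs.get("CKA_EXTRACTABLE")) and bool(wrapping_key_attrs.get("CKA_WRAP"))


def unwrap_into_token(wrapped_attrs):
    """Attributes of the object C_UnwrapKey creates on the receiving token: the
    spec sets CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE to CK_FALSE on the
    new key whatever the source token recorded (the loss of history Rick notes)."""
    new = dict(wrapped_attrs)
    new["CKA_ALWAYS_SENSITIVE"] = False
    new["CKA_NEVER_EXTRACTABLE"] = False
    return new


if __name__ == "__main__":
    inventory = {"ksk-2009": GENERATED_IN_TOKEN, "zsk-2009": GENERATED_EXTRACTABLE}
    print("strict policy:", audit_token(inventory))
    print("extractable allowed:", audit_token(inventory, allow_extractable=True))
    if can_wrap(GENERATED_EXTRACTABLE, WRAPPING_KEY):
        migrated = unwrap_into_token(GENERATED_EXTRACTABLE)
        print("after unwrap on second HSM:",
              audit_token({"zsk-2009": migrated}, allow_extractable=True))
```

The second HSM's audit flags the migrated key on CKA_ALWAYS_SENSITIVE even though it was handled securely end to end, which is the limitation the thread arrives at: the attribute is a signal about what this token has observed, not a lock that can be carried across tokens.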
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Wed, 2 Dec 2009 15:52:43 +0000
Subject: [Opendnssec-develop] Code reviews
Message-ID:

Hi -

Just a quick note to remind us all to perform code reviews before the final 1.0 release. Hopefully the code base will be stable enough after RC1 that it actually makes sense. Should we add this as a requirement for the release?

Thanks,

Alex.

From Stephen.Morris at nominet.org.uk Wed Dec 2 19:24:02 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Wed, 2 Dec 2009 19:24:02 +0000
Subject: [Opendnssec-develop] Minutes of teleconference, 2009-12-02
Message-ID:

The minutes from today's meeting are available on the wiki: http://trac.opendnssec.org/wiki/Meetings/Minutes/2009-12-02

Stephen

From rickard.bellgrim at iis.se Fri Dec 4 14:55:54 2009
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Fri, 4 Dec 2009 15:55:54 +0100
Subject: [Opendnssec-develop] Invalid signature
Message-ID: <983F17705339E24699AA251B458249B51F19733A0C@EXCHANGE2K7.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi

As we said in the last meeting, I should start an email thread about the "Invalid signature" problem. At one point we got a bad signature, but we could not reproduce it.

Signer Engine will now check all of the signatures. And SoftHSM has a compiler option to verify the signature before returning it. Both have output to syslog.

Signer Engine:
WARNING: HSM returned BOGUS signature! Abort signing, retry on next resign

SoftHSM (in hexadecimal):
SoftHSM: C_Sign: Error: Could not verify signature. Data: 54657874 Sign: 2E3C50CDFFFC39F146D67730A982DC17C9C5EBBC77394425F3524F8547CE26AC1E13CF13534FCE7BE7FCFF263C8CD2C4DE9EBB295C790C1F989C18A32EF0D0853F7E38222FA6ACBC29E27692D382FB4CE387C5F171F81567EC0678176EFDB43F

Signer Engine also outputs the bad signature into the tmp zone, which does not get distributed:

fprintf(output, "; signing failed: %s\n", ldns_get_errorstr_by_id(status));
ldns_rr_print(output, sig);

I think Roy is setting up a test bed, right? What else can we do? And for how long should we keep the verifying on by default in the Signer Engine?

// Rickard

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSxki+uCjgaNTdVjaAQjTKwf/QIysYWM6aEKNRvxNHKmL7XsWBHnestDC
vXzav+CD+AdhVH9w0RPCTd2TZafTixKm44A0un/e/Y7h1+OfdX8emoaANRHZ8/Rz
TJ6svJynD4cRGGGVZFpqzCbI3sqJgkpqrgoU64MD1tIeXYuWi4UUJU0pauHjMAFU
O0++MgRQ0mD2kDct9TUXCPhweeDzbPJe9dTC1DX+5lC/3l3uQ8R5VI0W6HKc1/La
+D1K9qDSRjh9fqoAJlBqSbFEXdcb3qkRUpKE3q8hPfz8EgU+j/0/2v+EmqADn2Be
BxnCoP1iCJmGOsF49lsTjVhsfRLm6wU+nIl7UU0LXwsE0bz5OWoNfg==
=g/GM
-----END PGP SIGNATURE-----

From owner-dnssec-trac at kirei.se Tue Dec 8 12:56:06 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 08 Dec 2009 12:56:06 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #60: Auditor croaks on APL RR Message-ID: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se> #60: Auditor croaks on APL RR ------------------------------+--------------------------------------------- Reporter: olaf@? | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Keywords: ------------------------------+--------------------------------------------- Signer produces apl.net-dns.org. 100 IN APL 1:192.168.42.0/26 1:192.168.42.64/26 1:192.168.42.128/25 1:224.0.0.0/4 2:ff00:0000:0000:0000:0000:0000:0000:0000/8 apl.net-dns.org. 100 IN RRSIG APL 7 3 100 20091215191930 20091208123452 13677 net-dns.org. fMWZLmO8KaMGVSlJDMUjiF/h+m3C/PFFgr9Cmg8SBb+5Kvt2ZDQbTE8weBoPLKQgTgDf1gh6gX5s6BwEIDOidJnvKDVX2A4nS4xRPVbj+QbJ1j6YnV2THpa2aphZGmbChD5yrZXEMdvezOSTmWPMVUHuAWgl5DbeWY41NgazfoU= ;{id = 13677} auditor croaks on: ERROR parsing line 22 : apl.net-dns.org. 100 IN APL 1:192.168.42.0/26 1:192.168.42.64/26 1:192.168.42.128/25 1:224.0.0.0/4 2:ff00:0000:0000:0000:0000:0000:0000:0000/8 -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Dec 8 12:56:14 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 08 Dec 2009 12:56:14 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #61: Auditor croaks on APL RR Message-ID: <055.0b82965c5ef7722433eff6bee3a96a79@kirei.se> #61: Auditor croaks on APL RR ------------------------------+--------------------------------------------- Reporter: olaf@? | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Keywords: ------------------------------+--------------------------------------------- Signer produces apl.net-dns.org. 100 IN APL 1:192.168.42.0/26 1:192.168.42.64/26 1:192.168.42.128/25 1:224.0.0.0/4 2:ff00:0000:0000:0000:0000:0000:0000:0000/8 apl.net-dns.org. 100 IN RRSIG APL 7 3 100 20091215191930 20091208123452 13677 net-dns.org. fMWZLmO8KaMGVSlJDMUjiF/h+m3C/PFFgr9Cmg8SBb+5Kvt2ZDQbTE8weBoPLKQgTgDf1gh6gX5s6BwEIDOidJnvKDVX2A4nS4xRPVbj+QbJ1j6YnV2THpa2aphZGmbChD5yrZXEMdvezOSTmWPMVUHuAWgl5DbeWY41NgazfoU= ;{id = 13677} auditor croaks on: ERROR parsing line 22 : apl.net-dns.org. 100 IN APL 1:192.168.42.0/26 1:192.168.42.64/26 1:192.168.42.128/25 1:224.0.0.0/4 2:ff00:0000:0000:0000:0000:0000:0000:0000/8 -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Dec 8 13:14:09 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 08 Dec 2009 13:14:09 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR In-Reply-To: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se> References: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se> Message-ID: <064.9b92e16cc9195d9c26b887b42b4016d7@kirei.se> #60: Auditor croaks on APL RR ------------------------------+--------------------------------------------- Reporter: olaf@? | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Keywords: ------------------------------+--------------------------------------------- Comment(by rb): APL is not supported: http://trac.opendnssec.org/wiki/Signer/Using/ZoneContent -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Dec 8 13:16:05 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 08 Dec 2009 13:16:05 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #61: Auditor croaks on APL RR In-Reply-To: <055.0b82965c5ef7722433eff6bee3a96a79@kirei.se> References: <055.0b82965c5ef7722433eff6bee3a96a79@kirei.se> Message-ID: <064.40286705e2f21e22406a704c8995b89e@kirei.se> #61: Auditor croaks on APL RR ------------------------------+--------------------------------------------- Reporter: olaf@? | Owner: rb Type: defect | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: duplicate Keywords: | ------------------------------+--------------------------------------------- Changes (by rb): * status: new => closed * resolution: => duplicate -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Dec 8 13:24:03 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 08 Dec 2009 13:24:03 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR In-Reply-To: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se> References: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se> Message-ID: <064.b7571ea6e956e928d4379ea6cbfb2b2a@kirei.se> #60: Auditor croaks on APL RR ------------------------------+--------------------------------------------- Reporter: olaf@? | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Keywords: ------------------------------+--------------------------------------------- Comment(by rb): We tested the different RR that are available and got this list of supported/unsupported RR. APL was not implemented in dnsruby, since APL is experimental. Do you want OpenDNSSEC to support it? -- Ticket URL: OpenDNSSEC OpenDNSSEC From rickard.bellgrim at iis.se Tue Dec 8 14:11:44 2009 
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 8 Dec 2009 15:11:44 +0100
Subject: [Opendnssec-develop] Support of APL in dnsruby
Message-ID: <983F17705339E24699AA251B458249B51F1973431B@EXCHANGE2K7.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi

We have now got a request to implement support for APL in dnsruby from our "user" Olaf. Would it be difficult?

And also that the Auditor should skip RRs which it does not understand. But what would happen with NSEC/NSEC3 with this RR in its bitmap?

// Rickard

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSx5eoOCjgaNTdVjaAQhF3gf/YUUTVho6hvvGzSGiL5SwH6O2XTQc0fX9
BDaSLSENYGgndcIwGFyUAVCsSXQnVHi8DyGE3te0n0fEu7vBDN3QNpRlpz0TFwhR
AqEKKrkNWdNF8xZc7NADS8Pu8M2ekUbOkCHjEwQFhL3ZwydlaVRdmenSqcCHCAsK
WVuli4GLE68ayGqvlg+3WHIYa2o3uynGVh4nPuTuriZlXEC8miyFhIsQe61YrqPF
PuodvmXQqMOHs/fRVxhrikO7gO1lRr5gVoVrsSWMemK/7YpbrowBvVGA7Db241oz
tae3vQfuUzr6L7D4PPfd3tMZZm2UUE31TGJb8IOewu3j1ZQisAGSXg==
=4KjB
-----END PGP SIGNATURE-----

From Alexd at nominet.org.uk Tue Dec 8 14:30:21 2009
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Tue, 8 Dec 2009 14:30:21 +0000
Subject: [Opendnssec-develop] Support of APL in dnsruby
In-Reply-To: <983F17705339E24699AA251B458249B51F1973431B@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B51F1973431B@EXCHANGE2K7.office.nic.se>
Message-ID:

> We now got a request to implement support for APL in dnsruby from
> our "user" Olaf. Would it be difficult?

It's possible to implement. While we're on the subject, we should also implement the HIP RR (signer support required), and possibly some/all other Experimental RRs. Do we want to keep the signer and auditor in step with regard to the RR types they support?

> And also that the Auditor should skip RR which it does not
> understand. But what would happen with NSEC/NSEC3 with this RR in its bitmap?

The auditor should be able to note the type (which it didn't understand the RR for) as occurring at the name, and then expect that type to appear in the NSEC(3) bitmap, without understanding the RR itself. Of course, it would not be able to verify the RRSIG for the RRSet of the unsupported type - it would simply skip that check.

I could add this functionality if it was desired?

Thanks,

Alex.

From rickard.bellgrim at iis.se Tue Dec 8 14:29:37 2009
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 8 Dec 2009 15:29:37 +0100
Subject: [Opendnssec-develop] KSK rollover
Message-ID: <983F17705339E24699AA251B458249B51F19734335@EXCHANGE2K7.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi

As noted on the user's list, we got some suggestions that we should use double signatures for KSK rollover. Because most people would like to change the DS records only one time. Do we agree?

Currently we do (something like this):
ods-ksmutil key rollover --zone example.com --keytype KSK
- Publish new key
ods-ksmutil key ksk-roll
- Make new key active. Retire old key.

Suggested solution:
ods-ksmutil key rollover --zone example.com --keytype KSK
- Publish new key. Make new key active (when key is ready).
ods-ksmutil key ksk-roll
- Retire old key.

Should we do this for version 1? Would it be difficult?

// Rickard

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSx5i0eCjgaNTdVjaAQh9Vgf/Ur7bsKZRHrx5cbxEVMkYSJrx1iDzaDy1
wbEQeRnMhVjBusfiU8tSN3DDZeebo10YVyc2lx5jWos0dz32ygO0vL+cxpEqTZcR
G1NCDbw/vTlqq591AbY2nyAMGnnl6hyERRoB2LmEWnfU/pR9LJ6sZTj4o0vNrx1q
+R9SxOvINnEDuQgbypUB/+5Tm/n0el1n4ozBbNh+C2xqd0sHE3rKJOs/CsCFzhnB
eC+25/wZo0ZjA1nBMts6qPoElrwKa4JRTXbItp44H27RK2pPAoTAW5mjeIWaupJb
znTzb6wdV5igA1fgLcfszKohyTbyzNnOUXGGkCwvtwY29tRP0Q5HQg==
=oYDA
-----END PGP SIGNATURE-----

From sion at nominet.org.uk Tue Dec 8 14:36:46 2009
From: sion at nominet.org.uk (sion at nominet.org.uk) Date: Tue, 8 Dec 2009 14:36:46 +0000 Subject: [Opendnssec-develop] zonefetcher Message-ID: I _think_ that I have a fix for the zonefetcher... As I do not like changing other peoples code could someone assure me that what I have done is sane? It seems too simple. All I do is close the output file before it is moved (I think that this is especially important on ext4 filesystems). sion at virtual-sion-9:~/temp/opendnssec/trunk/OpenDNSSEC/signer$ svn diff tools/zone_fetcher.c Index: tools/zone_fetcher.c =================================================================== --- tools/zone_fetcher.c (revision 2579) +++ tools/zone_fetcher.c (working copy) @@ -911,6 +911,7 @@ axfr_rr = ldns_axfr_next(config->xfrd); if (!axfr_rr) { log_msg(LOG_ERR, "zone fetcher AXFR for %s failed", zone->name); + fclose(fd); unlink(axfr_file); return -1; } @@ -930,6 +931,9 @@ log_msg(LOG_INFO, "zone fetcher transferred zone %s serial %u " "successfully", zone->name, new_serial); + /* Close file before moving it - Sion */ + fclose(fd); + /* moving and kicking */ strlength = strlen("mv ") + strlen(axfr_file) + 1 + strlen(zone->input_file) + strlen(".axfr"); @@ -981,7 +985,6 @@ } } free((void*)axfr_file); - fclose(fd); } else { log_msg(LOG_INFO, "zone fetcher zone %s is already up to date, " Also, are fixes going into trunk, or a branch at the moment? Cheers, Sion From rickard.bellgrim at iis.se Tue Dec 8 14:48:34 2009 
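Review bot: in the second hunk (@@ -930,6 +931,9 @@) the return value of the new `fclose(fd);` is ignored. fclose() is what flushes the stdio buffer, so a failed flush (disk full, I/O error) leaves a truncated AXFR file that the `mv` built right after it will still install as the zone's input file. Check it and take the same failure path as the AXFR error above it, along the lines of `if (fclose(fd) != 0) { log_msg(LOG_ERR, "zone fetcher could not write %s", axfr_file); unlink(axfr_file); return -1; }`. Also, the author attribution in `/* Close file before moving it - Sion */` belongs in the commit log rather than the source.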
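Review bot: the third hunk (@@ -981,7 +985,6 @@) removes the unconditional `fclose(fd);` at the end of the branch, so the handle is now closed only on the two paths this patch touches: the AXFR failure return in the first hunk and the successful-transfer path in the second. Any other exit from the code between lines 911 and 930 that is not visible in this diff (another early return, or a break out of the AXFR loop) would now leak the FILE* and leave the temporary file open; that region should be checked before this goes in.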
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 8 Dec 2009 15:48:34 +0100
Subject: [Opendnssec-develop] Support of APL in dnsruby
In-Reply-To:
References: <983F17705339E24699AA251B458249B51F1973431B@EXCHANGE2K7.office.nic.se>
Message-ID: <983F17705339E24699AA251B458249B51F1973434A@EXCHANGE2K7.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> It's possible to implement. While we're on the subject, we should also
> implement the HIP RR (signer support required), and possibly some/all
> other Experimental RRs. Do we want to keep the signer and auditor in
> step with regard to the RR types they support?

It would be desired that they support the same types of RR. And it would be desired that we support the experimental RRs + HIP. The support of RR types does not conflict with the OpenDNSSEC release other than that the libraries and OpenDNSSEC share the same developers. So currently we can only implement support if we get a request and have time to do it. Alex, do you have time for APL? But after 1.0.0 we should try to sync dnsruby and ldns.

> > And also that the Auditor should skip RR which it does not
> > understand. But what would happen with NSEC/NSEC3 with this RR in its
> > bitmap?
>
> The auditor should be able to note the type (which it didn't understand
> the RR for) as occurring at the name, and then expect that type to
> appear in the NSEC(3) bitmap, without understanding the RR itself. Of
> course, it would not be able to verify the RRSIG for the RRSet of the
> unsupported type - it would simply skip that check.
>
> I could add this functionality if it was desired?

I think it would be good, even if dnsruby and ldns are in sync. It might be that the user has an old dnsruby installed. And an unknown RR type (not TYPExx) will now stop the auditing. But the code change is a little bit big, so perhaps do it after 1.0.0?
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSx5nQuCjgaNTdVjaAQhn2wgAqp72ka/+9JXnTdzywEF5PajoBAesczHy
Eu6U3/0ZGn/uf6ozMXB41mnkIQo3kvhjSjUBc8hrsJxDzNjSx16VEWG4xvjxqI9A
A1wiGFS17FO8PCG/QBkrNLuWjWgYPjf3HO4pSVMWU8nrgv6eKZ3hiZhSdIde6eAJ
iAZnA0pJ9ecJkonXemU3F6i7f3GSnXwEl3N47HwyHsKi6HDyf83nmvaymyVnScIs
plYNIuLgHJvgYv/P6n95xt24hBjZ7zwsqqbNFAyiLcsMVFShyQ6amQ60QwMLTKth
ZHEYWjQplMPNWhCJcmw6Xk521JYcAft0VMqtTdDobsLKotDvmO9fdw==
=0DQo
-----END PGP SIGNATURE-----

From Antoin.Verschuren at sidn.nl Tue Dec 8 14:59:48 2009
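An added example of the behaviour Alex proposes for the Auditor in this thread: record an RR type it cannot parse by its mnemonic, demand it in the owner's NSEC bitmap and in an RRSIG, but skip signature verification for it. This is not Auditor or dnsruby code. The zone fragment is constructed (the APL line mirrors ticket #60; the signature fields are placeholder base64, not real RRSIGs), and SUPPORTED_TYPES is an assumed stand-in for the set of types the real auditor can decode.

```python
"""Auditor-style NSEC bitmap check that tolerates RR types it cannot parse.

Added example, not OpenDNSSEC Auditor or dnsruby code. The zone fragment is
constructed and the signatures are placeholders; SUPPORTED_TYPES is assumed.
"""
from collections import defaultdict

# Types whose RDATA this checker could decode and whose RRSIGs it could verify
# (assumed list; the real Auditor's list is whatever dnsruby implements).
SUPPORTED_TYPES = {"A", "AAAA", "NS", "SOA", "MX", "TXT", "CNAME", "PTR", "SRV",
                   "DNSKEY", "DS", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

# Constructed signed-zone fragment: an apex, a name with an APL RRset the
# checker cannot parse but must still account for, and a name whose NSEC
# bitmap and signatures miss a private-use type.
ZONE = """
net-dns.org. 100 IN SOA ns.net-dns.org. hostmaster.net-dns.org. 2009120801 3600 900 1209600 100
net-dns.org. 100 IN NS ns.net-dns.org.
net-dns.org. 100 IN RRSIG SOA 7 2 100 20091215191930 20091208123452 13677 net-dns.org. c29hLXNpZw==
net-dns.org. 100 IN RRSIG NS 7 2 100 20091215191930 20091208123452 13677 net-dns.org. bnMtc2ln
net-dns.org. 100 IN NSEC apl.net-dns.org. SOA NS RRSIG NSEC
net-dns.org. 100 IN RRSIG NSEC 7 2 100 20091215191930 20091208123452 13677 net-dns.org. bnNlYy1zaWc=
apl.net-dns.org. 100 IN APL 1:192.168.42.0/26 1:192.168.42.64/26 2:ff00:0000:0000:0000:0000:0000:0000:0000/8
apl.net-dns.org. 100 IN RRSIG APL 7 3 100 20091215191930 20091208123452 13677 net-dns.org. YXBsLXNpZw==
apl.net-dns.org. 100 IN NSEC bad.net-dns.org. APL RRSIG NSEC
apl.net-dns.org. 100 IN RRSIG NSEC 7 3 100 20091215191930 20091208123452 13677 net-dns.org. bnNlYy1zaWc=
bad.net-dns.org. 100 IN A 192.0.2.1
bad.net-dns.org. 100 IN TYPE65280 \\# 4 DEADBEEF
bad.net-dns.org. 100 IN RRSIG A 7 3 100 20091215191930 20091208123452 13677 net-dns.org. YS1zaWc=
bad.net-dns.org. 100 IN NSEC net-dns.org. A RRSIG NSEC
bad.net-dns.org. 100 IN RRSIG NSEC 7 3 100 20091215191930 20091208123452 13677 net-dns.org. bnNlYy1zaWc=
"""


def parse_zone(text):
    """Yield (owner, type, rdata-fields) from one-record-per-line presentation
    format. The type is taken from its mnemonic only, so APL or TYPE65280 pass
    through without any attempt to decode their RDATA."""
    for line in text.strip().splitlines():
        owner, _ttl, _cls, rtype, *rdata = line.split()
        yield owner, rtype, rdata


def audit_nsec_bitmaps(text):
    """Return (errors, skipped). errors are bitmap/signature mismatches provable
    without parsing RDATA; skipped lists RRsets that do carry an RRSIG but whose
    type is unsupported, so the signature itself is not verified."""
    types_at = defaultdict(set)
    bitmap_at = {}
    covered_at = defaultdict(set)
    for owner, rtype, rdata in parse_zone(text):
        types_at[owner].add(rtype)
        if rtype == "NSEC":
            bitmap_at[owner] = set(rdata[1:])   # rdata[0] is the next owner name
        elif rtype == "RRSIG":
            covered_at[owner].add(rdata[0])     # type covered by this signature
    errors, skipped = [], []
    for owner, types in types_at.items():
        bitmap = bitmap_at.get(owner)
        if bitmap is None:
            errors.append(f"{owner}: no NSEC record")
        else:
            for t in sorted(types - bitmap):
                errors.append(f"{owner}: NSEC bitmap lacks {t}")
            for t in sorted(bitmap - types):
                errors.append(f"{owner}: NSEC bitmap lists {t} but no such RRset exists")
        for t in sorted(types - {"RRSIG"}):      # every RRset except RRSIG needs a signature
            if t not in covered_at[owner]:
                errors.append(f"{owner}: no RRSIG covering {t}")
            elif t not in SUPPORTED_TYPES:
                skipped.append((owner, t))
    return sorted(errors), sorted(skipped)


if __name__ == "__main__":
    errors, skipped = audit_nsec_bitmaps(ZONE)
    for e in errors:
        print("ERROR", e)
    for owner, t in skipped:
        print("SKIP  signature check for", t, "at", owner, "(type not supported)")
```

The APL name passes the bitmap check and is only reported as skipped, which is the outcome the thread wants; the private-use type at the third name is still caught, because "the type occurs here" and "an RRSIG covers it" are both facts the auditor can establish without understanding the record.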
From: Antoin.Verschuren at sidn.nl (Antoin Verschuren) Date: Tue, 8 Dec 2009 15:59:48 +0100 Subject: [Opendnssec-develop] KSK rollover References: <983F17705339E24699AA251B458249B51F19734335@EXCHANGE2K7.office.nic.se> Message-ID: <850A39016FA57A4887C0AA3C8085F94901623FEC@KAEVS1.SIDN.local> The method of double signatures is one that cannot be used when you transfer a zone between DNS operators, because either operator does not have one of the private keys to sign with. So the preferred way to facilitate this is pre-publish and multiple DS records at the parent. (or am I missing something). So since the parent should already be facilitating this method of rollover for transfers, why would they create a different process for a rollover where there is no transfer involved ? Same could be true for the child. If you make pre-publish your default rollover method, you don't need to invent (and for opendnssec to implement) a different BCP for transfers. So for transfers: In new zone: -Enter old and new public KSK -Sign keyset with new KSK In old zone: -Add new public KSK in zone next to old KSK -Sign keyset with old KSK At parent: -Add DS for new KSK -wait for propagation -Change NS set -wait for propagation -Delete old DS Only difference for a regular rollover is that you don't have to change and wait for propagation of the new NS set, but the process would stay the same. Only advantage I see in adding a different rollover method for regular transfers without NS changes is that there are less DS records in the parent zone. Antoin Verschuren Technical Policy Advisor SIDN Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970 mailto:antoin.verschuren at sidn.nl xmpp:antoin at jabber.sidn.nl http://www.sidn.nl/ > -----Original Message----- 
> From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec- > develop-bounces at lists.opendnssec.org] On Behalf Of Rickard Bellgrim > Sent: Tuesday, December 08, 2009 3:30 PM > To: opendnssec-develop at lists.opendnssec.org > Subject: [Opendnssec-develop] KSK rollover > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Hi > > As noted on the user's list, we got some suggestions that we should use > double signatures for KSK rollover. Because most people would like to > change the DS records only one time. Do we agree? > > Currently we do (something like this): > ods-ksmutil key rollover --zone example.com --keytype KSK > - - Publish new key > ods-ksmutil key ksk-roll > - - Make new key active. Retire old key. > > Suggested solution: > ods-ksmutil key rollover --zone example.com --keytype KSK > - - Publish new key. Make new key active (when key is ready). > ods-ksmutil key ksk-roll > - - Retire old key. > > Should we do this for version 1? Would it be difficult? > > // Rickard > > -----BEGIN PGP SIGNATURE----- > Version: 9.8.3 (Build 4028) > Charset: utf-8 > > wsBVAwUBSx5i0eCjgaNTdVjaAQh9Vgf/Ur7bsKZRHrx5cbxEVMkYSJrx1iDzaDy1 > wbEQeRnMhVjBusfiU8tSN3DDZeebo10YVyc2lx5jWos0dz32ygO0vL+cxpEqTZcR > G1NCDbw/vTlqq591AbY2nyAMGnnl6hyERRoB2LmEWnfU/pR9LJ6sZTj4o0vNrx1q > +R9SxOvINnEDuQgbypUB/+5Tm/n0el1n4ozBbNh+C2xqd0sHE3rKJOs/CsCFzhnB > eC+25/wZo0ZjA1nBMts6qPoElrwKa4JRTXbItp44H27RK2pPAoTAW5mjeIWaupJb > znTzb6wdV5igA1fgLcfszKohyTbyzNnOUXGGkCwvtwY29tRP0Q5HQg== > =oYDA > -----END PGP SIGNATURE----- > > From owner-dnssec-trac at kirei.se Tue Dec 8 18:32:37 2009 
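An added check of the two rollover strategies compared above, written as an example and not taken from OpenDNSSEC or ods-ksmutil. Each rollover is a list of states (DS set at the parent, DNSKEY RRset in the child, keys whose RRSIGs cover that RRset); the checker walks every transition under all four combinations of cached parent and child data and reports any combination in which a validator cannot build a chain. Key names are constructed, and timing is abstracted: a step is assumed to have propagated fully before the next one starts. The double-signature plan is my reading of Rickard's suggestion and the pre-publish plan is the non-transfer variant of Antoin's step list; the count of DS changes is what his last paragraph is weighing.

```python
"""Validation-chain check of KSK rollover plans.

Added example, not OpenDNSSEC or ods-ksmutil code. Key names are constructed;
timing is abstracted, so a validator holds either the previous or the current
view of the parent (DS) and of the child (DNSKEY RRset plus its RRSIGs).
"""
from itertools import product


def step(ds, dnskey, signers):
    """One rollover state: keys referenced by DS at the parent, keys published in
    the child's DNSKEY RRset, and keys whose RRSIGs cover that RRset."""
    return (frozenset(ds), frozenset(dnskey), frozenset(signers))


def chain_intact(ds, dnskey, signers):
    """A validator needs one key that is referenced by a DS, present in the
    DNSKEY RRset and has signed that RRset."""
    return bool(ds & dnskey & signers)


def check_rollover(steps):
    """Check each transition under all four cache combinations (old/new DS view
    times old/new child view). Returns (violations, number of DS changes)."""
    violations = []
    ds_changes = 0
    for i in range(1, len(steps)):
        prev, cur = steps[i - 1], steps[i]
        if prev[0] != cur[0]:
            ds_changes += 1
        for ds_view, (dnskey, signers) in product((prev[0], cur[0]), (prev[1:], cur[1:])):
            if not chain_intact(ds_view, dnskey, signers):
                violations.append((i, sorted(ds_view), sorted(dnskey), sorted(signers)))
    return violations, ds_changes


OLD, NEW = "ksk-2009", "ksk-2010"   # constructed key names

# Double signature (Rickard's suggestion): the new KSK is published and made
# active at once, both KSKs sign the DNSKEY RRset, the parent swaps the DS
# once, and the old KSK is retired afterwards.
DOUBLE_SIGNATURE = [
    step({OLD}, {OLD}, {OLD}),
    step({OLD}, {OLD, NEW}, {OLD, NEW}),
    step({NEW}, {OLD, NEW}, {OLD, NEW}),
    step({NEW}, {NEW}, {NEW}),
]

# Pre-publish (Antoin's list without the NS change): new KSK pre-published,
# DS for it added, signing switched to it, old DS deleted, old KSK removed.
PRE_PUBLISH = [
    step({OLD}, {OLD}, {OLD}),
    step({OLD}, {OLD, NEW}, {OLD}),
    step({OLD, NEW}, {OLD, NEW}, {OLD}),
    step({OLD, NEW}, {OLD, NEW}, {NEW}),
    step({NEW}, {OLD, NEW}, {NEW}),
    step({NEW}, {NEW}, {NEW}),
]

# What neither method does: replace key and DS in one go. A cache that still
# holds the old DS set (or the old DNSKEY RRset) cannot validate.
FLAG_DAY = [step({OLD}, {OLD}, {OLD}), step({NEW}, {NEW}, {NEW})]


if __name__ == "__main__":
    for name, plan in (("double signature", DOUBLE_SIGNATURE),
                       ("pre-publish", PRE_PUBLISH),
                       ("flag day", FLAG_DAY)):
        violations, ds_changes = check_rollover(plan)
        print(f"{name}: {ds_changes} DS change(s) at the parent, "
              f"{len(violations)} broken cache combination(s)")
        for v in violations:
            print("   step", *v)
```

Both real plans keep the chain intact at every transition; they differ only in how often the parent is touched (once for the double-signature plan, twice for pre-publish), which is exactly the trade-off the thread is weighing. To extend the model with propagation timing, make a "view" a set of states reachable within the relevant TTLs rather than just the previous and current step.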
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 08 Dec 2009 18:32:37 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #62: => conf.xml.sample
Message-ID: <061.9253dc9b5a50cf7e19604b06c32492b5@kirei.se>

#62: => conf.xml.sample
------------------------------------+---------------------------------------
 Reporter:  archi.laurent@?  |  Owner:  rb
     Type:  enhancement      |  Status:  new
 Priority:  trivial          |  Component:  SoftHSM
  Version:  trunk            |  Keywords:  conf.xml.sample
------------------------------------+---------------------------------------
Hi all,

it's just a detail but I think many DNS masters use Bind, and your example command in the sample file is:

/usr/local/bin/my_nameserver_reload_command

It's really better with this command (reload!):

# For Bind only and rndc (root):
<NotifyCommand>rndc notify %zone; rndc reload %zone</NotifyCommand>

Only to perhaps help your best project...

Best regards

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From jakob at kirei.se Tue Dec 8 21:14:24 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 8 Dec 2009 22:14:24 +0100
Subject: [Opendnssec-develop] zonefetcher
In-Reply-To:
References:
Message-ID: <4047FE85-BA8E-44C1-92BB-6A3CEC7E772A@kirei.se>

On 8 dec 2009, at 15.36, sion at nominet.org.uk wrote:

> As I do not like changing other people's code could someone assure me that
> what I have done is sane? It seems too simple. All I do is close the output
> file before it is moved (I think that this is especially important on ext4
> filesystems).

it seems fair to close before unlinking.

btw, why isn't the move performed using "rename"? using system for this is just plain wrong and should be fixed. I'll add a ticket for this.

jakob

From owner-dnssec-trac at kirei.se Wed Dec 9 08:17:11 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 09 Dec 2009 08:17:11 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #62: => conf.xml.sample
In-Reply-To: <061.9253dc9b5a50cf7e19604b06c32492b5@kirei.se>
References: <061.9253dc9b5a50cf7e19604b06c32492b5@kirei.se>
Message-ID: <070.b10a5649d621a6871068a0f8d559d458@kirei.se>

#62: => conf.xml.sample
 Reporter:  archi.laurent@…  |  Owner:      jakob
     Type:  enhancement      |  Status:     assigned
 Priority:  trivial          |  Component:  Signer
  Version:  trunk            |  Keywords:   conf.xml.sample

Changes (by rb):

 * owner: rb => jakob
 * status: new => assigned
 * component: SoftHSM => Signer
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 09 Dec 2009 08:22:59 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #62: => conf.xml.sample
In-Reply-To: <061.9253dc9b5a50cf7e19604b06c32492b5@kirei.se>
References: <061.9253dc9b5a50cf7e19604b06c32492b5@kirei.se>
Message-ID: <070.70bc637b5f6db5e440daa5dd3ef5b8ef@kirei.se>

#62: => conf.xml.sample
 Reporter:  archi.laurent@…  |  Owner:       jakob
     Type:  enhancement      |  Status:      closed
 Priority:  trivial          |  Component:   Signer
  Version:  trunk            |  Resolution:  fixed
 Keywords:  conf.xml.sample  |

Changes (by jakob):

 * status: assigned => closed
 * resolution: => fixed

Comment:

We can only promise that the <NotifyCommand> is one single command, not expanded by the shell (although in v1 it is indeed executed by the shell; in the next version we'll use spawn/exec). Given that, I suggest that we only use the rndc reload (as it also sends notify, IIRC). Example added in r2583.
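What "one single command, not expanded by the shell" means in practice, as an added example; this is not the Signer's implementation, and the helper names are made up. The configured string is split into an argv list once, %zone is substituted inside individual arguments, and the list goes to subprocess.run() with shell=False. A zone name therefore never becomes shell syntax, and the "rndc notify %zone; rndc reload %zone" suggestion from the ticket is not two commands under this model: the ';' is just part of an argument, which is why the comment above settles on a single rndc reload.

```python
"""Run a configured NotifyCommand as one process, without a shell.

Added example, not OpenDNSSEC's Signer. Shows the spawn/exec model the
ticket comment describes: one argv list, %zone substituted per argument,
no shell interpretation of anything in the zone name.
"""
import shlex
import subprocess


def build_argv(notify_command, zone):
    """Turn the configured command string into an argv list for one process."""
    if not notify_command.strip():
        raise ValueError("empty NotifyCommand")
    # Shell-style quoting is honoured when splitting, but no shell ever runs.
    argv = shlex.split(notify_command)
    # The zone name is substituted per argument and passed verbatim to exec.
    return [arg.replace("%zone", zone) for arg in argv]


def run_notify(notify_command, zone, timeout=30):
    """Execute the notify command; returns (exit status, stdout)."""
    argv = build_argv(notify_command, zone)
    proc = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    print(build_argv("rndc reload %zone", "example.com"))
    # ';' is not a command separator here: it ends up inside one argument.
    print(build_argv("rndc notify %zone; rndc reload %zone", "example.com"))
    # Whatever characters a zone name contains, it stays a single argument.
    print(build_argv("rndc reload %zone", "a.example; echo injected"))
    # Constructed demonstration with a harmless command in place of rndc.
    print(run_notify("echo %zone", "example.com"))
```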
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 09 Dec 2009 08:25:35 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR
In-Reply-To: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se>
References: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se>
Message-ID: <064.5ba2989cffef7671975786403a5b9c53@kirei.se>

#60: Auditor croaks on APL RR
 Reporter:  olaf@…   |  Owner:      alex
     Type:  defect   |  Status:     assigned
 Priority:  major    |  Component:  Auditor
  Version:  trunk    |  Keywords:

Changes (by rb):

 * owner: rb => alex
 * status: new => assigned
 * component: Unknown => Auditor

From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 9 Dec 2009 10:03:11 +0100
Subject: [Opendnssec-develop] Hanging signer processes
Message-ID: <983F17705339E24699AA251B458249B51F19734440@EXCHANGE2K7.office.nic.se>

Hi

Is this patch OK? So that we do not start the signer process if we do not get a serial.

Index: Zone.py =================================================================== - --- Zone.py (revision 2574) +++ Zone.py (working copy) @@ -758,6 +758,11 @@ cmd.append("-l") cmd.append(self.engine_config.syslog_facility_string) + soa_serial = self.find_serial() + if self.zone_config.soa_serial: + if soa_serial == None: + return False; + sign_p = Util.run_tool(cmd) if not sign_p: if not self.last_signed:
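Review bot: in the added block, `if soa_serial == None:` should be `if soa_serial is None:` and the trailing semicolon on `return False;` should go. Moving the check in front of `sign_p = Util.run_tool(cmd)` is what stops a signer process from being started when there is no serial, which is the point of the patch, but the early return is silent: emit a syslog.LOG_ERR line (zone name, "no SOA serial, not signing") before it so the operator can see why the zone was skipped. Also note that `self.find_serial()` is now called even when `self.zone_config.soa_serial` is unset, whereas it used to be called only inside that branch; if find_serial() is cheap and has no side effects that is fine, otherwise move the call under the `if`.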
@@ -771,13 +776,9 @@ Util.write_p(sign_p, self.zone_config.soa_minimum, ":soa_minimum ") if self.zone_config.soa_serial: - - soa_serial = self.find_serial() - - if not soa_serial == None: - - syslog.syslog(syslog.LOG_DEBUG, - - "set serial to " + str(soa_serial)) - - Util.write_p(sign_p, str(soa_serial), ":soa_serial ") - - else: - - return False + syslog.syslog(syslog.LOG_DEBUG, + "set serial to " + str(soa_serial)) + Util.write_p(sign_p, str(soa_serial), ":soa_serial ") if self.zone_config.soa_serial == "keep": Util.write_p(sign_p, "1", ":soa_serial_keep ") # nsec3 params
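Review bot: the removed lines arrive as `- - soa_serial = self.find_serial()` and the file header as `- --- Zone.py (revision 2574)` because PGP dash-escaping in the signed mail doubled every leading dash, so this diff will not apply with `patch` until it is de-armored; attach the diff as a file next time. The logic itself is consistent with the first hunk: the `else: return False` path that fired after `sign_p` had already been started, leaving the signer process behind, is gone, and the remaining branch only logs and writes the serial that was checked earlier. One thing to double-check: `"keep"` is also truthy for `if self.zone_config.soa_serial:`, so the `"keep"` branch below still depends on find_serial() returning a value, exactly as before the patch.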
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Wed, 9 Dec 2009 09:06:10 +0000
Subject: [Opendnssec-develop] KSK rollover
In-Reply-To: <983F17705339E24699AA251B458249B51F19734335@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B51F19734335@EXCHANGE2K7.office.nic.se>

> As noted on the user's list, we got some suggestions that we should use double signatures for KSK rollover, because most people would like to change the DS records only one time. Do we agree?
>
> Currently we do (something like this):
> ods-ksmutil key rollover --zone example.com --keytype KSK
> - Publish new key
> ods-ksmutil key ksk-roll
> - Make new key active. Retire old key.
>
> Suggested solution:
> ods-ksmutil key rollover --zone example.com --keytype KSK
> - Publish new key. Make new key active (when key is ready).
> ods-ksmutil key ksk-roll
> - Retire old key.
>
> Should we do this for version 1? Would it be difficult?

So personally I think that we should not be changing behaviour at this point unless what we are seeing is really broken. My preference would be to work on the different rolling schemes as a configuration option in version 1.1.

Sion

From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 9 Dec 2009 10:07:57 +0100
Subject: [Opendnssec-develop] KSK rollover
References: <983F17705339E24699AA251B458249B51F19734335@EXCHANGE2K7.office.nic.se>
Message-ID: <0ADA06F8-4050-47F9-9AF4-94BCBC8D6E2A@kirei.se>

On 9 dec 2009, at 10.06, sion at nominet.org.uk wrote:

> My preference would be to work on the different rolling schemes as a configuration option in version 1.1.

I agree.

jakob
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 9 Dec 2009 10:14:41 +0100
Subject: [Opendnssec-develop] KSK rollover
In-Reply-To: <0ADA06F8-4050-47F9-9AF4-94BCBC8D6E2A@kirei.se>
References: <983F17705339E24699AA251B458249B51F19734335@EXCHANGE2K7.office.nic.se> <0ADA06F8-4050-47F9-9AF4-94BCBC8D6E2A@kirei.se>
Message-ID: <983F17705339E24699AA251B458249B51F1973444B@EXCHANGE2K7.office.nic.se>

> > My preference would be to work on the different rolling schemes as a configuration option in version 1.1.
>
> I agree.

Seems fair. I will send a reply to the user list.
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 9 Dec 2009 14:07:23 +0100
Subject: [Opendnssec-develop] Code reviews
Message-ID: <983F17705339E24699AA251B458249B51F197344F5@EXCHANGE2K7.office.nic.se>

> Just a quick note to remind us all to perform code reviews before the final 1.0 release. Hopefully the code base will be stable enough after RC1 that it actually makes sense.
>
> Should we add this as a requirement for the release?

We do not want too much code change before 1.0. We would only do changes if there is some critical problem in the code.

Previously, it was only you, me, and Sion that had time to do code reviewing. Is there someone else?
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 9 Dec 2009 14:48:50 +0100
Subject: [Opendnssec-develop] Date for RC2
Message-ID: <983F17705339E24699AA251B458249B51F1973451F@EXCHANGE2K7.office.nic.se>

Hi

It looks like we are going to have an RC2. What date should we set?

// Rickard

From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 9 Dec 2009 14:52:58 +0100
Subject: [Opendnssec-develop] Date for RC2
In-Reply-To: <983F17705339E24699AA251B458249B51F1973451F@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B51F1973451F@EXCHANGE2K7.office.nic.se>
Message-ID: <532B39D7-D179-46F6-B416-E4B5CEFF6956@kirei.se>

On 9 dec 2009, at 14.48, Rickard Bellgrim wrote:

> It looks like we are going to have an RC2. What date should we set?

rc2 @ december 16th? and release of 1.0 january 1st if everything is OK? or christmas eve?

jakob
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 9 Dec 2009 15:15:54 +0100
Subject: [Opendnssec-develop] Date for RC2
In-Reply-To: <532B39D7-D179-46F6-B416-E4B5CEFF6956@kirei.se>
References: <983F17705339E24699AA251B458249B51F1973451F@EXCHANGE2K7.office.nic.se> <532B39D7-D179-46F6-B416-E4B5CEFF6956@kirei.se>
Message-ID: <983F17705339E24699AA251B458249B51F1973453A@EXCHANGE2K7.office.nic.se>

> rc2 @ december 16th?

Yeah, RC2 could be tagged after our meeting.

> and release of 1.0 january 1st if everything is OK? or christmas eve?

If we want to send out a press release this year, then we should tag 1.0.0 on 22 December. And I think Nominet would like to have the software this year, right?

// Rickard
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 09 Dec 2009 15:59:31 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR
In-Reply-To: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se>
References: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se>
Message-ID: <064.abc58e9536d8e459da3ac7d48601ffc2@kirei.se>

#60: Auditor croaks on APL RR
 Reporter:  olaf@…   |  Owner:      alex
     Type:  defect   |  Status:     assigned
 Priority:  major    |  Component:  Auditor
  Version:  trunk    |  Keywords:

Comment (by alex):

I should point out that all types are supported if they are written in RFC3597 unknown type format (e.g. TYPE42, etc.). A quick fix would be to rewrite the APL record as a TYPE42 record.
From: olaf at NLnetLabs.nl (Olaf Kolkman)
Date: Wed, 9 Dec 2009 17:09:57 +0100
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR
In-Reply-To: <064.abc58e9536d8e459da3ac7d48601ffc2@kirei.se>
References: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se> <064.abc58e9536d8e459da3ac7d48601ffc2@kirei.se>
Message-ID: <795FAA22-FD9A-4434-8339-A4569AEF1B7E@NLnetLabs.nl>

On Dec 9, 2009, at 4:59 PM, OpenDNSSEC wrote:

> #60: Auditor croaks on APL RR
>  Reporter:  olaf@…   |  Owner:      alex
>      Type:  defect   |  Status:     assigned
>  Priority:  major    |  Component:  Auditor
>   Version:  trunk    |  Keywords:
>
> Comment (by alex):
>
> I should point out that all types are supported if they are written in RFC3597 unknown type format (e.g. TYPE42, etc.). A quick fix would be to rewrite the APL record as a TYPE42 record.

Yes, but no.

The reason for the APL being in the format it is was because of parsing/wire compatibility testing.

More to the point, the underlying request is to make the auditor more resilient against its library not supporting certain types when the signer library does support those types. I believe that the auditor should in those cases just skip the tests and/or do some heuristic checks. If it comes to the type bitmap of the NSEC, bad luck, you cannot check the signature, but you can check signature parameters.

The auditor is there to help you, to prevent errors. Not to block you from getting things done. Obviously, strong warnings are OK.

--Olaf

________________________________________________________
Olaf M. Kolkman
NLnet Labs
Science Park 140, http://www.nlnetlabs.nl/
1098 XG Amsterdam
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Thu, 10 Dec 2009 10:49:45 +0000
Subject: Fw: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR

Hi -

Olaf has asked for the auditor to ignore types it does not support.

I've got code which does this (only changes about 20 lines of code), but I'm not sure it will definitely work in all corner cases (e.g. unsigned file has type number, signed file has type name).

Do people think this should be supported? If so, should it go in 1.0 or 1.1?

Thanks,

Alex.

----- Forwarded by Alex Dalitz/Nominet on 10/12/2009 09:55 -----
From: Olaf Kolkman
Sent by: opendnssec-develop-bounces at lists.opendnssec.org
Date: 09/12/2009 16:09
To: "OpenDNSSEC"
Cc: opendnssec-develop at lists.opendnssec.org
Subject: Re: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR

From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 11 Dec 2009 14:32:01 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #63: typo in errormsg
Message-ID: <055.65e59489a5cac20a0e25acb43e20e4ce@kirei.se>

#63: typo in errormsg
 Reporter:  olaf@…   |  Owner:      rb
     Type:  defect   |  Status:     new
 Priority:  trivial  |  Component:  Unknown
  Version:  trunk    |  Keywords:

The following error msg:

    WARNING: KSK Retirement reached; please submit the new DS for net-dns.org and use ods-ksmutil ksk-roll to roll the key.

should read

    ods-ksmutil key ksk-roll

Oh, the bugzilla version dropdown doesn't show rc1.
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 11 Dec 2009 15:01:16 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #63: typo in errormsg
In-Reply-To: <055.65e59489a5cac20a0e25acb43e20e4ce@kirei.se>
References: <055.65e59489a5cac20a0e25acb43e20e4ce@kirei.se>
Message-ID: <064.2d4d5a336cfd8d27fb071dbf1b2417e7@kirei.se>

#63: typo in errormsg
 Reporter:  olaf@…   |  Owner:       rb
     Type:  defect   |  Status:      closed
 Priority:  trivial  |  Component:   Unknown
  Version:  trunk    |  Resolution:  fixed
 Keywords:           |

Changes (by jakob):

 * status: new => closed
 * resolution: => fixed

Comment:

Fixed in r2600.

From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 14 Dec 2009 10:26:04 +0100
Subject: [Opendnssec-develop] Meeting 20091216
Message-ID: <983F17705339E24699AA251B458249B51F1977D07D@EXCHANGE2K7.office.nic.se>

Hi

Next meeting is on:

Date: Wednesday 16 December
Time: 14:00-15:00 CET, 13:00-14:00 GMT

Please update the agenda if you have any more topics:
http://trac.opendnssec.org/wiki/Meetings/Agenda/2009-12-16

// Rickard
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 14 Dec 2009 10:28:24 +0100
Subject: [Opendnssec-develop] Re: Invalid signature
In-Reply-To: <983F17705339E24699AA251B458249B51F19733A0C@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B51F19733A0C@EXCHANGE2K7.office.nic.se>
Message-ID: <983F17705339E24699AA251B458249B51F1977D07E@EXCHANGE2K7.office.nic.se>

Bump

> Hi
>
> As we said in the last meeting, I should start an email thread about the "Invalid signature" problem. At one point we got a bad signature, but we could not reproduce it.
>
> Signer Engine will now check all of the signatures. And SoftHSM has a compiler option to verify the signature before returning it. Both have output to syslog.
>
> Signer Engine:
> WARNING: HSM returned BOGUS signature! Abort signing, retry on next resign
>
> SoftHSM (in hexadecimal):
> SoftHSM: C_Sign: Error: Could not verify signature. Data: 54657874 Sign: 2E3C50CDFFFC39F146D67730A982DC17C9C5EBBC77394425F3524F8547CE26AC1E13CF13534FCE7BE7FCFF263C8CD2C4DE9EBB295C790C1F989C18A32EF0D0853F7E38222FA6ACBC29E27692D382FB4CE387C5F171F81567EC0678176EFDB43F
>
> Signer Engine also outputs the bad signature into the tmp zone, which does not get distributed:
> fprintf(output, "; signing failed: %s\n", ldns_get_errorstr_by_id(status));
> ldns_rr_print(output, sig);
>
> I think Roy is setting up a test bed, right?
>
> What else can we do?
>
> And for how long should we keep the verifying on by default in the Signer Engine?
>
> // Rickard
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 14 Dec 2009 10:45:05 +0100
Subject: [Opendnssec-develop] Auditor croaks on APL RR
Message-ID: <983F17705339E24699AA251B458249B51F1977D08D@EXCHANGE2K7.office.nic.se>

> Olaf has asked for the auditor to ignore types it does not support.
>
> I've got code which does this (only changes about 20 lines of code), but I'm not sure it will definitely work in all corner cases (e.g. unsigned file has type number, signed file has type name).

The Signer will convert any known type number in the unsigned zone to a type name in the signed zone.

> Do people think this should be supported?

Yes, but the best way is to sync ldns and dnsruby so that they support the same RR types.

> If so, should it go in 1.0 or 1.1?

If we want this fix, it would only be good to have this before we have synced the libraries (if we are not mentioning the case where the user hasn't upgraded the libraries). So if we want ldns and dnsruby to be in sync for 1.1, then this fix should be in 1.0.

// Rickard
From: olaf at NLnetLabs.nl (Olaf Kolkman)
Date: Mon, 14 Dec 2009 11:24:54 +0100
Subject: [Opendnssec-develop] Auditor croaks on APL RR
In-Reply-To: <983F17705339E24699AA251B458249B51F1977D08D@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B51F1977D08D@EXCHANGE2K7.office.nic.se>
Message-ID: <019DC92A-6D39-475E-B0A2-6B5C306C3FE1@NLnetLabs.nl>

On Dec 14, 2009, at 10:45 AM, Rickard Bellgrim wrote:

> > Do people think this should be supported?
>
> Yes, but the best way is to sync ldns and dnsruby so that they support the same RR types.

But the problem is that you will not be able to guarantee that the libs are in sync. Most people will want to maintain these libraries through their port/pkg maintenance systems. And those will at some point be out of sync. I would really like to see resiliency against that.

> > If so, should it go in 1.0 or 1.1?
>
> If we want this fix, it would only be good to have this before we have synced the libraries (if we are not mentioning the case where the user hasn't upgraded the libraries). So if we want ldns and dnsruby to be in sync for 1.1, then this fix should be in 1.0.

Yep.

--Olaf

________________________________________________________
Olaf M. Kolkman
NLnet Labs
Science Park 140, http://www.nlnetlabs.nl/
1098 XG Amsterdam
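The type handling that the #60 thread (Alex's TYPE42 comment, Olaf's request that the auditor skip rather than croak, and the number-versus-name corner case above) keeps coming back to, as an added example; this is not the OpenDNSSEC auditor, and the tiny KNOWN_TYPES table stands in for whatever a real DNS library knows. Types are compared by number, so "APL" in the signed zone and "TYPE42" in the unsigned zone match, RFC 3597 generic RDATA is parsed with its length checked, and a mnemonic the table does not know yields "skipped" instead of an exception, which is where the auditor would log a strong warning.

```python
r"""Normalise RR types so an auditor does not choke on types its library
does not know. Added example, not the OpenDNSSEC auditor.

RFC 3597 allows any type to be written as TYPE<n> with RDATA in the form
"\# <length> <hex>". The signer may emit a type name where the unsigned
zone used TYPE<n>, so comparison must be by type number. Types missing
from KNOWN_TYPES are reported as skipped instead of raising.
"""
import re

# Stand-in for a DNS library's type table (assumption of this example;
# the numbers themselves are the IANA values, APL is 42).
KNOWN_TYPES = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "APL": 42,
               "DS": 43, "RRSIG": 46, "NSEC": 47, "DNSKEY": 48}
_GENERIC = re.compile(r"^TYPE(\d+)$", re.IGNORECASE)


def type_number(token):
    """Map 'APL' or 'TYPE42' to 42; a mnemonic the table lacks gives None."""
    m = _GENERIC.match(token)
    if m:
        n = int(m.group(1))
        if n > 65535:
            raise ValueError(f"type number out of range: {token}")
        return n
    return KNOWN_TYPES.get(token.upper())


def parse_generic_rdata(text):
    r"""Parse RFC 3597 '\# <len> <hex...>' into bytes, checking the length."""
    parts = text.split()
    if len(parts) < 2 or parts[0] != r"\#":
        raise ValueError("not generic RDATA syntax")
    length = int(parts[1])
    data = bytes.fromhex("".join(parts[2:]))   # hex may be split by spaces
    if len(data) != length:
        raise ValueError(f"declared {length} bytes, got {len(data)}")
    return data


def audit_type(unsigned_token, signed_token):
    """Compare one RR's type between the unsigned and the signed zone.

    Returns 'ok', 'mismatch', or 'skipped' (type unknown to this table,
    where the auditor should warn and carry on rather than abort).
    """
    u, s = type_number(unsigned_token), type_number(signed_token)
    if u is None or s is None:
        return "skipped"
    return "ok" if u == s else "mismatch"


if __name__ == "__main__":
    # Constructed samples: the same record in both notations, a real
    # mismatch, and a type the table does not know (SPF).
    print(audit_type("TYPE42", "APL"))
    print(audit_type("APL", "TYPE43"))
    print(audit_type("SPF", "TYPE99"))
    print(parse_generic_rdata(r"\# 4 0A000001").hex())
```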
From: roland.vanrijswijk at surfnet.nl (Roland van Rijswijk)
Date: Mon, 14 Dec 2009 11:41:50 +0100
Subject: [Opendnssec-develop] Dependencies & stock distributions
Message-ID: <4B26166E.2030508@surfnet.nl>

Hi guys,

We have started some preliminary tests as a preparation for the roll-out of OpenDNSSEC we are going to implement next year. For all the tests we did so far, we built most things from source, including the dependencies. Now though, we are using a stock distribution (Red Hat Enterprise Linux) and are running into some complications with dependencies.

The biggest problem we have is that none of the packages that come with the distribution are the right version to work with OpenDNSSEC. In almost all cases (with just a few exceptions) OpenDNSSEC requires a newer version of the package concerned. As you are probably aware, most distributions seldom come shipped with the latest-greatest version of a package (usually for stability reasons) and Red Hat commonly backports patches to keep the distribution stable rather than shiny new.

Since we are going to deploy OpenDNSSEC into production where the OS maintenance is going to be done by a third party, it is inconvenient not to be able to depend on regular OS updates from the distributor but instead having to rebuild all dependencies every time there is an update to one of them. This is also going to be an issue for the packagers who have volunteered to build OpenDNSSEC packages for several distributions.

Summarising: I would like to advocate a check of dependencies on common distributions - I for instance would be happy to report the issues I run into on RHEL. Furthermore, I'd like to propose an "external feature freeze", i.e. not upgrading to newer versions of dependencies unless it is absolutely necessary; in my opinion, there is a real risk that this problem will stop people from deploying OpenDNSSEC in production environments because of the maintenance hassle (and the cost deriving from that).

Your thoughts are welcome.

P.S. I realise that this is quite a long e-mail; rest assured that it is not intended as a rant but rather as constructive criticism.

Cheers,

Roland

--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 14 Dec 2009 12:14:47 +0100
Subject: [Opendnssec-develop] Dependencies & stock distributions
In-Reply-To: <4B26166E.2030508@surfnet.nl>
References: <4B26166E.2030508@surfnet.nl>
Message-ID: <983F17705339E24699AA251B458249B51F1977D0F9@EXCHANGE2K7.office.nic.se>

> Summarising: I would like to advocate a check of dependencies on common distributions - I for instance would be happy to report the issues I run into on RHEL. Furthermore, I'd like to propose an "external feature freeze", i.e. not upgrading to newer versions of dependencies unless it is absolutely necessary; in my opinion, there is a real risk that this problem will stop people from deploying OpenDNSSEC in production environments because of the maintenance hassle (and the cost deriving from that).
>
> Your thoughts are welcome.

I think we require the latest versions (or almost latest versions) of dnsruby, ldns, and botan. These are the fundamental libraries that we use in OpenDNSSEC. We have found bugs in them that were critical to fix.

You could also argue that OpenDNSSEC isn't packaged for RHEL, but when it is packaged then our dependencies also would get packaged. For now, we could add some more install notes for each OS on http://trac.opendnssec.org/wiki/Signer/Using/Installation/Dependencies

.SE are running on Ubuntu 8.0.4, so we need to maintain our own package repository to lower the workload on the system administrators. And that is what you have to do in order to run new software on an old OS.

// Rickard
From: roland.vanrijswijk at surfnet.nl (Roland van Rijswijk)
Date: Mon, 14 Dec 2009 13:24:26 +0100
Subject: [Opendnssec-develop] Dependencies & stock distributions
In-Reply-To: <983F17705339E24699AA251B458249B51F1977D0F9@EXCHANGE2K7.office.nic.se>
References: <4B26166E.2030508@surfnet.nl> <983F17705339E24699AA251B458249B51F1977D0F9@EXCHANGE2K7.office.nic.se>
Message-ID: <4B262E7A.2020000@surfnet.nl>

Hi Rickard,

Rickard Bellgrim wrote:
> I think we require the latest versions (or almost latest versions) of dnsruby, ldns, and botan. These are the fundamental libraries that we use in OpenDNSSEC. We have found bugs in them that were critical to fix.

If I remember correctly I had to upgrade or install the following packages:

 - ldns
 - ruby
 - dnsruby
 - rubygems
 - 4SuiteXML (required by rubygems, I think)
 - sqlite
 - botan

If I wanted to build from source, I also had to upgrade:

 - autoconf
 - automake
 - m4

That's quite a lot of work that has to be done before I could even get started with OpenDNSSEC, and quite a lot of dependencies to maintain by hand rather than relying on the updates from the distro...

> You could also argue that OpenDNSSEC isn't packaged for RHEL, but when it is packaged then our dependencies also would get packaged. For now, we could add some more install notes for each OS on http://trac.opendnssec.org/wiki/Signer/Using/Installation/Dependencies

I'd say the following dependencies should be packaged:

 - ldns (NLnet Labs also does this for unbound)
 - dnsruby
 - botan

In my opinion, the following dependencies should work with the OS-provided packages:

 - sqlite
 - ruby

> .SE are running on Ubuntu 8.0.4, so we need to maintain our own package repository to lower the workload on the system administrators. And that is what you have to do in order to run new software on an old OS.

We would be running the latest release of RHEL; I would not classify that as an old OS, rather as a stable OS. Ideally, it should not be necessary to maintain other packages in addition to OpenDNSSEC in order to be able to run OpenDNSSEC...

Cheers,

Roland

--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 14 Dec 2009 13:48:45 +0100
Subject: [Opendnssec-develop] Dependencies & stock distributions
In-Reply-To: <4B262E7A.2020000@surfnet.nl>
References: <4B26166E.2030508@surfnet.nl> <983F17705339E24699AA251B458249B51F1977D0F9@EXCHANGE2K7.office.nic.se> <4B262E7A.2020000@surfnet.nl>
Message-ID: <983F17705339E24699AA251B458249B51F1977D12B@EXCHANGE2K7.office.nic.se>

> ldns
> ruby
> dnsruby
> rubygems
> 4SuiteXML (required by rubygems, I think)
> sqlite
> botan

I can use the packages ruby 1.8.6, sqlite 3.4.2, rubygems 0.9.4, and python-4suite-xml 1.0.2 from Ubuntu 8.0.4.

> If I wanted to build from source, I also had to upgrade:
>
> autoconf
> automake
> m4

I can use the packages autoconf 2.61, automake 1.10.1, and m4 1.4.10 from Ubuntu 8.0.4 (Everyone needs these in order to build from trunk. This applies to many open source projects.)

> I'd say the following dependencies should be packaged:
>
> ldns (NLnet Labs also does this for unbound)
> dnsruby
> botan

Yes, they will be whenever a package maintainer decides to package OpenDNSSEC.

> In my opinion, the following dependencies should work with the
> OS-provided packages:
>
> sqlite
> ruby

Yes, they should.

> > .SE are running on Ubuntu 8.0.4, so we need to maintain our own package
> > repository to lower the workload on the system administrators. And that
> > is what you have to do in order to run new software on an old OS.
>
> We would be running the latest release of RHEL; I would not classify
> that as an old OS, rather as a stable OS. Ideally, it should not be
> necessary to maintain other packages in addition to OpenDNSSEC in order
> to be able to run OpenDNSSEC...

My conclusion for Ubuntu 8.0.4 is that I have to build from source for ldns, dnsruby, and botan.

What versions of the other software do you have in RHEL as a RPM? Could you add some notes on RHEL to our wiki?

// Rickard

From owner-dnssec-trac at kirei.se Mon Dec 14 13:08:19 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 14 Dec 2009 13:08:19 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #60: Auditor croaks on APL RR
In-Reply-To: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se>
References: <055.cdacd4792d5103ba08c4c9d96ce61184@kirei.se>
Message-ID: <064.4c2319b5020739518a968d1f2a89a909@kirei.se>

#60: Auditor croaks on APL RR
------------------------------+---------------------------------------------
 Reporter:  olaf@?            |      Owner:  alex
     Type:  defect            |     Status:  assigned
 Priority:  major             |  Component:  Auditor
  Version:  trunk             |   Keywords:
------------------------------+---------------------------------------------
Comment(by alex):

This should be fixed in svn 2606. I'd be grateful if you had time to check this change before we make the next tagged release, please.

Thanks,

Alex.

--
Ticket URL:
OpenDNSSEC

From rick.zijlker at sidn.nl Mon Dec 14 13:21:50 2009
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Mon, 14 Dec 2009 14:21:50 +0100
Subject: [Opendnssec-develop] Dependencies & stock distributions
References: <4B26166E.2030508@surfnet.nl> <983F17705339E24699AA251B458249B51F1977D0F9@EXCHANGE2K7.office.nic.se> <4B262E7A.2020000@surfnet.nl> <983F17705339E24699AA251B458249B51F1977D12B@EXCHANGE2K7.office.nic.se>
Message-ID: <850A39016FA57A4887C0AA3C8085F949014D865E@KAEVS1.SIDN.local>

Hello,

I also had a little trouble installing on Red Hat because of lacking the newest versions, but after some days (I'm a newbie linux user) I got RC1 to work on Red Hat 5.4. Used the following versions:

Rubygems 1.3.5
DNSruby 1.41
SQLite 3.4.2
Ldns 1.6.3
Botan 1.8.8
4Suite-XML 1.0.2
OpenDNSSEC-1.0.0RC1 tarball
SoftHSM-1.1.1 tarball

Installed these with Yum:

Libxml2
Libxml2-devel
Gcc-c++
Ruby
Ruby-rdoc
Python-devel

Hopefully this amount will shrink and version-refreshing will settle a bit in the future versions.

Cheers,
Rick
From jakob at kirei.se Tue Dec 15 10:15:18 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 15 Dec 2009 11:15:18 +0100
Subject: [Opendnssec-develop] remove key?
Message-ID:

if I have a key in publish state, and I want to remove it prematurely - can that be done?

jakob

From sion at nominet.org.uk Tue Dec 15 11:40:31 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Tue, 15 Dec 2009 11:40:31 +0000
Subject: [Opendnssec-develop] remove key?
In-Reply-To:
References:
Message-ID:

> if I have a key in publish state, and I want to remove it
> prematurely - can that be done?

not with ods-ksmutil. If you are feeling brave then you could do something like:

sqlite3 kasp.db
update keypairs set state = 6 where HSMkey_id = ;

(More correctly you would want to set the "dead" field to the current date also, but I don't think that this is required.)

Sion

From rick at openfortress.nl Tue Dec 15 15:33:44 2009
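As an added example (not part of the list thread and not OpenDNSSEC's own code), here is the manual edit Sion describes carried out with the checks an operator would want before touching the enforcer database by hand: the UPDATE runs inside a transaction, is only committed if it matched exactly one row, and sets the "dead" field together with state = 6. The table and column names (keypairs, HSMkey_id, state, dead) are the ones in the reply, but the schema built below is a constructed stand-in for kasp.db, and the state values 2, 4 and 6 are assumptions.

```python
"""Constructed example, not OpenDNSSEC code: the manual key-state edit from
Sion's reply, done with a transaction and a single-row guard."""
import sqlite3
from datetime import datetime, timezone

# Assumption: 6 is the value the reply's UPDATE uses for a key that is dead.
DEAD_STATE = 6


def build_sample_db():
    """Constructed in-memory stand-in for kasp.db.

    Only the columns named in the reply (HSMkey_id, state, dead) plus an
    id are modelled; the real keypairs table has more columns.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE keypairs ("
        "  id INTEGER PRIMARY KEY,"
        "  HSMkey_id TEXT NOT NULL,"
        "  state INTEGER NOT NULL,"
        "  dead TEXT)"
    )
    # Constructed sample rows; states 2 (publish) and 4 (active) are assumed.
    conn.executemany(
        "INSERT INTO keypairs (HSMkey_id, state, dead) VALUES (?, ?, NULL)",
        [("0123abcd", 2), ("4567ef01", 4)],
    )
    conn.commit()
    return conn


def retire_key(conn, hsmkey_id, now=None):
    """Mark one key dead: state = DEAD_STATE and dead = timestamp.

    Runs inside a transaction and requires the UPDATE to hit exactly one
    row; otherwise the transaction is rolled back and ValueError raised, so
    a mistyped id can neither silently do nothing nor kill several keys.
    Returns the key's (state, dead) after the change.
    """
    if now is None:
        now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    with conn:  # commit on success, rollback if an exception escapes
        cur = conn.execute(
            "UPDATE keypairs SET state = ?, dead = ? WHERE HSMkey_id = ?",
            (DEAD_STATE, now, hsmkey_id),
        )
        if cur.rowcount != 1:
            raise ValueError(
                f"UPDATE matched {cur.rowcount} rows for HSMkey_id "
                f"{hsmkey_id!r}, expected exactly 1"
            )
    return conn.execute(
        "SELECT state, dead FROM keypairs WHERE HSMkey_id = ?", (hsmkey_id,)
    ).fetchone()


def key_states(conn):
    """Return {HSMkey_id: (state, dead)} for every key, for a before/after check."""
    return {
        hsmkey_id: (state, dead)
        for hsmkey_id, state, dead in conn.execute(
            "SELECT HSMkey_id, state, dead FROM keypairs ORDER BY id"
        )
    }


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", key_states(db))
    print("retired:", retire_key(db, "0123abcd"))
    print("after: ", key_states(db))
```

The single-row guard is the point of the example: the raw sqlite3 one-liner in the reply would happily update zero rows (typo in the id) or several rows (a WHERE clause that is too broad) without saying so, and the enforcer's own state machine would not find out until its next run. Checking key_states() before and after is the manual equivalent of the "how can its result be checked" step asked for elsewhere in this thread.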
From: rick at openfortress.nl (Rick van Rein)
Date: Tue, 15 Dec 2009 15:33:44 +0000
Subject: [Opendnssec-develop] Dependencies & stock distributions
In-Reply-To: <850A39016FA57A4887C0AA3C8085F949014D865E@KAEVS1.SIDN.local>
References: <983F17705339E24699AA251B458249B51F1977D12B@EXCHANGE2K7.office.nic.se> <850A39016FA57A4887C0AA3C8085F949014D865E@KAEVS1.SIDN.local>
Message-ID: <20091215153344.GH6662@phantom.vanrein.org>

Hey,

> I also had a little trouble installing on Red Hat because of lacking the newest versions, but after some days (I'm a newbie linux user) I got RC1 to work on Red Hat 5.4. Used the following versions:

One worry for me is that a given HSM will run on a particular platform, RHEL5 being a common example, and won't mix with all the dependencies needed to run OpenDNSSEC. The more software versions are limited to one particular version, the higher the chances of disturbing things in the versioning arena.

All these things can of course be solved by installing dependencies in other prefixes, but that makes OpenDNSSEC deviate (strongly) from the push button ideal. Acute knowledge of the version ranges that work would be really useful, as well as constraining ourselves in the software facilities that we rely upon.

Ruby is one factor that makes OpenDNSSEC deviate from the ideal of a pushbutton/turnkey solution. Many users may find it to be a new language and a new installation skillset.

Hope this helps,

Cheers,
-Rick

From rickard.bellgrim at iis.se Tue Dec 15 16:00:31 2009
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 15 Dec 2009 17:00:31 +0100
Subject: [Opendnssec-develop] Dependencies & stock distributions
In-Reply-To: <20091215153344.GH6662@phantom.vanrein.org>
References: <983F17705339E24699AA251B458249B51F1977D12B@EXCHANGE2K7.office.nic.se> <850A39016FA57A4887C0AA3C8085F949014D865E@KAEVS1.SIDN.local> <20091215153344.GH6662@phantom.vanrein.org>
Message-ID: <983F17705339E24699AA251B458249B51F1977D3DD@EXCHANGE2K7.office.nic.se>

> One worry for me is that a given HSM will run on a particular platform,
> RHEL5 being a common example, and won't mix with all the dependencies
> needed to run OpenDNSSEC. The more software versions are limited to
> one particular version, the higher the chances of disturbing things in
> the versioning arena.

Let's face it. When developing new software, you want to use up-to-date libraries so that you do not stand still but evolve. The standards have not been here for years. We must thus use updated libraries.

> All these things can of course be solved by installing dependencies in
> other prefixes, but that makes OpenDNSSEC deviate (strongly) from the
> push button ideal. Acute knowledge of the version ranges that work
> would be really useful, as well as constraining ourselves in the
> software facilities that we rely upon.

No (advanced) software is push the button until it is packaged. Rome was not built in one day.

> Ruby is one factor that makes OpenDNSSEC deviate from the ideal of a
> pushbutton/turnkey solution. Many users may find it to be a new
> language and a new installation skillset.

(./configure --disable-auditor)

// Rickard

From roland.vanrijswijk at surfnet.nl Tue Dec 15 20:18:06 2009
From: roland.vanrijswijk at surfnet.nl (Roland van Rijswijk)
Date: Tue, 15 Dec 2009 21:18:06 +0100
Subject: [Opendnssec-develop] Dependencies & stock distributions
In-Reply-To: <983F17705339E24699AA251B458249B51F1977D3DD@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B51F1977D12B@EXCHANGE2K7.office.nic.se> <850A39016FA57A4887C0AA3C8085F949014D865E@KAEVS1.SIDN.local> <20091215153344.GH6662@phantom.vanrein.org> <983F17705339E24699AA251B458249B51F1977D3DD@EXCHANGE2K7.office.nic.se>
Message-ID: <4B27EEFE.4070905@surfnet.nl>

Hi Rickard,

> Let's face it. When developing new software, you want to use up-to-date
> libraries so that you do not stand still but evolve. The standards have
> not been here for years. We must thus use updated libraries.

Agreed, but - IMHO - that only holds true for software that concerns DNSSEC specific features such as ldns.

> (./configure --disable-auditor)

That seems unwise to me :-). I don't have a quarrel with ruby, but I would prefer to keep the number of different scripting languages in use to a minimum (as I think Roy already said).

Cheers,

Roland

--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From rick at openfortress.nl Wed Dec 16 08:36:29 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 16 Dec 2009 08:36:29 +0000
Subject: [Opendnssec-develop] Dependencies & stock distributions
In-Reply-To: <983F17705339E24699AA251B458249B51F1977D0F9@EXCHANGE2K7.office.nic.se>
References: <4B26166E.2030508@surfnet.nl> <983F17705339E24699AA251B458249B51F1977D0F9@EXCHANGE2K7.office.nic.se>
Message-ID: <20091216083629.GA5981@phantom.vanrein.org>

Hi,

> I think we require the latest versions (or almost latest versions) of dnsruby, ldns, and botan. These are the fundamental libraries that we use in OpenDNSSEC. We have found bugs in them that were critical to fix.

Good point... it's about bugfixes, not features.

If it were for features only, an older version would do. These older versions would be easier for distro's. Given the option of backporting bugfixes into distro's, would it be an idea to list the following for all dependencies?

1. Older software version that has enough features
2. Bugfixes since then that are needed
   -> e.g. patchrefs, or quotes from dependency's changelogs

This could greatly simplify the life of packagers and thus improve the chances of OpenDNSSEC being adopted into distributions and indeed becoming a turnkey solution for all those distro users. This in turn simplifies cooperation with an HSM that supports only certain distros.

Hope this helps,

Cheers,
-Rick

From matthijs at NLnetLabs.nl Wed Dec 16 08:38:13 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Wed, 16 Dec 2009 09:38:13 +0100
Subject: [Opendnssec-develop] [Fwd: FreeBSD port for softHSM]
Message-ID: <4B289C75.7050808@nlnetlabs.nl>

I am forwarding this to let you know Jaap made a FreeBSD port for softHSM. The port has not yet been submitted to FreeBSD, Jaap is still running some tests. He did already give me some feedback.

Matthijs

-------------- next part --------------
An embedded message was scrubbed...
From: Jaap Akkerhuis
Subject: FreeBSD port voor softHSM
Date: Tue, 15 Dec 2009 21:30:12 +0100
Size: 3374
URL:

From rickard.bellgrim at iis.se Wed Dec 16 08:48:18 2009
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 16 Dec 2009 09:48:18 +0100
Subject: [Opendnssec-develop] [Fwd: FreeBSD port for softHSM]
In-Reply-To: <4B289C75.7050808@nlnetlabs.nl>
References: <4B289C75.7050808@nlnetlabs.nl>
Message-ID: <983F17705339E24699AA251B458249B51F1977D474@EXCHANGE2K7.office.nic.se>

> I am forwarding this to let you know Jaap made a FreeBSD port for
> softHSM. The port has not yet been submitted to FreeBSD, Jaap is still
> running some tests. He did already give me some feedback.

Thanks for the comments.

Installation blues:
Will have a look at the overwriting of the softhsm.conf file when installing.

Documentation blues:
There is a README in srcdir.

Missing man pages:
Will have a look at it when I have time.

// Rickard

From rickard.bellgrim at iis.se Wed Dec 16 10:39:58 2009
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 16 Dec 2009 11:39:58 +0100
Subject: [Opendnssec-develop] [Fwd: FreeBSD port for softHSM]
In-Reply-To: <983F17705339E24699AA251B458249B51F1977D474@EXCHANGE2K7.office.nic.se>
References: <4B289C75.7050808@nlnetlabs.nl> <983F17705339E24699AA251B458249B51F1977D474@EXCHANGE2K7.office.nic.se>
Message-ID: <983F17705339E24699AA251B458249B51F1977D527@EXCHANGE2K7.office.nic.se>

> Installation blues:
> Will have a look at the overwriting of the softhsm.conf file when
> installing.

I am looking at the install hook for the conf file and it looks like it should not overwrite any existing conf file. Did it do that for Jaap? It does not do that for me on Ubuntu.

test -f ${sysconfdir}/softhsm.conf || \
    ${INSTALL_DATA} ${top_builddir}/softhsm.conf ${DESTDIR}${sysconfdir}

// Rickard

From sion at nominet.org.uk Wed Dec 16 15:12:12 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Wed, 16 Dec 2009 15:12:12 +0000
Subject: [Opendnssec-develop] Dependencies & stock distributions
In-Reply-To: <20091216083629.GA5981@phantom.vanrein.org>
References: <4B26166E.2030508@surfnet.nl> <983F17705339E24699AA251B458249B51F1977D0F9@EXCHANGE2K7.office.nic.se> <20091216083629.GA5981@phantom.vanrein.org>
Message-ID:

> > I think we require the latest versions (or almost latest versions)
> > of dnsruby, ldns, and botan. These are the fundamental libraries
> > that we use in OpenDNSSEC. We have found bugs in them that were
> > critical to fix.
>
> Good point... it's about bugfixes, not features.
>
> If it were for features only, an older version would do. These older
> versions would be easier for distro's. Given the option of backporting
> bugfixes into distro's, would it be an idea to list the following for
> all dependencies?
>
> 1. Older software version that has enough features
> 2. Bugfixes since then that are needed
>    -> e.g. patchrefs, or quotes from dependency's changelogs
>
> This could greatly simplify the life of packagers and thus improve the
> chances of OpenDNSSEC being adopted into distributions and indeed
> becoming a turnkey solution for all those distro users. This in turn
> simplifies cooperation with an HSM that supports only certain distros.

For the enforcer's sqlite dependency we test for the most recent API call that we make (sqlite_prepare_v2) but if this fails then we lie about the required version (it says 3.4.2 when 3.3.9 would be enough).

As for bug fixes I'm not sure that it is possible to be certain which ones might affect us, or if there are inter-dependencies of bug fixes... (E.g. 3.3.10 and 3.3.11 both talk about bug fixes to sqlite_prepare_v2; but without testing these versions I don't know if they are required or not.) When you are talking about centos5.2 running sqlite 3.3.6 (from June 2006) the number of bug fixes is quite large.

Sion

From owner-dnssec-trac at kirei.se Wed Dec 16 18:05:59 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 16 Dec 2009 18:05:59 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #64: .signed does not exist
Message-ID: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>

#64: .signed does not exist
--------------------------------------------------------------+-------------
 Reporter:  archi.laurent@?>                                  |      Owner:  matthijs
     Type:  defect                                            |     Status:  new
 Priority:  blocker                                           |  Component:  Signer
  Version:  trunk                                             |   Keywords:  .signed does not exist
--------------------------------------------------------------+-------------
Hi all,

Opendnssec with my first machine = all it's ok

And with for me, a similar installation for second PC, and same the same distribution all it's ok, except there is no file in directory "signed" (?) - And after many tests I don't know why...

For your help:

[syslog:]
Dec 16 18:36:07 serveur ods-signerd: Run command: '/usr/local/bin/ods-auditor -c /etc/opendnssec/conf.xml -s /var/opendnssec/tmp/archi.amt.finalized -z archi.amt'
Dec 16 18:36:08 serveur ods-auditor[13624]: Auditor started
Dec 16 18:36:08 serveur ods-auditor[13624]: Auditor starting on archi.amt
Dec 16 18:36:08 serveur ods-signerd: Auditor result: 1

and the same manual command:

/usr/local/lib/opendnssec/kasp_auditor/preparser.rb:54:in `initialize': uninitialized constant Dnsruby::ZoneReader (NameError)
        from /usr/local/lib/opendnssec/kasp_auditor.rb:179:in `new'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:179:in `normalise_and_sort'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:133:in `run_with_syslog'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:112:in `each'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:112:in `run_with_syslog'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:85:in `run'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:83:in `open'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:83:in `run'
        from /usr/local/bin/ods-auditor:112

Many thanks for your answer - Best regards

"doctor"

For versioning of Opendnssec + softhsm are all in last version, except trunk ...

--
Ticket URL:
OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Dec 16 20:21:51 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 16 Dec 2009 20:21:51 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #64: .signed does not exist
In-Reply-To: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
References: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
Message-ID: <096.fbb966b78ec19078ae2f2a9cd6cb9b49@kirei.se>

#64: .signed does not exist
--------------------------------------------------------------+-------------
 Reporter:  archi.laurent@?>                                  |      Owner:  alex
     Type:  defect                                            |     Status:  assigned
 Priority:  blocker                                           |  Component:  Signer
  Version:  trunk                                             |   Keywords:  .signed does not exist
--------------------------------------------------------------+-------------
Changes (by alex):

  * owner:  matthijs => alex
  * status:  new => assigned

Comment:

Do you know if you are running the same version of dnsruby on both machines? What versions are you running?

Thanks,

Alex.

--
Ticket URL:
OpenDNSSEC

From rick at openfortress.nl Wed Dec 16 21:22:36 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 16 Dec 2009 21:22:36 +0000
Subject: [Opendnssec-develop] Ideas for improving documentation
Message-ID: <20091216212236.GA17441@phantom.vanrein.org>

Hello,

As requested during the meeting, I would send a list of general and specific things that I think could make the (online) documentation more accessible. I hope it is useful -- I'll gladly edit whatever is considered good stuff.

* People can land on any page, and may miss background. For that reason, it is probably good to point back to general pages (such as Signer/Using) to indicate assumed prior reading. Without it, people will be left wondering what KASP is (if not spelled out in each file on first use) and similar things.

* Scope on Signer/Using: This section should make the reader decide if it is worth reading on. "OpenDNSSEC covers most of it" is not helpful to decide if it is saving the reader all concerns that s/he doesn't understand.

* Overview in Signer/Using: Here I am missing two things:
  1. a list of software responsibilities and how they are assigned to components, which is really helpful to get an idea of what the terms mean;
  2. a mapping of the components into how they are implemented (a few taken together as a daemon, a database like SQLite or MySQL, and so on).

  A quick brainstorm with the (user-experienced) responsibilities that could be useful to locate on components, as they constitute the path of a domain through the system (and tracing that would be helpful to see the flow for a new user):
  - knowledge of which zones are managed by OpenDNSSEC
  - knowledge of when each zone must be signed next time
  - generating, destroying and securely storing key pairs
  - managing key rollovers
  - responding to update notifications on a zone
  - fetching unsigned zone
  - controlling the timestamp in the SOA record
  - signing the records in a zone
  - inserting signed explicit holes (NSEC/NSEC3)
  - verifying if signing did not modify a domain
  - verifying if signing did not invalidate a domain
  - publishing the signed zone
  - submitting update notifications on a signed zone

  Also in Overview, it could help to introduce the term KSM as it is used in >1 other files without further indication of what it is.

* The Signer/Using splitup Installation / Configuration / Running (and perhaps Debugging) is pleasantly common. I would suggest moving:
  - Platform support under Installation
  - Zone content under Configuration or Running
  - Command utilities under Running
  - FAQ and Reporting Bugs under Debugging
  I've assumed Signer/Using is prior reading for the other documents.

* Using/Installation: No comments, very clear. This may be a better place for the Platform support list than the more general Signer/Using? After all, this is the file where one is working on "getting it going" whereas Signer/Using is about "what it means to be doing the OpenDNSSEC thing".

* Date/time durations in Signer/Using/Configuration: This is important but very detailed, and it is not very inviting at the start of this file, as it confuses the overview of this file (which IMHO is about guiding the reader around available configfiles). I would have placed it at the bottom of the file, or even in a separate page for central reference.

* kasp.xml in Signer/Using/Configuration: What is a policy? What sort of things can be configured in broad lines? The use of this information would be to know what configfile to turn to if one wants to get something done. The term "policy" is too general to new readers, I think, and so it could use a translation, a few examples, or both. Also in that section, "the hierarchical nature of XML allows the grouping of parameters into logical blocks" does not seem to add anything here.

* *.xml in Signer/Using/Configuration: Could we use bullets where we list the sort of things set in these files? They're great guides for one's eyeballs, and help to quickly establish an overview of this rather complex set of facts.

  In-document references to other configfiles draw a bit more attention than they deserve; reading depth-first it made me stop to wonder if this is a link to bookmark or chase, which is distracting.

  Links to "here" show up in red, but they are not as useful as having the name of the configfile in red. Our eyeballs quickly spot those links, and having meaningful text in red is useful for navigation.

  Reference to ".rng" is not directly meaningful to the reader; actually, it is the underlying semantics that cause syntactic constraints, so why not replace "Some syntactic constraints...should be made" with "Not all possible configuration texts are meaningful however." (and skip the paragraph break).

* Signer/Using/Configuration/conf: What does mean? (Twice)

* Signer/Using/Configuration/kasp: The reference to ISO 8601 could be usefully expanded with a reference to the writeup of what it means, as currently detailed in Signer/Using. OTOH, since this refers to Wikipedia, one could wonder why there is a local copy of this information on our Wiki. Consistency in whether this is on our Wiki or on Wikipedia would be nice.

  What does mean?

  This file mentions ZSK for the first time. A reference to documentation explaining what it is / why it is useful could be handy here. Specifically because it is (principally) an implementation choice to use the ZSK/KSK distinction. A quick note would suffice: "OpenDNSSEC follows the commonly advised approach of signing resource records with a short-lived Zone Signing Key (ZSK) and signing that with a Key Signing Key (KSK) which is longer and can therefore safely be used over longer periods of time. For details, see RFC 4641." Why add this here? Because the reader I've had in mind is one who is aware of DNS, but not necessarily of DNSSEC -- it is precisely to avoid detailed knowledge of DNSSEC that OpenDNSSEC appeals to that reader.

* ods-control in Signer/Using/Commands: I am missing "ods-control status" as a convenient check on the wellbeing of >1 daemons. But that's a feature.

  "It can pipe commands" is implementation detail that is not helpful to the reader who wants to know how to operate ods-control.

  Why are not all the following commands phrased in terms of ods-control instead of the various underlying utilities? This'd be clearer to the new user.

  "You can also start/stop the daemons ods-enforcerd and ods-signerd.": I didn't find those on our RC1 install. Instead, I found Engine.py and ods-enforcerd. If daemons are named, it sounds like I can ps|grep for them.

* ods-ksmutil in Signer/Using/Commands: it is clearer if "zone delete" is also laid out as code.

* Signer/Using/Commands in general: I would like to know why/what/how for each of the commands: why are they there (what does it accomplish in terms of getting your zones signed) and what is the approach (setup a zone list in the database, say) and how (the commands to run to get it done). Each of the commands would ideally link to the overview; what is its part in the signing flow of domains, what components does it play on and which responsibilities are fulfilled by it (and in how far)?

  After each command, it would be _very_ useful to have a way of checking up on the result, to ensure that it was successful. This will greatly aid in both understanding and debugging. Without this, all we can do is copy/paste examples and guess what they will do.

* Signer/Using/Running: Most remarks on Signer/Using/Commands apply here too:
  - Why is a step needed in the grand scheme of the domain-signing flow, what responsibilities are (partly) taken care of
  - What is the method followed (inserting zones in a database, kicking the signer to sign right away or scheduling for later, etc.)
  - How is it accomplished (with what command, and how can its result be checked manually)

* Signer/Using/Debugging: A missing page?
  - It does not work -- but how to trace the domain through the system and detect the spot where it goes wrong?
  - How does a system look when it is "operating within parameters"?
  - Where to look for errors -- which log facilities, which loglevels?
  - Where can one search and browse through experiences of other users?

This is a list of things, as requested during the meeting. I did my best to find anything that could possibly help the newcomer. I don't mind picking up on either or all of these, when so requested. Just let me know if I am raising valid questions to be answered in the documents; I think there is room for improvement, even if what we have right now is not bad at all.

Cheers,
-Rick

From owner-dnssec-trac at kirei.se Thu Dec 17 06:14:37 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 17 Dec 2009 06:14:37 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #64: .signed does not exist
In-Reply-To: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
References: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
Message-ID: <096.dacfae75e3edbb2ac6cfd3320f27318e@kirei.se>

#64: .signed does not exist
--------------------------------------------------------------+-------------
 Reporter: archi.laurent@?>  |  Owner: alex
     Type: defect            |  Status: assigned
 Priority: blocker           |  Component: Signer
  Version: trunk             |  Keywords: .signed does not exist
--------------------------------------------------------------+-------------

Comment(by archi.laurent@?>):

Hello,

for dnsruby it's the last version "1.40". And my problem is already
present (?), look at this:

/usr/local/bin/ods-auditor -c /etc/opendnssec/conf.xml -s /var/opendnssec/tmp/1.168.192.in-addr.arpa.finalized -z 1.168.192.in-addr.arpa
Auditor started
Auditor starting on 1.168.192.in-addr.arpa
/usr/local/lib/opendnssec/kasp_auditor/preparser.rb:54:in `initialize': uninitialized constant Dnsruby::ZoneReader (NameError)
        from /usr/local/lib/opendnssec/kasp_auditor.rb:179:in `new'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:179:in `normalise_and_sort'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:133:in `run_with_syslog'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:112:in `each'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:112:in `run_with_syslog'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:85:in `run'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:83:in `open'
        from /usr/local/lib/opendnssec/kasp_auditor.rb:83:in `run'
        from /usr/local/bin/ods-auditor:112

root at serveur:/var/opendnssec# /usr/local/bin/ods-auditor
Auditor started
Auditor starting on archi.amt
== Signed file /var/opendnssec/signed/archi.amt does not exist ==
Auditor starting on 1.168.192.in-addr.arpa
== Signed file /var/opendnssec/signed/1.168.192.in-addr.arpa does not exist ==
Auditor found errors - check log for details

Thanks a lot - Good day and best regards

--
Ticket URL:
OpenDNSSEC

From owner-dnssec-trac at kirei.se Thu Dec 17 08:56:17 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 17 Dec 2009 08:56:17 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #64: .signed does not exist
In-Reply-To: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
References: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
Message-ID: <096.40687cb3e3f7e73d28065bd1bc39cc7d@kirei.se>

#64: .signed does not exist
--------------------------------------------------------------+-------------
 Reporter: archi.laurent@?>  |  Owner: alex
     Type: defect            |  Status: assigned
 Priority: blocker           |  Component: Signer
  Version: trunk             |  Keywords: .signed does not exist
--------------------------------------------------------------+-------------

Comment(by alex):

This looks to be a versioning issue of some kind. Dnsruby::ZoneReader was
introduced in dnsruby-1.40, so should be available for use. Is it possible
that you have installed dnsruby in several different ways on this machine,
and that an old version of dnsruby is actually being used?

Thanks,

Alex.

--
Ticket URL:
OpenDNSSEC

From matthijs at NLnetLabs.nl Thu Dec 17 09:27:38 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Thu, 17 Dec 2009 10:27:38 +0100
Subject: [Opendnssec-develop] Ideas for improving documentation
In-Reply-To: <20091216212236.GA17441@phantom.vanrein.org>
References: <20091216212236.GA17441@phantom.vanrein.org>
Message-ID: <4B29F98A.6070805@nlnetlabs.nl>

In addition,

* The documentation should really go onto the website, instead of the
wiki. As it turns out, people get confused when going from website to
wiki and back again.

* (more website stuff) The home page does not provide enough information
for users why they should use OpenDNSSEC. Perhaps add a new header 'Why
OpenDNSSEC' with pointers to About and Features.

* The documentation on the wiki appears to be not usable by users:
- libopenssl-ruby seems not to be a requirement (at least not for
./configure)
- is libsqlite3 needed?

* The accompanying guide is only useful for Ubuntu users.

* There is an installation TODO for mysql.

Best regards,
Matthijs

Rick van Rein wrote:
> Hello,
>
> As requested during the meeting, I would send a list of general and specific
> things that I think could make the (online) documentation more accessible.
>
> I hope it is useful -- I'll gladly edit whatever is considered good stuff.
>
> * People can land on any page, and may miss background. For that reason,
> it is probably good to point back to general pages (such as Signer/Using)
> to indicate assumed prior reading. Without it, people will be left
> wondering what KASP is (if not spelled out in each file on first use)
> and similar things.
>
> * Scope on Signer/Using: This section should make the reader decide if it
> is worth reading on. "OpenDNSSEC covers most of it" is not helpful to
> decide if it is saving the reader all concerns that s/he doesn't understand.
>
> * Overview in Signer/Using: Here I am missing two things: 1. a list of
> software responsibilities and how they are assigned to components, which
> is really helpful to get an idea of what the terms mean; 2. a mapping
> of the components into how they are implemented (a few taken together
> as a daemon, a database like SQLite or MySQL, and so on).
>
> A quick brainstorm with the (user-experienced) responsibilities that
> could be useful to locate on components, as they constitute the path
> of a domain through the system (and tracing that would be helpful to
> see the flow for a new user):
>
> - knowledge of which zones are managed by OpenDNSSEC
> - knowledge of when each zone must be signed next time
> - generating, destroying and securely storing key pairs
> - managing key rollovers
> - responding to update notifications on a zone
> - fetching unsigned zone
> - controlling the timestamp in the SOA record
> - signing the records in a zone
> - inserting signed explicit holes (NSEC/NSEC3)
> - verifying if signing did not modify a domain
> - verifying if signing did not invalidate a domain
> - publishing the signed zone
> - submitting update notifications on a signed zone
>
> Also in Overview, it could help to introduce the term KSM as it is
> used in >1 other files without further indication of what it is.
>
> * The Signer/Using split-up Installation / Configuration / Running (and
> perhaps Debugging) is pleasantly common. I would suggest moving:
> - Platform support under Installation
> - Zone content under Configuration or Running
> - Command utilities under Running
> - FAQ and Reporting Bugs under Debugging
>
> I've assumed Signer/Using is prior reading for the other documents.
>
> * Using/Installation: No comments, very clear. This may be a better place
> for the Platform support list than the more general Signer/Using? After
> all, this is the file where one is working on "getting it going" whereas
> Signer/Using is about "what it means to be doing the OpenDNSSEC thing".
>
> * Date/time durations in Signer/Using/Configuration: This is important but
> very detailed, and it is not very inviting at the start of this file, as
> it confuses the overview of this file (which IMHO is about guiding the
> reader around available configfiles). I would have placed it at the
> bottom of the file, or even in a separate page for central reference.
>
> * kasp.xml in Signer/Using/Configuration: What is a policy? What sort of
> things can be configured in broad lines? The use of this information
> would be to know what configfile to turn to if one wants to get something
> done. The term "policy" is too general to new readers, I think, and so
> it could use a translation, a few examples, or both.
>
> Also in that section, "the hierarchical nature of XML allows the grouping
> of parameters into logical blocks" does not seem to add anything here.
>
> * *.xml in Signer/Using/Configuration: Could we use bullets where we list
> the sort of things set in these files? They're great guides for one's
> eyeballs, and help to quickly establish an overview of this rather
> complex set of facts.
>
> In-document references to other configfiles draw a bit more attention
> than they deserve; reading depth-first it made me stop to wonder if
> this is a link to bookmark or chase, which is distracting.
>
> Links to "here" show up in red, but they are not as useful as having
> the name of the configfile in red. Our eyeballs quickly spot those
> links, and having meaningful text in red is useful for navigation.
>
> Reference to ".rng" is not directly meaningful to the reader; actually,
> it is the underlying semantics that cause syntactic constraints, so why
> not replace "Some syntactic constraints...should be made" with "Not all
> possible configuration texts are meaningful however." (and skip the
> paragraph break).
>
> * Signer/Using/Configuration/conf: What does mean? (Twice)
>
> * Signer/Using/Configuration/kasp: The reference to ISO 8601 could be
> usefully expanded with a reference to the writeup of what it means, as
> currently detailed in Signer/Using. OTOH, since this refers to Wikipedia,
> one could wonder why there is a local copy of this information on our Wiki.
> Consistency in whether this is on our Wiki or on Wikipedia would be nice.
>
> What does mean?
>
> This file mentions ZSK for the first time. A reference to documentation
> explaining what it is / why it is useful could be handy here. Specifically
> because it is (principally) an implementation choice to use the ZSK/KSK
> distinction. A quick note would suffice: "OpenDNSSEC follows the commonly
> advised approach of signing resource records with a short-lived
> Zone Signing Key (ZSK) and signing that with a Key Signing Key (KSK) which
> is longer and can therefore safely be used over longer periods of time.
> For details, see RFC 4641."
> Why add this here? Because the reader I've had in mind is one who is
> aware of DNS, but not necessarily of DNSSEC -- it is precisely to avoid
> detailed knowledge of DNSSEC that OpenDNSSEC appeals to that reader.
>
> * ods-control in Signer/Using/Commands: I am missing "ods-control status"
> as a convenient check on the wellbeing of >1 daemons. But that's a feature.
>
> "It can pipe commands" is implementation detail that is not helpful to
> the reader who wants to know how to operate ods-control. Why are not
> all the following commands phrased in terms of ods-control instead of
> the various underlying utilities? This'd be clearer to the new user.
>
> "You can also start/stop the daemons ods-enforcerd and ods-signerd.":
> I didn't find those on our RC1 install. Instead, I found Engine.py
> and ods-enforcerd. If daemons are named, it sounds like I can ps|grep
> for them.
>
> * ods-ksmutil in Signer/Using/Commands: it is clearer if "zone delete"
> is also laid out as code.
>
> * Signer/Using/Commands in general: I would like to know why/what/how
> for each of the commands: why are they there (what does it accomplish
> in terms of getting your zones signed) and what is the approach (setup
> a zone list in the database, say) and how (the commands to run to get
> it done).
>
> Each of the commands would ideally link to the overview; what is its
> part in the signing flow of domains, what components does it play on
> and which responsibilities are fulfilled by it (and in how far)?
>
> After each command, it would be _very_ useful to have a way of checking
> up on the result, to ensure that it was successful. This will greatly
> aid in both understanding and debugging. Without this, all we can do is
> copy/paste examples and guess what they will do.
>
> * Signer/Using/Running: Most remarks on Signer/Using/Commands apply here
> too:
>
> - Why is a step needed in the grand scheme of the domain-signing flow,
> what responsibilities are (partly) taken care of
> - What is the method followed (inserting zones in a database, kicking
> the signer to sign right away or scheduling for later, etc.)
> - How is it accomplished (with what command, and how can its result be
> checked manually)
>
> * Signer/Using/Debugging: A missing page?
>
> - It does not work -- but how to trace the domain through the system
> and detect the spot where it goes wrong?
> - How does a system look when it is "operating within parameters"?
> - Where to look for errors -- which log facilities, which loglevels?
> - Where can one search and browse through experiences of other users?
>
>
> This is a list of things, as requested during the meeting. I did my best
> to find anything that could possibly help the newcomer. I don't mind
> picking up on either or all of these, when so requested. Just let me
> know if I am raising valid questions to be answered in the documents; I
> think there is room for improvement, even if what we have right now is
> not bad at all.
>
>
> Cheers,
> -Rick
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From owner-dnssec-trac at kirei.se Thu Dec 17 09:31:15 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 17 Dec 2009 09:31:15 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #65: -k option for ksk-roll not working
Message-ID: <058.81a2a69a4b79eedb25e39fa768d25ab5@kirei.se>

#65: -k option for ksk-roll not working
---------------------------------+------------------------------------------
 Reporter: andyh@?  |  Owner: rb
     Type: defect   |  Status: new
 Priority: major    |  Component: Unknown
  Version: trunk    |  Keywords:
---------------------------------+------------------------------------------

This was using rc1, not tested rc2 yet.

I've just tried a ksk roll using the help from ods-ksmutil:

key ksk-roll --zone aka -z --keytag | --cka_id aka -x / -k

ods-ksmutil key ksk-roll -z uk -k3156
*WARNING* This will retire the currently active KSK; are you sure? [y/N]
y
SQLite database set to: /var/opendnssec/kasp.db
Error: keytag "(null)"; should be numeric

only the --keytag option works correctly:

ods-ksmutil key ksk-roll -z uk --keytag 3156
*WARNING* This will retire the currently active KSK; are you sure? [y/N]
y
SQLite database set to: /var/opendnssec/kasp.db
Found key with CKA_ID be353aedeadc33ce35eaadb875249d14
Key be353aedeadc33ce35eaadb875249d14 made active, old key retired

--
Ticket URL:
OpenDNSSEC

From rickard.bellgrim at iis.se Thu Dec 17 09:48:01 2009
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Thu, 17 Dec 2009 10:48:01 +0100
Subject: [Opendnssec-develop] Ideas for improving documentation
In-Reply-To: <20091216212236.GA17441@phantom.vanrein.org>
References: <20091216212236.GA17441@phantom.vanrein.org>
Message-ID: <983F17705339E24699AA251B458249B51F1977D945@EXCHANGE2K7.office.nic.se>

> I hope it is useful -- I'll gladly edit whatever is considered good
> stuff.

Very good pointers on what to do with our documentation. Will start to
look into it next week.

// Rickard

From rick.zijlker at sidn.nl Thu Dec 17 10:44:21 2009
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Thu, 17 Dec 2009 11:44:21 +0100
Subject: [Opendnssec-develop] Ideas for improving documentation
References: <20091216212236.GA17441@phantom.vanrein.org> <4B29F98A.6070805@nlnetlabs.nl>
Message-ID: <850A39016FA57A4887C0AA3C8085F949014D8669@KAEVS1.SIDN.local>

The points listed below would be a great addition. I would really welcome
it as an inexperienced user.

I'm afraid it might cost much time to manage/moderate, but in the future a
forum with separate parts for several distributions would be really
helpful. That way you will create an interactive and more responsive FAQ
tailored towards the distributions. Instead of thinking about what the
user wants to know, you give users a chance to exchange experiences. The
mailing list hasn't got this more permanent and inter-exchangeable
characteristic.

Is there anything planned for this in the near future?

Cheers,
Rick

-----Original Message-----
From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of Matthijs Mekking
Sent: Thursday 17 December 2009 10:28
To: Rick van Rein
Cc: opendnssec-develop at lists.opendnssec.org
Subject: Re: [Opendnssec-develop] Ideas for improving documentation

_______________________________________________
Opendnssec-develop mailing list
Opendnssec-develop at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From owner-dnssec-trac at kirei.se Thu Dec 17 11:32:45 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 17 Dec 2009 11:32:45 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #65: -k option for ksk-roll not working
In-Reply-To: <058.81a2a69a4b79eedb25e39fa768d25ab5@kirei.se>
References: <058.81a2a69a4b79eedb25e39fa768d25ab5@kirei.se>
Message-ID: <067.4d90ebec9ec892344f927c695570e296@kirei.se>

#65: -k option for ksk-roll not working
---------------------------------+------------------------------------------
 Reporter: andyh@?  |  Owner: sion
     Type: defect   |  Status: assigned
 Priority: major    |  Component: Unknown
  Version: trunk    |  Keywords:
---------------------------------+------------------------------------------
Changes (by rb):

* owner: rb => sion
* status: new => assigned

--
Ticket URL:
OpenDNSSEC

From rick.zijlker at sidn.nl Thu Dec 17 12:03:42 2009
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Thu, 17 Dec 2009 13:03:42 +0100
Subject: [Opendnssec-develop] Signed zone not recognized as signed
Message-ID: <850A39016FA57A4887C0AA3C8085F949014D866A@KAEVS1.SIDN.local>

Hello all,

After signing the nl zone (NSEC3 opt-in) and copying the successfully
signed zone from /var/opendnssec/signed to /var/opendnssec/unsigned and
performing a key rollover, the logging tells me the zone is unsigned. It
is signing now.

At 12:20 I copied the signed zone to the /unsigned directory and after
that I issued the 'ods-control start' command. You see a new ZSK is
generated. During this log I entered the 'ods-ksmutil backup done'
command to enable OpenDNSSEC to roll over the ZSK.

Dec 17 12:36:43 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 17 12:36:43 signer2 ods-enforcerd: Communication Interval: 3600
Dec 17 12:36:43 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 17 12:36:43 signer2 ods-enforcerd: Log User set to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: Switched log facility to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: Connecting to Database...
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 17 12:36:43 signer2 ods-enforcerd: Communication Interval: 3600
Dec 17 12:36:43 signer2 ods-enforcerd: Policy default found.
Dec 17 12:36:43 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 17 12:36:43 signer2 ods-enforcerd: Communication Interval: 3600
Dec 17 12:36:43 signer2 ods-enforcerd: Key sharing is Off.
Dec 17 12:36:43 signer2 ods-enforcerd: Log User set to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 17 12:36:43 signer2 ods-enforcerd: Switched log facility to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: Log User set to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: /var/opendnssec/kasp.db.our_lock already locked, sleep
Dec 17 12:36:43 signer2 ods-enforcerd: Switched log facility to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: /var/opendnssec/kasp.db.our_lock already locked, sleep
Dec 17 12:36:43 signer2 ods-enforcerd: Created ZSK size: 1024, alg: 7 with id: 20301656daf649d6fd31739a92a76f17 in repository: luna1 and database.
Dec 17 12:36:43 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Dec 17 12:36:43 signer2 ods-enforcerd: Zone nl found.
Dec 17 12:36:43 signer2 ods-enforcerd: Policy for nl set to default.
Dec 17 12:36:43 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/nl.xml.
Dec 17 12:36:43 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 17 12:36:43 signer2 ods-signerd: Received command: 'update nl'
Dec 17 12:36:43 signer2 ods-signerd: Scheduling task to sign zone nl at 1261047772.03 with resign time 7200
Dec 17 12:36:43 signer2 ods-enforcerd: Could not call signer engine
Dec 17 12:36:43 signer2 ods-enforcerd: Will continue: call 'ods-signer update' to manually update zones
Dec 17 12:36:43 signer2 ods-enforcerd: Disconnecting from Database...
Dec 17 12:36:43 signer2 ods-signerd: Client socket shut down
Dec 17 12:36:43 signer2 ods-enforcerd: Sleeping for 3600 seconds.
Dec 17 12:36:43 signer2 ods-signerd: Zone action to perform: 3
Dec 17 12:36:43 signer2 ods-signerd: Resorting signed zone: nl
Dec 17 12:36:53 signer2 ods-enforcerd: Connecting to Database...
Dec 17 12:36:53 signer2 ods-enforcerd: Policy default found.
Dec 17 12:36:53 signer2 ods-enforcerd: Key sharing is Off.
Dec 17 12:36:53 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Dec 17 12:36:53 signer2 ods-enforcerd: Zone nl found.
Dec 17 12:36:53 signer2 ods-enforcerd: Policy for nl set to default.
Dec 17 12:36:53 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/nl.xml.
Dec 17 12:36:53 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 17 12:36:53 signer2 ods-enforcerd: /var/opendnssec/kasp.db.our_lock already locked, sleep
Dec 17 12:36:53 signer2 ods-enforcerd: No change to: /var/opendnssec/signconf/nl.xml
Dec 17 12:36:53 signer2 ods-enforcerd: Disconnecting from Database...
Dec 17 12:36:53 signer2 ods-enforcerd: Sleeping for 3600 seconds.
Dec 17 12:37:03 signer2 ods-enforcerd: Connecting to Database...
Dec 17 12:37:03 signer2 ods-enforcerd: Policy default found.
Dec 17 12:37:03 signer2 ods-enforcerd: Key sharing is Off.
Dec 17 12:37:03 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Dec 17 12:37:03 signer2 ods-enforcerd: Zone nl found.
Dec 17 12:37:03 signer2 ods-enforcerd: Policy for nl set to default.
Dec 17 12:37:03 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/nl.xml.
Dec 17 12:37:03 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 17 12:37:03 signer2 ods-enforcerd: No change to: /var/opendnssec/signconf/nl.xml
Dec 17 12:37:03 signer2 ods-enforcerd: Disconnecting from Database...
Dec 17 12:37:03 signer2 ods-enforcerd: Sleeping for 3600 seconds.
Dec 17 12:44:21 signer2 ods-signerd: stderr from sorter: Number of records sorted: 8421033
Dec 17 12:44:21 signer2 ods-signerd: Preprocessing signed zone: nl
Dec 17 12:44:21 signer2 ods-signerd: No signed zone yet
Dec 17 12:44:21 signer2 ods-signerd: Sorting zone: nl

Is there anything else I should do to let OpenDNSSEC know it's a signed
zone? Or did something not go as intended here?

This is my keylist prior to the rollover:

Keys:
Zone:  Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
nl     KSK       active   2010-12-15 16:57:12       40526f58ceda729b8e20dcb8fa78b5d9  softHSM      27996
nl     KSK       ready    next rollover             a60e3a9d993ec0baf2b58aae8cd2332c  softHSM      59425
nl     ZSK       retire   2009-12-23 20:05:22       e1edaee7a2e4a5753e9e0b7ec699d2fb  softHSM      22607
nl     ZSK       retire   2009-12-23 23:19:16       f32c8e8b144a01f7d23cba89b0cb94c1  softHSM      18500
nl     ZSK       retire   2009-12-24 13:21:05       9ec98215a1ea0e6c22531299cac5f34a  luna1        5135
nl     ZSK       active   2010-01-16 00:21:05       e0cb42739b2b9cc7cd62244753604bd0  luna1        25322
nl     ZSK       ready    next rollover             cb700dd8b460928c1cf89c29ed8a6e87  luna1        2723

This is my /tmp dir:

drwxr-xr-x 2 root root       4096 Dec 17 10:44 .
drwxr-xr-x 6 root root       4096 Dec 17 12:37 ..
-rw-r--r-- 1 root root  802188537 Dec 17 01:17 nl.nsecced
-rw-r--r-- 1 root root   39798162 Dec 17 13:00 nl.processed
-rw-r--r-- 1 root root         10 Dec 17 04:33 nl.serial
-rw-r--r-- 1 root root 1861768988 Dec 17 04:30 nl.signed
-rw-r--r-- 1 root root  395836542 Dec 17 12:44 nl.signed.sorted
-rw-r--r-- 1 root root  396952583 Dec 17 12:51 nl.sorted
-rw-r--r-- 1 root root 1861567228 Dec 17 12:44 nl.unsorted

Cheers,
Rick

From jakob at kirei.se Thu Dec 17 12:18:24 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Thu, 17 Dec 2009 13:18:24 +0100
Subject: [Opendnssec-develop] Signed zone not recognized as signed
In-Reply-To: <850A39016FA57A4887C0AA3C8085F949014D866A@KAEVS1.SIDN.local>
References: <850A39016FA57A4887C0AA3C8085F949014D866A@KAEVS1.SIDN.local>
Message-ID: <792CF148-918B-4B6A-B2F0-4E2F9FEFFF7C@kirei.se>

On 17 dec 2009, at 13.03, Rick Zijlker wrote:

> After signing the nl zone (NSEC3 opt-in) and copying the successfully signed zone from /var/opendnssec/signed to /var/opendnssec/unsigned and performing a key rollover the logging tells me the zone is unsigned. It is signing now.

why did you copy the zone from signed to unsigned?

jakob


From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Thu, 17 Dec 2009 13:20:25 +0100
Subject: [Opendnssec-develop] Signed zone not recognized as signed
References: <850A39016FA57A4887C0AA3C8085F949014D866A@KAEVS1.SIDN.local> <792CF148-918B-4B6A-B2F0-4E2F9FEFFF7C@kirei.se>
Message-ID: <850A39016FA57A4887C0AA3C8085F949014D866B@KAEVS1.SIDN.local>

To see how signing a signed zone with a new key goes.


From: jakob at kirei.se (Jakob Schlyter)
Date: Thu, 17 Dec 2009 13:22:43 +0100
Subject: [Opendnssec-develop] Signed zone not recognized as signed
In-Reply-To: <850A39016FA57A4887C0AA3C8085F949014D866B@KAEVS1.SIDN.local>
References: <850A39016FA57A4887C0AA3C8085F949014D866A@KAEVS1.SIDN.local> <792CF148-918B-4B6A-B2F0-4E2F9FEFFF7C@kirei.se> <850A39016FA57A4887C0AA3C8085F949014D866B@KAEVS1.SIDN.local>
Message-ID:

On 17 dec 2009, at 13.20, Rick Zijlker wrote:

> To see how signing a signed zone with a new key goes.

old signatures will automatically be reused - you do not need to (and should not) copy the signed zone to the unsigned one.

jakob


From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Thu, 17 Dec 2009 13:26:53 +0100
Subject: [Opendnssec-develop] Signed zone not recognized as signed
References: <850A39016FA57A4887C0AA3C8085F949014D866A@KAEVS1.SIDN.local> <792CF148-918B-4B6A-B2F0-4E2F9FEFFF7C@kirei.se> <850A39016FA57A4887C0AA3C8085F949014D866B@KAEVS1.SIDN.local>
Message-ID: <850A39016FA57A4887C0AA3C8085F949014D866C@KAEVS1.SIDN.local>

Ah ok. So the /unsigned directory is not like an "inbox" for a zone to be signed? Will OpenDNSSEC automatically grab the signed zone from /signed when performing a key rollover?

Cheers,
Rick

From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Thu, 17 Dec 2009 13:46:34 +0100
Subject: [Opendnssec-develop] Signed zone not recognized as signed
In-Reply-To: <850A39016FA57A4887C0AA3C8085F949014D866C@KAEVS1.SIDN.local>
References: <850A39016FA57A4887C0AA3C8085F949014D866A@KAEVS1.SIDN.local> <792CF148-918B-4B6A-B2F0-4E2F9FEFFF7C@kirei.se> <850A39016FA57A4887C0AA3C8085F949014D866B@KAEVS1.SIDN.local> <850A39016FA57A4887C0AA3C8085F949014D866C@KAEVS1.SIDN.local>
Message-ID: <4B2A282A.3060003@nlnetlabs.nl>

It will grab the signed zone from /tmp/.signed

Best regards,
Matthijs

Rick Zijlker wrote:
> Ah ok. So the /unsigned directory is not like an "inbox" for a zone to
> be signed? Will OpenDNSSEC automatically grab the signed zone from
> /signed when performing a key rollover?
>
> Cheers,
> Rick
>
> On 17 dec 2009, at 13.20, Rick Zijlker wrote:
>
>> To see how signing a signed zone with a new key goes.
>
> old signatures will automatically be reused - you do not need to (and
> should not) copy the signed zone to the unsigned one.
>
> jakob

From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Thu, 17 Dec 2009 15:37:31 +0100
Subject: [Opendnssec-develop] OpenDNSSEC freebsd port
Message-ID: <4B2A422B.7070908@nlnetlabs.nl>

Hi,

In addition to the softHSM port, Jaap is working on an OpenDNSSEC freebsd port. It turns out that ruby causes a problem to finalize the port.

1. The required dnsruby library 1.41 appears not to be public. You can install it with rubygems, but you won't have a clue where it fetches the binaries. The latest version on RubyForge is 1.40

2. Another thing is that the port maker errors on a private path during configuration. It could very well be the same issue as the first point, more investigation is needed.

Best regards,
Matthijs


From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Thu, 17 Dec 2009 14:49:30 +0000
Subject: [Opendnssec-develop] OpenDNSSEC freebsd port
In-Reply-To: <4B2A422B.7070908@nlnetlabs.nl>
References: <4B2A422B.7070908@nlnetlabs.nl>
Message-ID:

> In addition to the softHSM port, Jaap is working on an OpenDNSSEC
> freebsd port. It turns out that ruby causes a problem to finalize the port.
>
> 1.
> The required dnsruby library 1.41 appears not to be public. You can
> install it with rubygems, but you won't have a clue where it fetches the
> binaries. The latest version on RubyForge is 1.40

Yes - the default distribution method for Ruby Gems changed recently. I've added the binaries to the Rubyforge page. FYI, the 1.41 release is also available in svn :

svn list http://dnsruby.rubyforge.org/svn/tags/dnsruby-1.41/

the gem is :

svn list http://dnsruby.rubyforge.org/svn/tags/dnsruby-1.41/dnsruby-1.41.gem

> 2.
> Another thing is that the port maker errors on a private path during
> configuration. It could very well be the same issue as the first point,
> more investigation is needed.

Perhaps you could ask Jaap to contact me if I can be of any help?

Thanks,
Alex.


From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Thu, 17 Dec 2009 16:48:11 +0100
Subject: [Opendnssec-develop] OpenDNSSEC freebsd port
In-Reply-To:
References: <4B2A422B.7070908@nlnetlabs.nl>
Message-ID: <983F17705339E24699AA251B458249B51F1977DC2B@EXCHANGE2K7.office.nic.se>

> Yes - the default distribution method for Ruby Gems changed recently.
> I've added the binaries to the Rubyforge page. FYI, the 1.41 release is
> also available in svn :

Do we need to update the install notes on the wiki? Could you do that?

// Rickard


From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Thu, 17 Dec 2009 15:53:29 +0000
Subject: [Opendnssec-develop] OpenDNSSEC freebsd port
In-Reply-To: <983F17705339E24699AA251B458249B51F1977DC2B@EXCHANGE2K7.office.nic.se>
References: <4B2A422B.7070908@nlnetlabs.nl> <983F17705339E24699AA251B458249B51F1977DC2B@EXCHANGE2K7.office.nic.se>
Message-ID:

> > Yes - the default distribution method for Ruby Gems changed recently.
> > I've added the binaries to the Rubyforge page. FYI, the 1.41 release is
> > also available in svn :
>
> Do we need to update the install notes on the wiki? Could you do that?

I don't think so. If I keep posting the binaries on Rubyforge and Gemcutter, then it's all transparent for users. I hadn't anticipated the requirement to download a binary file from a website - but it's covered now.

Thanks,
Alex.

From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 17 Dec 2009 17:45:10 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #64: .signed does not exist
In-Reply-To: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
References: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
Message-ID: <096.ab70f4582908e7e7ea48ed51cdf8dc4a@kirei.se>

#64: .signed does not exist
--------------------------------------------------------------+-------------
 Reporter:  archi.laurent@?>                                  |  Owner:      alex
     Type:  defect                                            |  Status:     assigned
 Priority:  blocker                                           |  Component:  Signer
  Version:  trunk                                             |  Keywords:   .signed does not exist
--------------------------------------------------------------+-------------

Comment (by archi.laurent@?>):

Hello,

You have seen my real problem: probably a mix of dnsruby 1.39 / 1.40. Now it's good, thanks "Doctor" - Best regards -

Dec 17 18:41:59 serveur ods-signerd: Output zone to /var/opendnssec/signed/archi.amt


From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Thu, 17 Dec 2009 17:56:35 +0000
Subject: [Opendnssec-develop] Minutes of teleconference, 2009-12-16
Message-ID:

Notes from yesterday's teleconference can be found on the wiki:

http://trac.opendnssec.org/wiki/Meetings/Minutes/2009-12-16

Stephen


From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 18 Dec 2009 08:04:28 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #64: .signed does not exist
In-Reply-To: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
References: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
Message-ID: <096.e3e0044e0b723a2579cc6720081dd699@kirei.se>

#64: .signed does not exist
--------------------------------------------------------------+-------------
 Reporter:  archi.laurent@?>                                  |  Owner:       alex
     Type:  defect                                            |  Status:      closed
 Priority:  blocker                                           |  Component:   Signer
  Version:  trunk                                             |  Resolution:  invalid
 Keywords:  .signed does not exist                            |
--------------------------------------------------------------+-------------

Changes (by alex):

 * status:  assigned => closed
 * resolution:  => invalid

From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 20 Dec 2009 17:54:35 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #66: Difference Sqlite3 base...
Message-ID: <087.6a39eecdc620631bb232fe962d178446@kirei.se>

#66: Difference Sqlite3 base...
--------------------------------------------------------------+-------------
 Reporter:  archi.laurent@?>                                  |  Owner:      rb
     Type:  defect                                            |  Status:     new
 Priority:  trivial                                           |  Component:  SoftHSM
  Version:  trunk                                             |  Keywords:   Difference size Sqlite3
--------------------------------------------------------------+-------------

Hi all,

I have seen this, and sorry for you, I would like to know why. When I create the necessary "slot" for OpenDNSSEC, the size of the slot is "5120"... and just after, when I update the slot with your "database_create.sqlite3", the files are a size of "27648". And just after, when I run "ods-control start", the slot changes size. And my zones are signed, nothing to report... For this difference of size, is it normal and why (?)

With automatic :

-rw-r--r-- 1 root root '''5120''' 2009-12-20 18:29 kasp.db
-rw-r--r-- 1 root root '''5120''' 2009-12-20 18:28 slot0.db

And now with "database_create.sqlite3" in Sqlite3 :

root at serveur:/var/opendnssec# sqlite3 kasp.db < opendnssec-1.0.0rc1/enforcer/utils/database_create.sqlite3
root at serveur:/var/opendnssec# sqlite3 slot0.db < opendnssec-1.0.0rc1/enforcer/utils/database_create.sqlite3
root at serveur:/var/opendnssec# ll
-rw-r--r-- 1 root root '''27648''' 2009-12-20 18:29 kasp.db
-rw-r--r-- 1 root root '''27648''' 2009-12-20 18:29 slot0.db

After "ods-control start" and all it's ok :

-rw-r--r-- 1 root root '''30720''' 2009-12-20 18:37 kasp.db
-rw-r--r-- 1 root root '''47104''' 2009-12-20 18:37 slot0.db

Many thanks for your answer - Best regards


From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 20 Dec 2009 18:19:47 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #66: Difference Sqlite3 base...
In-Reply-To: <087.6a39eecdc620631bb232fe962d178446@kirei.se>
References: <087.6a39eecdc620631bb232fe962d178446@kirei.se>
Message-ID: <096.42a16c14a8f15dc880b1eafa26b2c88e@kirei.se>

#66: Difference Sqlite3 base...
--------------------------------------------------------------+-------------
 Reporter:  archi.laurent@?>                                  |  Owner:       rb
     Type:  defect                                            |  Status:      closed
 Priority:  trivial                                           |  Component:   SoftHSM
  Version:  trunk                                             |  Resolution:  invalid
 Keywords:  Difference size Sqlite3                           |
--------------------------------------------------------------+-------------

Changes (by rb):

 * status:  new => closed
 * resolution:  => invalid

Comment:

Remember that OpenDNSSEC and SoftHSM are not the same. SoftHSM is just like another HSM. Please do not use the "database_create.sqlite3" on the database for SoftHSM. All the setup is handled by the softhsm.conf and the softhsm tool.

And for OpenDNSSEC, you should not use the "database_create.sqlite3", use the command "ods-ksmutil setup". The "database_create.sqlite3" is something that OpenDNSSEC uses internally to create the KASP database. But we do not say anything about using this file. Use the "ods-ksmutil setup" command.

Please read the documentation. You should use the available commands and not do any hacking.

http://trac.opendnssec.org/wiki/Signer/Using

Pay attention to the HSM part.

Thanks
// Rickard


From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 20 Dec 2009 18:31:31 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #66: Difference Sqlite3 base...
In-Reply-To: <087.6a39eecdc620631bb232fe962d178446@kirei.se>
References: <087.6a39eecdc620631bb232fe962d178446@kirei.se>
Message-ID: <096.a4c9b95356a60f90d09c3a6c1de8ae67@kirei.se>

#66: Difference Sqlite3 base...
--------------------------------------------------------------+-------------
 Reporter:  archi.laurent@?>                                  |  Owner:       rb
     Type:  defect                                            |  Status:      closed
 Priority:  trivial                                           |  Component:   SoftHSM
  Version:  trunk                                             |  Resolution:  invalid
 Keywords:  Difference size Sqlite3                           |
--------------------------------------------------------------+-------------

Comment (by rb):

And since SoftHSM and OpenDNSSEC are not the same software, you will get different sizes on the databases. The reason you will get the same sizes in the beginning is because you are using the database init script (which is intended for internal use of OpenDNSSEC and not SoftHSM) for both of the databases.

The OpenDNSSEC database will increase in size later on because new information is saved in it. The SoftHSM database will increase in size because new keys are created.

After reading the documentation, do you now know why you need to use an HSM and why they are not part of OpenDNSSEC? And why you should not mix SoftHSM with OpenDNSSEC?

From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 21 Dec 2009 15:29:53 +0100
Subject: [Opendnssec-develop] Meeting 20100107
Message-ID: <983F17705339E24699AA251B458249B51F197DE70A@EXCHANGE2K7.office.nic.se>

Hi

Next meeting:

Date: Thursday 7 January
Time: 14:00-15:00 CET, 13:00-14:00 GMT

Please update the agenda if you have something extra to discuss.

http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-01-07

// Rickard


From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 21 Dec 2009 15:50:01 +0100
Subject: [Opendnssec-develop] 28-29 January Planning of v1.1 and v2
Message-ID: <983F17705339E24699AA251B458249B51F197DE754@EXCHANGE2K7.office.nic.se>

Hi

It is now time to start the planning of v1.1 and v2. We said during the last meeting that the planning will be hosted by NLnet Labs in Amsterdam. The date was set to the 28th, but the 29th could also be used if we get enough topics to discuss. Our conclusion was that we probably will need both the 28th and the 29th. This will be decided during our meeting on the 7th of January.

I am now requesting topics from you. Then I will write an agenda based on your topics and what I have in mind.

// Rickard

From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 22 Dec 2009 14:06:04 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #67: Opendnssec +DLV (lookaside)
Message-ID: <061.73d876966995ade25252ce2a321294e7@kirei.se>

#67: Opendnssec +DLV (lookaside)
------------------------------------+---------------------------------------
 Reporter:  archi.laurent@?         |  Owner:      matthijs
     Type:  enhancement             |  Status:     new
 Priority:  trivial                 |  Component:  Signer
  Version:  trunk                   |  Keywords:   DLV (lookaside)
------------------------------------+---------------------------------------

Hello,

After reading all your documentation, I know from 3 tickets from "Alex" that OpenDNSSEC is ready for DLV (and root too). But I don't see an option for this implementation. I am searching how to do this with OpenDNSSEC.

Many thanks for this - Best regards


From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 22 Dec 2009 14:27:35 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #67: Opendnssec +DLV (lookaside)
In-Reply-To: <061.73d876966995ade25252ce2a321294e7@kirei.se>
References: <061.73d876966995ade25252ce2a321294e7@kirei.se>
Message-ID: <070.931967f4a558f130a21d84e903993950@kirei.se>

#67: Opendnssec +DLV (lookaside)
------------------------------------+---------------------------------------
 Reporter:  archi.laurent@?         |  Owner:       matthijs
     Type:  enhancement             |  Status:      closed
 Priority:  trivial                 |  Component:   Signer
  Version:  trunk                   |  Resolution:  worksforme
 Keywords:  DLV (lookaside)         |
------------------------------------+---------------------------------------

Changes (by rb):

 * status:  new => closed
 * resolution:  => worksforme

Comment:

Hi Archi

It is true that you can have a DLV record in your zone (as a resource record in your zone file). But OpenDNSSEC will not be used as a resolver. OpenDNSSEC will only be used for signing. So you do not need to do anything special to use DLV RR in your zone.

From RFC5074:

"DNSSEC Lookaside Validation (DLV) is a mechanism for publishing DNS Security (DNSSEC) trust anchors outside of the DNS delegation chain. It allows validating resolvers to validate DNSSEC-signed data from zones whose ancestors either aren't signed or don't publish Delegation Signer (DS) records for their children."

From RFC4431:

"The DLV resource record has exactly the same wire and presentation formats as the DS resource record, defined in RFC 4034, Section 5. It uses the same IANA-assigned values in the algorithm and digest type fields as the DS record. (Those IANA registries are known as the "DNS Security Algorithm Numbers" and "DS RR Type Algorithm Numbers" registries.)

The DLV record is a normal DNS record type without any special processing requirements. In particular, the DLV record does not inherit any of the special processing or handling requirements of the DS record type (described in Section 3.1.4.1 of RFC 4035). Unlike the DS record, the DLV record may not appear on the parent's side of a zone cut. A DLV record may, however, appear at the apex of a zone."


From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 28 Dec 2009 04:08:07 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #1: Dummy test ticket
In-Reply-To: <043.7ec43215f16161a86348a8fcda154858@kirei.se>
References: <043.7ec43215f16161a86348a8fcda154858@kirei.se>
Message-ID: <052.ea0d0655564f272de33deea6a6e6d29d@kirei.se>

#1: Dummy test ticket
------------------------+---------------------------------------------------
 Reporter:  jakob       |  Owner:       jakob
     Type:  enhancement |  Status:      closed
 Priority:  major       |  Component:   Unknown
  Version:              |  Resolution:  invalid
 Keywords:              |
------------------------+---------------------------------------------------

Comment (by Drivers Download):

Notebook [http://www.bestdriversdownload.com/ Drivers Download]. All notebook for Acer, Apple, ASmobile, Asus, BenQ, Dell, Fujitsu, Gateway, HP, IBM, Lenovo, LG, MSI, SONY, Panasonic, Samsung, Toshiba have been listed in Best [http://www.bestdriversdownload.com/ Drivers Download]. Drivers for notebook have been categorized by device manufacturers.

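The RFC 4431 text quoted in ticket #67 says the DLV and DS records share wire and presentation formats and differ only in where they may appear. The following Python, added here as an editorial example and not code from OpenDNSSEC or the ticket, makes that concrete: it builds the DS/DLV RDATA for a DNSKEY the way RFC 4034 section 5.1.4 prescribes (digest over the canonical owner name followed by the DNSKEY RDATA, key tag per RFC 4034 Appendix B), renders the same fields as a DS and as a DLV record, and parses both back to byte-identical wire RDATA. The owner name `example.nl.` and the 32-byte "public key" are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed example inputs: flags 257 (KSK), protocol 3, algorithm 7 as in the
# enforcer logs above. The key bytes are a placeholder, not real RSA key material.
OWNER = "example.nl."
FAKE_PUBLIC_KEY = bytes(range(1, 33))
DNSKEY = (257, 3, 7, FAKE_PUBLIC_KEY)

# Digest type registry values shared by DS and DLV (1 = SHA-1, 2 = SHA-256).
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name):
    """Owner name in canonical form: lower-case labels, uncompressed (RFC 4034 6.2)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_fields(owner, dnskey, digest_type=2):
    """(key_tag, algorithm, digest_type, digest) for a DS or a DLV record.

    RFC 4034 5.1.4: digest = H(owner name in wire form | DNSKEY RDATA).
    """
    rdata = dnskey_rdata(*dnskey)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).digest()
    return key_tag(rdata), dnskey[2], digest_type, digest


def to_wire(fields):
    """Wire RDATA shared by DS and DLV: tag (16), alg (8), digest type (8), digest."""
    tag, alg, dt, digest = fields
    return struct.pack("!HBB", tag, alg, dt) + digest


def to_presentation(rrtype, owner, fields):
    """Master-file form; only the RR type token differs between DS and DLV."""
    tag, alg, dt, digest = fields
    return f"{owner} IN {rrtype} {tag} {alg} {dt} {digest.hex().upper()}"


def parse_presentation(text):
    """Parse 'owner [ttl] [IN] DS|DLV tag alg dt hexdigest' into (rrtype, owner, fields)."""
    tokens = text.split()
    owner = tokens[0]
    idx = next(i for i, t in enumerate(tokens) if t in ("DS", "DLV"))
    tag, alg, dt = (int(x) for x in tokens[idx + 1:idx + 4])
    digest = bytes.fromhex("".join(tokens[idx + 4:]))
    if len(digest) != DIGEST_TYPES[dt]().digest_size:
        raise ValueError("digest length does not match digest type %d" % dt)
    return tokens[idx], owner, (tag, alg, dt, digest)


def demo():
    """Render the same fields as DS and as DLV and confirm identical wire RDATA."""
    fields = ds_fields(OWNER, DNSKEY)
    ds_text = to_presentation("DS", OWNER, fields)
    dlv_text = to_presentation("DLV", OWNER, fields)
    same_wire = (to_wire(parse_presentation(ds_text)[2])
                 == to_wire(parse_presentation(dlv_text)[2]))
    return ds_text, dlv_text, same_wire


if __name__ == "__main__":
    ds, dlv, same = demo()
    print(ds)
    print(dlv)
    print("identical wire RDATA:", same)
```

The check in `parse_presentation` that the digest length matches the digest type is the one thing a validator needs beyond the format itself; the RR type token is the only difference between the two records, which is why the ticket reply says a signer needs no special DLV handling.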
From: rick.zijlker at sidn.nl (Rick Zijlker) Date: Mon, 28 Dec 2009 15:59:08 +0100 Subject: [Opendnssec-develop] Unexpected behavior Message-ID: <850A39016FA57A4887C0AA3C8085F949014D867C@KAEVS1.SIDN.local> Hello, While trying to sign a zone with softHSM, I am getting note's and errors which belong to the hardware HSM. Even though the hardware HSM isn't being used at all. These are the repositories (conf.xml): /usr/local/lib/libsofthsm.so test 1111 /usr/lib/libCryptoki2_64.so signer1-ksk PR46-dH7b-9TSX-9pTX 1000 Part of the Policy which I attached to the zone I am signing (kasp.xml): 7 PT5H softHSM 1 7 PT2H softHSM 1 It looks like ODS is trying to use softHSM as repository since he is creating new keys in softHSM, but the ERROR, NOTE messages are referring to the luna1 (Error creating key in repository luna1) which isn't being used at all. I only have 1 zone in the zonelist and updated the KASP before starting the deamons. Also, I have signed nl before with the default policy and it was no problem. Now that I removed nl from the zonelist, it seems ODS tries to create 1000 KSK's for no obvious reason. Also the logging tells me (15:06:01 NOTE: keys generated in repository SoftHSM..) to backup the keys, but SoftHSM hasn't got added. Dec 28 15:05:59 signer2 ods-signerd: Error updating zone configuration for: rick.nl Dec 28 15:05:59 signer2 ods-signerd: [Errno 2] No such file or directory: u'/var/opendnssec/signconf/rick.nl.xml' Dec 28 15:05:59 signer2 ods-signerd: opening socket: /var/run/opendnssec/engine.sock Dec 28 15:05:59 signer2 ods-signerd: Engine running Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer starting... Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer Parent exiting... Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer forked OK... 
Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer started (version 1.0.0rc2), pid 1394 Dec 28 15:05:59 signer2 ods-enforcerd: SSL cipher list set to AES256-SHA Dec 28 15:05:59 signer2 ods-enforcerd: HSM opened successfully. Dec 28 15:05:59 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml" Dec 28 15:05:59 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng" Dec 28 15:05:59 signer2 ods-enforcerd: Communication Interval: 3600 Dec 28 15:05:59 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db Dec 28 15:05:59 signer2 ods-enforcerd: Log User set to: local0 Dec 28 15:05:59 signer2 ods-enforcerd: Switched log facility to: local0 Dec 28 15:05:59 signer2 ods-enforcerd: Connecting to Database... Dec 28 15:05:59 signer2 ods-enforcerd: Policy default found. Dec 28 15:05:59 signer2 ods-enforcerd: Key sharing is Off. Dec 28 15:05:59 signer2 ods-enforcerd: NOTE: keys generated in repository luna1 will not become active until they have been backed up Dec 28 15:05:59 signer2 ods-enforcerd: Policy SCKR_S1T1 found. Dec 28 15:05:59 signer2 ods-enforcerd: Key sharing is On Dec 28 15:06:00 signer2 ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated Dec 28 15:06:00 signer2 ods-enforcerd: Created KSK size: 2048, alg: 7 with id: d4b41a1c08cd125868d071d41f7eb11a in repository: softHSM and database. Dec 28 15:06:01 signer2 ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated Dec 28 15:06:01 signer2 ods-enforcerd: Created KSK size: 2048, alg: 7 with id: 80c10f316ea259642f7714aceeece25a in repository: softHSM and database. Dec 28 15:06:01 signer2 ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated Dec 28 15:06:01 signer2 ods-enforcerd: Created ZSK size: 1024, alg: 7 with id: 578b649144cc6dbd59c1a2d73477e7a7 in repository: softHSM and database. 
Dec 28 15:06:01 signer2 ods-enforcerd: SoftHSM: C_GenerateKeyPair: Key pair generated Dec 28 15:06:01 signer2 ods-enforcerd: Created ZSK size: 1024, alg: 7 with id: 7b831287fe74cc5d12277873fca0fa93 in repository: softHSM and database. Dec 28 15:06:01 signer2 ods-enforcerd: NOTE: keys generated in repository softHSM will not become active until they have been backed up Dec 28 15:06:01 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml. Dec 28 15:06:01 signer2 ods-enforcerd: Zone rick.nl found. Dec 28 15:06:01 signer2 ods-enforcerd: Policy for rick.nl set to SCKR_S1T1. Dec 28 15:06:01 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/rick.nl.xml. Dec 28 15:06:01 signer2 ods-enforcerd: INFO: Promoting KSK from publish to active as this is the first pass for the zone Dec 28 15:06:01 signer2 ods-enforcerd: ERROR: Trying to make non-backed up KSK active when RequireBackup flag is set Dec 28 15:06:01 signer2 ods-enforcerd: KsmRequestKeys returned: 65562 Dec 28 15:06:01 signer2 ods-enforcerd: Signconf not written for rick.nl Dec 28 15:06:01 signer2 ods-enforcerd: Disconnecting from Database... Dec 28 15:06:01 signer2 ods-enforcerd: Sleeping for 3600 seconds. Dec 28 15:37:18 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml" Dec 28 15:37:18 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng" Dec 28 15:37:18 signer2 ods-enforcerd: Communication Interval: 3600 Dec 28 15:37:18 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db Dec 28 15:37:18 signer2 ods-enforcerd: Log User set to: local0 Dec 28 15:37:18 signer2 ods-enforcerd: Switched log facility to: local0 Dec 28 15:37:18 signer2 ods-enforcerd: Connecting to Database... Dec 28 15:37:18 signer2 ods-enforcerd: Policy default found. Dec 28 15:37:18 signer2 ods-enforcerd: Key sharing is Off. 
Dec 28 15:37:18 signer2 ods-enforcerd: Repository luna1 is nearly full, will create 1000 KSKs for policy default (reduced from -2)
Dec 28 15:37:18 signer2 ods-enforcerd: Error creating key in repository luna1
Dec 28 15:37:18 signer2 ods-enforcerd: Find objects init: CKR_DEVICE_ERROR
Dec 28 15:37:27 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 28 15:37:27 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 28 15:37:27 signer2 ods-enforcerd: Communication Interval: 3600
Dec 28 15:37:27 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 28 15:37:27 signer2 ods-enforcerd: Log User set to: local0
Dec 28 15:37:27 signer2 ods-enforcerd: Switched log facility to: local0
Dec 28 15:37:27 signer2 ods-enforcerd: Connecting to Database...
Dec 28 15:37:27 signer2 ods-enforcerd: Policy default found.
Dec 28 15:37:27 signer2 ods-enforcerd: Key sharing is Off.
Dec 28 15:37:27 signer2 ods-enforcerd: Repository luna1 is nearly full, will create 1000 KSKs for policy default (reduced from -2)
Dec 28 15:37:27 signer2 ods-enforcerd: Error creating key in repository luna1
Dec 28 15:37:27 signer2 ods-enforcerd: Find objects init: CKR_DEVICE_ERROR

Can anyone (if there is even anyone not having holiday) enlighten me?

Cheers,
Rick

From rick.zijlker at sidn.nl Tue Dec 29 13:08:35 2009
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Tue, 29 Dec 2009 14:08:35 +0100
Subject: [Opendnssec-develop] Unexpected behavior
References: <850A39016FA57A4887C0AA3C8085F949014D867C@KAEVS1.SIDN.local>
Message-ID: <850A39016FA57A4887C0AA3C8085F949014D867E@KAEVS1.SIDN.local>

In addition to my previous mail: I'm running RC2 and ODS is not using the assigned policy to sign my zone. It seems like it is using the repository of policy 'default' instead of policy 'SCKR_S1T1'. I'm getting this piece of logging every hour:

Dec 29 13:06:05 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 29 13:06:05 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 29 13:06:05 signer2 ods-enforcerd: Communication Interval: 3600
Dec 29 13:06:05 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 29 13:06:05 signer2 ods-enforcerd: Log User set to: local0
Dec 29 13:06:05 signer2 ods-enforcerd: Switched log facility to: local0
Dec 29 13:06:05 signer2 ods-enforcerd: Connecting to Database...
Dec 29 13:06:05 signer2 ods-enforcerd: Policy default found.
Dec 29 13:06:05 signer2 ods-enforcerd: Key sharing is Off.
Dec 29 13:06:05 signer2 ods-enforcerd: NOTE: keys generated in repository luna1 will not become active until they have been backed up
Dec 29 13:06:05 signer2 ods-enforcerd: Policy SCKR_S1T1 found.
Dec 29 13:06:05 signer2 ods-enforcerd: Key sharing is On
Dec 29 13:06:05 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Dec 29 13:06:05 signer2 ods-enforcerd: Zone rick.nl found.
Dec 29 13:06:05 signer2 ods-enforcerd: Policy for rick.nl set to SCKR_S1T1.
Dec 29 13:06:05 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/rick.nl.xml.
Dec 29 13:06:05 signer2 ods-enforcerd: INFO: Promoting KSK from publish to active as this is the first pass for the zone
Dec 29 13:06:05 signer2 ods-enforcerd: ERROR: Trying to make non-backed up KSK active when RequireBackup flag is set
Dec 29 13:06:05 signer2 ods-enforcerd: KsmRequestKeys returned: 65562
Dec 29 13:06:05 signer2 ods-enforcerd: Signconf not written for rick.nl
Dec 29 13:06:05 signer2 ods-enforcerd: Disconnecting from Database...
Dec 29 13:06:05 signer2 ods-enforcerd: Sleeping for 3600 seconds.

Zone list looks good:

[root at signer2 ~]# ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
Found Zone: rick.nl; on policy SCKR_S1T1

A bit more of the SCKR_S1T1 policy:

Default policy exceeding speed limits
PT3M PT20M PT45M PT45M PT10M PT300S

Cheers,
Rick
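The enforcer logs quoted in this thread have to be read by eye to see which repository got keys, which repository is under the backup requirement, and which error actually stopped the signconf. The script below is an added example for this thread; it is not code from OpenDNSSEC or from the poster. It parses ods-enforcerd syslog lines of the shapes quoted above (the exact message wording is assumed to be that of 1.0.0rc2; other versions may phrase these lines differently), and tallies generated keys per repository, repositories whose keys must be backed up before going active, the zone/policy pairing, the ERROR lines, any PKCS#11 CKR_* return value (attributed to the repository named in the immediately preceding "Error creating key" line, which is an adjacency assumption), and "nearly full" messages whose counts cannot be right. SAMPLE is a constructed subset of the lines quoted in the thread.

```python
"""Triage helper for ods-enforcerd syslog output (OpenDNSSEC 1.x).

Added example for this mailing-list thread, not code from OpenDNSSEC or the
posters. Message formats are assumed to be those of 1.0.0rc2 as quoted.
"""
import re
from collections import Counter

# One regex per message shape seen in the thread.
_SYSLOG = re.compile(r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
                     r'(?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$')
_CREATED = re.compile(r'^Created (?P<type>KSK|ZSK) size: (?P<size>\d+), alg: (?P<alg>\d+) '
                      r'with id: (?P<id>[0-9a-f]+) in repository: (?P<repo>\S+) and database\.$')
_BACKUP_NOTE = re.compile(r'^NOTE: keys generated in repository (?P<repo>\S+) will not '
                          r'become active until they have been backed up$')
_NEARLY_FULL = re.compile(r'^Repository (?P<repo>\S+) is nearly full, will create (?P<n>-?\d+) '
                          r'KSKs for policy (?P<policy>\S+) \(reduced from (?P<orig>-?\d+)\)$')
_KEY_ERROR = re.compile(r'^Error creating key in repository (?P<repo>\S+)$')
_PKCS11 = re.compile(r'^(?P<call>[A-Za-z ]+?): (?P<rv>CKR_[A-Z_]+)$')
_ZONE_POLICY = re.compile(r'^Policy for (?P<zone>\S+) set to (?P<policy>\S+)\.$')
_NO_SIGNCONF = re.compile(r'^Signconf not written for (?P<zone>\S+)$')

# Constructed sample: a subset of the lines quoted in the thread, in their original order.
SAMPLE = """\
Dec 28 15:05:59 signer2 ods-enforcerd: NOTE: keys generated in repository luna1 will not become active until they have been backed up
Dec 28 15:06:00 signer2 ods-enforcerd: Created KSK size: 2048, alg: 7 with id: d4b41a1c08cd125868d071d41f7eb11a in repository: softHSM and database.
Dec 28 15:06:01 signer2 ods-enforcerd: Created ZSK size: 1024, alg: 7 with id: 578b649144cc6dbd59c1a2d73477e7a7 in repository: softHSM and database.
Dec 28 15:06:01 signer2 ods-enforcerd: NOTE: keys generated in repository softHSM will not become active until they have been backed up
Dec 28 15:06:01 signer2 ods-enforcerd: Policy for rick.nl set to SCKR_S1T1.
Dec 28 15:06:01 signer2 ods-enforcerd: ERROR: Trying to make non-backed up KSK active when RequireBackup flag is set
Dec 28 15:06:01 signer2 ods-enforcerd: Signconf not written for rick.nl
Dec 28 15:37:18 signer2 ods-enforcerd: Repository luna1 is nearly full, will create 1000 KSKs for policy default (reduced from -2)
Dec 28 15:37:18 signer2 ods-enforcerd: Error creating key in repository luna1
Dec 28 15:37:18 signer2 ods-enforcerd: Find objects init: CKR_DEVICE_ERROR
Dec 28 15:05:59 signer2 ods-signerd: Engine running
"""


def parse_line(line):
    """Split one syslog line into fields; None for lines not from the enforcer."""
    m = _SYSLOG.match(line.strip())
    if m is None or m.group('prog') != 'ods-enforcerd':
        return None
    return m.groupdict()


def triage(lines):
    """Walk the log once and collect what explains a 'Signconf not written' run."""
    report = {
        'keys': [],                # one dict per key the enforcer generated
        'backup_required': set(),  # repositories whose keys must be backed up first
        'zone_policy': {},         # zone -> policy the enforcer applied to it
        'errors': [],              # ERROR: lines and key-generation failures, verbatim
        'pkcs11': [],              # (repository, failing call, CKR_* return value)
        'signconf_blocked': set(), # zones whose signconf was not written
        'suspicious': [],          # messages whose numbers cannot be right
    }
    last_failed_repo = None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec['msg']
        if m := _CREATED.match(msg):
            key = m.groupdict()
            key['size'], key['alg'] = int(key['size']), int(key['alg'])
            report['keys'].append(key)
        elif m := _BACKUP_NOTE.match(msg):
            report['backup_required'].add(m.group('repo'))
        elif m := _ZONE_POLICY.match(msg):
            report['zone_policy'][m.group('zone')] = m.group('policy')
        elif m := _NO_SIGNCONF.match(msg):
            report['signconf_blocked'].add(m.group('zone'))
        elif m := _NEARLY_FULL.match(msg):
            # A non-positive request or a negative "reduced from" count means the
            # key-count arithmetic went wrong; flag it rather than trust it.
            if int(m.group('n')) <= 0 or int(m.group('orig')) < 0:
                report['suspicious'].append(msg)
        elif m := _KEY_ERROR.match(msg):
            last_failed_repo = m.group('repo')
            report['errors'].append(msg)
        elif m := _PKCS11.match(msg):
            # Assumption: the CKR_ line directly follows the repository error it belongs to.
            report['pkcs11'].append((last_failed_repo, m.group('call'), m.group('rv')))
        elif msg.startswith('ERROR:'):
            report['errors'].append(msg)
    return report


def keys_by_repo(report):
    """Number of keys generated per repository."""
    return dict(Counter(k['repo'] for k in report['keys']))


def unbacked_key_repos(report):
    """Repositories that got new keys and require a backup before those keys go active."""
    return sorted(set(keys_by_repo(report)) & report['backup_required'])


if __name__ == '__main__':
    r = triage(SAMPLE.splitlines())
    print('keys per repository:', keys_by_repo(r))
    print('new keys waiting for backup in:', unbacked_key_repos(r))
    print('zones without signconf:', sorted(r['signconf_blocked']))
    for e in r['errors']:
        print('error:', e)
    for repo, call, rv in r['pkcs11']:
        print(f'PKCS#11 failure in {repo}: {call} -> {rv}')
    for s in r['suspicious']:
        print('suspicious:', s)
```

Run as-is it reports two keys in softHSM, both softHSM and luna1 under the backup requirement, rick.nl left without a signconf, the CKR_DEVICE_ERROR attached to luna1 by adjacency, and the "reduced from -2" line flagged as suspicious. On a live system feed the enforcer's lines from syslog into triage() instead of SAMPLE.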
From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of Rick Zijlker
Sent: Monday 28 December 2009 15:59
To: opendnssec-develop at lists.opendnssec.org
Subject: [Opendnssec-develop] Unexpected behavior

Hello,

While trying to sign a zone with softHSM, I am getting notes and errors which belong to the hardware HSM, even though the hardware HSM isn't being used at all.

These are the repositories (conf.xml):

/usr/local/lib/libsofthsm.so test 1111
/usr/lib/libCryptoki2_64.so signer1-ksk PR46-dH7b-9TSX-9pTX 1000

Part of the policy which I attached to the zone I am signing (kasp.xml):

7 PT5H softHSM 1
7 PT2H softHSM 1

It looks like ODS is trying to use softHSM as repository, since it is creating new keys in softHSM, but the ERROR and NOTE messages are referring to luna1 (Error creating key in repository luna1), which isn't being used at all. I only have 1 zone in the zonelist and updated the KASP before starting the daemons. Also, I have signed nl before with the default policy and it was no problem. Now that I removed nl from the zonelist, it seems ODS tries to create 1000 KSKs for no obvious reason. Also the logging tells me (15:06:01 NOTE: keys generated in repository SoftHSM..) to back up the keys, but SoftHSM hasn't got added.

Dec 28 15:05:59 signer2 ods-signerd: Error updating zone configuration for: rick.nl
Dec 28 15:05:59 signer2 ods-signerd: [Errno 2] No such file or directory: u'/var/opendnssec/signconf/rick.nl.xml'
Dec 28 15:05:59 signer2 ods-signerd: opening socket: /var/run/opendnssec/engine.sock
Dec 28 15:05:59 signer2 ods-signerd: Engine running
Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer starting...
Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer Parent exiting...
Dec 28 15:05:59 signer2 ods-enforcerd: opendnssec-enforcer forked OK...
From owner-dnssec-trac at kirei.se Wed Dec 30 07:27:50 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 30 Dec 2009 07:27:50 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #68: validity period passed, but no new signatures created
Message-ID: <052.bb5f1d8d969be02a597982fec6d9b6b9@kirei.se>

#68: validity period passed, but no new signatures created
---------------------------+------------------------------------------------
 Reporter: lijia@?         |      Owner: matthijs
     Type: defect          |     Status: new
 Priority: major           |  Component: Signer
  Version: trunk           |   Keywords: resign, expire
---------------------------+------------------------------------------------
I have a zone signed by opendnssec, which I set , , all to PT5M, , to PT30S. After several hours elapsed, the resign action of the signer happened many times, but no new signatures were created. Doesn't the signer resign when signatures are expired?

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Dec 30 08:30:24 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 30 Dec 2009 08:30:24 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #68: validity period passed, but no new signatures created
In-Reply-To: <052.bb5f1d8d969be02a597982fec6d9b6b9@kirei.se>
References: <052.bb5f1d8d969be02a597982fec6d9b6b9@kirei.se>
Message-ID: <061.bcd1c9ea33bd5ab8e21010091725acb9@kirei.se>

#68: validity period passed, but no new signatures created

Comment (by alex):

Have you looked through the logs? Are there any errors or warnings there?