From rickard.bondesson at iis.se Wed Jul 1 07:31:46 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 1 Jul 2009 09:31:46 +0200
Subject: [Opendnssec-develop] algorithm support
In-Reply-To: <4A4A16A0.1090709@NLnetLabs.nl>
References: <4A4A16A0.1090709@NLnetLabs.nl>
Message-ID: <69830D4127201D4EBD146B9041199718D25682@EXCHANGE.office.nic.se>

> Hi,
>
> the previous discussion raised a question for me, which has
> been answered, but I have a bit of a cache miss. Did we want
> RSA/MD5 support. (because ldns does not have that, and I'm
> not going to add it for 1.6)

I believe that we said that we could ignore MD5, since it is NOT RECOMMENDED. Are there any cases where you want to deploy DNSSEC with RSA/MD5 and not RSA/SHA1? Or must use MD5 since you can not use SHA1?

This discussion was raised since we talked about using the built-in digesting functions in ldns. Thus getting less overhead when doing digesting (PKCS#11 adds complexity). And most (???) HSMs do the digesting in their library, thus no acceleration. The second point was if the HSM does not support a particular digesting function, like SHA256 in the SCA6K (on Solaris this is added by another support library, but not if you use e.g. Ubuntu). This is if DNSSEC is expanded with new algorithms in the future.

Did we get a consensus that we should use ldns for hashing? If so then we should add a task to the Pivotal Tracker.

// Rickard

From roy at nominet.org.uk Wed Jul 1 07:48:32 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Wed, 1 Jul 2009 09:48:32 +0200
Subject: [Opendnssec-develop] algorithm support
In-Reply-To: <69830D4127201D4EBD146B9041199718D25682@EXCHANGE.office.nic.se>
References: <4A4A16A0.1090709@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718D25682@EXCHANGE.office.nic.se>

Rickard Bondesson wrote on 07/01/2009 09:31:46 AM:

> > Hi,
> >
> > the previous discussion raised a question for me, which has
> > been answered, but I have a bit of a cache miss. Did we want
> > RSA/MD5 support. (because ldns does not have that, and I'm
> > not going to add it for 1.6)
>
> I believe that we said that we could ignore MD5, since it is NOT
> RECOMMENDED. Are there any cases where you want to deploy DNSSEC
> with RSA/MD5 and not RSA/SHA1? Or must use MD5 since you can not use SHA1?

No.

> This discussion was raised since we talked about using the built-in
> digesting functions in ldns. Thus getting less overhead when doing
> digesting (PKCS#11 adds complexity). And most (???) HSMs do the
> digesting in their library, thus no acceleration. The second point was
> if the HSM does not support a particular digesting function, like
> SHA256 in the SCA6K (on Solaris this is added by another support
> library, but not if you use e.g. Ubuntu). This is if DNSSEC is
> expanded with new algorithms in the future.
>
> Did we get a consensus that we should use ldns for hashing? If so
> then we should add a task to the Pivotal Tracker.

+1 for using ldns for hashing

Roy

From jelte at NLnetLabs.nl Wed Jul 1 07:50:21 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Wed, 01 Jul 2009 09:50:21 +0200
Subject: [Opendnssec-develop] algorithm support
References: <4A4A16A0.1090709@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718D25682@EXCHANGE.office.nic.se>
Message-ID: <4A4B153D.60309@NLnetLabs.nl>

roy at nominet.org.uk wrote:
> Rickard Bondesson wrote on 07/01/2009 09:31:46 AM:
>
>>> Hi,
>>>
>>> the previous discussion raised a question for me, which has
>>> been answered, but I have a bit of a cache miss. Did we want
>>> RSA/MD5 support. (because ldns does not have that, and I'm
>>> not going to add it for 1.6)
>> I believe that we said that we could ignore MD5, since it is NOT
>> RECOMMENDED. Are there any cases where you want to deploy DNSSEC
>> with RSA/MD5 and not RSA/SHA1? Or must use MD5 since you can not use
> SHA1?
>
> No.
>

ok, just wanted to make sure before I rip it out of libhsm :)

Jelte

From sion at nominet.org.uk Wed Jul 1 11:16:01 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Wed, 1 Jul 2009 12:16:01 +0100
Subject: [Opendnssec-develop] ksmutil

I'm getting on with ksmutil now (the replacement for kaspimport and all of its perl dependencies). My question is, what do people expect from it?
Currently the usage reports:

usage: ksmutil [-f config_dir] setup [path_to_kasp.xml]
        Import config_dir into a database (deletes current contents)
usage: ksmutil [-f config_dir] update [path_to_kasp.xml]
        Update database from config_dir
usage: ksmutil [-f config_dir] addzone zone [policy] [path_to_signerconf.xml] [input] [output]
        Add a zone to the config_dir and database
usage: ksmutil [-f config_dir] delzone zone
        Delete a zone from the config_dir and database
usage: ksmutil [-f config_dir] rollzone zone [KSK|ZSK]
        Rollover a zone (may roll all zones on that policy)
usage: ksmutil [-f config_dir] rollpolicy policy [KSK|ZSK]
        Rollover all zones on a policy

(don't get excited, it doesn't do all of this yet)

So, what else do we need it to do? Some ideas:

"backup done"
"add repository"
"remove repository"
"add policy"
"remove policy"
"copy policy"
"edit policy" might need some sort of interactive command line interface, the code for which is lurking around out of subversion.
"import keys" (keys created somewhere other than keygend)
"list [keys|policies|etc]"

Hmm, the more I think about it, the more 5 pivotal points doesn't seem anywhere near enough... I'll stop thinking.

Sion

From jakob at kirei.se Wed Jul 1 11:22:28 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 1 Jul 2009 07:22:28 -0400
Subject: [Opendnssec-develop] ksmutil

On 1 jul 2009, at 07.16, sion at nominet.org.uk wrote:

> I'm getting on with ksmutil now (the replacement for kaspimport and
> all of
> its perl dependencies). My question is, what do people expect from it?
>
> Currently the usage reports:
>
> usage: ksmutil [-f config_dir] setup [path_to_kasp.xml]
>         Import config_dir into a database (deletes current contents)
> usage: ksmutil [-f config_dir] update [path_to_kasp.xml]
>         Update database from config_dir
> usage: ksmutil [-f config_dir] addzone zone [policy]
> [path_to_signerconf.xml] [input] [output]
>         Add a zone to the config_dir and database
> usage: ksmutil [-f config_dir] delzone zone
>         Delete a zone from the config_dir and database
> usage: ksmutil [-f config_dir] rollzone zone [KSK|ZSK]
>         Rollover a zone (may roll all zones on that policy)
> usage: ksmutil [-f config_dir] rollpolicy policy [KSK|ZSK]
>         Rollover all zones on a policy

-f config_dir is more like [-f config] for the main config file I hope. all other params can be derived from it.

>
> (don't get excited, it doesn't do all of this yet)
>
> So, what else do we need it to do? Some ideas:
>
> "backup done"

yes.

> "add repository"
> "remove repository"

these are all done by editing the main config file.

> "add policy"
> "remove policy"

these are done by editing the KASP and reimported. IMHO, import should REPLACE all existing policies, i.e. the import is more of a one-way replace.

> "copy policy"

where to?

"export policy", dumping the database as KASP, would be nice. as well.

> "edit policy" might need some sort of interactive command line
> interface,
> the code for which is lurking around out of subversion.

yes, we can do that later I believe. it might even be a separate program (or a rails app).

> "import keys" (keys created somewhere other than keygend)

yes, that is important. import should take a CKA_ID, a zone and a key type and state?

> "list [keys|policies|etc]"

yes, please.

> Hmm, the more I think about it, the more 5 pivotal points doesn't seem
> anywhere near enough... I'll stop thinking.

just add additional stories - it's usually a bad idea to try to squeeze too much into one story. make one story per feature instead and you also get the feeling you're getting somewhere :-)

jakob

From rickard.bondesson at iis.se Wed Jul 1 12:27:06 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 1 Jul 2009 14:27:06 +0200
Subject: [Opendnssec-develop] ksmutil
Message-ID: <69830D4127201D4EBD146B9041199718D256E1@EXCHANGE.office.nic.se>

> usage: ksmutil [-f config_dir] setup [path_to_kasp.xml]
>         Import config_dir into a database (deletes current contents)
> usage: ksmutil [-f config_dir] update [path_to_kasp.xml]
>         Update database from config_dir
> usage: ksmutil [-f config_dir] addzone zone [policy]
> [path_to_signerconf.xml] [input] [output]
>         Add a zone to the config_dir and database
> usage: ksmutil [-f config_dir] delzone zone
>         Delete a zone from the config_dir and database
> usage: ksmutil [-f config_dir] rollzone zone [KSK|ZSK]
>         Rollover a zone (may roll all zones on that policy)
> usage: ksmutil [-f config_dir] rollpolicy policy [KSK|ZSK]
>         Rollover all zones on a policy

Isn't the path to the config_dir always the same on a machine? E.g. the conf.xml is located at $sysconfdir/opendnssec/conf.xml

Both the Enforcer and the Signer Engine use this fixed path. So my question is if we really need -f for all of the commands? The same with path_to_kasp.xml?

// Rickard

From rickard.bondesson at iis.se Wed Jul 1 12:29:46 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 1 Jul 2009 14:29:46 +0200
Subject: [Opendnssec-develop] ksmutil
Message-ID: <69830D4127201D4EBD146B9041199718D256E3@EXCHANGE.office.nic.se>

> Both the Enforcer and the Signer Engine use this fixed path.

OK, Signer Engine can be configured to use another config file.

From sion at nominet.org.uk Wed Jul 1 12:34:11 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Wed, 1 Jul 2009 13:34:11 +0100
Subject: [Opendnssec-develop] ksmutil
In-Reply-To: <69830D4127201D4EBD146B9041199718D256E3@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D256E3@EXCHANGE.office.nic.se>

> > Both the Enforcer and the Signer Engine use this fixed path.
>
> OK, Signer Engine can be configured to use another config file.

And the enforcer should be able to (although it doesn't at the moment).
From Stephen.Morris at nominet.org.uk Wed Jul 1 12:43:13 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Wed, 1 Jul 2009 13:43:13 +0100
Subject: [Opendnssec-develop] ksmutil

Jakob Schlyter wrote on 01/07/2009 12:22:28:

> On 1 jul 2009, at 07.16, sion at nominet.org.uk wrote:
>
> > I'm getting on with ksmutil now (the replacement for kaspimport and
> > all of
> > its perl dependencies). My question is, what do people expect from it?
> >
> > Currently the usage reports:
> >
> > usage: ksmutil [-f config_dir] setup [path_to_kasp.xml]
> >         Import config_dir into a database (deletes current contents)
> > usage: ksmutil [-f config_dir] update [path_to_kasp.xml]
> >         Update database from config_dir
> > usage: ksmutil [-f config_dir] addzone zone [policy]
> > [path_to_signerconf.xml] [input] [output]
> >         Add a zone to the config_dir and database
> > usage: ksmutil [-f config_dir] delzone zone
> >         Delete a zone from the config_dir and database
> > usage: ksmutil [-f config_dir] rollzone zone [KSK|ZSK]
> >         Rollover a zone (may roll all zones on that policy)
> > usage: ksmutil [-f config_dir] rollpolicy policy [KSK|ZSK]
> >         Rollover all zones on a policy
>
> -f config_dir is more like [-f config] for the main config file I
> hope. all other params can be derived from it.

Some general observations:

a) Would "ksm" be better than "ksmutil" (shorter to type)?

b) What about an "interactive" mode, allowing a sequence of ksm(util) commands to be entered (and state to be carried across between commands)?

c) Regarding "-f config_dir", is there a case for a search path:

   i) if "-f config_dir" is specified on the command line, use that.
   ii) Otherwise translate the environment variable "OPENDNSSEC_CONFIGDIR" (or something) and use that
   iii) Else look in a default location?

d) The form of the command is:

   % ksm(util) ...

   ... where the verb is a single token. In the examples above, the command for rolling a zone is "rollzone " and the command for rolling a policy is "rollpolicy ". Do we want a more sophisticated parser that can take multiple words to determine the action, e.g. "roll zone " and "roll policy "?

e) Should we allow the parser to recognise unambiguous abbreviations (e.g., "rollz" and "rollp" for the single token case, perhaps "r z" and "r p" for the multi-word case)?

... and one specific observation:

a) If we have "addzone" and "delzone", we should also have "listzone".

> >
> > (don't get excited, it doesn't do all of this yet)
> >
> > So, what else do we need it to do? Some ideas:
> >
> > "backup done"
>
> yes.

Agreed, although I would modify this to:

   "backup done [date]"

... where the default is the date/time at which the command is issued. This just covers the case where a backup is done but the ksm command is not issued until some time later. It prevents keys created since the backup being made available prematurely.

We should also have

   "backup list"

... to list the date of last backup (dates of last backups?)

> > "add repository"
> > "remove repository"
>
> these are all done by editing the main config file.
>
> > "add policy"
> > "remove policy"
>
> these are done by editing the KASP and reimported. IMHO, import should
> REPLACE all existing policies, i.e. the import is more of a one-way
> replace.
>
> > "copy policy"
>
> where to?
>
> "export policy", dumping the database as KASP, would be nice. as well.

This raises a question as to where the master copy of the policy should be. At the moment, the XML file is read into the database and all access to the policy is via the database. Why should we regard the XML as the master copy - why not the contents of the database?

Assuming that import and export functions are provided, then editing a policy with a text editor would be the sequence:

* export policy to XML
* edit XML
* import and replace policy

... whereas a more sophisticated editing tool might access the database directly.

If we take this view, then I suggest we need:

   import [-r | -d] file
      Imports a policy file. "-r" forces replacement of policies with identical names. Without this, a duplicate policy name causes an error. "-d" deletes all policies before the import. (Importing a single policy without replacing others allows the possibility (for example) of the publication of example policies on the web site - people could download and import them without affecting their existing setup.)

   export file [policy [policy ...]]
      Exports the named policies to a file. If no policies are given, all policies are exported.

   list [-z]
      Lists a summary of the policies (e.g. names of the policies and, if -z is specified, the zones associated with them).

> > "edit policy" might need some sort of interactive command line
> > interface,
> > the code for which is lurking around out of subversion.
>
> yes, we can do that later I believe. it might even be a separate
> program (or a rails app).
>
> > "import keys" (keys created somewhere other than keygend)
>
> yes, that is important. import should take a CKA_ID, a zone and a key
> type and state?
>
> > "list [keys|policies|etc]"
>
> yes, please.
>
> > Hmm, the more I think about it, the more 5 pivotal points doesn't seem
> > anywhere near enough... I'll stop thinking.
>
> just add additional stories - it's usually a bad idea to try to
> squeeze too much into one story. make one story per feature instead and
> you also get the feeling you're getting somewhere :-)
>
> jakob

Another guideline I've always found useful: if you have "add " and "delete " commands, you are usually likely to want "list " and "modify " as well.

Stephen
From rickard.bondesson at iis.se Wed Jul 1 13:06:38 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 1 Jul 2009 15:06:38 +0200
Subject: [Opendnssec-develop] ksmutil
Message-ID: <69830D4127201D4EBD146B9041199718D256F3@EXCHANGE.office.nic.se>

> Some general observations:
>
> a) Would "ksm" be better than "ksmutil" (shorter to type)?

+1

But it might collide with other program names? Perhaps we should use a prefix for all of our binaries / scripts? E.g:

- odd-ksm
- opendnssec-ksm
- od-ksm

> b) What about an "interactive" mode, allowing a sequence of
> ksm(util) commands to be entered (and state to be carried
> across between commands)?

Something for the future.

> c) Regarding "-f config_dir", is there a case for a search path:
>
> i) if "-f config_dir" is specified on the command line, use that.
> ii) Otherwise translate the environment variable
> "OPENDNSSEC_CONFIGDIR" (or something) and use that
> iii) Else look in a default location?

+1

> d) The form of the command is:
>
> % ksm(util) ...
>
> ... where the verb is a single token. In the examples above,
> the command for rolling a zone is "rollzone " and the
> command for rolling a policy is "rollpolicy ". Do we
> want a more sophisticated parser that can take multiple words
> to determine the action, e.g. "roll zone " and "roll
> policy "?
> e) Should we allow the parser to recognise unambiguous
> abbreviations (e.g., "rollz" and "rollp" for the single token
> case, perhaps "r z" and "r p" for the multi-word case)?

Keep it simple. I think we only should allow one format for each command.

> ... and one specific observation:
>
> a) If we have "addzone" and "delzone", we should also have
> "listzone".

+1

> Agreed, although I would modify this to:
>
> "backup done [date]"
>
> ... where the default is the date/time at which the command
> is issued. This just covers the case where a backup is done
> but the ksm command is not issued until some time later. It
> prevents keys created since the backup being made
> available prematurely.

+1

>
> We should also have
>
> "backup list"
>
> ... to list the date of last backup (dates of last backups?)
>

+1

> This raises a question as to where the master copy of the
> policy should be. At the moment, the XML file is read into
> the database and all access to the policy is via the
> database. Why should we regard the XML as the master copy -
> why not the contents of the database?

The auditor wants a copy of the master copy. Is it wise to get the copy from the database?

> Another guideline I've always found useful: if you have "add
> " and "delete " commands, you are
> usually likely to want "list " and "modify
> " as well.

+1

// Rickard

From jakob at kirei.se Wed Jul 1 13:08:10 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 1 Jul 2009 09:08:10 -0400
Subject: [Opendnssec-develop] ksmutil
Message-ID: <063F8B15-493C-4217-BF10-F4A0BE97FECE@kirei.se>

On 1 jul 2009, at 08.43, Stephen.Morris at nominet.org.uk wrote:

> a) Would "ksm" be better than "ksmutil" (shorter to type)?

we named it ksmutil to match hsmutil. ksm/hsm is just too generic in my view.

> b) What about an "interactive" mode, allowing a sequence of
> ksm(util) commands to be entered (and state to be carried across
> between commands)?

could be.

> c) Regarding "-f config_dir", is there a case for a search path:
>
> i) if "-f config_dir" is specified on the command line, use that.
> ii) Otherwise translate the environment variable
> "OPENDNSSEC_CONFIGDIR" (or something) and use that
> iii) Else look in a default location?

hsmutil will use the default config file if no -f config is specified on the command line. I believe that's enough.

jakob

From sion at nominet.org.uk Wed Jul 1 13:17:25 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Wed, 1 Jul 2009 14:17:25 +0100
Subject: [Opendnssec-develop] ksmutil

I'm replying to Jakob's and Stephen's comments in one...

> > > Currently the usage reports:
> > >
> > > usage: ksmutil [-f config_dir] setup [path_to_kasp.xml]
> > >         Import config_dir into a database (deletes current contents)
> > > usage: ksmutil [-f config_dir] update [path_to_kasp.xml]
> > >         Update database from config_dir
> > > usage: ksmutil [-f config_dir] addzone zone [policy]
> > > [path_to_signerconf.xml] [input] [output]
> > >         Add a zone to the config_dir and database
> > > usage: ksmutil [-f config_dir] delzone zone
> > >         Delete a zone from the config_dir and database
> > > usage: ksmutil [-f config_dir] rollzone zone [KSK|ZSK]
> > >         Rollover a zone (may roll all zones on that policy)
> > > usage: ksmutil [-f config_dir] rollpolicy policy [KSK|ZSK]
> > >         Rollover all zones on a policy
> >
> > -f config_dir is more like [-f config] for the main config file I
> > hope. all other params can be derived from it.

Except for kasp.xml... either works, I was thinking that the directory is where all of the files (.xml and .rng) are. I am happy to change it so that you specify the conf.xml and it is assumed that everything else is in the same place.

> Some general observations:
>
> a) Would "ksm" be better than "ksmutil" (shorter to type)?
> b) What about an "interactive" mode, allowing a sequence of ksm
> (util) commands to be entered (and state to be carried across
> between commands)?
> c) Regarding "-f config_dir", is there a case for a search path:
>
> i) if "-f config_dir" is specified on the command line, use that.
> ii) Otherwise translate the environment variable
> "OPENDNSSEC_CONFIGDIR" (or something) and use that
> iii) Else look in a default location?
>
> d) The form of the command is:
>
> % ksm(util) ...
>
> ... where the verb is a single token. In the examples above, the
> command for rolling a zone is "rollzone " and the command for
> rolling a policy is "rollpolicy ". Do we want a more
> sophisticated parser that can take multiple words to determine the
> action, e.g. "roll zone " and "roll policy "?
> e) Should we allow the parser to recognise unambiguous abbreviations
> (e.g., "rollz" and "rollp" for the single token case, perhaps "r z"
> and "r p" for the multi-word case)?

I'm more concerned with getting the functionality covered, rather than the exact commands that will be typed. The interactive mode would come eventually (possibly as part of "edit policy").

> ... and one specific observation:
>
> a) If we have "addzone" and "delzone", we should also have "listzone".

Yes.

> > > "backup done"
> >
> > yes.
>
> Agreed, although I would modify this to:
>
> "backup done [date]"
>
> ... where the default is the date/time at which the command is
> issued. This just covers the case where a backup is done but the
> ksm command is not issued until some time later. It prevents keys
> created since the backup being made available prematurely.
>
> We should also have
>
> "backup list"
>
> ... to list the date of last backup (dates of last backups?)

Okay.

> > > "add repository"
> > > "remove repository"
> >
> > these are all done by editing the main config file.
> >
> > > "add policy"
> > > "remove policy"
> >
> > these are done by editing the KASP and reimported. IMHO, import should
> > REPLACE all existing policies, i.e. the import is more of a one-way
> > replace.
> >
> > > "copy policy"
> >
> > where to?
> >
> > "export policy", dumping the database as KASP, would be nice. as well.

So my idea was that "add [something]" would add it to both the xml and the database. Copy policy would make a new policy from an existing one, which could then be edited. Really just a way of getting most of it setup and allowing you to tweak just those parameters that you want to.

> This raises a question as to where the master copy of the policy
> should be. At the moment, the XML file is read into the database
> and all access to the policy is via the database. Why should we
> regard the XML as the master copy - why not the contents of the database?
>
> Assuming that import and export functions are provided, then editing
> a policy with a text editor would be the sequence:
>
> * export policy to XML
> * edit XML
> * import and replace policy
>
> ... whereas a more sophisticated editing tool might access the
> database directly.
>
> If we take this view, then I suggest we need:
>
> import [-r | -d] file
> Imports a policy file. "-r" forces replacement of policies with
> identical names. Without this, a duplicate policy name causes an
> error. "-d" deletes all policies before the import. (Importing a
> single policy without replacing others allows the possibility (for
> example) of the publication of example policies on the web site -
> people could download and import them without affecting their existing setup.)
>
> export file [policy [policy ...]]
> Exports the named policies to a file. If no policies are given, all
> policies are exported.
>
> list [-z]
> Lists a summary of the policies (e.g. names of the policies and, if
> -z is specified, the zones associated with them).
>
> > > "edit policy" might need some sort of interactive command line
> > > interface,
> > > the code for which is lurking around out of subversion.
> >
> > yes, we can do that later I believe. it might even be a separate
> > program (or a rails app).

This looks like a bigger can of worms than I thought. rails app implies that the database is the definitive copy of the policy, use of import implies that the xml is. Shall we say that until a GUI policy editor exists then the xml is definitive and editing the file and re-importing is okay. I'll add export policy to the wish list.

> > > "import keys" (keys created somewhere other than keygend)
> >
> > yes, that is important. import should take a CKA_ID, a zone and a key
> > type and state?

important for alpha or beta?

> > > "list [keys|policies|etc]"
> >
> > yes, please.

Okay.

> Another guideline I've always found useful: if you have "add
> " and "delete " commands, you are usually
> likely to want "list " and "modify " as well.

Okay.

Pivotal doesn't seem to have any concept of priority as far as I can see, or am I missing something?

From sion at nominet.org.uk Wed Jul 1 13:24:29 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Wed, 1 Jul 2009 14:24:29 +0100
Subject: [Opendnssec-develop] ksmutil
In-Reply-To: <063F8B15-493C-4217-BF10-F4A0BE97FECE@kirei.se>
References: <063F8B15-493C-4217-BF10-F4A0BE97FECE@kirei.se>

> > c) Regarding "-f config_dir", is there a case for a search path:
> >
> > i) if "-f config_dir" is specified on the command line, use that.
> > ii) Otherwise translate the environment variable
> > "OPENDNSSEC_CONFIGDIR" (or something) and use that
> > iii) Else look in a default location?
>
> hsmutil will use the default config file if no -f config is specified
> on the command line. I believe that's enough.

My personal view is that it is not good if running the same command from 2 different shells can give 2 different outcomes (because of environment settings).

I am not a sysadmin though, so maybe that is just me?
From roy at nominet.org.uk Wed Jul 1 13:30:05 2009 From: roy at nominet.org.uk (roy at nominet.org.uk) Date: Wed, 1 Jul 2009 15:30:05 +0200 Subject: [Opendnssec-develop] ksmutil In-Reply-To: References: <063F8B15-493C-4217-BF10-F4A0BE97FECE@kirei.se> Message-ID: Sion Lloyd wrote on 07/01/2009 03:24:29 PM: > Re: [Opendnssec-develop] ksmutil > > > > c) Regarding "-f config_dir", is there a case for a search path: > > > > > > i) if "-f config_dir" is specified on the command line, use that. > > > ii) Otherwise translate the environment variable > > > "OPENDNSSEC_CONFIGDIR" (or something) and use that > > > iii) Else look in a default location? > > > > hsmutil will use the default config file if no -f config is specified > > on the command line. I believe that's enough. > > My personal view is that it is not good if running the same command from 2 > different shells can give 2 different outcomes (because of environment > settings). > > I am not a sysadmin though, so maybe that is just me? I thought that happens all the time though. The idea is to adjust environment settings to your own liking, so you'd have the same overall homey feel from whichever terminal you're using. Roy From rickard.bondesson at iis.se Wed Jul 1 13:29:30 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Wed, 1 Jul 2009 15:29:30 +0200 Subject: [Opendnssec-develop] ksmutil In-Reply-To: References: <063F8B15-493C-4217-BF10-F4A0BE97FECE@kirei.se> Message-ID: <69830D4127201D4EBD146B9041199718D256FE@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > > > c) Regarding "-f config_dir", is there a case for a search path: > > > > > > i) if "-f config_dir" is specified on the command line, use that. > > > ii) Otherwise translate the environment variable > > > "OPENDNSSEC_CONFIGDIR" (or something) and use that > > > iii) Else look in a default location? > > > > hsmutil will use the default config file if no -f config is > specified > > on the command line. 
I believe that's enough. > > My personal view is that it is not good if running the same > command from 2 different shells can give 2 different outcomes > (because of environment settings). > > I am not a sysadmin though, so maybe that is just me? +1 no environment variable since you can talk directly to the utility (not a background library that needs to be configured) -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSktkuuCjgaNTdVjaAQhqMAf/Sk64+ubW+GEHghbJ6mtRKBbz6V6Ko82I CUzUVr4FKbxklT6q6MGNrT7mVELUBGA5RhNkXcHYjU5Psw8XU0nMWgF/PzvsY01s 4a5BlfgeEMAKV+v0G9IRy7g80sZ2Jgo6aMZnDmwHP/Nr3IbN5JfYhW6rramTYQ4o 1b7DBH/jx7JQ0SVdNj53laYS/E6ixm9bNchqXHO7XpoLVueoh19tqyK/xM4c0Mte QTM90gXOBfNjIBYqD528Yx4+OLJOCMiHyqlErYKes5w7YU2yp261YWsqu7L4BUvs B9HyaSR/x5mHHRZ7ecmipL1BSuaLxXWwzw4TEGvlfEB6pi5ajHNurA== =78u7 -----END PGP SIGNATURE----- From jakob at kirei.se Wed Jul 1 13:37:56 2009 From: jakob at kirei.se (Jakob Schlyter) Date: Wed, 1 Jul 2009 09:37:56 -0400 Subject: [Opendnssec-develop] ksmutil In-Reply-To: <69830D4127201D4EBD146B9041199718D256FE@EXCHANGE.office.nic.se> References: <063F8B15-493C-4217-BF10-F4A0BE97FECE@kirei.se> <69830D4127201D4EBD146B9041199718D256FE@EXCHANGE.office.nic.se> Message-ID: <91F7C6BB-009E-4E63-A521-AE1F596402FF@kirei.se> On 1 jul 2009, at 09.29, Rickard Bondesson wrote: >> >> My personal view is that it is not good if running the same >> command from 2 different shells can give 2 different outcomes >> (because of environment settings). >> >> I am not a sysadmin though, so maybe that is just me? > > +1 no environment variable > since you can talk directly to the utility (not a background library > that needs to be configured) ++ j From Stephen.Morris at nominet.org.uk Thu Jul 2 11:39:58 2009 From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk) Date: Thu, 2 Jul 2009 12:39:58 +0100 Subject: [Opendnssec-develop] KSK Rollovers Message-ID: Have we implemented KSK rollovers yet? 
For each zone, I imagine the process to be:

1. KASP calculates when the current KSK should be rolled. If within some
interval (the "KSK Warning interval", a parameter of the policy), it issues
a warning that the key will be rolled at the calculated time. (This handles
requirement 2.4.3.6 for warning about key rollovers.)

2. When KASP is run at or after the calculated time, it will (a) introduce
a new KSK into the zone, (b) identify a KSK (not the one just introduced)
to be used for signing. It will also output a message stating that the DS
record for the new key should be installed in the parent zone.

3. The signer, when run, will also generate files containing the DS records
for all KSKs and place them into a separate directory. The file names will
be based on zone name and include the identification that KASP has included
in the message output in the previous step.

4. It is then up to the operator what they do. They can either (a) just
pass the identified DS file to the parent zone and ask it to be included or
(b) pass all KSK files to the parent zone, requesting that all current DS
records be removed and the DS records in the files be added.

5. At some time after a KSK rollover, the old KSK is removed from the zone
(i.e. when KASP is next run, the KSK will not be in the list of keys passed
to the signer). KASP will output a message to the log file stating that the
identified key can be removed. It is then up to the operator what they do -
they can either (a) request the parent zone to remove the DS record, or (b)
wait until the next KSK rollover when, if they follow the logic of step 4,
option b, it will be automatically removed.

The questions I have are:

a) Does KASP warn about a rollover?

b) Does KASP notify the user when a KSK rollover is happening? And does it
identify the DS record(s) that should be added to the parent zone?

c) Does the signer create the DS record in a way that it can be easily
found?

d) Does KASP notify the user when a DS record should be removed from the
parent zone? And how does it identify the key to be removed?

In the longer term, do we also want to add the ability for OpenDNSSEC to
check whether a DS record of a KSK is in the parent zone before we actually
start signing the zone with the new key (as suggested in the KSK rollover
algorithm in the key timing draft)? At present, I believe the assumption is
that the DS record will appear in the parent zone within some
(configurable) interval of it being available to the operator.

Stephen

From roy at nominet.org.uk Thu Jul 2 14:35:02 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Thu, 2 Jul 2009 16:35:02 +0200
Subject: [Opendnssec-develop] Surprise!!!
Message-ID:

dig +norec +dnssec @a2.org.afilias-nst.info. opendnssec.org ds

; <<>> +norec +dnssec @a2.org.afilias-nst.info. opendnssec.org ds
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63839
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;opendnssec.org. IN DS

;; ANSWER SECTION:
opendnssec.org. 86400 IN DS 40957 5 1 CE54023878844A2D728B8CB66F733AD1F2B53D30
opendnssec.org. 86400 IN RRSIG DS 7 2 86400 20090716140611 20090702130611 37493 org. WZkp+q2FCmmRmNsCQZvG1ESBBCrnG0qRqlC09ZldYWmfVTXzQ6J2IZDD nHt+829vWiy/1X0LxmelCK2HyyjyzA9+tUCj6sBGlSiZM/nWksuhiEIu s2iYobeiFki9hR6fkohFfsWarhDuLToHcCab/Bsv80tb2t5XPn6PAEAn Lb8=

;; AUTHORITY SECTION:
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS c0.org.afilias-nst.info.
org. 86400 IN NS d0.org.afilias-nst.org.
org. 86400 IN RRSIG NS 7 1 86400 20090709154514 20090625144514 37493 org.
mrsSBGXYQG8uLhqbvVAqNB/AZRRPfApejiHDzA+Z4kYg/ubXKh3diFvJ nuoLiXC4WM1lITRDa7y0pnHTcY9T6qa1YauChEveST7z36NsEsS2dC7Y Np3yspfcn99KbCKaciCsQJAe3DGv5+wVrvQtmJZIAgVSKE2BE3xwTZ0p FUk=

;; ADDITIONAL SECTION:
b0.org.afilias-nst.org. 86400 IN A 199.19.54.1
d0.org.afilias-nst.org. 86400 IN A 199.19.57.1
b0.org.afilias-nst.org. 86400 IN AAAA 2001:500:c::1
d0.org.afilias-nst.org. 86400 IN AAAA 2001:500:f::1

;; Query time: 29 msec
;; SERVER: 199.249.112.1#53(199.249.112.1)
;; WHEN: Thu Jul 2 16:33:35 2009
;; MSG SIZE rcvd: 631

From roland.vanrijswijk at surfnet.nl Thu Jul 2 15:39:35 2009
From: roland.vanrijswijk at surfnet.nl (Roland van Rijswijk)
Date: Thu, 02 Jul 2009 17:39:35 +0200
Subject: [Opendnssec-develop] Surprise!!!
In-Reply-To:
References:
Message-ID: <4A4CD4B7.10200@surfnet.nl>

Good work! Does this mean that secure delegations are now possible for
.org? I've got a wishlist of my own (one of which is eduroam.org)...

Cheers,

Roland

roy at nominet.org.uk wrote:
> dig +norec +dnssec @a2.org.afilias-nst.info. opendnssec.org ds
>
> ; <<>> +norec +dnssec @a2.org.afilias-nst.info. opendnssec.org ds
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63839
> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;opendnssec.org. IN DS
>
> ;; ANSWER SECTION:
> opendnssec.org. 86400 IN DS 40957 5 1
> CE54023878844A2D728B8CB66F733AD1F2B53D30
> opendnssec.org. 86400 IN RRSIG DS 7 2 86400 20090716140611
> 20090702130611 37493 org.
> WZkp+q2FCmmRmNsCQZvG1ESBBCrnG0qRqlC09ZldYWmfVTXzQ6J2IZDD
> nHt+829vWiy/1X0LxmelCK2HyyjyzA9+tUCj6sBGlSiZM/nWksuhiEIu
> s2iYobeiFki9hR6fkohFfsWarhDuLToHcCab/Bsv80tb2t5XPn6PAEAn Lb8=
>
> ;; AUTHORITY SECTION:
> org. 86400 IN NS a0.org.afilias-nst.info.
> org. 86400 IN NS a2.org.afilias-nst.info.
> org. 86400 IN NS b0.org.afilias-nst.org.
> org. 86400 IN NS b2.org.afilias-nst.org.
> org. 86400 IN NS c0.org.afilias-nst.info.
> org. 86400 IN NS d0.org.afilias-nst.org.
> org. 86400 IN RRSIG NS 7 1 86400 20090709154514
> 20090625144514 37493 org.
> mrsSBGXYQG8uLhqbvVAqNB/AZRRPfApejiHDzA+Z4kYg/ubXKh3diFvJ
> nuoLiXC4WM1lITRDa7y0pnHTcY9T6qa1YauChEveST7z36NsEsS2dC7Y
> Np3yspfcn99KbCKaciCsQJAe3DGv5+wVrvQtmJZIAgVSKE2BE3xwTZ0p FUk=
>
> ;; ADDITIONAL SECTION:
> b0.org.afilias-nst.org. 86400 IN A 199.19.54.1
> d0.org.afilias-nst.org. 86400 IN A 199.19.57.1
> b0.org.afilias-nst.org. 86400 IN AAAA 2001:500:c::1
> d0.org.afilias-nst.org. 86400 IN AAAA 2001:500:f::1
>
> ;; Query time: 29 msec
> ;; SERVER: 199.249.112.1#53(199.249.112.1)
> ;; WHEN: Thu Jul 2 16:33:35 2009
> ;; MSG SIZE rcvd: 631
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From joao at bondis.org Thu Jul 2 16:41:03 2009
From: joao at bondis.org (João Damas)
Date: Thu, 2 Jul 2009 18:41:03 +0200
Subject: [Opendnssec-develop] Surprise!!!
In-Reply-To: <4A4CD4B7.10200@surfnet.nl>
References: <4A4CD4B7.10200@surfnet.nl>
Message-ID: <086D5323-88DA-4D09-8891-3D929D2F731B@bondis.org>

friends and family is how this stage is called. Need to send the DS
records to afilias directly.
eduroam.org would easily be amongst friends and family.

Joao

On 2 Jul 2009, at 17:39, Roland van Rijswijk wrote:

> Good work! Does this mean that secure delegations are now possible for
> .org? I've got a wishlist of my own (one of which is eduroam.org)...
>
> Cheers,
>
> Roland
>
> roy at nominet.org.uk wrote:
>> dig +norec +dnssec @a2.org.afilias-nst.info. opendnssec.org ds
>>
>> ; <<>> +norec +dnssec @a2.org.afilias-nst.info. opendnssec.org ds
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63839
>> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;opendnssec.org. IN DS
>>
>> ;; ANSWER SECTION:
>> opendnssec.org. 86400 IN DS 40957 5 1
>> CE54023878844A2D728B8CB66F733AD1F2B53D30
>> opendnssec.org. 86400 IN RRSIG DS 7 2 86400 20090716140611
>> 20090702130611 37493 org.
>> WZkp+q2FCmmRmNsCQZvG1ESBBCrnG0qRqlC09ZldYWmfVTXzQ6J2IZDD
>> nHt+829vWiy/1X0LxmelCK2HyyjyzA9+tUCj6sBGlSiZM/nWksuhiEIu
>> s2iYobeiFki9hR6fkohFfsWarhDuLToHcCab/Bsv80tb2t5XPn6PAEAn Lb8=
>>
>> ;; AUTHORITY SECTION:
>> org. 86400 IN NS a0.org.afilias-nst.info.
>> org. 86400 IN NS a2.org.afilias-nst.info.
>> org. 86400 IN NS b0.org.afilias-nst.org.
>> org. 86400 IN NS b2.org.afilias-nst.org.
>> org. 86400 IN NS c0.org.afilias-nst.info.
>> org. 86400 IN NS d0.org.afilias-nst.org.
>> org. 86400 IN RRSIG NS 7 1 86400 20090709154514
>> 20090625144514 37493 org.
>> mrsSBGXYQG8uLhqbvVAqNB/AZRRPfApejiHDzA+Z4kYg/ubXKh3diFvJ
>> nuoLiXC4WM1lITRDa7y0pnHTcY9T6qa1YauChEveST7z36NsEsS2dC7Y
>> Np3yspfcn99KbCKaciCsQJAe3DGv5+wVrvQtmJZIAgVSKE2BE3xwTZ0p FUk=
>>
>> ;; ADDITIONAL SECTION:
>> b0.org.afilias-nst.org. 86400 IN A 199.19.54.1
>> d0.org.afilias-nst.org. 86400 IN A 199.19.57.1
>> b0.org.afilias-nst.org. 86400 IN AAAA 2001:500:c::1
>> d0.org.afilias-nst.org. 86400 IN AAAA 2001:500:f::1
>>
>> ;; Query time: 29 msec
>> ;; SERVER: 199.249.112.1#53(199.249.112.1)
>> ;; WHEN: Thu Jul 2 16:33:35 2009
>> ;; MSG SIZE rcvd: 631
>
> --
> -- Roland M. van Rijswijk
> -- SURFnet Middleware Services
> -- t: +31-30-2305388
> -- e: roland.vanrijswijk at surfnet.nl

From jakob at kirei.se Thu Jul 2 18:26:27 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Thu, 2 Jul 2009 20:26:27 +0200
Subject: [Opendnssec-develop] KSK Rollovers
In-Reply-To:
References:
Message-ID:

On 2 jul 2009, at 13.39, Stephen.Morris at nominet.org.uk wrote:

> a) Does KASP warn about a rollover?

I believe we should warn via syslog.

> b) Does KASP notify the user when a KSK rollover is happening?

I believe we should warn via syslog here as well.

> And does it identify the DS record(s) that should be added to the
> parent zone?

it might be nice to log the keytag of the new KSK(s).

> c) Does the signer create the DS record in a way that it can be
> easily found?

at the last meeting in Amsterdam we decided that the signer should not
save the DS records in any file - the user can use drill or similar to
get data needed to send to the parent.

> d) Does KASP notify the user when a DS record should be removed from
> the parent zone? And how does it identify the key to be removed?

as soon as the new KSK has gone active and all signatures have been
regenerated, it could log this as well?

>
> In the longer term, do we also want to add the ability for
> OpenDNSSEC to check whether a DS record of a KSK is in the parent
> zone before we actually start signing the zone with the new key (as
> suggested in the KSK rollover algorithm in the key timing draft)? At
> present, I believe the assumption is that the DS record will appear
> in the parent zone within some (configurable) interval of it being
> available to the operator.

right.
jakob

From roy at nominet.org.uk Thu Jul 2 19:47:57 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Thu, 2 Jul 2009 21:47:57 +0200
Subject: [Opendnssec-develop] Surprise!!!
In-Reply-To: <086D5323-88DA-4D09-8891-3D929D2F731B@bondis.org>
References: <4A4CD4B7.10200@surfnet.nl> <086D5323-88DA-4D09-8891-3D929D2F731B@bondis.org>
Message-ID:

João Damas wrote on 07/02/2009 06:41:03 PM:

> friends and family is how this stage is called. Need to send the DS
> records to afilias directly.
> eduroam.org would easily be amongst friends and family.

Better sign eduroam.org first though.

Roy

From jelte at NLnetLabs.nl Thu Jul 2 20:03:57 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Thu, 02 Jul 2009 22:03:57 +0200
Subject: [Opendnssec-develop] KSK Rollovers
In-Reply-To:
References:
Message-ID: <4A4D12AD.6080809@NLnetLabs.nl>

Jakob Schlyter wrote:
>
>> c) Does the signer create the DS record in a way that it can be easily
>> found?
>
> at the last meeting in Amsterdam we decided that the signer should not
> save the DS records in any file - the user can use drill or similar to
> get data needed to send to the parent.
>

btw, could there be an operational policy where administrators might want
to have the DS record for a key that is not yet in a zone (i.e. before it
is even pre-published)?

btw2. if we ever generate the DS automatically we will need a
configuration option about what type of DS to produce

Jelte

From olaf at NLnetLabs.nl Thu Jul 2 16:06:43 2009
From: olaf at NLnetLabs.nl (Olaf Kolkman)
Date: Thu, 2 Jul 2009 18:06:43 +0200
Subject: [Opendnssec-develop] Surprise!!!
In-Reply-To: <4A4CD4B7.10200@surfnet.nl>
References: <4A4CD4B7.10200@surfnet.nl>
Message-ID: <61DFA5C4-7ECD-405D-B017-DB38E9CF4B1C@NLnetLabs.nl>

ietf and iab .org have a secure delegation as of a few hours ago. Under a
friends and family program

Sent from a phone; apologies for the telegram style this message might
have.

On 2 jul 2009, at 17:39, Roland van Rijswijk wrote:

> Good work! Does this mean that secure delegations are now possible for
> .org? I've got a wishlist of my own (one of which is eduroam.org)...
>
> Cheers,
>
> Roland
>
> roy at nominet.org.uk wrote:
>> dig +norec +dnssec @a2.org.afilias-nst.info. opendnssec.org ds
>>
>> ; <<>> +norec +dnssec @a2.org.afilias-nst.info. opendnssec.org ds
>> ; (1 server found)
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63839
>> ;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 5
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags:; udp: 4096
>> ;; QUESTION SECTION:
>> ;opendnssec.org. IN DS
>>
>> ;; ANSWER SECTION:
>> opendnssec.org. 86400 IN DS 40957 5 1
>> CE54023878844A2D728B8CB66F733AD1F2B53D30
>> opendnssec.org. 86400 IN RRSIG DS 7 2 86400 20090716140611
>> 20090702130611 37493 org.
>> WZkp+q2FCmmRmNsCQZvG1ESBBCrnG0qRqlC09ZldYWmfVTXzQ6J2IZDD
>> nHt+829vWiy/1X0LxmelCK2HyyjyzA9+tUCj6sBGlSiZM/nWksuhiEIu
>> s2iYobeiFki9hR6fkohFfsWarhDuLToHcCab/Bsv80tb2t5XPn6PAEAn Lb8=
>>
>> ;; AUTHORITY SECTION:
>> org. 86400 IN NS a0.org.afilias-nst.info.
>> org. 86400 IN NS a2.org.afilias-nst.info.
>> org. 86400 IN NS b0.org.afilias-nst.org.
>> org. 86400 IN NS b2.org.afilias-nst.org.
>> org. 86400 IN NS c0.org.afilias-nst.info.
>> org. 86400 IN NS d0.org.afilias-nst.org.
>> org. 86400 IN RRSIG NS 7 1 86400 20090709154514
>> 20090625144514 37493 org.
>> mrsSBGXYQG8uLhqbvVAqNB/AZRRPfApejiHDzA+Z4kYg/ubXKh3diFvJ
>> nuoLiXC4WM1lITRDa7y0pnHTcY9T6qa1YauChEveST7z36NsEsS2dC7Y
>> Np3yspfcn99KbCKaciCsQJAe3DGv5+wVrvQtmJZIAgVSKE2BE3xwTZ0p FUk=
>>
>> ;; ADDITIONAL SECTION:
>> b0.org.afilias-nst.org. 86400 IN A 199.19.54.1
>> d0.org.afilias-nst.org. 86400 IN A 199.19.57.1
>> b0.org.afilias-nst.org. 86400 IN AAAA 2001:500:c::1
>> d0.org.afilias-nst.org. 86400 IN AAAA 2001:500:f::1
>>
>> ;; Query time: 29 msec
>> ;; SERVER: 199.249.112.1#53(199.249.112.1)
>> ;; WHEN: Thu Jul 2 16:33:35 2009
>> ;; MSG SIZE rcvd: 631
>
> --
> -- Roland M. van Rijswijk
> -- SURFnet Middleware Services
> -- t: +31-30-2305388
> -- e: roland.vanrijswijk at surfnet.nl

From roland.vanrijswijk at surfnet.nl Fri Jul 3 06:27:12 2009
From: roland.vanrijswijk at surfnet.nl (Roland van Rijswijk)
Date: Fri, 03 Jul 2009 08:27:12 +0200
Subject: [Opendnssec-develop] Surprise!!!
In-Reply-To:
References: <4A4CD4B7.10200@surfnet.nl> <086D5323-88DA-4D09-8891-3D929D2F731B@bondis.org>
Message-ID: <4A4DA4C0.3090708@surfnet.nl>

Of course Roy :-) once OpenDNSSEC 1.0 is out we'll give it a go

roy at nominet.org.uk wrote:
> João Damas wrote on 07/02/2009 06:41:03 PM:
>
>> friends and family is how this stage is called. Need to send the DS
>> records to afilias directly.
>> eduroam.org would easily be amongst friends and family.
>
> Better sign eduroam.org first though.
>
> Roy
>

--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From Stephen.Morris at nominet.org.uk Fri Jul 3 12:46:16 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Fri, 3 Jul 2009 13:46:16 +0100
Subject: [Opendnssec-develop] KSK Rollovers
In-Reply-To:
References:
Message-ID:

Jakob Schlyter wrote on 02/07/2009 19:26:27:

>> On 2 jul 2009, at 13.39, Stephen.Morris at nominet.org.uk wrote:
>
> > a) Does KASP warn about a rollover?
>
> I believe we should warn via syslog.

That will be fine, I asked the question just to ensure that this is done.

> > b) Does KASP notify the user when a KSK rollover is happening?
>
> I believe we should warn via syslog here as well.

Again, that is OK.

> > And does it identify the DS record(s) that should be added to the
> > parent zone?
>
> it might be nice to log the keytag of the new KSK(s).
>
> > c) Does the signer create the DS record in a way that it can be
> > easily found?
>
> at the last meeting in Amsterdam we decided that the signer should not
> save the DS records in any file - the user can use drill or similar to
> get data needed to send to the parent.

The DS record was my first thought. Reading RFC 4310, I see that to
create a DS record, EPP requires:

key tag
algorithm
digest type
digest
optional max sig lifetime
optional keydata

It is certainly not OpenDNSSEC's place to interface to EPP, but it is its
responsibility to make the information easily available. Asking the user
to use a tool like "drill" feels like a step too far, although it is
acceptable for the technology preview. Instead, could KASP or the signer
log the information in syslog? If this is in the form of an easily
identifiable message, the user's systems could intercept those messages
and automatically generate an EPP request to the parent. (Which leads to
a definition question: should it be KASP or should it be the signer that
generates the message?)
> > d) Does KASP notify the user when a DS record should be removed from
> > the parent zone? And how does it identify the key to be removed?
>
> as soon as the new KSK has gone active and all signatures have been
> regenerated, it could log this as well?

If it logs when a DS record (presumably identified by key tag) should be
removed from the parent, the user's systems could intercept the message
and issue the appropriate EPP update command.

> > In the longer term, do we also want to add the ability for
> > OpenDNSSEC to check whether a DS record of a KSK is in the parent
> > zone before we actually start signing the zone with the new key (as
> > suggested in the KSK rollover algorithm in the key timing draft)? At
> > present, I believe the assumption is that the DS record will appear
> > in the parent zone within some (configurable) interval of it being
> > available to the operator.
>
> right.
>
> jakob
>

Stephen

From Ray.Bellis at nominet.org.uk Fri Jul 3 13:10:58 2009
From: Ray.Bellis at nominet.org.uk (Ray.Bellis at nominet.org.uk)
Date: Fri, 3 Jul 2009 14:10:58 +0100
Subject: [Opendnssec-develop] KSK Rollovers
In-Reply-To:
References:
Message-ID:

> Instead,
> could KASP or the signer log the information in syslog? If this is
> in the form of an easily identifiable message, the user's systems
> could intercept those messages and automatically generate an EPP
> request to the parent. (Which leads to a definition question:
> should it be KASP or should it be the signer that generates the message?)

I'm personally not in favour of using syslog for this sort of thing.
Primarily syslog is designed as a logging mechanism, not as an IPC
mechanism. It's not designed to be 100% secure or reliable (although
newer versions do attempt to address this).

My preference would be for KASP to automatically invoke (end-user
specified) programs as necessary, so that EPP and/or whatever else can be
supplied by third parties.

Alternately use a reliable IPC mechanism (such as a specific named pipe)
that's dedicated for KASP's use, and not shared with any other part of
the system.

Ray

From rick at openfortress.nl Mon Jul 6 12:12:58 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Mon, 6 Jul 2009 12:12:58 +0000
Subject: [Opendnssec-develop] Minutes 2009-07-16
Message-ID: <20090706121258.GA3844@phantom.vanrein.org>

Hi,

Better late than never...? I returned from a bit of travelling, and
remembered that I hadn't put the notes for our last telephone meeting
online. My apologies. They have just been added.

OpenDNSSEC phone meeting 17-06-2009

-Rick

From Stephen.Morris at nominet.org.uk Mon Jul 6 18:14:46 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Mon, 6 Jul 2009 19:14:46 +0100
Subject: [Opendnssec-develop] KASP Configuration Documentation
Message-ID:

As part of writing system tests, I felt that I had to understand the KASP
configuration file. For this reason, and at the risk of pre-empting the
documentation Patrik is going to write, I have written a guide to KASP
configuration - see
http://trac.opendnssec.org/wiki/Signer/Configuration/ExampleKaspXml

There are a number of questions in that page (in italics) - answers
welcome.

Stephen

From Greg.Rabil at ins.com Mon Jul 6 20:52:30 2009
From: Greg.Rabil at ins.com (Greg.Rabil at ins.com)
Date: Mon, 6 Jul 2009 15:52:30 -0500
Subject: [Opendnssec-develop] Building SoftHSM RC 1
Message-ID: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com>

Hello OpenDNSSEC folks,

I am trying to build the SoftHSM on RHEL 5.
I have installed the required Botan 1.8.2 and SQLite 3.6.16, but I
receive the following error when trying to "make" the softhsm:

[root at onyx libsofthsm-1.0.0-RC1]# make
Making all in src
make[1]: Entering directory `/tmp/libsofthsm-1.0.0-RC1/src'
Making all in bin
make[2]: Entering directory `/tmp/libsofthsm-1.0.0-RC1/src/bin'
g++ -DPACKAGE_NAME=\"libsofthsm\" -DPACKAGE_TARNAME=\"libsofthsm\" -DPACKAGE_VERSION=\"1.0.0-RC1\" -DPACKAGE_STRING=\"libsofthsm\ 1.0.0-RC1\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"libsofthsm\" -DVERSION=\"1.0.0-RC1\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_STAT_H=1 -DSOFTLOGLEVEL=3 -DHAVE_LIBSQLITE3=1 -DVERSION_MAJOR=1 -DVERSION_MINOR=0 -DHAVE_DLFCN_H=1 -I. -I. -g -O2 -I/usr/local/include -I/usr/local/include -MT softhsm-softhsm.o -MD -MP -MF .deps/softhsm-softhsm.Tpo -c -o softhsm-softhsm.o `test -f 'softhsm.cpp' || echo './'`softhsm.cpp
mv -f .deps/softhsm-softhsm.Tpo .deps/softhsm-softhsm.Po
/bin/sh ../../libtool --tag=CXX --mode=link g++ -g -O2 -I/usr/local/include -I/usr/local/include -L/usr/local/lib -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib -o softhsm softhsm-softhsm.o -lsqlite3 -lbotan
mkdir .libs
g++ -g -O2 -I/usr/local/include -I/usr/local/include -o softhsm softhsm-softhsm.o -L/usr/local/lib /usr/local/lib/libsqlite3.so -lbotan -Wl,--rpath -Wl,/usr/local/lib -Wl,--rpath -Wl,/usr/local/lib
make[2]: Leaving directory `/tmp/libsofthsm-1.0.0-RC1/src/bin'
Making all in lib
make[2]: Entering directory `/tmp/libsofthsm-1.0.0-RC1/src/lib'
/bin/sh ../../libtool --tag=CXX --mode=compile g++ -DPACKAGE_NAME=\"libsofthsm\" -DPACKAGE_TARNAME=\"libsofthsm\" -DPACKAGE_VERSION=\"1.0.0-RC1\" -DPACKAGE_STRING=\"libsofthsm\ 1.0.0-RC1\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"libsofthsm\" -DVERSION=\"1.0.0-RC1\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_STAT_H=1 -DSOFTLOGLEVEL=3 -DHAVE_LIBSQLITE3=1 -DVERSION_MAJOR=1 -DVERSION_MINOR=0 -DHAVE_DLFCN_H=1 -I. -I. -g -O2 -I/usr/local/include -I/usr/local/include -MT libsofthsm_la-main.lo -MD -MP -MF .deps/libsofthsm_la-main.Tpo -c -o libsofthsm_la-main.lo `test -f 'main.cpp' || echo './'`main.cpp
mkdir .libs
g++ -DPACKAGE_NAME=\"libsofthsm\" -DPACKAGE_TARNAME=\"libsofthsm\" -DPACKAGE_VERSION=\"1.0.0-RC1\" "-DPACKAGE_STRING=\"libsofthsm 1.0.0-RC1\"" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"libsofthsm\" -DVERSION=\"1.0.0-RC1\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_STAT_H=1 -DSOFTLOGLEVEL=3 -DHAVE_LIBSQLITE3=1 -DVERSION_MAJOR=1 -DVERSION_MINOR=0 -DHAVE_DLFCN_H=1 -I. -I. -g -O2 -I/usr/local/include -I/usr/local/include -MT libsofthsm_la-main.lo -MD -MP -MF .deps/libsofthsm_la-main.Tpo -c main.cpp -fPIC -DPIC -o .libs/libsofthsm_la-main.o
main.cpp: In function ‘CK_RV C_SeedRandom(CK_SESSION_HANDLE, CK_BYTE*, CK_ULONG)’:
main.cpp:2725: error: no matching function for call to ‘Botan::AutoSeeded_RNG::reseed()’
/usr/local/include/botan/auto_rng.h:30: note: candidates are: virtual void Botan::AutoSeeded_RNG::reseed(Botan::u32bit)
make[2]: *** [libsofthsm_la-main.lo] Error 1
make[2]: Leaving directory `/tmp/libsofthsm-1.0.0-RC1/src/lib'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/libsofthsm-1.0.0-RC1/src'
make: *** [all-recursive] Error 1

Any suggestions on how I might resolve this issue with "no matching
function call to Botan::AutoSeeded_RNG::reseed()"?

Regards,
Greg Rabil

A. Gregory Rabil | Lead Software Architect | BT Diamond IP |
Tel: +1 (610) 423-4770 | Fax: +1 (610) 423-4774 | Greg.Rabil at bt.com | http://bt.diamondip.com

This electronic message contains information from BT INS, Inc, which may
be privileged or confidential. The information is intended for use only
by the individual(s) or entity named above. If you are not the intended
recipient, be aware that any disclosure, copying, distribution or use of
the contents of this information is strictly prohibited. If you have
received this electronic message in error, please notify me by telephone
or email (to the number or email address above) immediately.

Activity and use of the BT INS, Inc e-mail system is monitored to secure
its effective operation and for other lawful business purposes.
Communications using this system will also be monitored and may be
recorded to secure effective operation and for other lawful business
purposes.

BT INS Inc, 1600 Memorex Drive, Suite 200, Santa Clara California
95050-2842, United States

From rickard.bondesson at iis.se Tue Jul 7 07:12:37 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 7 Jul 2009 09:12:37 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com>
Message-ID: <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se>

Yeah, RC1 is an old release by now. Sorry about that. Will create a RC2
asap (1 hour).
You will find the link on http://trac.opendnssec.org/wiki/SoftHSM

// Rickard

> -----Original Message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org
> [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of
> Greg.Rabil at ins.com
> Sent: 6 July 2009 22:53
> To: opendnssec-develop at lists.opendnssec.org
> Subject: [Opendnssec-develop] Building SoftHSM RC 1
>
> Hello OpenDNSSEC folks,
>
> I am trying to build the SoftHSM on RHEL 5. I have installed
> the required Botan 1.8.2 and SQLite 3.6.16, but I receive the
> following error when trying to "make" the softhsm:
>
> [root at onyx libsofthsm-1.0.0-RC1]# make
> Making all in src
> make[1]: Entering directory `/tmp/libsofthsm-1.0.0-RC1/src'
> Making all in bin
> make[2]: Entering directory `/tmp/libsofthsm-1.0.0-RC1/src/bin'
> g++ -DPACKAGE_NAME=\"libsofthsm\" -DPACKAGE_TARNAME=\"libsofthsm\" -DPACKAGE_VERSION=\"1.0.0-RC1\" -DPACKAGE_STRING=\"libsofthsm\ 1.0.0-RC1\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"libsofthsm\" -DVERSION=\"1.0.0-RC1\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_STAT_H=1 -DSOFTLOGLEVEL=3 -DHAVE_LIBSQLITE3=1 -DVERSION_MAJOR=1 -DVERSION_MINOR=0 -DHAVE_DLFCN_H=1 -I. -I. -g -O2 -I/usr/local/include -I/usr/local/include -MT softhsm-softhsm.o -MD -MP -MF .deps/softhsm-softhsm.Tpo -c -o softhsm-softhsm.o `test -f 'softhsm.cpp' || echo './'`softhsm.cpp
> mv -f .deps/softhsm-softhsm.Tpo .deps/softhsm-softhsm.Po
> /bin/sh ../../libtool --tag=CXX --mode=link g++ -g -O2 -I/usr/local/include -I/usr/local/include -L/usr/local/lib -R/usr/local/lib -L/usr/local/lib -R/usr/local/lib -o softhsm softhsm-softhsm.o -lsqlite3 -lbotan
> mkdir .libs
> g++ -g -O2 -I/usr/local/include -I/usr/local/include -o softhsm softhsm-softhsm.o -L/usr/local/lib /usr/local/lib/libsqlite3.so -lbotan -Wl,--rpath -Wl,/usr/local/lib -Wl,--rpath -Wl,/usr/local/lib
> make[2]: Leaving directory `/tmp/libsofthsm-1.0.0-RC1/src/bin'
> Making all in lib
> make[2]: Entering directory `/tmp/libsofthsm-1.0.0-RC1/src/lib'
> /bin/sh ../../libtool --tag=CXX --mode=compile g++ -DPACKAGE_NAME=\"libsofthsm\" -DPACKAGE_TARNAME=\"libsofthsm\" -DPACKAGE_VERSION=\"1.0.0-RC1\" -DPACKAGE_STRING=\"libsofthsm\ 1.0.0-RC1\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"libsofthsm\" -DVERSION=\"1.0.0-RC1\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_STAT_H=1 -DSOFTLOGLEVEL=3 -DHAVE_LIBSQLITE3=1 -DVERSION_MAJOR=1 -DVERSION_MINOR=0 -DHAVE_DLFCN_H=1 -I. -I. -g -O2 -I/usr/local/include -I/usr/local/include -MT libsofthsm_la-main.lo -MD -MP -MF .deps/libsofthsm_la-main.Tpo -c -o libsofthsm_la-main.lo `test -f 'main.cpp' || echo './'`main.cpp
> mkdir .libs
> g++ -DPACKAGE_NAME=\"libsofthsm\" -DPACKAGE_TARNAME=\"libsofthsm\" -DPACKAGE_VERSION=\"1.0.0-RC1\" "-DPACKAGE_STRING=\"libsofthsm 1.0.0-RC1\"" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE=\"libsofthsm\" -DVERSION=\"1.0.0-RC1\" -DSTDC_HEADERS=1 -DHAVE_SYS_TYPES_H=1 -DHAVE_SYS_STAT_H=1 -DHAVE_STDLIB_H=1 -DHAVE_STRING_H=1 -DHAVE_MEMORY_H=1 -DHAVE_STRINGS_H=1 -DHAVE_INTTYPES_H=1 -DHAVE_STDINT_H=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_TIME_H=1 -DHAVE_SYS_STAT_H=1 -DSOFTLOGLEVEL=3 -DHAVE_LIBSQLITE3=1 -DVERSION_MAJOR=1 -DVERSION_MINOR=0 -DHAVE_DLFCN_H=1 -I. -I. -g -O2 -I/usr/local/include -I/usr/local/include -MT libsofthsm_la-main.lo -MD -MP -MF .deps/libsofthsm_la-main.Tpo -c main.cpp -fPIC -DPIC -o .libs/libsofthsm_la-main.o
> main.cpp: In function ‘CK_RV C_SeedRandom(CK_SESSION_HANDLE, CK_BYTE*, CK_ULONG)’:
> main.cpp:2725: error: no matching function for call to ‘Botan::AutoSeeded_RNG::reseed()’
> /usr/local/include/botan/auto_rng.h:30: note: candidates are: virtual void Botan::AutoSeeded_RNG::reseed(Botan::u32bit)
> make[2]: *** [libsofthsm_la-main.lo] Error 1
> make[2]: Leaving directory `/tmp/libsofthsm-1.0.0-RC1/src/lib'
> make[1]: *** [all-recursive] Error 1
> make[1]: Leaving directory `/tmp/libsofthsm-1.0.0-RC1/src'
> make: *** [all-recursive] Error 1
>
> Any suggestions on how I might resolve this issue with "no
> matching function call to Botan::AutoSeeded_RNG::reseed()"?
>
> Regards,
> Greg Rabil
>
> A. Gregory Rabil | Lead Software Architect | BT Diamond IP |
> Tel: +1 (610) 423-4770 | Fax: +1 (610) 423-4774 | Greg.Rabil at bt.com | http://bt.diamondip.com
>
> This electronic message contains information from BT INS, Inc, which
> may be privileged or confidential.
The information is intended for use only by > the individual(s) or entity named above. If you > > are not the intended recipient, be aware that any disclosure, > copying, distribution or use of the contents of > > this information is strictly prohibited. If you have > received this electronic message in error, please notify > > me by telephone or email (to the number or email address > above) immediately. > > > > Activity and use of the BT INS, Inc e-mail system is > monitored to secure its effective > > operation and for other lawful business purposes. > Communications using this system will also be monitored > > and may be recorded to secure effective operation and for > other lawful business purposes. > > > > BT INS Inc, 1600 Memorex Drive, Suite 200, Santa Clara > California 95050-2842 ,United States > > > > -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSlL1ZeCjgaNTdVjaAQit6Qf+J3EgmWFEyTvYGTwJCjMy3AwxEgMf6xvl Xa2p7qv3tEYArL2UKhoRwlvxn67okuGulpbECdF+ZmcLFEcek5459ZT+GLFrAhx4 +er7Lb4qG1+Nic1JbxmzpLP9cpzBvsCaRPDnbOMcSgkYKp+qF8FGlKHixNWZ1oBy 41Kv3kKbeTbTZbtUHppzEPLBerOaCt0dm2GYybE7ful4/rcN9HLpphu9U9EgrKrW EN4wUb5B6Ro/DA2JZ1Ri28y4RzcokCtdd36CfYrtcwgCFOOeYLE/RwSLrMj9eRg+ ftIL7h+U++1/MRgvrbEsxwE0B0WTCejs8v+ZC/DfUMnK0fRKCLa1YQ== =BHGT -----END PGP SIGNATURE----- From Stephen.Morris at nominet.org.uk Tue Jul 7 12:25:40 2009 From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk) Date: Tue, 7 Jul 2009 13:25:40 +0100 Subject: [Opendnssec-develop] Fw: KASP Configuration Documentation Message-ID: Stephen Morris/Nominet wrote on 06/07/2009 19:14:46: > As part of writing system tests, I felt that I had to understand the KASP > configuration file. 
> For this reason, and at the risk of pre-empting the
> documentation Patrik is going to write, I have written a guide to KASP
> configuration - see http://trac.opendnssec.org/wiki/Signer/Configuration/ExampleKaspXml
>
> There are a number of questions in that page (in italics) - answers welcome.

I've also written some documentation in the same format for the OpenDNSSEC configuration file - http://trac.opendnssec.org/wiki/Signer/Configuration/ExampleConfXml

As before, there are a couple of questions (in italics) in the page.

Stephen

From rickard.bondesson at iis.se Tue Jul 7 13:22:35 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 7 Jul 2009 15:22:35 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se>
Message-ID: <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se>

> Yeah, RC1 is an old release by now. Sorry about that. Will
> create an RC2 asap (1 hour). You will find the link on
> http://trac.opendnssec.org/wiki/SoftHSM

Sorry, currently having some problem getting the files configured correctly in the tar-ball when doing 'make dist'. Will find a solution real soon.
You could get the latest code from the SVN until the problem is fixed:

svn co http://svn.opendnssec.se/trunk/m4/
svn co http://svn.opendnssec.se/trunk/softHSM/

// Rickard

From Greg.Rabil at ins.com Tue Jul 7 14:05:26 2009
From: Greg.Rabil at ins.com (Greg.Rabil at ins.com)
Date: Tue, 7 Jul 2009 09:05:26 -0500
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se>
Message-ID: <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com>

Thank you Rickard. Unfortunately, I'm not sure how to build from the source tree. There is no 'configure.pl' script, but a 'configure.ac' file? Also, there does not appear to be the requisite 'Makefile.in' files in the bin/ and lib/ directories. Attempting to simply copy the source trees into the corresponding directories of my RC1 build did not work either.

I very much appreciate your prompt responses. If there is something simple I must do to build from the source, please let me know, otherwise I will wait for you to complete the RC2 release.

Best regards,
Greg Rabil

From rickard.bondesson at iis.se Tue Jul 7 14:11:01 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 7 Jul 2009 16:11:01 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com>
Message-ID: <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se>

Ahh, yeah. When building from SVN:

First
sh autogen.sh

Then
./configure
make

> Thank you Rickard. Unfortunately, I'm not sure how to build
> from the source tree. There is no 'configure.pl' script, but
> a 'configure.ac' file? Also, there does not appear to be the
> requisite 'Makefile.in' files in the bin/ and lib/
> directories. Attempting to simply copy the source trees into
> the corresponding directories of my RC1 build did not work either.
>
> I very much appreciate your prompt responses. If there is
> something simple I must do to build from the source, please
> let me know, otherwise I will wait for you to complete the
> RC2 release.

From Greg.Rabil at ins.com Tue Jul 7 14:23:38 2009
From: Greg.Rabil at ins.com (Greg.Rabil at ins.com)
Date: Tue, 7 Jul 2009 09:23:38 -0500
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se>
Message-ID: <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com>

Perhaps I'm missing an 'aclocal' file? I don't see one in the SVN tree.

[root at onyx softHSM]# sh autogen.sh
Can't exec "aclocal": No such file or directory at /usr/local/share/autoconf/Autom4te/FileUtils.pm line 326.
autoreconf: failed to run aclocal: No such file or directory
[root at onyx softHSM]#

Thanks,
Greg

From rickard.bondesson at iis.se Tue Jul 7 14:32:32 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 7 Jul 2009 16:32:32 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com>
Message-ID: <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se>

> Perhaps I'm missing an 'aclocal' file? I don't see one in
> the SVN tree.
>
> [root at onyx softHSM]# sh autogen.sh
> Can't exec "aclocal": No such file or directory at
> /usr/local/share/autoconf/Autom4te/FileUtils.pm line 326.
> autoreconf: failed to run aclocal: No such file or directory
> [root at onyx softHSM]#
>
> Thanks,
> Greg

Ohh sorry, since we are building from SVN you also need the programs automake, autoconf, libtool, etc.
// Rickard

From Greg.Rabil at ins.com Tue Jul 7 14:50:29 2009
From: Greg.Rabil at ins.com (Greg.Rabil at ins.com)
Date: Tue, 7 Jul 2009 09:50:29 -0500
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se>
Message-ID: <1E4636828B4AD841900A31378A9FE3CD0125950FED@usemp11.ins.com>

Rickard,

Many thanks. I had realized that I needed 'autoconf' from your previous reply. Now that I've installed 'automake' and 'libtool', I am able to configure/make/install the SoftHSM from the SVN source.

Regards,
Greg

From rick at openfortress.nl Tue Jul 7 16:03:12 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Tue, 7 Jul 2009 16:03:12 +0000
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se>
Message-ID: <20090707160312.GA23088@phantom.vanrein.org>

Hi,

> Ohh sorry, since we are building from SVN you also need the programs automake,
> autoconf, libtool, etc.

Either that or the ./configure should be included, right?

Perhaps that's a good idea then.

I know this is a two-schools-of-opinion kind of thing though. But it seems to make life easier on users.
-Rick

From jakob at kirei.se Tue Jul 7 19:37:11 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 7 Jul 2009 21:37:11 +0200
Subject: [Opendnssec-develop] KASP Configuration Documentation
In-Reply-To:
References:
Message-ID:

> Query: why does require a boolean value whereas opt-out
> is indicated by the presence or absence of the element?

good question; I think we should change that to

> Query: What format is used to specify an external HSM?

what is "an external HSM"? the repository name is just a symbolic name that is later mapped to shared library + token name using the config.

jakob

From jakob at kirei.se Tue Jul 7 19:38:32 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 7 Jul 2009 21:38:32 +0200
Subject: [Opendnssec-develop] Fw: KASP Configuration Documentation
In-Reply-To:
References:
Message-ID:

> identifies the dynamic-link library that controls the
> repository. Each type of HSM will have its own library.
>
> Query: how would we specify use of two separate HSMs of the same type?

two with the same dynlib, but with different token labels.

> identifies the "token" within the HSM that is being
> used - essentially a form of sub-repository.
>
> Query: is this explanation above correct?

correct enough :-)

jakob

From jelte at NLnetLabs.nl Tue Jul 7 22:04:37 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Wed, 08 Jul 2009 00:04:37 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <20090707160312.GA23088@phantom.vanrein.org>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se> <20090707160312.GA23088@phantom.vanrein.org>
Message-ID: <4A53C675.9010402@NLnetLabs.nl>

Rick van Rein wrote:
> Hi,
>
>> Ohh sorry, since we are building from SVN you also need the programs automake,
>> autoconf, libtool, etc.
>
> Either that or the ./configure should be included, right?
>
> Perhaps that's a good idea then.
>
> I know this is a two-schools-of-opinion kind of thing though.
> But it seems to make life easier on users.

What I do on my projects at Labs is to automatically create the configure scripts when building a release tarball (for which I have a makedist.sh script); in releases it is then just a matter of running ./configure && make install.

But since configure (and Makefile.in in this case) are generated automatically they should not be in the repository, imho.
This is indeed a two-schools kind of thing; at least one of my colleagues at Labs does not agree :)

Jelte

From rick at openfortress.nl Tue Jul 7 22:17:23 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Tue, 7 Jul 2009 22:17:23 +0000
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <4A53C675.9010402@NLnetLabs.nl>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se> <20090707160312.GA23088@phantom.vanrein.org> <4A53C675.9010402@NLnetLabs.nl>
Message-ID: <20090707221723.GA27227@phantom.vanrein.org>

Hi,

> What I do on my projects at Labs is to automatically create the configure
> scripts when building a release tarball (for which I have a makedist.sh
> script);
> in releases it is then just a matter of running ./configure && make install.
>
> But since configure (and Makefile.in in this case) are generated automatically
> they should not be in the repository, imho.

Putting it in the release tarballs is a good middle ground. Asking people to have automake and such installed is less problematic for those who lurk on the Subversion tree than for those who download a tarball.

Still, good building instructions are needed, as there are varieties of doing these things, and (I at least) am usually trying things until, somehow, magically, things start to build. That's not good enough IM(H)O.

> This is indeed a two-schools kind of thing; at least one of my colleagues at
> Labs does not agree :)

Let's not start a war... adding ./configure to tarballs is a very good idea to resolve it pragmatically, I think.

Others agreed?

-Rick

From roy at nominet.org.uk Tue Jul 7 21:24:03 2009
From: roy at nominet.org.uk (Roy Arends)
Date: Tue, 7 Jul 2009 23:24:03 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <20090707221723.GA27227@phantom.vanrein.org>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se> <20090707160312.GA23088@phantom.vanrein.org> <4A53C675.9010402@NLnetLabs.nl> <20090707221723.GA27227@phantom.vanrein.org>
Message-ID:

Rick van Rein wrote on 07/08/2009 12:17:23 AM:

> adding ./configure to tarballs is a very
> good idea to resolve it pragmatically, I think.
>
> Others agreed?

+1

Roy
From jelte at NLnetLabs.nl Tue Jul 7 22:31:08 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Wed, 08 Jul 2009 00:31:08 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <20090707221723.GA27227@phantom.vanrein.org>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se> <20090707160312.GA23088@phantom.vanrein.org> <4A53C675.9010402@NLnetLabs.nl> <20090707221723.GA27227@phantom.vanrein.org>
Message-ID: <4A53CCAC.3010206@NLnetLabs.nl>

Rick van Rein wrote:
>
> Still, good building instructions are needed, as there are varieties of

definitely

> doing these things, and (I at least) am usually trying things until,
> somehow, magically, things start to build. That's not good enough IM(H)O.
>

yes, although jakob has done some tremendous work on this, there is still room for improvement; the big 'do-all' makefile currently has a few tricks that make it work for gnu systems and bsd systems, but not solaris, which i myself added. And personally i don't like having to edit a file to make something build (yeah i'm also looking at you, mozilla), but both these issues could be fixed by making a 'big' configure as well.

And while we're at it, perhaps we could see whether it is possible to fix the dependency issues; make build does a lot of unnecessary work at the moment, although it may very well not be possible to get it completely right; recursive make and interdependencies are not always good friends.

>> This is indeed a two-schools kind of thing; at least one of my colleagues at
>> Labs does not agree :)
>
> Let's not start a war... adding ./configure to tarballs is a very
> good idea to resolve it pragmatically, I think.
>

oh that's mostly my way of saying this is how I like to do it, but I'm not gonna fight if people disagree. Or at least not hard :)

Jelte

From rickard.bondesson at iis.se Wed Jul 8 07:16:59 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 8 Jul 2009 09:16:59 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <4A53CCAC.3010206@NLnetLabs.nl>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se> <20090707160312.GA23088@phantom.vanrein.org> <4A53C675.9010402@NLnetLabs.nl> <20090707221723.GA27227@phantom.vanrein.org> <4A53CCAC.3010206@NLnetLabs.nl>
Message-ID: <69830D4127201D4EBD146B9041199718E1DF4B@EXCHANGE.office.nic.se>

> yes, although jakob has done some tremendous work on this,
> there is still room for improvement; the big 'do-all'
> makefile currently has a few tricks that make it work for gnu
> systems and bsd systems, but not solaris, which i myself added.
>
> And personally i don't like having to edit a file to make
> something build (yeah i'm also looking at you, mozilla), but
> both these issues could be fixed by making a 'big' configure as well.

Also remember that we should keep the configures for each component, so that each component can get its own package. And the packages will have dependencies between each other. (In the future)

E.g.:

Meta Package OpenDNSSEC: Enforcer, Signer, Auditor, Config
Package Enforcer: libksm, libhsm, Config, ...
Package Signer: libhsm, Config, ...
Package libksm: ...
Package libhsm: ...
Package Auditor: Config, ...
Package Config: ...

sudo apt-get install opendnssec

// Rickard

From rickard.bondesson at iis.se Wed Jul 8 07:05:06 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 8 Jul 2009 09:05:06 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <20090707221723.GA27227@phantom.vanrein.org>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se> <20090707160312.GA23088@phantom.vanrein.org> <4A53C675.9010402@NLnetLabs.nl> <20090707221723.GA27227@phantom.vanrein.org>
Message-ID: <69830D4127201D4EBD146B9041199718E1DF45@EXCHANGE.office.nic.se>

>> What I do on my projects at Labs is to automatically create the
>> configure scripts when building a release tarball (for which I have a
>> makedist.sh script); in releases it is then just a matter of running
>> ./configure && make install.
>>
>> But since configure (and Makefile.in in this case) are generated
>> automatically they should not be in the repository, imho.
>
> Putting it in the release tarballs is good middle grounds.
> Asking people to have automake and such installed is less
> problematic for those who lurk on the Subversion tree than
> for those who download a tarball.

+1

We should have as raw files as possible in the svn (just like it is right now). But when you do 'make dist' (at least for the SoftHSM when creating the tar-ball), you will get the ./configure and Makefile.in included and thereby no need for automake, autoconf, etc.

> Still, good building instructions are needed, as there are
> varieties of doing these things, and (I at least) am usually
> trying things until, somehow, magically, things start to
> build. That's not good enough IM(H)O.

I will add a README.svn for those who build from svn.
From rickard.bondesson at iis.se Wed Jul 8 13:40:42 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 8 Jul 2009 15:40:42 +0200
Subject: [Opendnssec-develop] Telephone meeting 20090710
Message-ID: <69830D4127201D4EBD146B9041199718E1DF89@EXCHANGE.office.nic.se>

Hi

We have a telephone meeting on Friday.

Date: Friday 10 July
Time: 14:00-16:00 CEST

Please update the draft agenda with your topics:
http://trac.opendnssec.org/wiki/Meetings/Agenda/2009-07-10

// Rickard

From rickard.bondesson at iis.se Wed Jul 8 14:18:20 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 8 Jul 2009 16:18:20 +0200
Subject: [Opendnssec-develop] Building SoftHSM RC 1
In-Reply-To: <1E4636828B4AD841900A31378A9FE3CD0125950FED@usemp11.ins.com>
References: <1E4636828B4AD841900A31378A9FE3CD0125950C6C@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DEA7@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1DF1C@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F45@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2B@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950F92@usemp11.ins.com> <69830D4127201D4EBD146B9041199718E1DF2F@EXCHANGE.office.nic.se> <1E4636828B4AD841900A31378A9FE3CD0125950FED@usemp11.ins.com>
Message-ID: <69830D4127201D4EBD146B9041199718E1DF93@EXCHANGE.office.nic.se>

Hi

SoftHSM RC2 has now been released:

http://trac.opendnssec.org/export/1247/releases/libsofthsm/libsofthsm-1.0.0-RC2.tar.gz
http://trac.opendnssec.org/wiki/SoftHSM

// Rickard

From sion at nominet.org.uk Thu Jul 9 07:38:44 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Thu, 9 Jul 2009 08:38:44 +0100
Subject: [Opendnssec-develop] KASP Configuration Documentation
In-Reply-To:
References:
Message-ID:

>> Query: why does require a boolean value whereas opt-out
>> is indicated by the presence or absence of the element?
> > > > good question; I think we should change that to +1 From rickard.bondesson at iis.se Thu Jul 9 08:05:41 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Thu, 9 Jul 2009 10:05:41 +0200 Subject: [Opendnssec-develop] KASP Configuration Documentation In-Reply-To: References: Message-ID: <69830D4127201D4EBD146B9041199718E1DFBD@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > > > Query: why does require a boolean value > whereas opt-out > > > is indicated by the presence or absence of the element? > > > > > > > good question; I think we should change that to > > +1 +1 -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSlWk1eCjgaNTdVjaAQivAgf+NK7KGMxFwHFI3fj8ORMlFdt6eCfofBdK hWsm0tnodRDeW4TlsxChfyY0C3hT3j8swGz/eMZR0Hk5QhgIYLfl8ik1YyMs2hMS fIlkzEwmu3T0KtedwfmWouX0Q+k6jkX29Neyf8Eu2yOhqLDR7xdcvKVVGAeZWtEi n+2ZMd8tre572FHEvY4aowa4U1PE7DfEMUbvfh9n5B/PlG9Rs+WQzKlL2gTVXXab lu1/bZ3GSTYO0TRRx5tFaiw+edxmxNWlT2lhnkCLBn7XZalvf+uAtus4/FD3q1Lw vzLCDtOvRJgz7LEKKmrvWGfwFFs7KKuUjU6GP6FfrR8wycmhaCCZhw== =DCj7 -----END PGP SIGNATURE----- From rickard.bondesson at iis.se Thu Jul 9 08:04:18 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Thu, 9 Jul 2009 10:04:18 +0200 Subject: [Opendnssec-develop] Algorithm Type and NSEC/NSEC3 Message-ID: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi Currently we set the algorithm type in kasp.xml by using 1, 5, or 7 (supported algorithms in OpenDNSSEC). But you can still choose whether to use NSEC or NSEC3. So you can get odd combinations like NSEC but DNSKEY with type 7. Or use algo 7 for KSK and algo 5 for ZSK, which is not allowed (RFC5155). I have a solution: Use the algorithm name in the Algorithm Type field in the kasp.xml like RSAMD5 and RSASHA1. Because when you are creating a signature with a key, you do not need to know if you are using NSEC or NSEC3, right? 
The denial part of kasp.xml is then the only point where you specify whether to use NSEC or NSEC3. And the Signer Engine then has to add 1 plus 1 to be able to create the correct DNSKEY records. NSEC + RSASHA1 = 5. NSEC3 + RSASHA1 = 7. This solution also makes the kasp.xml more readable for the user. A problem comes when an algorithm is not supported by both NSEC and NSEC3 like MD5 or any future algorithm. But that would be solved by the future kasp-validator. // Rickard -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSlWkguCjgaNTdVjaAQiS1wf/Ui3Fj6hlz61EX+JxmPDvopfreVfitJAM hSZKvwXt9I5hvZdNjTqrHEcTMHTPc+hzWvT7+D+e3GW8k4h6QcYN0n/5KLpH0o58 mbl3h0LGXHBKQxw+db/Qwk9HKVqR+U2wydH4RbmQjWEMQ9LvzKJLkcV8afFJQb44 ndPx0FBq49JpwcDJskFqab4bjqG2fBtmCuRDm1zDzIlvQeoppoxD66PvV2vqMtSP 5WvWCVfEtnEojBTwDcU0VcVSZs0FptwAlng+90I0ta60NjM3qBkND62ivZzUoUKH rHHgikGREIKWz2a5qJI3uy5ENHTsZXsvkRErroxpMR+eu/fDe1l6fA== =p0W2 -----END PGP SIGNATURE----- From jakob at kirei.se Thu Jul 9 09:07:20 2009 From: jakob at kirei.se (Jakob Schlyter) Date: Thu, 9 Jul 2009 11:07:20 +0200 Subject: [Opendnssec-develop] Algorithm Type and NSEC/NSEC3 In-Reply-To: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> References: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> Message-ID: <1BD895BB-BE4A-48CA-A07D-B7A718781EF0@kirei.se> No, RSASHA1 is not the algorithm used by nsec3 - it has a different mnemonic. I'll make a couple of examples tonight when I'm working. -- Sent from my iPhone, hence this mail might be briefer than normal. On 9 jul 2009, at 10.04, "Rickard Bondesson" wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Hi > > Currently we set the algorithm type in kasp.xml by using 1, 5, or 7 > (supported algorithms in OpenDNSSEC). But you can still choose > whether to use NSEC or NSEC3. > > So you can get odd combinations like NSEC but DNSKEY with type 7. Or > use algo 7 for KSK and algo 5 for ZSK, which is not allowed (RFC5155). 
> > I have a solution: > Use the algorithm name in the Algorithm Type field in the kasp.xml > like RSAMD5 and RSASHA1. > > Because when you are creating a signature with a key, you do not > need to know if you are using NSEC or NSEC3, right? > > The denial part of kasp.xml is then the only point where you specify > whether to use NSEC or NSEC3. And the Signer Engine then has to add > 1 plus 1 to be able to create the correct DNSKEY records. NSEC + > RSASHA1 = 5. NSEC3 + RSASHA1 = 7. > > This solution also makes the kasp.xml more readable for the user. > > A problem comes when an algorithm is not supported by both NSEC and > NSEC3 like MD5 or any future algorithm. But that would be solved by > the future kasp-validator. > > // Rickard > -----BEGIN PGP SIGNATURE----- > Version: 9.8.3 (Build 4028) > Charset: utf-8 > > wsBVAwUBSlWkguCjgaNTdVjaAQiS1wf/Ui3Fj6hlz61EX+JxmPDvopfreVfitJAM > hSZKvwXt9I5hvZdNjTqrHEcTMHTPc+hzWvT7+D+e3GW8k4h6QcYN0n/5KLpH0o58 > mbl3h0LGXHBKQxw+db/Qwk9HKVqR+U2wydH4RbmQjWEMQ9LvzKJLkcV8afFJQb44 > ndPx0FBq49JpwcDJskFqab4bjqG2fBtmCuRDm1zDzIlvQeoppoxD66PvV2vqMtSP > 5WvWCVfEtnEojBTwDcU0VcVSZs0FptwAlng+90I0ta60NjM3qBkND62ivZzUoUKH > rHHgikGREIKWz2a5qJI3uy5ENHTsZXsvkRErroxpMR+eu/fDe1l6fA== > =p0W2 > -----END PGP SIGNATURE----- > > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop From rickard.bondesson at iis.se Thu Jul 9 09:15:33 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Thu, 9 Jul 2009 11:15:33 +0200 Subject: [Opendnssec-develop] Algorithm Type and NSEC/NSEC3 In-Reply-To: <1BD895BB-BE4A-48CA-A07D-B7A718781EF0@kirei.se> References: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> <1BD895BB-BE4A-48CA-A07D-B7A718781EF0@kirei.se> Message-ID: <69830D4127201D4EBD146B9041199718E1DFD0@EXCHANGE.office.nic.se> > No, RSASHA1 is not the algorithm used by nsec3 - it has a > different 
mnemonic. I'll make a couple of examples tonight > when I'm working. It do use RSASHA1 for signatures, but RSASHA1 is not equal to the type 7. RSASHA1 could be both 5 and 7 depending on the denial. E.g.: Policy/Denial/NSEC + Policy/Keys/KSK/Algorithm(RSASHA1) = Algorithm type 5 for the KSK. Policy/Denial/NSEC + Policy/Keys/ZSK/Algorithm(RSAMD5) = Algorithm type 1 for the ZSK. Or: Policy/Denial/NSEC3 + Policy/Keys/KSK/Algorithm(RSASHA1) = Algorithm type 7 for the KSK. Policy/Denial/NSEC3 + Policy/Keys/ZSK/Algorithm(RSASHA1) = Algorithm type 7 for the ZSK. > -- > Sent from my iPhone, hence this mail might be briefer than normal. > > On 9 jul 2009, at 10.04, "Rickard Bondesson" > wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA256 > > > > Hi > > > > Currently we set the algorithm type in kasp.xml by using 1, 5, or 7 > > (supported algorithms in OpenDNSSEC). But you can still > choose whether > > to use NSEC or NSEC3. > > > > So you can get odd combinations like NSEC but DNSKEY with > type 7. Or > > use algo 7 for KSK and algo 5 for ZSK, which is not allowed > (RFC5155). > > > > I have a solution: > > Use the algorithm name in the Algorithm Type field in the kasp.xml > > like RSAMD5 and RSASHA1. > > > > Because when you are creating a signature with a key, you > do not need > > to know if you are using NSEC or NSEC3, right? > > > > The denial part of kasp.xml is then the only point where > you specify > > whether to use NSEC or NSEC3. And the Signer Engine then has to add > > 1 plus 1 to be able to create the correct DNSKEY records. NSEC + > > RSASHA1 = 5. NSEC3 + RSASHA1 = 7. > > > > This solution also makes the kasp.xml more readable for the user. > > > > A problem comes when an algorithm is not supported by both NSEC and > > NSEC3 like MD5 or any future algorithm. But that would be solved by > > the future kasp-validator. 
> > > > // Rickard > > -----BEGIN PGP SIGNATURE----- > > Version: 9.8.3 (Build 4028) > > Charset: utf-8 > > > > wsBVAwUBSlWkguCjgaNTdVjaAQiS1wf/Ui3Fj6hlz61EX+JxmPDvopfreVfitJAM > > hSZKvwXt9I5hvZdNjTqrHEcTMHTPc+hzWvT7+D+e3GW8k4h6QcYN0n/5KLpH0o58 > > mbl3h0LGXHBKQxw+db/Qwk9HKVqR+U2wydH4RbmQjWEMQ9LvzKJLkcV8afFJQb44 > > ndPx0FBq49JpwcDJskFqab4bjqG2fBtmCuRDm1zDzIlvQeoppoxD66PvV2vqMtSP > > 5WvWCVfEtnEojBTwDcU0VcVSZs0FptwAlng+90I0ta60NjM3qBkND62ivZzUoUKH > > rHHgikGREIKWz2a5qJI3uy5ENHTsZXsvkRErroxpMR+eu/fDe1l6fA== > > =p0W2 > > -----END PGP SIGNATURE----- > > > > _______________________________________________ > > Opendnssec-develop mailing list > > Opendnssec-develop at lists.opendnssec.org > > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop > From jelte at NLnetLabs.nl Thu Jul 9 09:40:52 2009 From: jelte at NLnetLabs.nl (Jelte Jansen) Date: Thu, 09 Jul 2009 11:40:52 +0200 Subject: [Opendnssec-develop] Algorithm Type and NSEC/NSEC3 In-Reply-To: <69830D4127201D4EBD146B9041199718E1DFD0@EXCHANGE.office.nic.se> References: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> <1BD895BB-BE4A-48CA-A07D-B7A718781EF0@kirei.se> <69830D4127201D4EBD146B9041199718E1DFD0@EXCHANGE.office.nic.se> Message-ID: <4A55BB24.8000902@NLnetLabs.nl> Rickard Bondesson wrote: >> No, RSASHA1 is not the algorithm used by nsec3 - it has a >> different mnemonic. I'll make a couple of examples tonight >> when I'm working. > > It do use RSASHA1 for signatures, but RSASHA1 is not equal to the type 7. RSASHA1 could be both 5 and 7 depending on the denial. > > E.g.: > Policy/Denial/NSEC + Policy/Keys/KSK/Algorithm(RSASHA1) = Algorithm type 5 for the KSK. > Policy/Denial/NSEC + Policy/Keys/ZSK/Algorithm(RSAMD5) = Algorithm type 1 for the ZSK. > > Or: > > Policy/Denial/NSEC3 + Policy/Keys/KSK/Algorithm(RSASHA1) = Algorithm type 7 for the KSK. > Policy/Denial/NSEC3 + Policy/Keys/ZSK/Algorithm(RSASHA1) = Algorithm type 7 for the ZSK. 
> Well, the engine could automagically fix the erroneous combination 5+nsec3, but 7+nsec is perfectly valid. But what should the engine do then when an administrator changes the denial value from nsec to nsec3? that would then require a rollover scheme, since the public key would change... it may be more reasonably to error on 1/5+nsec3 Jelte From rickard.bondesson at iis.se Thu Jul 9 10:06:03 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Thu, 9 Jul 2009 12:06:03 +0200 Subject: [Opendnssec-develop] Algorithm Type and NSEC/NSEC3 In-Reply-To: <4A55BB24.8000902@NLnetLabs.nl> References: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> <1BD895BB-BE4A-48CA-A07D-B7A718781EF0@kirei.se> <69830D4127201D4EBD146B9041199718E1DFD0@EXCHANGE.office.nic.se> <4A55BB24.8000902@NLnetLabs.nl> Message-ID: <69830D4127201D4EBD146B9041199718E1DFD6@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Well, the engine could automagically fix the erroneous > combination 5+nsec3, but > 7+nsec is perfectly valid. True since 7 is just an alias for 5. But doesn't the validator then think it should get NSEC3 and not NSEC records? Or could it guess that without the DNSKEY type = 5? > But what should the engine do then when an administrator > changes the denial value from nsec to nsec3? that would then > require a rollover scheme, since the public key would change... > > it may be more reasonably to error on 1/5+nsec3 True. So this is only applyable to the kasp.xml and we should still use the 1,5,7 for the signconf.xml. Because the kasp.xml is only used for new keys. 
And when a key is generated by keygend it get its flag from the current policy and will keep this flag although the policy changes, in the "keypairs" field of the kasp.db // Rickard -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSlXBC+CjgaNTdVjaAQguFwgAncqbKMULKD5EUWKTn+IeKZ3QdH6KFRJg Xp5qTWWRWq04+vitW0OM+UNs6/YkXtiJ3m5jG58ModsKRwaQyRTQOBUWb5F8YxPG k0FsFnCketXS6MFXqjRRAspTDyReueaKtUvB8iFDlTUO/G7ta9UStoWg8a7RHhK/ 4s7Msgg2rEBt3OjWXGszQMBuXcrCb6KSazOMpo1BmuXgrV71gDaUzqB+vLKKayV3 Lzrw3JeVeDMbUdhOCQToiIgr6QaYSM2o9DUvFKgrArmdvZHfziVHEbLwGJco0UGp h/4C5s8aMN40aTgShC4RbojWwc8IH6SKmGIKDzlvRvx5WbE3wdfL7w== =J5rq -----END PGP SIGNATURE----- From patrik.wallstrom at iis.se Thu Jul 9 11:03:32 2009 From: patrik.wallstrom at iis.se (Patrik Wallstrom) Date: Thu, 9 Jul 2009 13:03:32 +0200 Subject: [Opendnssec-develop] parameter issues - policy or zone... Message-ID: Zone and Parent blocks in kasp.xml - shouldn't those be in a configuration for the actual zone since each zone can have different parents and propagation times? BackupDelay in conf.xml - isn't that a policy related parameter? -------------- next part -------------- A non-text attachment was scrubbed... Name: PGP.sig Type: application/pgp-signature Size: 194 bytes Desc: This is a digitally signed message part URL: From Stephen.Morris at nominet.org.uk Thu Jul 9 11:41:37 2009 From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk) Date: Thu, 9 Jul 2009 12:41:37 +0100 Subject: [Opendnssec-develop] parameter issues - policy or zone... In-Reply-To: References: Message-ID: > BackupDelay in conf.xml - isn't that a policy related parameter? No. It represents how frequently you backup the DNSSEC system. The idea is that a key, although generated, is not used until it has been backed up. I see that I've missed some documentation on the other enforcer elements - I'll update that page. Stephen -------------- next part -------------- An HTML attachment was scrubbed... 
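Added example, not OpenDNSSEC code, of the kasp-validator check discussed in the Algorithm Type and NSEC/NSEC3 thread above: it combines the denial type with a signing mnemonic as Rickard proposes, accepts the numeric 1/5/7 values of the current schema, and flags 1/5 with NSEC3 (Jelte's rule) and mixed KSK/ZSK algorithms. The kasp.xml fragments are constructed; only the element paths named in the thread (Policy/Denial/NSEC or NSEC3, Policy/Keys/KSK/Algorithm, Policy/Keys/ZSK/Algorithm) are assumed.

```python
"""Check denial/algorithm combinations in a kasp.xml-style policy.

Added example, not OpenDNSSEC code. The XML structure is assumed from
the element paths named in the mailing-list thread.
"""
import xml.etree.ElementTree as ET

# (denial type, signing mnemonic) -> DNSKEY algorithm number, as listed
# in the thread: NSEC + MD5 = 1, NSEC + RSASHA1 = 5, NSEC3 + RSASHA1 = 7.
ALGORITHM_NUMBER = {
    ("NSEC", "RSAMD5"): 1,
    ("NSEC", "RSASHA1"): 5,
    ("NSEC3", "RSASHA1"): 7,
}

# Algorithm numbers that signal NSEC3 support (the RFC 5155 aliases).
NSEC3_CAPABLE = {6, 7}


def denial_type(policy):
    """Return 'NSEC' or 'NSEC3' depending on which child Denial carries."""
    denial = policy.find("Denial")
    if denial is None:
        raise ValueError("policy has no Denial element")
    if denial.find("NSEC3") is not None:
        return "NSEC3"
    if denial.find("NSEC") is not None:
        return "NSEC"
    raise ValueError("Denial must contain NSEC or NSEC3")


def resolve_algorithm(denial, value):
    """Turn an Algorithm value into a DNSKEY algorithm number.

    Digits are passed through (the current schema); a mnemonic is
    combined with the denial type as proposed in the thread.
    """
    value = value.strip()
    if value.isdigit():
        return int(value)
    try:
        return ALGORITHM_NUMBER[(denial, value.upper())]
    except KeyError:
        raise ValueError(f"{value} is not usable with {denial}") from None


def check_policy(policy_xml):
    """Return a list of problems for one <Policy> element (empty = ok)."""
    policy = ET.fromstring(policy_xml)
    denial = denial_type(policy)
    problems = []
    algorithms = {}
    for role in ("KSK", "ZSK"):
        node = policy.find(f"Keys/{role}/Algorithm")
        if node is None or not (node.text or "").strip():
            problems.append(f"{role}: missing Algorithm")
            continue
        try:
            algorithms[role] = resolve_algorithm(denial, node.text)
        except ValueError as exc:
            problems.append(f"{role}: {exc}")
    # 1/5 together with NSEC3 is an error; 7 with NSEC is accepted.
    for role, number in algorithms.items():
        if denial == "NSEC3" and number not in NSEC3_CAPABLE:
            problems.append(f"{role}: algorithm {number} cannot be used with NSEC3")
    # KSK and ZSK mixing 7 and 5, the RFC 5155 problem raised in the thread.
    if len(algorithms) == 2:
        if (algorithms["KSK"] in NSEC3_CAPABLE) != (algorithms["ZSK"] in NSEC3_CAPABLE):
            problems.append("KSK and ZSK mix NSEC3-capable and NSEC-only algorithms")
    return problems


# Constructed kasp.xml fragments (structure assumed, see module docstring).
POLICY_MIXED = """<Policy name="mixed"><Denial><NSEC3/></Denial>
<Keys><KSK><Algorithm length="2048">7</Algorithm></KSK>
<ZSK><Algorithm length="1024">5</Algorithm></ZSK></Keys></Policy>"""

POLICY_MNEMONIC = """<Policy name="mnemonic"><Denial><NSEC3/></Denial>
<Keys><KSK><Algorithm length="2048">RSASHA1</Algorithm></KSK>
<ZSK><Algorithm length="1024">RSASHA1</Algorithm></ZSK></Keys></Policy>"""

POLICY_NSEC_MD5 = """<Policy name="nsec-md5"><Denial><NSEC/></Denial>
<Keys><KSK><Algorithm length="2048">RSASHA1</Algorithm></KSK>
<ZSK><Algorithm length="1024">RSAMD5</Algorithm></ZSK></Keys></Policy>"""

POLICY_NSEC3_MD5 = """<Policy name="nsec3-md5"><Denial><NSEC3/></Denial>
<Keys><KSK><Algorithm length="2048">RSAMD5</Algorithm></KSK>
<ZSK><Algorithm length="1024">RSASHA1</Algorithm></ZSK></Keys></Policy>"""
```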
URL: From rickard.bondesson at iis.se Thu Jul 9 13:17:58 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Thu, 9 Jul 2009 15:17:58 +0200 Subject: [Opendnssec-develop] Algorithm Type and NSEC/NSEC3 In-Reply-To: <69830D4127201D4EBD146B9041199718E1DFD6@EXCHANGE.office.nic.se> References: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> <1BD895BB-BE4A-48CA-A07D-B7A718781EF0@kirei.se><69830D4127201D4EBD146B9041199718E1DFD0@EXCHANGE.office.nic.se><4A55BB24.8000902@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718E1DFD6@EXCHANGE.office.nic.se> Message-ID: <69830D4127201D4EBD146B9041199718E1E004@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 To summerize my suggestion: Change the meening of Policy/Keys/KSK/Algorithm and Policy/Keys/ZSK/Algorithm from algorithm type (currently 1, 5, and 7) to the algorithm name representing the signing mechanism (e.g. RSASHA1 and RSAMD5 or something similar). So that it does not specify anything about NSEC/NSEC3 in the KASP policy for the key. When a key-pair is assigned to a zone within the Enforcer, it will be get the correct algorithm type according to the denial type in the current policy in combination with the RSASHA1 or RSAMD5. NSEC + MD5 = 1 NSEC + RSASHA1 = 5 NSEC3 + RSASHA1 = 7 The Signer Engine will still get 1, 5, or 7 in the signconf.xml from the communicated. So we should still be able to change policies (e.g. going from NSEC to NSEC3), since the key-pair itself will remember its own algorithm type. So the change is only in kasp.xml (.rnc) and when assigning a key-pair to a zone in the KASP database. To make it easier for the user. 
// Rickard -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSlXuBuCjgaNTdVjaAQg0Ogf+LsMXqvx2yEjUCwlDCvYykaRSn/yUQSJT g29bg0xDivRbs1vbHd0lk49/ykwyprhndzX3pk7g2pRUiTD2ij48pf9+o+piaUvt 0Y0xMrfdtLv4Ml4vxFnVrZCHV6ro9OWuRAhQrPJIfBQ0JfePZnWm+5t5IBczl0Cx aMQAbOT5CQVrUzZYTIf6w2GvA3CYLZ5r3OZoY4JwqFCVQWah/dyPWZpzoRFHWLw8 XulXQ0e/Z+zK0DA9hZyRLCzNVRHKmYErNACoHaf68Pte+NLUKS2yvFLYMSoSWk8B 9Q39vrLGoBzTKcxig+TvyeW+4Wq+54IM2Eew4VLm3Xbi9v6qes0pJA== =sW3z -----END PGP SIGNATURE----- From jakob at kirei.se Thu Jul 9 14:00:10 2009 From: jakob at kirei.se (Jakob Schlyter) Date: Thu, 9 Jul 2009 16:00:10 +0200 Subject: [Opendnssec-develop] Algorithm Type and NSEC/NSEC3 In-Reply-To: <69830D4127201D4EBD146B9041199718E1E004@EXCHANGE.office.nic.se> References: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> <1BD895BB-BE4A-48CA-A07D-B7A718781EF0@kirei.se><69830D4127201D4EBD146B9041199718E1DFD0@EXCHANGE.office.nic.se><4A55BB24.8000902@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718E1DFD6@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1E004@EXCHANGE.office.nic.se> Message-ID: I understand your proposal, but I still believe that using ambigous mnemonics is a bad idea. We may however revisit this issue for a later release, and perhaps use a different set of XML tags at that point. Remember that we are close to release and that features like this will distract us from working code! Jakob - architect on vacation, but still alert -- Sent from my iPhone, hence this mail might be briefer than normal. On 9 jul 2009, at 15.17, "Rickard Bondesson" wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > To summerize my suggestion: > > Change the meening of Policy/Keys/KSK/Algorithm and Policy/Keys/ZSK/ > Algorithm from algorithm type (currently 1, 5, and 7) to the > algorithm name representing the signing mechanism (e.g. RSASHA1 and > RSAMD5 or something similar). 
So that it does not specify anything > about NSEC/NSEC3 in the KASP policy for the key. > > When a key-pair is assigned to a zone within the Enforcer, it will > be get the correct algorithm type according to the denial type in > the current policy in combination with the RSASHA1 or RSAMD5. > > NSEC + MD5 = 1 > NSEC + RSASHA1 = 5 > NSEC3 + RSASHA1 = 7 > > The Signer Engine will still get 1, 5, or 7 in the signconf.xml from > the communicated. So we should still be able to change policies > (e.g. going from NSEC to NSEC3), since the key-pair itself will > remember its own algorithm type. > > So the change is only in kasp.xml (.rnc) and when assigning a key- > pair to a zone in the KASP database. To make it easier for the user. > > // Rickard > -----BEGIN PGP SIGNATURE----- > Version: 9.8.3 (Build 4028) > Charset: utf-8 > > wsBVAwUBSlXuBuCjgaNTdVjaAQg0Ogf+LsMXqvx2yEjUCwlDCvYykaRSn/yUQSJT > g29bg0xDivRbs1vbHd0lk49/ykwyprhndzX3pk7g2pRUiTD2ij48pf9+o+piaUvt > 0Y0xMrfdtLv4Ml4vxFnVrZCHV6ro9OWuRAhQrPJIfBQ0JfePZnWm+5t5IBczl0Cx > aMQAbOT5CQVrUzZYTIf6w2GvA3CYLZ5r3OZoY4JwqFCVQWah/dyPWZpzoRFHWLw8 > XulXQ0e/Z+zK0DA9hZyRLCzNVRHKmYErNACoHaf68Pte+NLUKS2yvFLYMSoSWk8B > 9Q39vrLGoBzTKcxig+TvyeW+4Wq+54IM2Eew4VLm3Xbi9v6qes0pJA== > =sW3z > -----END PGP SIGNATURE----- > > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop From rickard.bondesson at iis.se Thu Jul 9 15:12:05 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Thu, 9 Jul 2009 17:12:05 +0200 Subject: [Opendnssec-develop] Algorithm Type and NSEC/NSEC3 In-Reply-To: References: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> <1BD895BB-BE4A-48CA-A07D-B7A718781EF0@kirei.se><69830D4127201D4EBD146B9041199718E1DFD0@EXCHANGE.office.nic.se><4A55BB24.8000902@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718E1DFD6@EXCHANGE.office.nic.se> 
<69830D4127201D4EBD146B9041199718E1E004@EXCHANGE.office.nic.se> Message-ID: <629A7F31-210E-47BB-A822-4851EE5CD1A6@iis.se> That is why I say "or similar". Want to discuss the issue before putting it to pivotal tracker. To see if more people share my view. 9 jul 2009 kl. 16.01 skrev "Jakob Schlyter" : > I understand your proposal, but I still believe that using ambigous > mnemonics is a bad idea. We may however revisit this issue for a > later release, and perhaps use a different set of XML tags at that > point. Remember that we are close to release and that features like > this will distract us from working code! > > Jakob - architect on vacation, but still alert > > -- > Sent from my iPhone, hence this mail might be briefer than normal. > > On 9 jul 2009, at 15.17, "Rickard Bondesson" > wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA256 >> >> To summerize my suggestion: >> >> Change the meening of Policy/Keys/KSK/Algorithm and Policy/Keys/ZSK/ >> Algorithm from algorithm type (currently 1, 5, and 7) to the >> algorithm name representing the signing mechanism (e.g. RSASHA1 and >> RSAMD5 or something similar). So that it does not specify anything >> about NSEC/NSEC3 in the KASP policy for the key. >> >> When a key-pair is assigned to a zone within the Enforcer, it will >> be get the correct algorithm type according to the denial type in >> the current policy in combination with the RSASHA1 or RSAMD5. >> >> NSEC + MD5 = 1 >> NSEC + RSASHA1 = 5 >> NSEC3 + RSASHA1 = 7 >> >> The Signer Engine will still get 1, 5, or 7 in the signconf.xml >> from the communicated. So we should still be able to change >> policies (e.g. going from NSEC to NSEC3), since the key-pair itself >> will remember its own algorithm type. >> >> So the change is only in kasp.xml (.rnc) and when assigning a key- >> pair to a zone in the KASP database. To make it easier for the user. 
>> >> // Rickard >> -----BEGIN PGP SIGNATURE----- >> Version: 9.8.3 (Build 4028) >> Charset: utf-8 >> >> wsBVAwUBSlXuBuCjgaNTdVjaAQg0Ogf+LsMXqvx2yEjUCwlDCvYykaRSn/yUQSJT >> g29bg0xDivRbs1vbHd0lk49/ykwyprhndzX3pk7g2pRUiTD2ij48pf9+o+piaUvt >> 0Y0xMrfdtLv4Ml4vxFnVrZCHV6ro9OWuRAhQrPJIfBQ0JfePZnWm+5t5IBczl0Cx >> aMQAbOT5CQVrUzZYTIf6w2GvA3CYLZ5r3OZoY4JwqFCVQWah/dyPWZpzoRFHWLw8 >> XulXQ0e/Z+zK0DA9hZyRLCzNVRHKmYErNACoHaf68Pte+NLUKS2yvFLYMSoSWk8B >> 9Q39vrLGoBzTKcxig+TvyeW+4Wq+54IM2Eew4VLm3Xbi9v6qes0pJA== >> =sW3z >> -----END PGP SIGNATURE----- >> >> _______________________________________________ >> Opendnssec-develop mailing list >> Opendnssec-develop at lists.opendnssec.org >> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop From jakob at kirei.se Thu Jul 9 19:01:53 2009 From: jakob at kirei.se (Jakob Schlyter) Date: Thu, 9 Jul 2009 21:01:53 +0200 Subject: [Opendnssec-develop] Algorithm Type and NSEC/NSEC3 In-Reply-To: References: <69830D4127201D4EBD146B9041199718E1DFB9@EXCHANGE.office.nic.se> <1BD895BB-BE4A-48CA-A07D-B7A718781EF0@kirei.se><69830D4127201D4EBD146B9041199718E1DFD0@EXCHANGE.office.nic.se><4A55BB24.8000902@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718E1DFD6@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718E1E004@EXCHANGE.office.nic.se> Message-ID: <65EE56CB-A9C0-48E0-A0BE-F46D4C289DDA@kirei.se> first I'd like to note that the type of the key (in the HSM context) is indeed separate from what type of signatures we choose to create with that key. currently we say that a key is of a type (e.g. 7) which not only indicates that the key is an RSA key, but also that we should do generate SHA1 based signatures and that we are using NSEC3. for post 1.0 releases, we may reconsider this. we could choose to indicate that a key is RSA and add something to the element that indicates that we want to generated SHA1 signatures. if it is NSEC3 or NSEC can be derived from the element. this is much more elaborate, but I believe it is worth considering. 
for the first release we keep the numerical algorithm identifier. we may want to allow mnemonics as described in the IANA registry[1], but I'm not sure about that. the current XML schema only allows integers and if we change that code must be added to both the enforcer and to the signer engine. jakob [1] http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml From jakob at kirei.se Thu Jul 9 19:12:23 2009 From: jakob at kirei.se (Jakob Schlyter) Date: Thu, 9 Jul 2009 21:12:23 +0200 Subject: [Opendnssec-develop] KASP Configuration Documentation In-Reply-To: <69830D4127201D4EBD146B9041199718E1DFBD@EXCHANGE.office.nic.se> References: <69830D4127201D4EBD146B9041199718E1DFBD@EXCHANGE.office.nic.se> Message-ID: On 9 jul 2009, at 10.05, Rickard Bondesson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > >>>> Query: why does require a boolean value >> whereas opt-out >>>> is indicated by the presence or absence of the element? >>>> >>> >>> good question; I think we should change that to >> >> +1 > > +1 schema changed, code not changed. sion; will you update libksm? jakob From sion at nominet.org.uk Fri Jul 10 07:27:58 2009 From: sion at nominet.org.uk (sion at nominet.org.uk) Date: Fri, 10 Jul 2009 08:27:58 +0100 Subject: [Opendnssec-develop] KASP Configuration Documentation In-Reply-To: References: <69830D4127201D4EBD146B9041199718E1DFBD@EXCHANGE.office.nic.se> Message-ID: > >>>> Query: why does require a boolean value > >> whereas opt-out > >>>> is indicated by the presence or absence of the element? > >>>> > >>> > >>> good question; I think we should change that to > >> > >> +1 > > > > +1 > > schema changed, code not changed. > > sion; will you update libksm? 
> > jakob > Done From rickard.bondesson at iis.se Fri Jul 10 14:16:27 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Fri, 10 Jul 2009 16:16:27 +0200 Subject: [Opendnssec-develop] The invitations for the event Message-ID: <69830D4127201D4EBD146B9041199718E1E06E@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > -----Ursprungligt meddelande----- > Fr?n: administrator at iis.se [mailto:administrator at iis.se] > Skickat: den 10 juli 2009 16:11 > Till: Rickard Bondesson > ?mne: > > This E-mail was sent from "RNPB22552" (Aficio MP C3000). > > Scan Date: 10.07.2009 16:11:02 (+0200) > Queries to: administrator at iis.se > -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSldNO+CjgaNTdVjaAQi0Agf/dYNUB2qRp6bUgHLHDB+Zw8UbMh+1Cl5r EndMkLQDOhVWl2i3L0SP8eiHDke93+hHtC3SYkezZpZFm9Aes3kICzDshYBGuJES ZASIoDNW4EH8YR+hBZm56waPpttuhyhf/RRePanRL/j3F+EvXiL4UglB3Q8O6xvM YCqlQv6Ic8Ekrhptb64ROX7B7p+m0eQSEBFq1fhdgMWg7fZubXGtihIvUYzjWOWQ Ws2IInoEV1G2zdRshzzDmwKEez8ADVkW8QJAYUHGZjL6W2dRN8rNnOY2MLRJbqGs zzn1J/xQW/Ieskuk51jGjJVpNaNMNGHAZcIY2OxuHD6zspvhyvcWpQ== =UErV -----END PGP SIGNATURE----- -------------- next part -------------- A non-text attachment was scrubbed... Name: 20090710161103061.pdf Type: application/pdf Size: 149274 bytes Desc: 20090710161103061.pdf URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 20090710161103061.pdf.sig Type: application/octet-stream Size: 486 bytes Desc: not available URL: From matthijs at NLnetLabs.nl Fri Jul 10 14:26:46 2009 From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Fri, 10 Jul 2009 16:26:46 +0200 Subject: [Opendnssec-develop] minutes meeting 10 july Message-ID: <4A574FA6.9000304@nlnetlabs.nl> Here are the minutes for the meeting today. I bound to have miss something, so please read them :) Best regards, Matthijs -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... 
Name: odd-minutes-20090710.txt URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 552 bytes Desc: OpenPGP digital signature URL: From jelte at NLnetLabs.nl Fri Jul 10 16:38:48 2009 From: jelte at NLnetLabs.nl (Jelte Jansen) Date: Fri, 10 Jul 2009 18:38:48 +0200 Subject: [Opendnssec-develop] svn repos http front Message-ID: <4A576E98.2080407@NLnetLabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I don't usually use it, but the svn http frontend seems broken: jelte at dragon:/tmp> svn co http://trac.opendnssec.org/browser/trunk/ svn: XML data was not well-formed Is there anyone besides Jakob who has the access rights to fix this? :) Jelte -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkpXbpUACgkQ4nZCKsdOncUZ4wCaAyVPSptPZkd/B/8a0HEk3h2X 0f4AoJmox0GXQFDVmTpm8K3JArRXhjbG =rgF5 -----END PGP SIGNATURE----- From jakob at kirei.se Fri Jul 10 16:59:49 2009 From: jakob at kirei.se (Jakob Schlyter) Date: Fri, 10 Jul 2009 18:59:49 +0200 Subject: [Opendnssec-develop] svn repos http front In-Reply-To: <4A576E98.2080407@NLnetLabs.nl> References: <4A576E98.2080407@NLnetLabs.nl> Message-ID: <200C4314-995C-4371-8145-75E90F3A51A9@kirei.se> That is not the repo - that's the web ui. The repo is at svn.opendnssec.org/trunk -- Sent from my iPhone, hence this mail might be briefer than normal. On 10 jul 2009, at 18.38, Jelte Jansen wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > Hi, > > I don't usually use it, but the svn http frontend seems broken: > > jelte at dragon:/tmp> svn co http://trac.opendnssec.org/browser/trunk/ > svn: XML data was not well-formed > > Is there anyone besides Jakob who has the access rights to fix > this? 
:) > > Jelte > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iEYEARECAAYFAkpXbpUACgkQ4nZCKsdOncUZ4wCaAyVPSptPZkd/B/8a0HEk3h2X > 0f4AoJmox0GXQFDVmTpm8K3JArRXhjbG > =rgF5 > -----END PGP SIGNATURE----- > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop > From jakob at kirei.se Sun Jul 12 09:51:10 2009 From: jakob at kirei.se (Jakob Schlyter) Date: Sun, 12 Jul 2009 11:51:10 +0200 Subject: [Opendnssec-develop] KSK Rollovers In-Reply-To: References: Message-ID: <509522F0-1D27-4BAD-860A-757158519A76@kirei.se> my idea is that we at some point write a program that given a zonelist compares the DNSKEYs at the child with the DS at each zone's parent, and report back. or it could take action to make sure they are in sync (using the appropriate child to registrar protocol). IMHO, writing such a program (reporting only) should be doable i about 3 points and I think we should consider writing one before 1.0. jakob From rickard.bondesson at iis.se Mon Jul 13 07:24:09 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Mon, 13 Jul 2009 09:24:09 +0200 Subject: [Opendnssec-develop] The invitations for the event In-Reply-To: <69830D4127201D4EBD146B9041199718E1E06E@EXCHANGE.office.nic.se> References: <69830D4127201D4EBD146B9041199718E1E06E@EXCHANGE.office.nic.se> Message-ID: <69830D4127201D4EBD146B9041199718E1E085@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Please send me the names of those we should invite: Name, email, organization You can also add them directly to the google docs, if you have a google account (send me your google account and I will give you access). 
// Rickard -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSlrhGeCjgaNTdVjaAQjpZQgAg2IXN85o1X3uzOc12Sfzi/l2QXRd/8Lr 86MA+7In6TEmwJjEx+F1QHu3ECsTJtqGP31Y2S4m5ZRvi/lVUdHYVBOVyJm95zA+ AcPNuFZfHJtnzinFAaTtCgf8+E/6KoEwqZJwS7w5Yw4KlZRlybr//mYEJQejd+xp DV0AtkvtsLyLWOqyyYjExqdZZu6Jr6Wpjrw0h8UgnAusImXJa0NVGunwduuqY1c/ niBkDoHQS0CIey2v484qQ4bgdp79EH8GyJO1Mtlznl0yR5Zj9R41cRAvFIo92hV7 wmjfghqMHoPoOENcgrBPvHQhXI0/oh73DxuDJio9mNtF/HdAdw+egQ== =gmEf -----END PGP SIGNATURE----- From rickard.bondesson at iis.se Mon Jul 13 08:36:40 2009 From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Mon, 13 Jul 2009 10:36:40 +0200 Subject: [Opendnssec-develop] Release management Message-ID: <69830D4127201D4EBD146B9041199718E1E08E@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi As promised during the last meeting, I here send how I do a release of SoftHSM. http://trac.opendnssec.org/wiki/ProjectPlan/ReleaseManagement Please try to make a tarball of your components and see if it can be done. 
// Rickard -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSlryGOCjgaNTdVjaAQi6PQf/Q+DKFKVJ53DmfwTn+BL95txhjaOnaK8m SkGIBnCn9E8tofBxSicvSxh0MqTZLh7iy21zaTttc2oz3mB8/2ho0nlB1XHeXwPZ 2Iwg8/0KlFzYjRSgurE/32x7dhvY22zmnQ0QHbMjksUORA8w0noBuyge+hig6Xq/ mwa1YmvwsCeznfr4jysZtFocSerzFjADhlL+G2s03v37RCLSveLhExwgHnRHvhRy rLrwrQqt9TNx9OI9zlBPzBqf9Q17yshsxjPsE4MBIpdORQhXpoT6s4GIW0WQQuls TE6lF/NZ/sTWeyzyVD3sto0IGbfJ6KpBoMQmi4oeoNeiAnNTo1W1cg== =P++i -----END PGP SIGNATURE----- From Antoin.Verschuren at sidn.nl Mon Jul 13 09:57:36 2009 From: Antoin.Verschuren at sidn.nl (Antoin Verschuren) Date: Mon, 13 Jul 2009 11:57:36 +0200 Subject: [Opendnssec-develop] KSK Rollovers References: <509522F0-1D27-4BAD-860A-757158519A76@kirei.se> Message-ID: <850A39016FA57A4887C0AA3C8085F949F02DF3@KAEVS1.SIDN.local> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 While I'm generaly in favour of such a mechanism, I often wonder who's responsibility it is that a chain of trust is still intact. I would like to consider the impact on the operation on this. So first question is: Should a parent check if a DS that is presented to him over a secure channel is the same as in a child zone before entering it into the parent zone, or is that the responsibility of the child ? (bogus in bogus out). What are the arguments for or against this. (Many parents don't do pre-delegation checks. What does DNSSEC change?) Second: If childs frequently check the DS at the parent zone, this could have quite an impact on the parent zone with many childs. Isn't a better mechanism that the parent check their DS against the DNSKEY of the child zone and report about that ? 
(queries are spread out over more zones and servers)

Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl xmpp:antoin at jabber.sidn.nl http://www.sidn.nl/

> -----Original Message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of Jakob Schlyter
> Sent: Sunday, July 12, 2009 11:51 AM
> To: Stephen.Morris at nominet.org.uk
> Cc: Opendnssec-develop at lists.opendnssec.org
> Subject: Re: [Opendnssec-develop] KSK Rollovers
>
> my idea is that we at some point write a program that given a zonelist
> compares the DNSKEYs at the child with the DS at each zone's parent,
> and report back. or it could take action to make sure they are in sync
> (using the appropriate child to registrar protocol).
>
> IMHO, writing such a program (reporting only) should be doable in about
> 3 points and I think we should consider writing one before 1.0.
>
> jakob
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From jakob at kirei.se Mon Jul 13 17:55:05 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 13 Jul 2009 19:55:05 +0200
Subject: [Opendnssec-develop] KSK Rollovers
In-Reply-To: <850A39016FA57A4887C0AA3C8085F949F02DF3@KAEVS1.SIDN.local>
References: <509522F0-1D27-4BAD-860A-757158519A76@kirei.se> <850A39016FA57A4887C0AA3C8085F949F02DF3@KAEVS1.SIDN.local>
Message-ID: <03073E1B-F6BF-4F73-A086-C6CC1F1033A3@kirei.se>

On 13 jul 2009, at 11.57, Antoin Verschuren wrote:

> Should a parent check if a DS that is presented to him over a secure
> channel is the same as in a child zone before entering it into the
> parent zone, or is that the responsibility of the child? (bogus in,
> bogus out).

I think it is the responsibility of the child, since the child may want to prepublish fingerprints at the parent.

> If children frequently check the DS at the parent zone, this could
> have quite an impact on the parent zone with many children. Isn't a
> better mechanism that the parent checks their DS against the DNSKEY
> of the child zone and reports about that? (queries are spread out
> over more zones and servers)

since the DS is included in every NS response from the parent, I believe that the impact of the child's own checks is a non-issue.
I envision the child to query the parent once every day or so, that should be enough and not even measurable compared to the normal query load.

jakob

From jelte at NLnetLabs.nl Tue Jul 14 08:56:41 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 14 Jul 2009 10:56:41 +0200
Subject: [Opendnssec-develop] engine config for auditing
Message-ID: <4A5C4849.8080202@NLnetLabs.nl>

Hi,

since the auditor tool might be a bit cpu-intensive, administrators may wish to turn off automatic auditing after sign, so I'd like to make it configurable whether the auditor is called at all. Now originally I was thinking to just make a single element in conf.xml. But now I'm wondering; do we want to do this on a per-zone basis (and therefore put it in zonelist)?

Jelte

From Alexd at nominet.org.uk Tue Jul 14 09:06:24 2009
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Tue, 14 Jul 2009 10:06:24 +0100
Subject: [Opendnssec-develop] engine config for auditing
In-Reply-To: <4A5C4849.8080202@NLnetLabs.nl>
References: <4A5C4849.8080202@NLnetLabs.nl>
Message-ID:

Hi -

> since the auditor tool might be a bit cpu-intensive, administrators
> may wish to turn off automatic auditing after sign, so I'd like to
> make it configurable whether the auditor is called at all. Now
> originally I was thinking to just make a single element in conf.xml.
> But now I'm wondering; do we want to do this on a per-zone basis
> (and therefore put it in zonelist)?

I think it should be configurable on a per-zone basis. Configuration options could include:

a) turn auditor off completely for the zone (would like to keep this as a last resort)
b) configure percentage of records which should be checked (ideally splitting out different checks, such as RRSIG checks)
c) an upper limit of the time spent auditing the zone - simply audit as much as can be done in the given time

I hope to have some suggestions for sensible options for b) in the next day or so.
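The child-side check Jakob describes in the KSK Rollovers thread above (derive DS records from the child's DNSKEY RRset, compare them with the DS set the parent publishes, and report), as an added Python example that is not OpenDNSSEC code. The records are constructed for the example and the public keys are placeholder bytes rather than real RSA keys; the DS derivation and key tag follow RFC 4034 section 5 and Appendix B.

```python
"""Added example (not OpenDNSSEC code): compare a child zone's DNSKEY RRset
with the DS records published at its parent (RFC 4034 section 5, Appendix B).
All records are constructed; public keys are placeholder bytes, not real keys."""
import base64
import hashlib
from dataclasses import dataclass

DIGEST_ALGS = {1: "sha1", 2: "sha256"}   # DS digest types (RFC 4034, RFC 4509)
SEP_FLAG = 0x0001                         # Secure Entry Point bit: KSKs use flags 257


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str                           # lowercase hex


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        """Wire-form RDATA: flags (2 bytes), protocol, algorithm, public key."""
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm]) + self.pubkey)

    def is_ksk(self) -> bool:
        return bool(self.flags & SEP_FLAG)


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(key: DNSKEY, digest_type: int) -> DS:
    """DS derived from a DNSKEY: digest over canonical owner name + DNSKEY RDATA."""
    rdata = key.rdata()
    h = hashlib.new(DIGEST_ALGS[digest_type])
    h.update(owner_wire(key.owner) + rdata)
    return DS(key_tag(rdata), key.algorithm, digest_type, h.hexdigest())


def parse_dnskey(line: str) -> DNSKEY:
    """Parse presentation format 'owner TTL IN DNSKEY flags proto alg base64...'."""
    f = line.split()
    i = f.index("DNSKEY")
    return DNSKEY(f[0], int(f[i + 1]), int(f[i + 2]), int(f[i + 3]),
                  base64.b64decode("".join(f[i + 4:])))


def parse_ds(line: str) -> DS:
    """Parse presentation format 'owner TTL IN DS keytag alg digesttype hex...'."""
    f = line.split()
    i = f.index("DS")
    return DS(int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).lower())


def check_delegation(child_keys, parent_ds):
    """Return (in_sync, stale, unpublished): parent DS records matching a child
    key, parent DS records matching no child key (an unknown digest type counts
    as no match), and key tags of child KSKs that have no DS at the parent yet."""
    in_sync, stale, covered = [], [], set()
    for ds in parent_ds:
        match = next((k for k in child_keys if ds.digest_type in DIGEST_ALGS
                      and ds_from_dnskey(k, ds.digest_type) == ds), None)
        if match is None:
            stale.append(ds)
        else:
            in_sync.append(ds)
            covered.add(ds.key_tag)
    unpublished = sorted(key_tag(k.rdata()) for k in child_keys
                         if k.is_ksk() and key_tag(k.rdata()) not in covered)
    return in_sync, stale, unpublished


def demo():
    """Constructed sample: two KSKs and a ZSK at the child, two DS at the parent."""
    child = [parse_dnskey(l) for l in (
        "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",    # KSK, key tag 2063
        "example.com. 3600 IN DNSKEY 257 3 8 BQYHCA==",    # prepublished KSK, tag 4119
        "example.com. 3600 IN DNSKEY 256 3 8 CQoLDA==",    # ZSK, never needs a DS
    )]
    good = ds_from_dnskey(child[0], 2)                    # the DS the parent should hold
    parent = [parse_ds(l) for l in (
        f"example.com. 86400 IN DS {good.key_tag} 8 2 {good.digest.upper()}",
        "example.com. 86400 IN DS 12345 8 2 " + "00" * 32,  # stale DS: matches no key
    )]
    return check_delegation(child, parent)
```

Running `demo()` reports the first KSK's DS as in sync, the all-zero DS as stale at the parent, and key tag 4119 as a KSK still waiting for its DS to be published.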
Given that these options only affect the auditor, they could be left unfrozen for another couple of days without adverse effect on other components.

Thanks,

Alex.

From jakob at kirei.se Tue Jul 14 10:48:08 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 14 Jul 2009 12:48:08 +0200
Subject: [Opendnssec-develop] engine config for auditing
In-Reply-To: <4A5C4849.8080202@NLnetLabs.nl>
References: <4A5C4849.8080202@NLnetLabs.nl>
Message-ID: <4CD1AD51-9DEB-443B-B1B0-57CD6A166853@kirei.se>

On 14 jul 2009, at 10.56, Jelte Jansen wrote:

> since the auditor tool might be a bit cpu-intensive, administrators
> may wish to turn off automatic auditing after sign, so I'd like to
> make it configurable whether the auditor is called at all. Now
> originally I was thinking to just make a single element in conf.xml.
> But now I'm wondering; do we want to do this on a per-zone basis
> (and therefore put it in zonelist)?

as the policy is given by KASP, it makes sense to me to also configure auditing of the same policy via KASP.

I do however suggest we push this into the beta-release for now.

jakob

--
Jakob Schlyter
Kirei AB - http://www.kirei.se/

From jelte at NLnetLabs.nl Tue Jul 14 10:54:20 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 14 Jul 2009 12:54:20 +0200
Subject: [Opendnssec-develop] engine config for auditing
In-Reply-To: <4CD1AD51-9DEB-443B-B1B0-57CD6A166853@kirei.se>
References: <4A5C4849.8080202@NLnetLabs.nl> <4CD1AD51-9DEB-443B-B1B0-57CD6A166853@kirei.se>
Message-ID: <4A5C63DC.30708@NLnetLabs.nl>

Jakob Schlyter wrote:
> On 14 jul 2009, at 10.56, Jelte Jansen wrote:
>
>> since the auditor tool might be a bit cpu-intensive, administrators
>> may wish to turn off automatic auditing after sign, so I'd like to
>> make it configurable whether the auditor is called at all. Now
>> originally I was thinking to just make a single element in conf.xml.
>> But now I'm wondering; do we want to do this on a per-zone basis (and
>> therefore put it in zonelist)?
>
> as the policy is given by KASP, it makes sense to me to also configure
> auditing of the same policy via KASP.
> I do however suggest we push this into the beta-release for now.
>

putting it in zone_config.xml would be most logical (for now I read it from zonelist.xml, but it's not a hard change). But wasn't automatic auditing one of the hard requirements for alpha?

Jelte

From jakob at kirei.se Tue Jul 14 11:00:10 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 14 Jul 2009 13:00:10 +0200
Subject: [Opendnssec-develop] engine config for auditing
In-Reply-To: <4A5C63DC.30708@NLnetLabs.nl>
References: <4A5C4849.8080202@NLnetLabs.nl> <4CD1AD51-9DEB-443B-B1B0-57CD6A166853@kirei.se> <4A5C63DC.30708@NLnetLabs.nl>
Message-ID: <51F448FC-3EDC-490C-BF3E-F3DAD2269D62@kirei.se>

On 14 jul 2009, at 12.54, Jelte Jansen wrote:

> putting it in zone_config.xml would be most logical (for now I read
> it from zonelist.xml, but it's not a hard change).

logical for whom? not from an auditing/security policy perspective. when a given policy is set you also - as part of the policy - specify how it should be audited. so per design, IMHO, that's where the auditing configuration should be.

> But wasn't automatic auditing one of the hard requirements for alpha?

true. I say we do it in the kasp for now and let that propagate into the signconf in cases where the signer is asked to request an audit. ok?
--
Jakob Schlyter
Kirei AB - http://www.kirei.se/

From jelte at NLnetLabs.nl Tue Jul 14 11:01:43 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 14 Jul 2009 13:01:43 +0200
Subject: [Opendnssec-develop] engine config for auditing
In-Reply-To: <4A5C6534.4050601@NLnetLabs.nl>
References: <4A5C4849.8080202@NLnetLabs.nl> <4CD1AD51-9DEB-443B-B1B0-57CD6A166853@kirei.se> <4A5C63DC.30708@NLnetLabs.nl> <51F448FC-3EDC-490C-BF3E-F3DAD2269D62@kirei.se> <4A5C6534.4050601@NLnetLabs.nl>
Message-ID: <4A5C6597.5040402@NLnetLabs.nl>

(resend, forgot -to-all when pressing reply)

Jakob Schlyter wrote:
> On 14 jul 2009, at 12.54, Jelte Jansen wrote:
>
>> putting it in zone_config.xml would be most logical (for now I read
>> it from zonelist.xml, but it's not a hard change).
>
> logical for whom? not from an auditing/security policy perspective.
> when a given policy is set you also - as part of the policy - specify
> how it should be audited. so per design, IMHO, that's where the
> auditing configuration should be.
>
>> But wasn't automatic auditing one of the hard requirements for alpha?
>
> true. I say we do it in the kasp for now and let that propagate
> into the signconf in cases where the signer is asked to request an
> audit. ok?
>

sorry, I'm only talking from the point of view of the engine, so how the kasp knows whether to put in the config was not considered yet in my message. So we seem to agree :)

From Jonathan.Stanton at cit.coop Wed Jul 15 11:18:56 2009
From: Jonathan.Stanton at cit.coop (Jonathan Stanton)
Date: Wed, 15 Jul 2009 12:18:56 +0100
Subject: [Opendnssec-develop] Couple of comments
Message-ID: <584B0C4A9BE2D94E99D4003D446B066401641F43@coop-exchange.coop.local>

Hello there,

I have found a couple of issues with the latest trunk version. Just for your info :)

1) When within the CLI if you issue a "zones" command and you have multiple zone files then a needs issuing after the date bit.
cmd> zones
name: doilooklikeicare.com last config file read: Nonename: myotherdomainisfunnier.com last config file read: 2009-07-15 11:35:49.661535

2) I was getting the following error which was fixed when I removed the "NotifyCommand" tag from conf.xml. This used to work in previous versions (2 weeks ago). If this functionality is not now an option how can I run a process after a signing has occurred? Has this moved to the zone config so it can be done on a per zone basis?

/etc/opendnssec/conf.xml:33: element NotifyCommand: Relax-NG validity error : Did not expect element NotifyCommand there

/var/opendnssec/tmp /etc/opendnssec/zonelist.xml /usr/local/libexec/opendnssec 8 rndc reload 1

When I run "ksmutil update" I get a Seg Fault

SQLite database set to: /var/opendnssec/kasp.db
Repository softHSM found
Capacity set to .
zonelist filename set to /etc/opendnssec/zonelist.xml.
Policy default found
Segmentation fault

The logfile /var/log/message has the following entry.

Jul 15 13:06:04 opensndsec1 kernel: [ 6076.619766] ksmutil[22567]: segfault at 2 ip b7f69353 sp bf892980 error 6 in libksm.so.0.0.0[b7f5a000+11000]

Many thanks for this great project.

Jonathan
From sion at nominet.org.uk Wed Jul 15 11:29:37 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Wed, 15 Jul 2009 12:29:37 +0100
Subject: [Opendnssec-develop] Couple of comments
In-Reply-To: <584B0C4A9BE2D94E99D4003D446B066401641F43@coop-exchange.coop.local>
References: <584B0C4A9BE2D94E99D4003D446B066401641F43@coop-exchange.coop.local>
Message-ID:

Hi there,

I can't comment so much on the signer stuff, but I might know something about the ksmutil issue...

> When I run "ksmutil update"
> I get a Seg Fault
>
> SQLite database set to: /var/opendnssec/kasp.db
> Repository softHSM found
> Capacity set to .
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Policy default found
> Segmentation fault
>
> The logfile /var/log/message has the following entry.
> Jul 15 13:06:04 opensndsec1 kernel: [ 6076.619766] ksmutil[22567]:
> segfault at 2 ip b7f69353 sp bf892980 error 6 in
> libksm.so.0.0.0[b7f5a000+11000]

Is this running on solaris? I have a fix for an issue that looks just like this, which I shall hopefully check in to subversion today (I'll drop you an email when I do). If you are not running on solaris could you let me know what OS you are running and what version of libXML2 you have installed?
Thank you

Sion Lloyd

From Greg.Rabil at ins.com Wed Jul 15 22:20:28 2009
From: Greg.Rabil at ins.com (Greg.Rabil at ins.com)
Date: Wed, 15 Jul 2009 17:20:28 -0500
Subject: [Opendnssec-develop] SoftHSM with BIND dnssec-key* utilities
Message-ID: <1E4636828B4AD841900A31378A9FE3CD0125B52C95@usemp11.ins.com>

Hello again DNSSEC wizards,

First, I would again like to thank those who helped me get the latest SoftHSM installed on my test box. FWIW, I believe it is acceptable that folks building from the SVN trunk must have the autoconf/automake/libtools installed. Of course, since the RC2 release has been made available, these tools are not necessary to configure/make/install, since they are included in the tar bundle.

I'm now hoping to test the storage of actual DNSSEC keys in the SoftHSM, and of course, use those keys to sign zones. I am not a security engineer, and unfortunately, I don't have access to much in the way of expertise in the security (specifically OpenSSL) area. I'm honestly still struggling with the difference between a PKCS11 *engine* and a PKCS11 *module* and where OpenCryptoki fits into the mix (if at all). I would gladly welcome any links, references, etc that I should read to help me understand this space better.
My test box is RHEL5, and I've now installed the following software on this box:

- Botan 1.6.2
- SQLite 3.6.16
- SoftHSM 1.0.0-RC2
- Libp11 (from OpenSC)
- Engine_pkcs11 (from OpenSC)
- OpenCryptoki 2.2.7
- BIND 9.6.1 (./configure --with-openssl=/usr/local/ssl --with-pkcs11)

The contents of my /usr/local/etc/softhsm.conf file looks as follows:

    # softHSM configuration file
    #
    0:/var/softhsm/slot0.db

I've initialized a token in slot0 with the following command:

    softhsm --init-token --slot 0 --label "Test token 1"

(with SO and user password 'foobar')

I've added the following to the end of my openssl.cnf file:

    openssl_conf = openssl_def

    [openssl_def]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    #dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
    SO_PATH = /usr/local/lib/engines/engine_pkcs11.so
    MODULE_PATH = /usr/local/lib/libsofthsm.so
    PIN = foobar
    init = 0

This is where I get lost. I'm really not sure if the MODULE_PATH should point to the libsofthsm shared library? If not, what should this be?

I'm further confused by the README.pkcs11 file that accompanies BIND 9.6.1, which states the following:

    OpenSSL Engines

    With PKCS#11 support the PKCS#11 engine is statically loaded but at its
    initialization it dynamically loads the PKCS#11 objects.
    Even the pre commands are therefore unused they are defined with:
      SO_PATH:
        define: PKCS11_SO_PATH
        default: /usr/local/lib/engines/engine_pkcs11.so
      MODULE_PATH:
        define: PKCS11_MODULE_PATH
        default: /usr/lib/libpkcs11.so
    Without PKCS#11 support, a specific OpenSSL engine can be still used
    by defining ENGINE_ID at compile time.

I read this several times, and I'm still not sure if I understand it. However, I *think* that this means that the values in my openssl.cnf file don't apply to BIND and the associated BIND tools, because the PKCS#11 engine is statically linked?
In any case, only the SO_PATH is consistently set to the 'engine_pkcs11.so' library, where all of the examples I've seen have different values for the MODULE_PATH, which I thought should be the libsofthsm.so?

Also, the 'contrib/pkcs11' folder of the BIND distribution includes "a set of utilities that when used together create rsa keys in a PKCS11 keystore". Do I need to use these tools to store keys in the SoftHSM? If not how do I actually generate keys and put them into the SoftHSM? I see here http://trac.opendnssec.org/wiki/SoftHSM/Install how to *import* keys from a .pem file format, but shouldn't I be able to just generate keys and store them directly?

Finally, whenever I try to run the BIND tools dnssec-keyfromlabel or dnssec-keygen, I get the following error:

    ./dnssec-keyfromlabel -a RSASHA1 -l foobar joe
    dst_api.c:209: fatal error: RUNTIME_CHECK(dst_initialized == isc_boolean_true) failed
    Aborted

I don't know what the source of this problem is. Perhaps it is just that my binaries are not correct, but I suspect that I don't have something configured/aligned correctly, and that is what generates the error.

I guess I'm hoping that the folks on this mailing list have pieced all these things together somewhere along the way, and actually signed zones using keys in the SoftHSM. I'd like to get to the same point, and I would greatly appreciate any pointers that you can provide. I'm perfectly okay with a response like "go read these pages/books/links and then come back with any questions". Clearly, I am a newbie at all of this, so please be gentle ;-)

Best regards,
Greg Rabil

A. Gregory Rabil | Lead Software Architect | BT Diamond IP | Tel: +1 (610) 423-4770 | Fax: +1 (610) 423-4774 | Greg.Rabil at bt.com | http://bt.diamondip.com
From rickard.bondesson at iis.se Thu Jul 16 07:51:46 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Thu, 16 Jul 2009 09:51:46 +0200
Subject: [Opendnssec-develop] SoftHSM with BIND dnssec-key* utilities
In-Reply-To: <1E4636828B4AD841900A31378A9FE3CD0125B52C95@usemp11.ins.com>
References: <1E4636828B4AD841900A31378A9FE3CD0125B52C95@usemp11.ins.com>
Message-ID: <69830D4127201D4EBD146B9041199718E1E1A8@EXCHANGE.office.nic.se>

> Hello again DNSSEC wizards,

Hi Greg

> I am not a security engineer, and unfortunately, I don't have
> access to much in the way of expertise in the security
> (specifically OpenSSL) area. I'm honestly still struggling
> with the difference between a PKCS11 *engine* and a PKCS11
> *module* and where OpenCryptoki fits into the mix (if at
> all). I would gladly welcome any links, references, etc that
> I should read to help me understand this space better.

An engine can provide OpenSSL with cryptographic functionality. So that you can switch the engine in "your car" for a faster one. A PKCS#11 engine then provides OpenSSL the cryptographic operations via an HSM.
A PKCS#11 module is the library that your application links against, so you can talk to the HSM.

OpenSSL -> Engine -> Module -> HSM

OpenCryptoki should not be confused with Cryptoki, which is the name of the PKCS#11 API. OpenCryptoki is an open source software, a PKCS#11 module, that can provide a PKCS#11 interface for different HSMs (not everyone has its own complete PKCS#11 module), e.g. IBM cryptographic hardware, Sun SCA600, and a soft token for testing.

Info from OpenDNSSEC
http://trac.opendnssec.org/wiki/HSM
http://trac.opendnssec.org/wiki/PKCS11

Wikipedia summary
http://en.wikipedia.org/wiki/PKCS11

PKCS#11 Documentation
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-11/v2-20/pkcs-11v2-20a3.pdf

Engine PKCS#11
http://www.opensc-project.org/engine_pkcs11/

> # softHSM configuration file
> #
> 0:/var/softhsm/slot0.db
>
> I've initialized a token in slot0 with the following command:
>
> softhsm --init-token --slot 0 --label "Test token 1" (with
> SO and user password 'foobar')

Looks ok.

> I've added the following to the end of my openssl.cnf file:
>
> openssl_conf = openssl_def
>
> [openssl_def]
> engines = engine_section
>
> [engine_section]
> pkcs11 = pkcs11_section
>
> [pkcs11_section]
> engine_id = pkcs11
> #dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
> SO_PATH = /usr/local/lib/engines/engine_pkcs11.so
> MODULE_PATH = /usr/local/lib/libsofthsm.so
> PIN = foobar
> init = 0
>
> This is where I get lost. I'm really not sure if the
> MODULE_PATH should point to the libsofthsm shared library?
> If not, what should this be?

I have tried with:

dynamic_path = /usr/local/lib/engines/engine_pkcs11.so

And not the SO_PATH, but got it working with OpenSSL.
Yeah, MODULE_PATH should point to libsofthsm.so

You can read more on:
http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart

> I'm further confused by the README.pkcs11 file that
> accompanies BIND 9.6.1, which states the following:
>
> OpenSSL Engines
>
> With PKCS#11 support the PKCS#11 engine is statically loaded
> but at its initialization it dynamically loads the PKCS#11 objects.
> Even the pre commands are therefore unused they are defined with:
> SO_PATH:
> define: PKCS11_SO_PATH
> default: /usr/local/lib/engines/engine_pkcs11.so
> MODULE_PATH:
> define: PKCS11_MODULE_PATH
> default: /usr/lib/libpkcs11.so
> Without PKCS#11 support, a specific OpenSSL engine can be still used
> by defining ENGINE_ID at compile time.
>
> I read this several times, and I'm still not sure if I
> understand it. However, I *think* that this means that the
> values in my openssl.cnf file don't apply to BIND and the
> associated BIND tools, because the PKCS#11 engine is
> statically linked? In any case, only the SO_PATH is
> consistently set to the 'engine_pkcs11.so' library, where all
> of the examples I've seen have different values for the
> MODULE_PATH, which I thought should be the libsofthsm.so?

I think they mean that the engine is statically loaded (because they are using SO_PATH), but the module is dynamically loaded on the fly.

Yeah, module path is the location of the PKCS#11 module you want to use.

> Also, the 'contrib/pkcs11' folder of the BIND distribution
> includes "a set of utilities that when used together create
> rsa keys in a PKCS11 keystore". Do I need to use these tools
> to store keys in the SoftHSM? If not how do I actually
> generate keys and put them into the SoftHSM? I see here
> http://trac.opendnssec.org/wiki/SoftHSM/Install how to
> *import* keys from a .pem file format, but shouldn't I be
> able to just generate keys and store them directly?
I do not actually know how Bind creates its keys, but it could be the case that you must use their tools. Their tools then call the PKCS#11 functions and create a key that way.

From my point of view you only need to call the PKCS#11 functions in the libsofthsm, the tools are just there to give you a quick command line utility. You can always use the C_CreateObject function to create an object in SoftHSM (if you are writing your own software).

But you need the softhsm tool, if you want to extract the keys. Because I take them directly from the database, thus bypassing any PKCS#11 extraction rules (you can specify that a key should not be extractable via the PKCS#11 interface).

You can always play around with "pkcs11-tool" that comes with OpenSC that you have installed.

> Finally, whenever I try to run the BIND tools
> dnssec-keyfromlabel or dnssec-keygen, I get the following error:
>
> ./dnssec-keyfromlabel -a RSASHA1 -l foobar joe
> dst_api.c:209: fatal error: RUNTIME_CHECK(dst_initialized ==
> isc_boolean_true) failed
> Aborted
>
> I don't know what the source of this problem is. Perhaps it
> is just that my binaries are not correct, but I suspect that
> I don't have something configured/aligned correctly, and that
> is what generates the error.

Sorry, haven't tried to run Bind with Engine PKCS#11.

> I guess I'm hoping that the folks on this mailing list have
> pieced all these things together somewhere along the way, and
> actually signed zones using keys in the SoftHSM. I'd like to
> get to the same point, and I would greatly appreciate any
> pointers that you can provide. I'm perfectly okay with a
> response like "go read these pages/books/links and then come
> back with any questions".

I tried the Engine PKCS#11 some months ago, but it had some bugs in it. Perhaps they are fixed by now.

Hopefully everything will go well for you.
// Rickard

From Antoin.Verschuren at sidn.nl Thu Jul 16 12:19:51 2009
From: Antoin.Verschuren at sidn.nl (Antoin Verschuren)
Date: Thu, 16 Jul 2009 14:19:51 +0200
Subject: [Opendnssec-develop] OpenDNSSEC requirement testing
Message-ID: <850A39016FA57A4887C0AA3C8085F949F02FDC@KAEVS1.SIDN.local>

Hi folks,

This is just a little good news note informing you that our management team has accepted and approved our budget for OpenDNSSEC requirement testing.

We now start recruiting from a known pool of available testers to find the best match. Our test manager does not foresee a long time to recruit, so probably in August I will be able to add a tester to the team.

We have a budget for one full FTE for half a year working in SIDN's test team dedicated to testing OpenDNSSEC. We do have some stages that we enter in setting this up:

- Recruiting
- Training in (Open)DNS(SEC)
- Writing a test plan
- Setting up test lab
- Perform testing of proposed Beta releases until time is up

We will only proceed each step if the previous one has ended successfully, so basically if we f.e. don't think the testplan has sufficient Quality, then we don't proceed.
Cheers,

Antoin Verschuren
Technical Policy Advisor SIDN

From roy at nominet.org.uk Thu Jul 16 12:42:41 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Thu, 16 Jul 2009 14:42:41 +0200
Subject: [Opendnssec-develop] OpenDNSSEC requirement testing
In-Reply-To: <850A39016FA57A4887C0AA3C8085F949F02FDC@KAEVS1.SIDN.local>
References: <850A39016FA57A4887C0AA3C8085F949F02FDC@KAEVS1.SIDN.local>
Message-ID:

Antoin Verschuren wrote on 07/16/2009 02:19:51 PM:

> Hi folks,
>
> This is just a little good news note informing you that our
> management team has accepted and approved our budget for OpenDNSSEC
> requirement testing.
> We now start recruiting from a known pool of available testers to
> find the best match.
> Our test manager does not foresee a long time to recruit, so
> probably in August I will be able to add a tester to the team.
>
> We have a budget for one full FTE for half a year working in SIDN's
> test team dedicated to testing OpenDNSSEC.
> We do have some stages that we enter in setting this up:
> - Recruiting
> - Training in (Open)DNS(SEC)
> - Writing a test plan
> - Setting up test lab
> - Perform testing of proposed Beta releases until time is up
>
> We will only proceed each step if the previous one has ended
> successfully, so basically if we f.e.
> don't think the testplan has
> sufficient Quality, then we don't proceed.

Fantastic! Looking forward to working with your test team!

Roy

From jakob at kirei.se Fri Jul 17 11:08:37 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 17 Jul 2009 13:08:37 +0200
Subject: [Opendnssec-develop] release handling
Message-ID: <46563E4D-7161-4EE5-8D62-0494F804A021@kirei.se>

please do not make any releases yet, just practice... I want to make a coordinated release for all components at once. softHSM is different though.

j

From rickard.bondesson at iis.se Fri Jul 17 12:35:17 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Fri, 17 Jul 2009 14:35:17 +0200
Subject: [Opendnssec-develop] Next meeting 20 July
Message-ID: <69830D4127201D4EBD146B9041199718E1E226@EXCHANGE.office.nic.se>

Hi

The next meeting is on Monday, 20 July, 14-15 CEST.

The agenda can be found on:
http://trac.opendnssec.org/wiki/Meetings/Agenda/2009-07-20

Please update with any topics.

// Rickard

From patrik.wallstrom at iis.se Fri Jul 17 13:16:08 2009
From: patrik.wallstrom at iis.se (Patrik Wallstrom)
Date: Fri, 17 Jul 2009 15:16:08 +0200
Subject: [Opendnssec-develop] -?
Message-ID:

signer_engine, keygend and communicated all want -? to give the user help. We may want to change all these occurrences to -h instead, since -? does not work in my shell... :)
From jakob at kirei.se Fri Jul 17 13:19:23 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 17 Jul 2009 15:19:23 +0200
Subject: [Opendnssec-develop] -?
In-Reply-To:
References:
Message-ID: <3E53B628-E32C-4B0F-BFB9-B47156CA81F0@kirei.se>

On 17 jul 2009, at 15.16, Patrik Wallstrom wrote:

> signer_engine, keygend and communicated all want -? to give the
> user help. We may want to change all these occurrences to -h
> instead, since -? does not work in my shell... :)

+1

From rick at openfortress.nl Fri Jul 17 13:27:01 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Fri, 17 Jul 2009 13:27:01 +0000
Subject: [Opendnssec-develop] -?
In-Reply-To:
References:
Message-ID: <20090717132701.GA6189@phantom.vanrein.org>

Hey,

> signer_engine, keygend and communicated all want -? to give the user
> help. We may want to change all these occurrences to -h instead, since
> -? does not work in my shell... :)

Of course +1

Let's all follow Patrik's shell ;-)

-Rick

From sion at nominet.org.uk Fri Jul 17 13:43:19 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Fri, 17 Jul 2009 14:43:19 +0100
Subject: [Opendnssec-develop] -?
In-Reply-To: <3E53B628-E32C-4B0F-BFB9-B47156CA81F0@kirei.se>
References: <3E53B628-E32C-4B0F-BFB9-B47156CA81F0@kirei.se>
Message-ID:

> > signer_engine, keygend and communicated all want -? to give the
> > user help. We may want to change all these occurrences to -h
> > instead, since -? does not work in my shell... :)
>
> +1

either will now work with keygend and communicated.

Sion

From jelte at NLnetLabs.nl Fri Jul 17 13:48:58 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Fri, 17 Jul 2009 15:48:58 +0200
Subject: [Opendnssec-develop] -?
In-Reply-To:
References:
Message-ID: <4A60814A.8090602@NLnetLabs.nl>

Patrik Wallstrom wrote:
> signer_engine, keygend and communicated all want -? to give the user
> help. We may want to change all these occurrences to -h instead, since
> -? does not work in my shell... :)
>

technically, the signer_engine shellscript gave (a bad) usage() on anything unknown, not specifically -?. anyhow that one was out of date anyway, and the actual .py worked with -h and a correct usage, so it doesn't do more than call the correct .py now

full clean rebuild probably required

From Jonathan.Stanton at cit.coop Mon Jul 20 11:43:12 2009
From: Jonathan.Stanton at cit.coop (Jonathan Stanton)
Date: Mon, 20 Jul 2009 12:43:12 +0100
Subject: [Opendnssec-develop] Error appearing with signer engine
In-Reply-To: <4A60814A.8090602@NLnetLabs.nl>
References: <4A60814A.8090602@NLnetLabs.nl>
Message-ID: <584B0C4A9BE2D94E99D4003D446B0664016EE81D@coop-exchange.coop.local>

Just for your information. I have noticed the following error appearing in my message logs in the last couple of weeks. The system is no longer signing the zones. I have performed a trunk checkout and "make clean autogen build" and am still getting this issue.
Jul 20 13:36:27 opensndsec1 OpenDNSSEC signer engine: Sending response: Error handling command: 'NoneType' object has no attribute 'signatures_resign_time'Traceback (most recent call last):#012 File "/usr/local/lib/opendnssec/signer/Engine.py", line 295, in handle_command#012 self.schedule_signing(args[1])#012 File "/usr/local/lib/opendnssec/signer/Engine.py", line 508, in schedule_signing#012 zone.zone_config.signatures_resign_time#012AttributeError: 'NoneType' object has no attribute 'signatures_resign_time'#012#012

It was trying to sign the example.com zone.

Regards

Jonathan
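The log line in the report above is one physical line because the syslog daemon escapes every control character in a message body as an octal code, so each newline of the Python traceback arrives as the four characters "#012". The following is an added Python example, not code from OpenDNSSEC or from the reporter: it undoes that escaping and extracts the exception and the innermost frame that raised it, which is what an operator wants in a ticket. The sample line is adapted from the report above; the function names and the summary fields are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, adapted from the report above. syslog daemons escape
# control characters in the message body as octal, so every newline of the
# Python traceback arrives as the four characters "#012".
SAMPLE_LINE = (
    "Jul 20 13:36:27 opensndsec1 OpenDNSSEC signer engine: Sending response: "
    "Error handling command: 'NoneType' object has no attribute "
    "'signatures_resign_time'Traceback (most recent call last):"
    "#012 File \"/usr/local/lib/opendnssec/signer/Engine.py\", line 295, in handle_command"
    "#012 self.schedule_signing(args[1])"
    "#012 File \"/usr/local/lib/opendnssec/signer/Engine.py\", line 508, in schedule_signing"
    "#012 zone.zone_config.signatures_resign_time"
    "#012AttributeError: 'NoneType' object has no attribute 'signatures_resign_time'#012#012"
)

OCTAL_ESCAPE_RE = re.compile(r"#([0-7]{3})")
FRAME_RE = re.compile(r'File "([^"]+)", line (\d+), in (\S+)')
EXC_RE = re.compile(r"^([A-Za-z_][\w.]*): (.*)$")
TRACEBACK_MARKER = "Traceback (most recent call last):"


def unescape_syslog(line: str) -> str:
    """Undo syslog's octal control-character escaping (#012 -> newline, #011 -> tab)."""
    return OCTAL_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 8)), line)


@dataclass
class Frame:
    path: str
    lineno: int
    func: str


@dataclass
class TracebackSummary:
    exc_type: str
    exc_message: str
    frames: List[Frame] = field(default_factory=list)  # outermost call first


def parse_traceback(text: str) -> Optional[TracebackSummary]:
    """Pull exception type, message and call frames out of an (unescaped)
    Python traceback. Returns None when the text contains no traceback."""
    if TRACEBACK_MARKER not in text:
        return None
    tb = text.split(TRACEBACK_MARKER, 1)[1]
    frames = [Frame(p, int(n), f) for p, n, f in FRAME_RE.findall(tb)]
    exc_type = exc_message = ""
    for raw in tb.splitlines():
        m = EXC_RE.match(raw.strip())
        if m:  # the last "Type: message" line is the exception that was raised
            exc_type, exc_message = m.group(1), m.group(2)
    return TracebackSummary(exc_type, exc_message, frames)


def triage(line: str) -> dict:
    """Reduce one syslog line to the fields worth putting in a bug report:
    the exception, its message, and the innermost frame that raised it."""
    summary = parse_traceback(unescape_syslog(line))
    if summary is None:
        return {"exception": None, "message": None, "origin": None, "depth": 0}
    origin = summary.frames[-1] if summary.frames else None
    return {
        "exception": summary.exc_type,
        "message": summary.exc_message,
        "origin": f"{origin.path}:{origin.lineno} ({origin.func})" if origin else None,
        "depth": len(summary.frames),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

Run against the sample line, triage() reports AttributeError raised at Engine.py line 508 in schedule_signing, two frames deep, which is the same information the reader has to dig out of the flattened line by eye.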
From patrik.wallstrom at iis.se Mon Jul 20 12:41:39 2009
From: patrik.wallstrom at iis.se (Patrik Wallstrom)
Date: Mon, 20 Jul 2009 14:41:39 +0200
Subject: [Opendnssec-develop] wordpress information
Message-ID: <5D597897-8B8F-4572-AD1B-665B71EC9DAD@iis.se>

This is just about what we need for the Wordpress site.

About
Features
Documentation
HSM Buyers Guide
Download
Support
Links
Mailinglists (dev, users, announce)
Bug reporting
News

From jakob at kirei.se Mon Jul 20 18:41:30 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 20 Jul 2009 20:41:30 +0200
Subject: [Opendnssec-develop] wordpress information
In-Reply-To: <5D597897-8B8F-4572-AD1B-665B71EC9DAD@iis.se>
References: <5D597897-8B8F-4572-AD1B-665B71EC9DAD@iis.se>
Message-ID: <512E7976-478F-46AC-82FC-7F816DBC50B8@kirei.se>

On 20 jul 2009, at 14.41, Patrik Wallstrom wrote:

> This is just about what we need for the Wordpress site.
>
> About
> Features
> Documentation
> HSM Buyers Guide
> Download
> Support
> Links
> Mailinglists (dev, users, announce)
> Bug reporting
> News

placeholders added to wp.opendnssec.org. is the "news" item in blog format?

j

From patrik.wallstrom at iis.se Fri Jul 24 08:47:03 2009
From: patrik.wallstrom at iis.se (Patrik Wallstrom)
Date: Fri, 24 Jul 2009 10:47:03 +0200
Subject: [Opendnssec-develop] updating policies
Message-ID: <19D7520D-A355-4B4F-8DA7-B1329D1FB216@iis.se>

I am trying the ksmutil update command. What I did was to update the kasp.xml file and added a new policy called newpolicy with just a small change, making the KSK 4096 bits.

mask$~>sudo ksmutil update
SQLite database set to: /var/opendnssec/kasp.db
Repository softHSM found
No Maximum Capacity set.
zonelist filename set to /etc/opendnssec/zonelist.xml.
Policy default found
Error: unable to insert policy default; skipping
Policy newpolicy found
Error: unable to get policy id for newpolicy; skipping
Failed to update policies

The database I am using was set up a couple of weeks ago, but the code is the latest from svn. All signing works. So has the database changed? This is supposed to work, right?

From rickard.bondesson at iis.se Fri Jul 24 09:04:33 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Fri, 24 Jul 2009 11:04:33 +0200
Subject: [Opendnssec-develop] Sqlite problem
Message-ID: <69830D4127201D4EBD146B9041199718E1E455@EXCHANGE.office.nic.se>

Hi

Does anyone know why sqlite gets so many ENOENT? And just repeats itself over and over. How should I fix this? What could be the cause of the problem? This happens when I try to run "hsmutil list".

// Rickard

. . .
fstat64(5, {st_mode=S_IFREG|0644, st_size=246784, ...}) = 0
_llseek(5, 24, [24], SEEK_SET) = 0
read(5, "\0\0\1O\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
fcntl64(5, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 0xbfbd9ea4) = 0
fcntl64(5, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741824, len=1}, 0xbfbd9ac4) = 0
fcntl64(5, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741826, len=510}, 0xbfbd9ac4) = 0
fcntl64(5, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=1073741824, len=1}, 0xbfbd9ac4) = 0
access("/home/rickard/opendnssec/token.1.db-journal", F_OK) = -1 ENOENT (No such file or directory)
fstat64(5, {st_mode=S_IFREG|0644, st_size=246784, ...}) = 0
_llseek(5, 24, [24], SEEK_SET) = 0
read(5, "\0\0\1O\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
fcntl64(5, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 0xbfbd9ea4) = 0
fcntl64(5, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741824, len=1}, 0xbfbd9ac4) = 0
fcntl64(5, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741826, len=510}, 0xbfbd9ac4) = 0
fcntl64(5, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=1073741824, len=1}, 0xbfbd9ac4) = 0
access("/home/rickard/opendnssec/token.1.db-journal", F_OK) = -1 ENOENT (No such file or directory)
fstat64(5, {st_mode=S_IFREG|0644, st_size=246784, ...}) = 0
_llseek(5, 24, [24], SEEK_SET) = 0
read(5, "\0\0\1O\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
fcntl64(5, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 0xbfbd9ea4) = 0
fcntl64(5, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741824, len=1}, 0xbfbd9ac4) = 0
fcntl64(5, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741826, len=510}, 0xbfbd9ac4) = 0
fcntl64(5, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=1073741824, len=1}, 0xbfbd9ac4) = 0
access("/home/rickard/opendnssec/token.1.db-journal", F_OK) = -1 ENOENT (No such file or directory)
fstat64(5, {st_mode=S_IFREG|0644, st_size=246784, ...}) = 0
_llseek(5, 24, [24], SEEK_SET) = 0
read(5, "\0\0\1O\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 16
fcntl64(5, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=0, len=0}, 0xbfbd9ea4) = 0
fcntl64(5, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741824, len=1}, 0xbfbd9ac4) = 0
fcntl64(5, F_SETLK64, {type=F_RDLCK, whence=SEEK_SET, start=1073741826, len=510}, 0xbfbd9ac4) = 0
fcntl64(5, F_SETLK64, {type=F_UNLCK, whence=SEEK_SET, start=1073741824, len=1}, 0xbfbd9ac4) = 0
access("/home/rickard/opendnssec/token.1.db-journal", F_OK) = -1 ENOENT (No such file or directory)
. . .

From sion at nominet.org.uk Fri Jul 24 09:57:16 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Fri, 24 Jul 2009 10:57:16 +0100
Subject: [Opendnssec-develop] updating policies
In-Reply-To: <19D7520D-A355-4B4F-8DA7-B1329D1FB216@iis.se>
References: <19D7520D-A355-4B4F-8DA7-B1329D1FB216@iis.se>
Message-ID:

> The database I am using was set up a couple of weeks ago, but the code
> is the latest from svn. All signing works. So has the database
> changed? This is supposed to work, right?

The database has changed I'm afraid. There is an extra text column in the policies table called "audit", and the KEYDATA_VIEW has changed.

There may be other changes depending on how old your database is exactly, but these 2 will be the significant ones.

if you run the view sql as it is in svn and something like:

alter table policies add column audit text

then your database will be brought up to date without you needing to lose all of your data.
I guess at some point (the alpha build perhaps) database changes will require migration scripts?

Sion

From sion at nominet.org.uk Fri Jul 24 10:12:33 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Fri, 24 Jul 2009 11:12:33 +0100
Subject: [Opendnssec-develop] updating policies
In-Reply-To:
References: <19D7520D-A355-4B4F-8DA7-B1329D1FB216@iis.se>
Message-ID:

> > The database I am using was set up a couple of weeks ago, but the code
> > is the latest from svn. All signing works. So has the database
> > changed? This is supposed to work, right?
>
> The database has changed I'm afraid. There is an extra text column in the
> policies table called "audit", and the KEYDATA_VIEW has changed.
>
> There may be other changes depending on how old your database is exactly,
> but these 2 will be the significant ones.
>
> if you run the view sql as it is in svn and something like:
>
> alter table policies add column audit text

Sorry, so that you don't have to find it in svn the view sql is:

drop view if exists KEYDATA_VIEW;
create view KEYDATA_VIEW as
select k.id as id,
       k.state as state,
       k.generate as generate,
       k.publish as publish,
       k.ready as ready,
       k.active as active,
       k.retire as retire,
       k.dead as dead,
       d.keytype as keytype,
       k.algorithm as algorithm,
       k.HSMkey_id as location,
       d.zone_id as zone_id,
       k.policy_id as policy_id,
       k.securitymodule_id as securitymodule_id,
       k.size as size,
       k.compromisedflag as compromisedflag
  from keypairs k
  left outer join dnsseckeys d on k.id = d.keypair_id;

assuming that you are using sqlite.

Sion

From rickard.bondesson at iis.se Fri Jul 24 13:08:33 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Fri, 24 Jul 2009 15:08:33 +0200
Subject: [Opendnssec-develop] Meeting on Sunday
Message-ID: <69830D4127201D4EBD146B9041199718E1E47A@EXCHANGE.office.nic.se>

Hi

Next meeting is on Sunday 13-15 in room 502.
We have a telephone in the room so people can call in on the usual number (if they want). We will talk about the alpha release.

// Rickard

From olaf at NLnetLabs.nl Fri Jul 24 13:56:19 2009
From: olaf at NLnetLabs.nl (Olaf Kolkman)
Date: Fri, 24 Jul 2009 15:56:19 +0200
Subject: [Opendnssec-develop] Meeting on Sunday
In-Reply-To: <69830D4127201D4EBD146B9041199718E1E47A@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718E1E47A@EXCHANGE.office.nic.se>
Message-ID: <57245499-59D5-4106-91AD-0B24621C4149@NLnetLabs.nl>

On 24 jul 2009, at 15:08, Rickard Bondesson wrote:

>
> Next meeting is on Sunday 13-15 in room 502. We have a telephone in
> the room so people can call in on the usual number (if they want).
> We will talk about the alpha release.

This is one of the meetings I would have liked to attend, but unfortunately I am locked in IAB meetings for the day.

Good luck...

--Olaf

From rickard.bondesson at iis.se Sun Jul 26 12:27:45 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Sun, 26 Jul 2009 14:27:45 +0200
Subject: [Opendnssec-develop] Next meeting 18 aug
Message-ID: <69830D4127201D4EBD146B9041199718E1E49E@EXCHANGE.office.nic.se>

Hi

Next meeting is on 18th aug, a Thursday. Between 14 and 16 CEST.
We will have a discussion about our alpha release. Have we fixed all bugs, plan the future, etc.

// Rickard

From matthijs at NLnetLabs.nl Mon Jul 27 07:57:48 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 27 Jul 2009 09:57:48 +0200
Subject: [Opendnssec-develop] minutes
Message-ID: <4A6D5DFC.2010401@nlnetlabs.nl>

Minutes from the last three meetings are now online.

Matthijs

From owner-dnssec-trac at kirei.se Sun Jul 26 12:53:55 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 26 Jul 2009 12:53:55 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #1: Dummy test ticket
Message-ID: <043.7ec43215f16161a86348a8fcda154858@kirei.se>

#1: Dummy test ticket
------------------------+---------------------------------------------------
 Reporter:  jakob        |       Owner:  jakob
     Type:  enhancement  |      Status:  new
 Priority:  major        |   Component:  Unknown
  Version:               |    Keywords:
------------------------+---------------------------------------------------

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From rick at openfortress.nl Wed Jul 29 15:18:01 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 29 Jul 2009 15:18:01 +0000
Subject: [Opendnssec-develop] How to recognise Kaminsky's attack?
Message-ID: <20090729151801.GA23105@phantom.vanrein.org>

Hi,

This is somewhat contextual around OpenDNSSEC:

A while back I've seen a network traffic analysis that indicated how the Kaminsky attack had its own indications in traffic patterns. I cannot find it back, and I wonder if any of you has seen it as well. I would appreciate a link or a gist of the patterns.

Thanks,

-Rick

From owner-dnssec-trac at kirei.se Thu Jul 30 15:14:54 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 30 Jul 2009 15:14:54 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #2: Can not compile 1.0a1, problem with SoftHSM
Message-ID: <058.9abe7503590c8a5934ab958506bad933@kirei.se>

#2: Can not compile 1.0a1, problem with SoftHSM
---------------------------------+------------------------------------------
 Reporter:  mattias at nonetwork.se  |       Owner:  rb
     Type:  defect                 |      Status:  new
 Priority:  major                  |   Component:  SoftHSM
  Version:  1.0a1                  |    Keywords:  SoftDatabase
---------------------------------+------------------------------------------
 Hi, I get this error while compiling 1.0a1

{{{
[mattias at gozo OpenDNSSEC-1.0a1]$ make
Making all in softHSM
make[1]: Entering directory `/home/mattias/opendnssec/build/OpenDNSSEC-1.0a1/softHSM'
make  all-recursive
make[2]: Entering directory `/home/mattias/opendnssec/build/OpenDNSSEC-1.0a1/softHSM'
Making all in src
make[3]: Entering directory `/home/mattias/opendnssec/build/OpenDNSSEC-1.0a1/softHSM/src'
Making all in lib
make[4]: Entering directory `/home/mattias/opendnssec/build/OpenDNSSEC-1.0a1/softHSM/src/lib'
/bin/sh ../../libtool --tag=CXX --mode=compile g++ -DHAVE_CONFIG_H -I. -I../.. -I./cryptoki -I/usr/include -I/usr/include -Wno-long-long -g -O2 -MT SoftDatabase.lo -MD -MP -MF .deps/SoftDatabase.Tpo -c -o SoftDatabase.lo SoftDatabase.cpp
libtool: compile:  g++ -DHAVE_CONFIG_H -I. -I../.. -I./cryptoki -I/usr/include -I/usr/include -Wno-long-long -g -O2 -MT SoftDatabase.lo -MD -MP -MF .deps/SoftDatabase.Tpo -c SoftDatabase.cpp  -fPIC -DPIC -o .libs/SoftDatabase.o
SoftDatabase.cpp: In member function ‘char* SoftDatabase::getTokenLabel()’:
SoftDatabase.cpp:192: error: ‘sprintf’ was not declared in this scope
make[4]: *** [SoftDatabase.lo] Error 1
make[4]: Leaving directory `/home/mattias/opendnssec/build/OpenDNSSEC-1.0a1/softHSM/src/lib'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory `/home/mattias/opendnssec/build/OpenDNSSEC-1.0a1/softHSM/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/mattias/opendnssec/build/OpenDNSSEC-1.0a1/softHSM'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/home/mattias/opendnssec/build/OpenDNSSEC-1.0a1/softHSM'
make: *** [all-recursive] Error 1
}}}

 Trying to build this on a FC11 installation following the instructions on
 http://trac.opendnssec.org/wiki/Signer/Install

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Thu Jul 30 21:15:30 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 30 Jul 2009 21:15:30 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #3: Please, really please, drop the Ruby on the floor
Message-ID: <053.1d9719264068533622d6a3fffe52a6d5@kirei.se>

#3: Please, really please, drop the Ruby on the floor
----------------------------+-----------------------------------------------
 Reporter:  ondrej at sury.org  |       Owner:  alex
     Type:  defect            |      Status:  new
 Priority:  minor             |   Component:  Auditor
  Version:  1.0a1             |    Keywords:
----------------------------+-----------------------------------------------
 If it's not too late, please don't use Ruby. It's extremely hard to
 package.
 For more info: http://pkg-ruby-extras.alioth.debian.org/rubygems.html

 (Citing Wouter Verhelst: "Oh, the horror.")

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Fri Jul 31 09:05:44 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 31 Jul 2009 09:05:44 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #2: Can not compile 1.0a1, problem with SoftHSM
In-Reply-To: <058.9abe7503590c8a5934ab958506bad933@kirei.se>
References: <058.9abe7503590c8a5934ab958506bad933@kirei.se>
Message-ID: <067.b4b14466e75180dac7ffaf798e7b6fcc@kirei.se>

#2: Can not compile 1.0a1, problem with SoftHSM
---------------------------------+------------------------------------------
 Reporter:  mattias at nonetwork.se  |       Owner:  rb
     Type:  defect                 |      Status:  new
 Priority:  major                  |   Component:  SoftHSM
  Version:  1.0a1                  |  Resolution:
 Keywords:  SoftDatabase           |
---------------------------------+------------------------------------------
Comment(by rb):

 In GCC 4.3 the C++ header dependencies have been cleaned up.
 http://www.cyrius.com/journal/gcc/gcc-4.3-include

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Fri Jul 31 12:29:54 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 31 Jul 2009 12:29:54 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #4: zone_reader (signer) does not read zone files in standard bind format
Message-ID: <058.c72187a0f7ff001a55c0cb58d778bbe4@kirei.se>

#4: zone_reader (signer) does not read zone files in standard bind format
---------------------------------+------------------------------------------
 Reporter:  mattias at nonetwork.se  |       Owner:  jelte
     Type:  defect                 |      Status:  new
 Priority:  minor                  |   Component:  Signer
  Version:  1.0a1                  |    Keywords:
---------------------------------+------------------------------------------
 It seems zone_reader does not handle zone files in standard bind zone file
 syntax:

{{{
$ORIGIN .
$TTL 43200 ; 12 hours
nonetwork.se IN SOA ns01.nonetwork.se. hostmaster.compricer.se. (
        2009070501 ; serial
        86400      ; refresh (1 day)
        7200       ; retry (2 hour)
        1200000    ; expire (approx. 14 days)
        86400      ; minimum (1 day)
        )

zone_reader -o nonetwork.se -f /var/named/chroot/var/named/external/nonetwork.se
Warning: Syntax error, value expected: nonetwork.se IN SOA ns01.nonetwork.se. hostmaster.compricer.se. (
}}}

 So, you have to format the SOA record like:
 tjeb.nl. 3600 IN SOA ns.tjeb.nl. jelte.tjeb.nl. 206 28800 7200 604800 3600

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Fri Jul 31 19:55:34 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 31 Jul 2009 19:55:34 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #1: Dummy test ticket
In-Reply-To: <043.7ec43215f16161a86348a8fcda154858@kirei.se>
References: <043.7ec43215f16161a86348a8fcda154858@kirei.se>
Message-ID: <052.cd0f4e4c39f656ba3b8723ba4a334df6@kirei.se>

#1: Dummy test ticket
------------------------+---------------------------------------------------
 Reporter:  jakob        |       Owner:  jakob
     Type:  enhancement  |      Status:  closed
 Priority:  major        |   Component:  Unknown
  Version:               |  Resolution:  invalid
 Keywords:               |
------------------------+---------------------------------------------------
Changes (by jakob):

  * status:  new => closed
  * resolution:  => invalid

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Fri Jul 31 19:58:21 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 31 Jul 2009 19:58:21 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #3: Please, really please, drop the Ruby on the floor
In-Reply-To: <053.1d9719264068533622d6a3fffe52a6d5@kirei.se>
References: <053.1d9719264068533622d6a3fffe52a6d5@kirei.se>
Message-ID: <062.dbfa0ea476cad586e19e0f12f444e4d4@kirei.se>

#3: Please, really please, drop the Ruby on the floor
----------------------------+-----------------------------------------------
 Reporter:  ondrej at sury.org  |       Owner:  alex
     Type:  defect            |      Status:  closed
 Priority:  minor             |   Component:  Auditor
  Version:  1.0a1             |
  Resolution:  wontfix
 Keywords:                    |
----------------------------+-----------------------------------------------
Changes (by jakob):

  * status:  new => closed
  * resolution:  => wontfix

Comment:

 The auditor will use Ruby, since we do not want to share any code with the
 rest of the project - after all, the auditor exists to find bugs in other
 code, so reusing libraries from what it audits seems just bad. Having said
 that, it is optional to use the auditor and it is easily replaceable.

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC
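Ticket #4 above shows that zone_reader of 1.0a1 accepts an SOA only when all of its fields sit on one line, while the standard BIND file uses a parenthesised continuation with ";" comments. The following is an added Python example, not code from OpenDNSSEC or from the ticket reporter: a small normaliser that rewrites BIND-style zone text into the one-record-per-line form the ticket says works. It also covers the cases a loader must not get wrong, which the ticket does not show: a ";" or "(" inside a quoted TXT string is data, not syntax, and an unbalanced parenthesis is reported rather than guessed at. The sample zone reuses the ticket's SOA and adds two constructed records; 192.0.2.1 is a documentation address.

```python
from typing import List

# Constructed sample: the SOA from ticket #4 in the multi-line, parenthesised
# BIND form that zone_reader rejected, plus two made-up records, one of them a
# TXT whose quoted string contains characters that must not be read as syntax.
SAMPLE_ZONE = """$ORIGIN .
$TTL 43200 ; 12 hours
nonetwork.se IN SOA ns01.nonetwork.se. hostmaster.compricer.se. (
        2009070501 ; serial
        86400      ; refresh (1 day)
        7200       ; retry (2 hour)
        1200000    ; expire (approx. 14 days)
        86400      ; minimum (1 day)
        )
www.nonetwork.se. 3600 IN A 192.0.2.1
note.nonetwork.se. IN TXT "keep; this ( intact )"
"""


def normalize_zone(text: str) -> List[str]:
    """Rewrite zone-file text into one logical record per line: ';' comments
    removed, parenthesised continuations joined, whitespace outside quotes
    collapsed. Quoted strings are copied verbatim. Raises ValueError when the
    parentheses do not balance; a loader should refuse rather than guess."""
    records: List[str] = []
    current: List[str] = []  # characters of the record being assembled
    depth = 0                # '(' nesting carried across physical lines
    for lineno, raw in enumerate(text.splitlines(), 1):
        in_quote = False
        prev = ""
        for ch in raw:
            if ch == '"' and prev != "\\":
                in_quote = not in_quote
            elif not in_quote:
                if ch == ";":            # a comment runs to end of physical line
                    break
                if ch == "(":
                    depth += 1
                    ch = " "
                elif ch == ")":
                    depth -= 1
                    if depth < 0:
                        raise ValueError(f"line {lineno}: ')' without matching '('")
                    ch = " "
                if ch.isspace():         # collapse runs of whitespace outside quotes
                    ch = " "
                    if not current or current[-1] == " ":
                        prev = ch
                        continue
            current.append(ch)
            prev = ch
        if depth == 0:                   # record complete at this line end
            record = "".join(current).strip()
            if record:
                records.append(record)
            current = []
        elif current and current[-1] != " ":
            current.append(" ")          # keep tokens apart across the line break
    if depth != 0:
        raise ValueError("unterminated '(' at end of input")
    return records


if __name__ == "__main__":
    for record in normalize_zone(SAMPLE_ZONE):
        print(record)
```

On the sample the SOA comes out as a single line with its five numeric fields in order, exactly the shape of the working example the ticket gives, while the TXT record passes through untouched.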