From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 1 Jun 2009 10:34:47 +0200
Subject: [Opendnssec-develop] Meeting agenda 20090602
Message-ID: <69830D4127201D4EBD146B9041199718C68F5F@EXCHANGE.office.nic.se>

Hi

Next meeting
Date: Tuesday 2 June
Time: 14:00-15:00 CEST

Please add more topics on the wiki if you have any:

http://www.opendnssec.se/wiki/Meetings/Agenda/2009-06-02

// Rickard
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Mon, 1 Jun 2009 17:14:01 +0100
Subject: [Opendnssec-develop] Meeting agenda 20090602
In-Reply-To: <69830D4127201D4EBD146B9041199718C68F5F@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718C68F5F@EXCHANGE.office.nic.se>
Message-ID:

"Rickard Bondesson" wrote on 01/06/2009 09:34:47:

> Hi
>
> Next meeting
> Date: Tuesday 2 June
> Time: 14:00-15:00 CEST
>
> Please add more topics on the wiki if you have any:
>
> http://www.opendnssec.se/wiki/Meetings/Agenda/2009-06-02
>
> // Rickard

Some things we should raise in the topic "What functionality are we missing?":

1. A "Watchdog" process that checks that everything is running.
This is something that should be running from the time the system is booted. If any process is missing, it logs an emergency message. Is something like this needed?

2. Emergency messages
This leads on from the last one. Some messages should be immediately notified to the operator (e.g. the Kasp Auditor notifying the operator that the signed zone file has failed one or more tests). How do we do this? Although some sites will use programs like Nagios and do their own monitoring, others may want a system that comes "out of the box". The easiest way seems to be some form of email notification - should we supply the framework? (e.g. http://www.johnandcailin.com/blog/john/how-setup-real-time-email-notification-critical-syslog-events )

3. HSM PIN
How do we enter the PIN for the HSM? The requirements suggest it should be entered just once at startup - how is the user prompted to do this?

4. AXFR in/out
What part of the system is responsible for extracting an AXFR from an upstream nameserver into the input zone file, and what part is responsible for loading it into the local nameserver for the downstream AXFR?

Stephen
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 2 Jun 2009 10:46:04 +0200
Subject: [Opendnssec-develop] Future work: Moving the RRset signer inside the HSM?
Message-ID: <8AA7E36C-FB3F-4DFF-87F5-66F25E1DBF44@kirei.se>

hi,

at some point we've discussed the problem with key misuse, i.e. that even if you protect your keys with a HSM you can still sign anything with any signature exception. one solution to this would be to move the RRset signer, together with some basic policy regarding what may be signed and for how long, closer to the HSM.

As far as I can see, this would be possible with the Thales/nCipher SEE architecture - http://dl.getdropbox.com/u/1158919/OpenDNSSEC/see-wp.pdf . Very interesting!

jakob

From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Tue, 2 Jun 2009 12:50:59 +0200
Subject: [Opendnssec-develop] conference call, this afternoon
Message-ID:

I will not be able to make this afternoon's call.

Apologies,
Roy
From: jad at jadickinson.co.uk (John Dickinson)
Date: Tue, 2 Jun 2009 12:45:12 +0100
Subject: [Opendnssec-develop] Meeting agenda 20090602
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718C68F5F@EXCHANGE.office.nic.se>
Message-ID:

On 1 Jun 2009, at 17:14, Stephen.Morris at nominet.org.uk wrote:

> "Rickard Bondesson" wrote on 01/06/2009 09:34:47:
>
>> Hi
>>
>> Next meeting
>> Date: Tuesday 2 June
>> Time: 14:00-15:00 CEST
>>
>> Please add more topics on the wiki if you have any:
>>
>> http://www.opendnssec.se/wiki/Meetings/Agenda/2009-06-02
>>
>> // Rickard
>
> Some things we should raise in the topic "What functionality are we missing?":
>
> 1. A "Watchdog" process that checks that everything is running.
> This is something that should be running from the time the system is booted. If any process is missing, it logs an emergency message. Is something like this needed?
>
> 2. Emergency messages
> This leads on from the last one. Some messages should be immediately notified to the operator (e.g. the Kasp Auditor notifying the operator that the signed zone file has failed one or more tests). How do we do this? Although some sites will use programs like Nagios and do their own monitoring, others may want a system that comes "out of the box". The easiest way seems to be some form of email notification - should we supply the framework? (e.g. http://www.johnandcailin.com/blog/john/how-setup-real-time-email-notification-critical-syslog-events )

A couple of thoughts in case they go out of my head at the meeting - I really do not think that we should do either of these. These are basic operational problems that operators should already have sorted. BIND and NSD don't feel the need to do this so why do we? The signer is no more important than the name server.

Watchdog processes already exist; some even form part of improved rc.d systems like the one Solaris has. Also, you can always run the daemons in the foreground and restart them in a loop. (See Appendix D of http://ftp.isc.org/isc/pubs/tn/isc-tn-2004-1.txt)

An email in someone's inbox is of no more use than an error message in a log file when it comes to actually informing a real person about an issue. As long as we use standard logging -> syslog, that should be sufficient. If we really want OpenDNSSEC to be proactive in sending alerts then I suggest we request a private enterprise number and send snmp traps. However, having written a mib once before for this kind of thing it is not something I would enjoy doing again :)

John
---
John Dickinson
http://www.jadickinson.co.uk

I am riding from Land's End to John O'Groats to raise money for Parkinson's Disease Research. Please sponsor me here http://justgiving.com/pedalforparkinsons2009
From: rick at openfortress.nl (Rick van Rein)
Date: Tue, 2 Jun 2009 13:17:30 +0000
Subject: [Opendnssec-develop] FYI: DNSSEC at HAR2009
Message-ID: <20090602131730.GB3455@phantom.vanrein.org>

Hello all,

FYI, this is our accepted submission about DNSSEC at HAR 2009, https://har2009.org/

We are very likely to mention OpenDNSSEC but, as agreed, will not use it on our attacked servers unless we all feel good about it.

-Rick

------- 8< ------- 8< ------- 8< ------- 8< ------- 8< -------

Title: Cracking Internet
Subtitle: The urgency of DNSSEC

Abstract

This workshop will introduce the problems with DNS that jeopardise the Internet as a whole. We will begin with a general discussion, and argue that the only real solution that is ready now is DNSSEC. We will continue with more detailed discussions of the Kaminsky attack, and explain how to attack the machines that we prepared for attack during HAR 2009.

Full description

We propose to present the following:

1. A general introduction into the Kaminsky attack, aimed at newcomers and journalists.
2. A detailed discussion of the Kaminsky attack.
3. A detailed discussion of DNSSEC.
4. Possibly a guided session in mounting the attack.

Aside from this, we propose to prepare a few servers available to the HAR 2009 crowd that may be freely attacked during the conference. The servers will have varying levels of defenses against the Kaminsky attack, but we expect them all to break sooner or later. We imagine these machines to be located off-site.

These presentations are a cooperative effort of:

* SURFnet, in the person of Roland van Rijswijk
* OpenFortress, in the person of Rick van Rein

SURFnet is working to roll out DNSSEC in The Netherlands. OpenFortress provides technical facilities to SURFnet in the area. We cooperate with others such as NLnet Labs, .SE and .UK in the OpenDNSSEC.org project. We also discuss these matters with SIDN.

One of our explicit goals is to get some media focus on this issue, so everyday users become more aware that viruses are not their main problem, and start bothering their ISPs and banks about DNSSEC. This is useful because DNSSEC has a bit of a problem in that nobody starts using it because... nobody is using it yet. ISPs wait for banks to offer secure domains, banks wait for ISPs to offer domain validation. And of course we are all waiting for SIDN.

Our reasons for plugging DNSSEC are that it is dirty, but it works. And it is the only solution for DNS' leakage that actually works.

We also wrote a whitepaper and linked it, as well as attached it.

Cheers,
Rick (also for Roland)

From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Tue, 2 Jun 2009 18:35:07 +0100
Subject: [Opendnssec-develop] Minutes of teleconference, 2009-06-02
Message-ID:

Now available on the wiki:

http://www.opendnssec.se/wiki/Meetings/Minutes/2009-06-02

Stephen

From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 2 Jun 2009 19:58:33 +0200
Subject: [Opendnssec-develop] shared autoconf macros
Message-ID: <70005CA6-1709-49F9-A64A-E70FFB7DD7A6@kirei.se>

I've started to collect some shared autoconf macros (like ldns, libxml2, strict, ...) and collected them in one file so we don't check for stuff differently all over the place. I'm about to move all shared autoconf/configure stuff into this and please help if you find anything missing.

after updating trunk/m4/acinclude.m4, just do a 'make install' in trunk/m4 to update all local copies (and don't forget to commit them as well).

jakob
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 2 Jun 2009 20:28:09 +0200
Subject: [Opendnssec-develop] Re: shared autoconf macros
In-Reply-To: <70005CA6-1709-49F9-A64A-E70FFB7DD7A6@kirei.se>
References: <70005CA6-1709-49F9-A64A-E70FFB7DD7A6@kirei.se>
Message-ID: <581BC481-A87F-48FF-B5A3-04C6C4D2B6C1@kirei.se>

On 2 jun 2009, at 19.58, Jakob Schlyter wrote:

> I've started to collect some shared autoconf macros (like ldns, libxml2, strict, ...) and collected them in one file so we don't check for stuff differently all over the place.

btw, if things break, please have patience (or fix) them.

jakob

From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 3 Jun 2009 16:54:38 +0200
Subject: [Opendnssec-develop] kaspimport perl dependency removal?
Message-ID:

kaspimport currently depends on perl and DBI. would it be a large amount of work to code this in C?

jakob

From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 3 Jun 2009 22:49:46 +0200
Subject: [Opendnssec-develop] syslog configuration
Message-ID: <722A1FDB-EF59-4ED3-8B22-0A490B480B35@kirei.se>

after reading some code I believe we need to add a logging configuration option to conf.xml, so we at least can specify what facility to use. or, if we want to take the easy route at this point, this could be specified on the command line (but I'd rather not).

jakob

Index: conf.xml =================================================================== --- conf.xml (revision 923) +++ conf.xml (working copy) @@ -19,6 +19,12 @@ + + + local0 + + + /var/opendnssec/kasp.db PT3600S Index: conf.rnc =================================================================== --- conf.rnc (revision 923) +++ conf.rnc (working copy)
@@ -24,6 +24,13 @@ }* }, + # Configuration parameters for logging + element Logging { + element Syslog { + element Facility { xsd:string } + } + }?, + # Configuration parameters for the KASP Enforcer element Enforcer { # Where to store internal Enforcer state

From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Thu, 4 Jun 2009 10:36:10 +0100
Subject: [Opendnssec-develop] kaspimport perl dependency removal?
In-Reply-To:
References:
Message-ID:

> kaspimport currently depends on perl and DBI. would it be a large amount of work to code this in C?

kaspimport is a "quick 'n' dirty" way of setting up the database consistent with the xml configuration files. I believe that it was never intended to be a permanent feature, or to be used in anything other than testing.

So, if we are to re-write it in C, should we decide exactly what we need for production? Or is it okay as it is, just not in the right language?

The database schemas themselves are actually created with shell scripts, is this okay?

On the topic of dependencies; I notice that the xml stuff needs java (and trang.jar). Is this just when building from subversion or is a release going to have this dependency too?

Sion
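Review bot: in the conf.rnc hunk above, `element Facility { xsd:string }` accepts any string, so a misspelled facility name passes schema validation and is only noticed when the daemon opens syslog (or is silently mapped to a default). Consider restricting the value to the names syslog actually knows (an enumeration of "local0" .. "local7", "daemon", "user", ...) or, failing that, documenting that the loader validates the name and refuses to start on an unknown one. Since the whole Logging element is optional (`}?,`), the comment should also state which facility is used when it is absent, as that is what existing installations will get after this change.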
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Thu, 4 Jun 2009 11:47:16 +0200
Subject: [Opendnssec-develop] System integration in Amsterdam
In-Reply-To: <69830D4127201D4EBD146B9041199718C69172@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718C69172@EXCHANGE.office.nic.se>
Message-ID: <69830D4127201D4EBD146B9041199718C69330@EXCHANGE.office.nic.se>

For those who haven't filled in the Doodle, please do it. I will announce the date later today, so we can book our flights and hotel.

// Rickard

> -----Original message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On behalf of Rickard Bondesson
> Sent: 2 June 2009 15:23
> To: Opendnssec-develop at lists.opendnssec.org
> Subject: [Opendnssec-develop] System integration in Amsterdam
>
> Hi
>
> Please fill in the doodle to state which day that works best for you:
>
> http://www.doodle.com/b7gnygd49k9erppk
>
> // Rickard
From: jad at jadickinson.co.uk (John Dickinson)
Date: Thu, 4 Jun 2009 12:02:34 +0100
Subject: [Opendnssec-develop] kaspimport perl dependency removal?
In-Reply-To:
References:
Message-ID:

On 4 Jun 2009, at 10:36, sion at nominet.org.uk wrote:

>> kaspimport currently depends on perl and DBI. would it be a large amount of work to code this in C?
>
> kaspimport is a "quick 'n' dirty" way of setting up the database consistent with the xml configuration files. I believe that it was never intended to be a permanent feature, or to be used in anything other than testing.

That is how I wrote it.

> So, if we are to re-write it in C, should we decide exactly what we need for production? Or is it okay as it is, just not in the right language?

I think a real frontend is needed - web or command line, I don't really care. I did suggest to Stephen that we could consider a Ruby/Rails web frontend - the DB tables were named to make this "easy" - not that I really know enough ruby or rails to be sure how easy it really would be.

> The database schemas themselves are actually created with shell scripts, is this okay?
>
> On the topic of dependencies; I notice that the xml stuff needs java (and trang.jar). Is this just when building from subversion or is a release going to have this dependency too?

trang is needed to convert rnc to rng. I guess we could ship just the rng files.

john
From: roland.vanrijswijk at surfnet.nl (Roland van Rijswijk)
Date: Thu, 04 Jun 2009 17:33:53 +0200
Subject: [Opendnssec-develop] Report of the code audit on the SoftHSM and HSMtools
Message-ID: <4A27E961.8050406@surfnet.nl>

Hi guys,

Rick asked me to post this to the list since not everybody seemed to have it yet; let me know if you have any questions.

Cheers,

Roland

--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

[Attachment scrubbed by the list archive: DOC20090514DNSSEC01.pdf, application/pdf, 75110 bytes]

From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Thu, 4 Jun 2009 19:14:19 +0200
Subject: [Opendnssec-develop] System integration in Amsterdam
Message-ID: <7632D4AA-4B78-4187-B6F3-CD9D834E6960@iis.se>

23-24 June is the date when we will meet in Amsterdam.

// R

From: jakob at kirei.se (Jakob Schlyter)
Date: Thu, 4 Jun 2009 21:39:25 +0200
Subject: [Opendnssec-develop] System integration in Amsterdam
In-Reply-To: <7632D4AA-4B78-4187-B6F3-CD9D834E6960@iis.se>
References: <7632D4AA-4B78-4187-B6F3-CD9D834E6960@iis.se>
Message-ID: <041F70CB-C708-4C1C-8EB9-035BD8C64677@kirei.se>

On 4 jun 2009, at 19.14, Rickard Bondesson wrote:

> 23-24 June is the date when we will meet in Amsterdam.

can any of the locals recommend a nice and comfy hotel near NLNetLabs (where I assume we'll be meeting)? if not, I'll probably go for the Krasnapolsky as that is the one I know is good.

jakob
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Fri, 05 Jun 2009 09:15:19 +0200
Subject: [Opendnssec-develop] System integration in Amsterdam
In-Reply-To: <041F70CB-C708-4C1C-8EB9-035BD8C64677@kirei.se>
References: <7632D4AA-4B78-4187-B6F3-CD9D834E6960@iis.se> <041F70CB-C708-4C1C-8EB9-035BD8C64677@kirei.se>
Message-ID: <4A28C607.9060803@nlnetlabs.nl>

Locals usually have no good experience in hotels nearby ;)

But this was asked before, and after a short investigation, Jelte replied:

NH Tropen
http://www.nh-hotels.nl/nh/nl/hotels/nederland/amsterdam/nh-tropen.html

or

Hotel Arena
http://www.hotelarena.nl

- Matthijs

Jakob Schlyter wrote:
> On 4 jun 2009, at 19.14, Rickard Bondesson wrote:
>
>> 23-24 June is the date when we will meet in Amsterdam.
>
> can any of the locals recommend a nice and comfy hotel near NLNetLabs (where I assume we'll be meeting) ?
> if, I'll probably go for the Krasnapolsky as that is the one I know is good.
>
> jakob
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 5 Jun 2009 09:40:08 +0200
Subject: [Opendnssec-develop] System integration in Amsterdam
In-Reply-To: <4A28C607.9060803@nlnetlabs.nl>
References: <7632D4AA-4B78-4187-B6F3-CD9D834E6960@iis.se> <041F70CB-C708-4C1C-8EB9-035BD8C64677@kirei.se> <4A28C607.9060803@nlnetlabs.nl>
Message-ID:

On 5 jun 2009, at 09.15, Matthijs Mekking wrote:

> Hotel Arena
> http://www.hotelarena.nl

Rickard and I will be staying at Hotel Arena. if others join us we can do system integration in the bar!

jakob

From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Fri, 05 Jun 2009 09:43:37 +0200
Subject: [Opendnssec-develop] System integration in Amsterdam
In-Reply-To: <7632D4AA-4B78-4187-B6F3-CD9D834E6960@iis.se>
References: <7632D4AA-4B78-4187-B6F3-CD9D834E6960@iis.se>
Message-ID: <4A28CCA9.5030200@nlnetlabs.nl>

As commented on the Doodle, I won't be able to make it on the 24th, but will be present the 23rd.

Matthijs

Rickard Bondesson wrote:
> 23-24 June is the date when we will meet in Amsterdam.
>
> // R
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 5 Jun 2009 11:32:50 +0200
Subject: [Opendnssec-develop] kaspimport perl dependency removal?
In-Reply-To:
References:
Message-ID: <48508632-75F7-450C-A428-D012C50350F1@kirei.se>

On 4 jun 2009, at 11.36, sion at nominet.org.uk wrote:

> So, if we are to re-write it in C, should we decide exactly what we need for production? Or is it okay as it is, just not in the right language?

I believe we have to watch our dependencies and adding Perl+DBI is yet another one. so far we have: http://www.opendnssec.se/wiki/Signer/Dependencies

> The database schemas themselves are actually created with shell scripts, is this okay?

sure, since they require no external programs that we do not already have.

> On the topic of dependencies; I notice that the xml stuff needs java (and trang.jar). Is this just when building from subversion or is a release going to have this dependency too?

it's only used when building the RelaxNG (rng) from Compact (rnc).

jakob

From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 5 Jun 2009 14:14:30 +0200
Subject: [Opendnssec-develop] Re: [keihatsu.kirei.se/svn/dnssec] r945 - trunk/regression/linux
In-Reply-To: <20090605121246.A05AC6BDE0@mail.kirei.se>
References: <20090605121246.A05AC6BDE0@mail.kirei.se>
Message-ID: <677EA948-1438-4008-A09E-CAECC3E32CEB@kirei.se>

On 5 jun 2009, at 14.12, Rickard Bondeson wrote:

> - --sysconfdir=/usr/local/etc \ > - --localstatedir=/usr/local/var \ > + --sysconfdir=/etc \ > + --localstatedir=/var \

to clarify to everyone - most people expect these values on their systems, even though the software itself is installed in /usr/local.

jakob
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Sun, 7 Jun 2009 11:25:26 +0200
Subject: [Opendnssec-develop] Signer conf
Message-ID: <9526D945-8A96-4E1F-976B-E219DD308879@iis.se>

How will the signer engine know which keys to sign with and which keys are only published? The rnc will only allow publish state and not ready / active / retired.

From: jakob at kirei.se (Jakob Schlyter)
Date: Sun, 7 Jun 2009 11:46:06 +0200
Subject: [Opendnssec-develop] Signer conf
Message-ID: <6BD108DD-ACFC-4C42-AE6E-B6B0BE9E0C55@kirei.se>

For the signer - active/publish/retired all equals publish.

--
Sent from my iPhone, hence this mail might be briefer than normal.

On 7 jun 2009, at 11.25, "Rickard Bondesson" wrote:

> How will the signer engine know which keys to sign with and which keys are only published? The rnc will only allow publish state and not ready / active / retired.
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Sun, 7 Jun 2009 12:03:26 +0200
Subject: [Opendnssec-develop] Signer conf
In-Reply-To: <6BD108DD-ACFC-4C42-AE6E-B6B0BE9E0C55@kirei.se>
References: <6BD108DD-ACFC-4C42-AE6E-B6B0BE9E0C55@kirei.se>
Message-ID: <50C4CA36-E833-49A1-A2F8-8F5B08E7E414@iis.se>

Ok, will have a look at that later today.

7 jun 2009 kl. 11.47 skrev "Jakob Schlyter":

> For the signer - active/publish/retired all equals publish.
>
> --
> Sent from my iPhone, hence this mail might be briefer than normal.
>
> On 7 jun 2009, at 11.25, "Rickard Bondesson" wrote:
>
>> How will the signer engine know which keys to sign with and which keys are only published? The rnc will only allow publish state and not ready / active / retired.
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Sun, 7 Jun 2009 15:39:46 +0200
Subject: [Opendnssec-develop] Signer conf
In-Reply-To: <6BD108DD-ACFC-4C42-AE6E-B6B0BE9E0C55@kirei.se>
References: <6BD108DD-ACFC-4C42-AE6E-B6B0BE9E0C55@kirei.se>
Message-ID: <99577D01-839F-46FB-9E30-E68DFC6EAA38@iis.se>

Or isn't it that publish for the signer means publish the key but do not use it for signing? And if the publish tag is not present then use the key for signing? How about the revoke bit?

7 jun 2009 kl. 11.47 skrev "Jakob Schlyter":

> For the signer - active/publish/retired all equals publish.
>
> --
> Sent from my iPhone, hence this mail might be briefer than normal.
>
> On 7 jun 2009, at 11.25, "Rickard Bondesson" wrote:
>
>> How will the signer engine know which keys to sign with and which keys are only published? The rnc will only allow publish state and not ready / active / retired.

From: jakob at kirei.se (Jakob Schlyter)
Date: Sun, 7 Jun 2009 21:08:15 +0200
Subject: [Opendnssec-develop] Signer conf
In-Reply-To: <50C4CA36-E833-49A1-A2F8-8F5B08E7E414@iis.se>
References: <6BD108DD-ACFC-4C42-AE6E-B6B0BE9E0C55@kirei.se> <50C4CA36-E833-49A1-A2F8-8F5B08E7E414@iis.se>
Message-ID:

see also http://www.opendnssec.se/browser/docs/key-state.png. given this == "included in the zonefile".

jakob
From: jakob at kirei.se (Jakob Schlyter)
Date: Sun, 7 Jun 2009 21:15:26 +0200
Subject: [Opendnssec-develop] Signer conf
In-Reply-To: <99577D01-839F-46FB-9E30-E68DFC6EAA38@iis.se>
References: <6BD108DD-ACFC-4C42-AE6E-B6B0BE9E0C55@kirei.se> <99577D01-839F-46FB-9E30-E68DFC6EAA38@iis.se>
Message-ID: <27EDBADA-8247-472F-9D21-02DF64944020@kirei.se>

On 7 jun 2009, at 15.39, Rickard Bondesson wrote:

> Or isn't it that publish for the signer means publish the key but do not use it for signing?

publish means "include this key in the zonefile". nothing more, nothing less.

> And if the publish tag is not present then use the key for signing?

whether the key is used for signing is completely orthogonal to whether it is published or not. signconf.rnc says:

    # sign all the DNSKEY RRsets with this key?
    element KSK { empty }?,

    # sign all non-DNSKEY RRsets with this key?
    element ZSK { empty }?,

    # include this key in the zonefile?
    element Publish { empty }?

these are all binary flags - any combination of the above is possible (but might not make sense). i.e. a normal key signing key would have <KSK/> AND <Publish/>. but IIRC we've previously decided that we do not sign the DNSKEY RRset with a <ZSK/>, since we don't really have to.

> How about the revoke bit?

the revoke bit is just a part of the and is set by the enforcer for revoked keys if the KASP states that 5011 should be used.

jakob
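The three orthogonal flags described in the mail above, as an added example (not OpenDNSSEC's own code): it parses a constructed signconf-style fragment, derives what the signer does with each key, and reports combinations that are schema-valid but, as the mail says, "might not make sense". KSK, ZSK and Publish are the element names quoted from signconf.rnc; Flags, Algorithm, Locator and the locator values are assumptions made for this example, and the revoke bit is taken to be value 128 of the DNSKEY flags field as defined by RFC 5011.

```python
# Added example, not OpenDNSSEC code: derive a key's roles from the
# orthogonal KSK / ZSK / Publish flags quoted from signconf.rnc, and
# report combinations that are possible but may not make sense.
# Flags, Algorithm and Locator are assumed element names; the sample
# XML and the locator strings are constructed for this example.
import xml.etree.ElementTree as ET

REVOKE_BIT = 0x0080  # RFC 5011 REVOKE bit in the DNSKEY Flags field

SAMPLE_SIGNCONF = """<SignerConfiguration>
  <Zone name="example.test">
    <Keys>
      <Key>  <!-- current KSK: signs the DNSKEY RRset, is published -->
        <Flags>257</Flags><Algorithm>8</Algorithm>
        <Locator>ksk-current</Locator><KSK/><Publish/>
      </Key>
      <Key>  <!-- current ZSK: signs everything else, is published -->
        <Flags>256</Flags><Algorithm>8</Algorithm>
        <Locator>zsk-current</Locator><ZSK/><Publish/>
      </Key>
      <Key>  <!-- next ZSK: pre-published only, signs nothing yet -->
        <Flags>256</Flags><Algorithm>8</Algorithm>
        <Locator>zsk-next</Locator><Publish/>
      </Key>
      <Key>  <!-- old KSK with the 5011 revoke bit set (257 | 128) -->
        <Flags>385</Flags><Algorithm>8</Algorithm>
        <Locator>ksk-revoked</Locator><KSK/><Publish/>
      </Key>
      <Key>  <!-- nonsense: signs but is never put in the zone -->
        <Flags>256</Flags><Algorithm>8</Algorithm>
        <Locator>zsk-bogus</Locator><ZSK/>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>
"""


def parse_keys(signconf_xml):
    """Map each <Key> to the three independent decisions the signer makes."""
    keys = []
    for key in ET.fromstring(signconf_xml).iter("Key"):
        keys.append({
            "locator": key.findtext("Locator"),
            "flags": int(key.findtext("Flags")),
            "publish": key.find("Publish") is not None,   # in the zonefile?
            "sign_dnskey": key.find("KSK") is not None,   # signs DNSKEY RRset?
            "sign_other": key.find("ZSK") is not None,    # signs other RRsets?
        })
    return keys


def published_keys(keys):
    """Locators of keys whose DNSKEY record goes into the zone."""
    return [k["locator"] for k in keys if k["publish"]]


def signing_keys_for(rrtype, keys):
    """Which keys sign an RRset of this type: KSKs for DNSKEY, ZSKs otherwise."""
    role = "sign_dnskey" if rrtype == "DNSKEY" else "sign_other"
    return [k["locator"] for k in keys if k[role]]


def check_keys(keys):
    """Report flag combinations that validate against the schema but are
    useless or dangerous for a served zone."""
    problems = []
    if not signing_keys_for("DNSKEY", keys):
        problems.append("zone: no key signs the DNSKEY RRset")
    if not signing_keys_for("SOA", keys):
        problems.append("zone: no key signs the non-DNSKEY RRsets")
    for k in keys:
        loc, signs = k["locator"], k["sign_dnskey"] or k["sign_other"]
        if signs and not k["publish"]:
            problems.append(f"{loc}: signs but is not published, so resolvers "
                            "cannot validate its signatures")
        if not signs and not k["publish"]:
            problems.append(f"{loc}: no KSK, ZSK or Publish flag, key is a no-op")
        if k["flags"] & REVOKE_BIT:
            # RFC 5011: a revoked key stays published and signs the DNSKEY
            # RRset itself, so resolvers can verify the revocation.
            if not (k["publish"] and k["sign_dnskey"]):
                problems.append(f"{loc}: revoked key must stay published and "
                                "sign the DNSKEY RRset (RFC 5011)")
            if k["sign_other"]:
                problems.append(f"{loc}: revoked key should not sign "
                                "non-DNSKEY RRsets")
    return problems


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_SIGNCONF)
    print("published:", published_keys(keys))
    print("DNSKEY signers:", signing_keys_for("DNSKEY", keys))
    print("other signers:", signing_keys_for("A", keys))
    for problem in check_keys(keys):
        print("WARNING", problem)
```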
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 8 Jun 2009 08:25:25 +0200
Subject: [Opendnssec-develop] Product page
Message-ID: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se>

Hi

Our marketing department now wants to start work on our product page. Is it ok for all of you if we move our development wiki to a subdomain / subdirectory when the product page is ready? Do you have any requirements or ideas on content, colour theme, pages to get inspiration from, etc? Feel free to comment.

// Rickard
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 09:38:28 +0200
Subject: [Opendnssec-develop] Product page
In-Reply-To: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se>
Message-ID:

On 8 jun 2009, at 08.25, Rickard Bondesson wrote:

> Our marketing department now wants to start work on our product page. Is it ok for all of you if we move our development wiki to a subdomain / subdirectory when the product page is ready? Do you have any requirements or ideas on content, colour theme, pages to get inspiration from, etc? Feel free to comment.

we can move the current stuff to /trac right away and keep redirects for compatibility reasons. when we have a "product" page we'll just replace the front page with that one. seems fair?

jakob

From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 8 Jun 2009 09:40:14 +0200
Subject: [Opendnssec-develop] Product page
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se>
Message-ID: <69830D4127201D4EBD146B9041199718C694A5@EXCHANGE.office.nic.se>

> we can move the current stuff to /trac right away and keep redirects for compatibility reasons. when we have a "product" page we'll just replace the front page with that one. seems fair?
>
> jakob

+1
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 09:43:36 +0200
Subject: [Opendnssec-develop] Product page
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se>
Message-ID: <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se>

On 8 jun 2009, at 09.38, Jakob Schlyter wrote:

> On 8 jun 2009, at 08.25, Rickard Bondesson wrote:
>
>> Our marketing department now wants to start work on our product
>> page. Is it ok for all of you if we move our development wiki to a
>> subdomain / subdirectory when the product page is ready? Do you
>> have any requirements or ideas on content, colour theme, pages to
>> get inspiration from, etc? Feel free to comment.
>
> we can move the current stuff to /trac right away and keep redirects
> for compatibility reasons. when we have a "product" page we'll just
> replace the front page with that one. seems fair?

(replying to myself...)

or just move everything current to trac.opendnssec.se to keep things cleaner and independent - easier and less error-prone I believe.

j

From jelte at NLnetLabs.nl Mon Jun 8 08:16:11 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Mon, 08 Jun 2009 10:16:11 +0200
Subject: [Opendnssec-develop] Product page
In-Reply-To: <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se>
Message-ID: <4A2CC8CB.5070807@NLnetLabs.nl>

Jakob Schlyter wrote:
> On 8 jun 2009, at 09.38, Jakob Schlyter wrote:
>
>> On 8 jun 2009, at 08.25, Rickard Bondesson wrote:
>>
>>> Our marketing department now wants to start work on our product page.
>>> Is it ok for all of you if we move our development wiki to a
>>> subdomain / subdirectory when the product page is ready? Do you have
>>> any requirements or ideas on content, colour theme, pages to get
>>> inspiration from, etc? Feel free to comment.
>>
>> we can move the current stuff to /trac right away and keep redirects
>> for compatibility reasons. when we have a "product" page we'll just
>> replace the front page with that one. seems fair?
>
> (replying to myself...)
>
> or just move everything current to trac.opendnssec.se to keep things
> cleaner and independent - easier and less error-prone I believe.
>

+1, but if we're going for clean, I would like to add that trac is merely a specific implementation, and specifying the purpose is better than the name of the tool in such a case.

Jelte

From jakob at kirei.se Mon Jun 8 08:19:38 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 10:19:38 +0200
Subject: [Opendnssec-develop] Product page
In-Reply-To: <4A2CC8CB.5070807@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <4A2CC8CB.5070807@NLnetLabs.nl>
Message-ID:

On 8 jun 2009, at 10.16, Jelte Jansen wrote:

> Jakob Schlyter wrote:
>> On 8 jun 2009, at 09.38, Jakob Schlyter wrote:
>>> On 8 jun 2009, at 08.25, Rickard Bondesson wrote:
>>>
>>>> Our marketing department now wants to start work on our product
>>>> page. Is it ok for all of you if we move our development wiki to
>>>> a subdomain / subdirectory when the product page is ready? Do you
>>>> have any requirements or ideas on content, colour theme, pages to
>>>> get inspiration from, etc? Feel free to comment.
>>>
>>> we can move the current stuff to /trac right away and keep
>>> redirects for compatibility reasons. when we have a "product" page
>>> we'll just replace the front page with that one. seems fair?
>> (replying to myself...)
>> or just move everything current to trac.opendnssec.se to keep
>> things cleaner and independent - easier and less error-prone I
>> believe.
>
> +1, but if we're going for clean, I would like to add that trac is
> merely a specific implementation, and specifying the purpose is
> better than the name of the tool in such a case.

agreed, but on the other hand all links are kind of TRAC-specific and will most likely change if we change tool. and if we do, we need to make compat redirects to the new structure anyway?

jakob

From jelte at NLnetLabs.nl Mon Jun 8 08:21:57 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Mon, 08 Jun 2009 10:21:57 +0200
Subject: [Opendnssec-develop] Product page
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <4A2CC8CB.5070807@NLnetLabs.nl>
Message-ID: <4A2CCA25.3080803@NLnetLabs.nl>

Jakob Schlyter wrote:
>
> agreed, but on the other hand all links are kind of TRAC-specific and
> will most likely change if we change tool. and if we do, we need to make
> compat redirects to the new structure anyway?
>

yes. But having done something like that much too recently to be comfortable, I'd like to see those kept to a minimum :)

Jelte

From jakob at kirei.se Mon Jun 8 09:21:41 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 11:21:41 +0200
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se>
Message-ID: <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se>

ok, this is the plan:

1. move current TRAC to trac.opendnssec.se (with redirects from www.opendnssec.se)
2. put temporary placeholder website at www.opendnssec.se (redirects for trac still active)
3. wait for new website to be ready for deployment (temporary at wp.opendnssec.se)
4. set up new website at www.opendnssec.se (redirects for trac still active)

jakob

From rick at openfortress.nl Mon Jun 8 09:30:13 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Mon, 8 Jun 2009 09:30:13 +0000
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se>
Message-ID: <20090608093013.GC22687@phantom.vanrein.org>

Hi,

> 1. move current TRAC to trac.opendnssec.se (with redirects from
> www.opendnssec.se )

Or use a name that doesn't reflect the software choice, but its intention.

Also note that .org is now signed, so we can rejuvenate opendnssec.org, which is usually a better name for open source software.

-Rick

From jakob at kirei.se Mon Jun 8 09:33:18 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 11:33:18 +0200
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <20090608093013.GC22687@phantom.vanrein.org>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se> <20090608093013.GC22687@phantom.vanrein.org>
Message-ID: <6615D727-EFA7-4167-B433-C4B19FC2B6E2@kirei.se>

On 8 jun 2009, at 11.30, Rick van Rein wrote:

> Hi,
>
>> 1. move current TRAC to trac.opendnssec.se (with redirects from
>> www.opendnssec.se )
>
> Or use a name that doesn't reflect the software choice, but its
> intention.

the URL paths used are implementation-specific enough and if/when we change software, we need to redirect anyway since all paths will change. also changing hostname at that point is minor but will also make the transition easier since the old and new software don't need to run on the same host. hence, trac.opendnssec.{se,org} makes sense.

> Also note that .org is now signed, so we can rejuvenate
> opendnssec.org,
> which is usually a better name for open source software.

sure. should .org be our primary name?

jakob

From roy at nominet.org.uk Mon Jun 8 09:38:20 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Mon, 8 Jun 2009 11:38:20 +0200
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <20090608093013.GC22687@phantom.vanrein.org>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se> <20090608093013.GC22687@phantom.vanrein.org>
Message-ID:

Rick van Rein wrote on 06/08/2009 11:30:13 AM:

> Hi,
>
> > 1. move current TRAC to trac.opendnssec.se (with redirects from
> > www.opendnssec.se )
>
> Or use a name that doesn't reflect the software choice, but its intention.
>
> Also note that .org is now signed, so we can rejuvenate opendnssec.org,
> which is usually a better name for open source software.

Though they are signed, they do not accept signed delegations yet. But that shouldn't stop us from using it :-)

Roy

From olaf at NLnetLabs.nl Mon Jun 8 12:15:12 2009
From: olaf at NLnetLabs.nl (Olaf Kolkman)
Date: Mon, 8 Jun 2009 14:15:12 +0200
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <6615D727-EFA7-4167-B433-C4B19FC2B6E2@kirei.se>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se> <20090608093013.GC22687@phantom.vanrein.org> <6615D727-EFA7-4167-B433-C4B19FC2B6E2@kirei.se>
Message-ID: <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl>

On 8 jun 2009, at 11:33, Jakob Schlyter wrote:

>
> sure. should .org be our primary name?

IMHO yes.

From jakob at kirei.se Mon Jun 8 12:23:42 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 14:23:42 +0200
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se> <20090608093013.GC22687@phantom.vanrein.org> <6615D727-EFA7-4167-B433-C4B19FC2B6E2@kirei.se> <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl>
Message-ID: <3D4737C5-8356-4D9C-B45D-8A2024F1C3D0@kirei.se>

On 8 jun 2009, at 14.15, Olaf Kolkman wrote:

>
> On 8 jun 2009, at 11:33, Jakob Schlyter wrote:
>
>>
>> sure. should .org be our primary name?
>
>
> IMHO yes.

anyone not agreeing on opendnssec.org?

j

From roland.vanrijswijk at surfnet.nl Mon Jun 8 12:24:21 2009
From: roland.vanrijswijk at surfnet.nl (Roland van Rijswijk)
Date: Mon, 08 Jun 2009 14:24:21 +0200
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se> <20090608093013.GC22687@phantom.vanrein.org> <6615D727-EFA7-4167-B433-C4B19FC2B6E2@kirei.se> <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl>
Message-ID: <4A2D02F5.9020703@surfnet.nl>

Olaf Kolkman wrote:
>
> On 8 jun 2009, at 11:33, Jakob Schlyter wrote:
>
>>
>> sure. should .org be our primary name?
>
>
> IMHO yes.

+1

-- 
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From rick at openfortress.nl Mon Jun 8 12:52:19 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Mon, 8 Jun 2009 12:52:19 +0000
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se> <20090608093013.GC22687@phantom.vanrein.org> <6615D727-EFA7-4167-B433-C4B19FC2B6E2@kirei.se> <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl>
Message-ID: <20090608125219.GA25819@phantom.vanrein.org>

Hi,

> >sure. should .org be our primary name?

votes++

From Stephen.Morris at nominet.org.uk Mon Jun 8 13:43:50 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Mon, 8 Jun 2009 14:43:50 +0100
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <4A2D02F5.9020703@surfnet.nl>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se> <20090608093013.GC22687@phantom.vanrein.org> <6615D727-EFA7-4167-B433-C4B19FC2B6E2@kirei.se> <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl> <4A2D02F5.9020703@surfnet.nl>
Message-ID:

Roland van Rijswijk wrote on 08/06/2009 13:24:21:

> Olaf Kolkman wrote:
> >
> > On 8 jun 2009, at 11:33, Jakob Schlyter wrote:
> >
> >>
> >> sure. should .org be our primary name?
> >
> >
> > IMHO yes.
>
> +1

+2

Stephen

From jakob at kirei.se Mon Jun 8 14:19:47 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 16:19:47 +0200
Subject: [Opendnssec-develop] plan for new website
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se> <20090608093013.GC22687@phantom.vanrein.org> <6615D727-EFA7-4167-B433-C4B19FC2B6E2@kirei.se> <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl> <4A2D02F5.9020703@surfnet.nl>
Message-ID: <7A5ED5E3-B723-4EF4-9F24-CB1AAD801442@kirei.se>

On 8 jun 2009, at 15.43, Stephen.Morris at nominet.org.uk wrote:

> Roland van Rijswijk wrote on
> 08/06/2009
> 13:24:21:
>
>> Olaf Kolkman wrote:
>>>
>>> On 8 jun 2009, at 11:33, Jakob Schlyter wrote:
>>>
>>>>
>>>> sure. should .org be our primary name?
>>>
>>>
>>> IMHO yes.
>>
>> +1
>
> +2

I will make the change now and also move the trac stuff to trac.opendnssec.org.

j

From jelte at NLnetLabs.nl Mon Jun 8 14:22:28 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Mon, 08 Jun 2009 16:22:28 +0200
Subject: [Opendnssec-develop] libtool and dependency in statics
Message-ID: <4A2D1EA4.4070002@NLnetLabs.nl>

from a bit of experimenting after a build failure in the enforcer, I just found out that libtool appears to do some form of lazy linking in its output: libhsm.la depends on libldns.la, but it doesn't remember its location (I don't use default paths for self-built software)

So when building the enforcer libtool wants libldns.la to be in /usr/local/lib, and since the configure there rightfully does not contain an option --with-ldns=, it fails. Until I remove libhsm.la at the target (in this case ~/opt/opendnssec/lib/libhsm.la).

Does anyone know if there is some magic chant for libtool to include the needed ldns function in libhsm.la (or let it search the right location for libldns.la, it does seem to be written into that .la file, but appears to be ignored...)

Jelte

From jakob at kirei.se Mon Jun 8 14:27:16 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 16:27:16 +0200
Subject: [Opendnssec-develop] plan for new website
In-Reply-To: <7A5ED5E3-B723-4EF4-9F24-CB1AAD801442@kirei.se>
References: <69830D4127201D4EBD146B9041199718C6949B@EXCHANGE.office.nic.se> <61617EB1-8EE2-4946-B466-31FC79449E9C@kirei.se> <02372FC7-8F6A-4EC0-985D-492126AE11C6@kirei.se> <20090608093013.GC22687@phantom.vanrein.org> <6615D727-EFA7-4167-B433-C4B19FC2B6E2@kirei.se> <3C0C611F-4543-4664-9FE9-DA5B611CE288@NLnetLabs.nl> <4A2D02F5.9020703@surfnet.nl> <7A5ED5E3-B723-4EF4-9F24-CB1AAD801442@kirei.se>
Message-ID: <5BF74FA6-5E5B-4534-8DC4-B77FABF3B82F@kirei.se>

On 8 jun 2009, at 16.19, Jakob Schlyter wrote:

> I will make the change now and also move the trac stuff to
> trac.opendnssec.org.

done.

jakob

From rick at openfortress.nl Mon Jun 8 14:45:21 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Mon, 8 Jun 2009 14:45:21 +0000
Subject: [Opendnssec-develop] libtool and dependency in statics
In-Reply-To: <4A2D1EA4.4070002@NLnetLabs.nl>
References: <4A2D1EA4.4070002@NLnetLabs.nl>
Message-ID: <20090608144521.GA27262@phantom.vanrein.org>

Hi Jelte,

> Does anyone know if there is some magic chant for libtool to include the needed
> ldns function in libhsm.la (or let it search the right location for
> libldns.la, it does seem to be written into that .la file, but appears to
> be ignored...)

There is a chant called -rpath for ld, can you translate that to libtool?

    -rpath dir
        Add a directory to the runtime library search path.

    -rpath-link DIR

I never used libtool (as a developer) so maybe I'm stating the obvious here.

-Rick

From jakob at kirei.se Mon Jun 8 14:48:58 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 16:48:58 +0200
Subject: [Opendnssec-develop] libtool and dependency in statics
In-Reply-To: <4A2D1EA4.4070002@NLnetLabs.nl>
References: <4A2D1EA4.4070002@NLnetLabs.nl>
Message-ID: <46670C1D-F909-4CCA-85A1-2C9D7F1261CB@kirei.se>

On 8 jun 2009, at 16.22, Jelte Jansen wrote:

> from a bit of experimenting after a build failure in the enforcer, I
> just found out that libtool appears to do some form of lazy linking
> in its output: libhsm.la depends on libldns.la, but it doesn't
> remember its location (I don't use default paths for self-built
> software)
>
> So when building the enforcer libtool wants libldns.la to be in /usr/
> local/lib, and since the configure there rightfully does not contain
> an option --with-ldns=, it fails. Until I remove libhsm.la at the
> target (in this case ~/opt/opendnssec/lib/libhsm.la).
>
> Does anyone know if there is some magic chant for libtool to include the
> needed ldns function in libhsm.la (or let it search the right
> location for libldns.la, it does seem to be written into that .la
> file, but appears to be ignored...)

one should also note that the enforcer does not use any functions in libhsm that actually depend on ldns, so ldns shouldn't even be needed in the first place (that's why we moved DNS-specific functions to libhsmdns.h).

jakob

From jakob at kirei.se Mon Jun 8 18:55:23 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 8 Jun 2009 20:55:23 +0200
Subject: [Opendnssec-develop] hsmspeed using libhsm
Message-ID: <28EAA029-EE17-4B6A-9C7D-65BC854042ED@kirei.se>

hi,

I just wrote a small toy to test signing speed using libhsm. I should add multiple threads as well I guess, but that's for another evening...

jakob

kuriputo> ./hsmspeed -f conf-softhsm.xml -i 10000
Opening HSM Library...
Generating temporary key...
Temporary key created: 611b4dbb03a1499493b0a046a7cc281a
Signing 10000 RRsets...
Signing done. 10000 signatures, 503.78 sig/s
Deleting temporary key...

kuriputo> ./hsmspeed -f conf-sca6000.xml -i 10000
Opening HSM Library...
Generating temporary key...
Temporary key created: 549fa80a1c99ec1ed299af892b0907ea
Signing 10000 RRsets...
Signing done. 10000 signatures, 2656.01 sig/s
Deleting temporary key...

From rickard.bondesson at iis.se Wed Jun 10 13:32:26 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 10 Jun 2009 15:32:26 +0200
Subject: [Opendnssec-develop] DateTime::Duration
Message-ID: <69830D4127201D4EBD146B9041199718D2493E@EXCHANGE.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi

All of our times in the configurations are positive, except in one case:

-PT300S

The reason this duration is negative is because we want the signatures to be valid before the current time when signing. But the kaspimport can not save negative numbers in the database. This fix would correct that problem if added to the duration2sec function:

*****
if ( $d->is_negative ) {
    $sec = $sec * -1;
}
*****

The next problem is when generating the zone config. All output from the communicated to the XML is in the format "PTxxxS", where xxx is pure integer. This means that there must be checks for negative numbers in communicated so that we use the format "-PTxxxS".

The best solution would be to only use positive durations in the config files and let the Signer Engine subtract the duration in this single case.

Any comments? We need a fix because current code will not generate valid signatures (but they are valid 5 minutes later in this case).

// Rickard

From rickard.bondesson at iis.se Wed Jun 10 13:41:37 2009
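The duration handling the message above describes, as an added example in Python (not the project's Perl duration2sec, not the communicator and not the signer engine's own code; the function names and the sample timestamp are assumptions): the sign of -PT300S survives the conversion to seconds, is written back in front of P rather than inside the number, and the signer subtracts the skew so the RRSIG is already valid at signing time.

```python
import re
from datetime import datetime, timedelta, timezone

# Added example, not OpenDNSSEC's own code. Only the W/D and T components are
# supported: years and months have no fixed length in seconds, which is the
# reason the database stores seconds in the first place.
_DURATION_RE = re.compile(
    r"^(?P<sign>[-+]?)P(?:(?P<weeks>\d+)W)?(?:(?P<days>\d+)D)?"
    r"(?:T(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)
_MULTIPLIER = {"weeks": 7 * 86400, "days": 86400, "hours": 3600,
               "minutes": 60, "seconds": 1}


def duration2sec(text):
    """Signed seconds for an ISO 8601 duration such as PT300S, P1DT2H, -PT300S."""
    s = text.strip()
    m = _DURATION_RE.match(s)
    if m is None or s.endswith("T"):
        raise ValueError("unsupported ISO 8601 duration: %r" % text)
    parts = {k: int(v) for k, v in m.groupdict().items()
             if k != "sign" and v is not None}
    if not parts:
        raise ValueError("empty duration: %r" % text)
    sec = sum(_MULTIPLIER[k] * v for k, v in parts.items())
    # Same effect as the proposed `if ($d->is_negative) { $sec = $sec * -1 }`:
    # keep the sign instead of silently turning -PT300S into +300.
    return -sec if m.group("sign") == "-" else sec


def sec2duration(sec):
    """The PTxxxS form written into the zone config; a negative value puts the
    sign in front of P (-PT300S), never inside the number (PT-300S)."""
    return ("-" if sec < 0 else "") + "PT%dS" % abs(sec)


def rrsig_validity(now, clockskew_sec, validity_sec):
    """Inception/expiration of an RRSIG made at `now`, following the proposal
    that the config carries a positive clock skew and the signer subtracts it.
    The skew is treated as a magnitude, so a legacy -PT300S behaves the same."""
    inception = now - timedelta(seconds=abs(clockskew_sec))
    expiration = now + timedelta(seconds=validity_sec)
    return inception, expiration


def rrsig_valid_at(t, inception, expiration):
    """A validator accepts the signature only inside [inception, expiration]."""
    return inception <= t <= expiration


# Constructed timestamp for the demo (the date of the message above).
SAMPLE_NOW = datetime(2009, 6, 10, 15, 32, 26, tzinfo=timezone.utc)

if __name__ == "__main__":
    skew = duration2sec("-PT300S")            # -300, sign preserved
    print("clockskew", skew, "->", sec2duration(skew))
    inc, exp = rrsig_validity(SAMPLE_NOW, skew, duration2sec("P7D"))
    print("valid at signing time:", rrsig_valid_at(SAMPLE_NOW, inc, exp))
    # What the sign-dropping import produced: the skew was added instead of
    # subtracted, so the RRSIG only became valid five minutes after signing.
    bad_inc = SAMPLE_NOW + timedelta(seconds=abs(skew))
    print("sign dropped, valid now:", rrsig_valid_at(SAMPLE_NOW, bad_inc, exp))
    later = SAMPLE_NOW + timedelta(seconds=300)
    print("sign dropped, valid 5 min later:", rrsig_valid_at(later, bad_inc, exp))
```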
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 10 Jun 2009 15:41:37 +0200
Subject: [Opendnssec-develop] DateTime::Duration
In-Reply-To: <69830D4127201D4EBD146B9041199718D2493E@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D2493E@EXCHANGE.office.nic.se>
Message-ID: <69830D4127201D4EBD146B9041199718D24943@EXCHANGE.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> Any comments?

Or should we use the simple and ugly solution:

Index: trunk/enforcer/communicated/communicator.c =================================================================== - --- trunk/enforcer/communicated/communicator.c (revision 989) +++ trunk/enforcer/communicated/communicator.c (working copy) @@ -353,7 +353,7 @@ fprintf(file, "\t\t\t\tPT%dS\n", policy->signature->valdenial); fprintf(file, "\t\t\t\n"); fprintf(file, "\t\t\tPT%dS\n", policy->signer->jitter); - - fprintf(file, "\t\t\tPT%dS\n", policy->signature->clockskew); + fprintf(file, "\t\t\t-PT%dS\n", policy->signature->clockskew); fprintf(file, "\t\t\n"); fprintf(file, "\n");

From sion at nominet.org.uk Wed Jun 10 13:53:31 2009
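Review bot: the changed fprintf in the hunk hard-codes the sign by printing `-PT%dS` for `policy->signature->clockskew`, so it is only correct while the stored value is positive; if the import ever keeps the sign (the `is_negative` change proposed in the previous message), the output becomes `-PT-300S`, which is not a valid duration. Derive the sign from the value instead (print `-PT%dS` with the negated value when `clockskew < 0`, plain `PT%dS` otherwise), or keep the config positive and let the signer subtract, as that message proposes. Note also that the `- ---` file header is PGP clearsign dash-escaping, so the patch as pasted will not apply until that line is un-escaped.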
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Wed, 10 Jun 2009 14:53:31 +0100
Subject: [Opendnssec-develop] DateTime::Duration
In-Reply-To: <69830D4127201D4EBD146B9041199718D2493E@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D2493E@EXCHANGE.office.nic.se>
Message-ID:

> The best solution would be to only use positive durations in the config
> files and let the Signer Engine subtract the duration in this single case.

+1

Although I am also happy to fix communicator.c if people would rather that.

Sion

From jelte at NLnetLabs.nl Thu Jun 11 08:00:09 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Thu, 11 Jun 2009 10:00:09 +0200
Subject: [Opendnssec-develop] list archive certificate
Message-ID: <4A30B989.3050103@NLnetLabs.nl>

Hi,

I just noticed the list archives have an https certificate that points to the wrong name (lists.nominet.org.uk). Would it be a lot of trouble to put in a correct one here?

Jelte

From roy at nominet.org.uk Thu Jun 11 08:57:09 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Thu, 11 Jun 2009 10:57:09 +0200
Subject: [Opendnssec-develop] list archive certificate
In-Reply-To: <4A30B989.3050103@NLnetLabs.nl>
References: <4A30B989.3050103@NLnetLabs.nl>
Message-ID:

> [Opendnssec-develop] list archive certificate
>
> Hi,
>
> I just noticed the list archives have an https certificate that points to the
> wrong name (lists.nominet.org.uk). Would it be a lot of trouble to put in a
> correct one here?

I'm on it.

Roy

From jelte at NLnetLabs.nl Fri Jun 12 09:52:45 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Fri, 12 Jun 2009 11:52:45 +0200
Subject: [Opendnssec-develop] checks for changed zone config and zone input files
Message-ID: <4A32256D.8090805@NLnetLabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

it appears we may have a specification discrepancy about some of the input files for the signer engine.

Currently, the engine reads the zone configuration files on startup, and re-reads them when it gets the 'update' command. It does not regularly check if they have changed. The reason for this is that I want to keep disk access down a bit, and continual polling/parsing seems overkill.

I could do it on every re-sign run, but in that case it might take a while before a change is accepted (for instance, if you change the re-sign interval from very long to very short, it will take the very-long time to discover that it has changed). In those cases it would make sense that the engine is told that there is a change, and my understanding was, if that is needed in some cases, why not just do it every time the config has changed (btw, currently there is only a 'check-all-configs' command, I could make it more specific into a 'check-this-zone-for-new-config').

So IMHO, it would make sense for the communicator to tell the engine that it has changed a zone configuration. But of course you are allowed to differ in opinion :)

Kind of the same reasoning goes for the zone input file, but this time it would be the administrator/frontend to do the kicking (through the 'sign ' command).

Should these be changed?

Jelte

From jakob at kirei.se Fri Jun 12 10:05:35 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 12 Jun 2009 06:05:35 -0400
Subject: [Opendnssec-develop] checks for changed zone config and zone input files
In-Reply-To: <4A32256D.8090805@NLnetLabs.nl>
References: <4A32256D.8090805@NLnetLabs.nl>
Message-ID:

On 12 jun 2009, at 05.52, Jelte Jansen wrote:

> Currently, the engine reads the zone configuration files on startup,
> and re-reads them when it gets the 'update' command. It does not
> regularly check if they have changed. The reason for this is that I
> want to keep disk access down a bit, and continual polling/parsing
> seems overkill.

do you think that stat(2) all input files once every X minutes is overkill?

> I could do it on every re-sign run, but in that case it might take a
> while before a change is accepted (for instance, if you change the
> re-sign interval from very long to very short, it will take the
> very-long time to discover that it has changed). In those cases it
> would make sense that the engine is told that there is a change, and
> my understanding was, if that is needed in some cases, why not just
> do it every time the config has changed (btw, currently there is
> only a 'check-all-configs' command, I could make it more specific
> into a 'check-this-zone-for-new-config').

yes, checking a specific file makes sense to me. you would check the zone config every time the zone input file has changed as well I guess.

> So IMHO, it would make sense for the communicator to tell the engine
> that it has changed a zone configuration. But of course you are
> allowed to differ in opinion :)

I think we can add that for a later version - perhaps some command socket that it can notify the signer via.

> Kind of the same reasoning goes for the zone input file, but this
> time it would be the administrator/frontend to do the kicking
> (through the 'sign ' command).

right.

jakob

From jelte at NLnetLabs.nl Fri Jun 12 10:59:09 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Fri, 12 Jun 2009 12:59:09 +0200
Subject: [Opendnssec-develop] checks for changed zone config and zone input files
In-Reply-To:
References: <4A32256D.8090805@NLnetLabs.nl>
Message-ID: <4A3234FD.7000709@NLnetLabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jakob Schlyter wrote:
> On 12 jun 2009, at 05.52, Jelte Jansen wrote:
>
>> Currently, the engine reads the zone configuration files on startup, and
>> re-reads them when it gets the 'update' command. It does not regularly
>> check if they have changed. The reason for this is that I want to keep
>> disk access down a bit, and continual polling/parsing seems overkill.
>
> do you think that stat(2) all input files once every X minutes is overkill?
>

if I understood correctly, most files are rewritten by the communicator, even if there are no changes, so there would be quite a bit of parsing involved (this is just hearsay right now, so please correct me :) )

>> So IMHO, it would make sense for the communicator to tell the engine
>> that it has changed a zone configuration. But of course you are allowed
>> to differ in opinion :)
>
> I think we can add that for a later version - perhaps some command
> socket that it can notify the signer via.
>

well, the engine has this already (plain text commands on tcp localhost:47806), to which signer_engine_cli is just a front-end

From sion at nominet.org.uk Fri Jun 12 11:04:49 2009
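One way to get the cheap stat(2) poll Jakob suggests without re-parsing the configs the communicator rewrites unchanged, as an added example in Python (not the signer engine's own code; `ConfigWatcher`, its verdict strings and the zone config fragments are constructed for the demo): stat is the only cost on the common path, and the file is read and hashed only when its stat result moved, so a rewrite with identical bytes is recognised as such and skipped.

```python
import hashlib
import os
import tempfile


class ConfigWatcher:
    """Per-file change tracker for a polling loop (added example, assumed names)."""

    def __init__(self):
        # path -> ((mtime_ns, size), sha256 hexdigest of the last content seen)
        self._state = {}

    def check(self, path):
        """Classify `path` as 'new', 'unchanged', 'rewritten' or 'changed'.

        'rewritten' is the communicator case: a fresh mtime but identical
        bytes, so no re-parse is needed. Caveat: a rewrite with different
        content but the same size inside one timestamp tick (whole seconds on
        coarse filesystems) is reported 'unchanged'; if that matters, hash on
        every poll instead of only after a stat change."""
        st = os.stat(path)
        stat_key = (st.st_mtime_ns, st.st_size)
        prev = self._state.get(path)
        if prev is not None and prev[0] == stat_key:
            return "unchanged"          # cheap path: one stat(2), nothing read
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        self._state[path] = (stat_key, digest)
        if prev is None:
            return "new"                # first sight: must be parsed
        return "rewritten" if prev[1] == digest else "changed"


# Constructed zone config fragments for the demo (not the real schema).
ZONE_CONF_V1 = b'<Zone name="example.com"><Resign>PT7200S</Resign></Zone>\n'
ZONE_CONF_V2 = b'<Zone name="example.com"><Resign>PT600S</Resign></Zone>\n'
BASE_MTIME = 1244640000  # constructed epoch seconds, pinned for determinism


def _write(path, data, mtime_s):
    """Write `data` and pin the mtime so the demo does not depend on the clock."""
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime_s, mtime_s))


def demo():
    """Run the four cases against a temporary file and return their verdicts."""
    watcher = ConfigWatcher()
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example.com.xml")
        _write(path, ZONE_CONF_V1, BASE_MTIME)
        results.append(watcher.check(path))   # new
        results.append(watcher.check(path))   # unchanged: stat only
        # The communicator rewrites the same bytes with a newer mtime.
        _write(path, ZONE_CONF_V1, BASE_MTIME + 1)
        results.append(watcher.check(path))   # rewritten: same hash, skip parse
        # A real policy change: shorter re-sign interval.
        _write(path, ZONE_CONF_V2, BASE_MTIME + 2)
        results.append(watcher.check(path))   # changed: re-parse
    return results


if __name__ == "__main__":
    print(demo())
```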
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Fri, 12 Jun 2009 12:04:49 +0100
Subject: [Opendnssec-develop] checks for changed zone config and zone input files
In-Reply-To: <4A3234FD.7000709@NLnetLabs.nl>
References: <4A32256D.8090805@NLnetLabs.nl> <4A3234FD.7000709@NLnetLabs.nl>
Message-ID:

> if I understood correctly, most files are rewritten by the
> communicator, even if there are no changes, so there would be quite
> a bit of parsing involved (this is just hearsay right now, so please
> correct me :) )

That is certainly correct at the moment. I can look to change this behaviour if it makes things simpler.

Sion

From jakob at kirei.se Fri Jun 12 12:21:24 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 12 Jun 2009 08:21:24 -0400
Subject: [Opendnssec-develop] checks for changed zone config and zone input files
In-Reply-To:
References: <4A32256D.8090805@NLnetLabs.nl> <4A3234FD.7000709@NLnetLabs.nl>
Message-ID: <8E469D8F-323E-41DC-9932-3AA4F61D60BA@kirei.se>

On 12 jun 2009, at 07.04, sion at nominet.org.uk wrote:

>> if I understood correctly, most files are rewritten by the
>> communicator, even if there are no changes, so there would be quite
>> a bit of parsing involved (this is just hearsay right now, so please
>> correct me :) )
>
> That is certainly correct at the moment. I can look to change this
> behaviour if it makes things simpler.

yes, that would be a lot better. just rewrite the config if it actually changed.

jakob

From jakob at kirei.se Fri Jun 12 14:51:25 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 12 Jun 2009 10:51:25 -0400
Subject: [Opendnssec-develop] libhsm speed tests with sca6k
Message-ID: <1D5AD2E3-BD2F-40AC-B9EF-8D0F0EE93A37@kirei.se>

128 threads, 1000 signatures per thread, 13387.46 sig/s (RSA 1024 bits)

doesn't seem that libhsm adds too much overhead. good.

From roy at nominet.org.uk Fri Jun 12 21:19:01 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Fri, 12 Jun 2009 23:19:01 +0200
Subject: [Opendnssec-develop] libhsm speed tests with sca6k
In-Reply-To: <1D5AD2E3-BD2F-40AC-B9EF-8D0F0EE93A37@kirei.se>
References: <1D5AD2E3-BD2F-40AC-B9EF-8D0F0EE93A37@kirei.se>
Message-ID:

Jakob Schlyter wrote on 06/12/2009 04:51:25 PM:

> 128 threads, 1000 signatures per thread, 13387.46 sig/s (RSA 1024 bits)
>
> doesn't seem that libhsm adds too much overhead. good.

:-)

From jakob at kirei.se Tue Jun 16 08:09:22 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 16 Jun 2009 10:09:22 +0200
Subject: [Opendnssec-develop] XXX_{INCLUDES,LIBS} vs CPPFLAGS & LDFLAGS
Message-ID:

hi,

we're not consistent how we use auto{make,conf} and external packages. for some components we set XXX_{INCLUDES,LIBS} and have each component add them in each Makefile. for some components we set CPPFLAGS & LDFLAGS. for some we let the components AC_SUBST the XXX_{INCLUDES,LIBS}, and for some we use the makefile variables.

any thoughts? I suggest we set XXX_{INCLUDES,LIBS} and use them as makefile variables.

jakob

-- 
Jakob Schlyter
Kirei AB - http://www.kirei.se/

From rickard.bondesson at iis.se Tue Jun 16 13:47:19 2009
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Tue, 16 Jun 2009 15:47:19 +0200 Subject: [Opendnssec-develop] Meeting 16 June Message-ID: <69830D4127201D4EBD146B9041199718D24CF7@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Next meeting is tomorrow. Date: Wednesday 16 June Time: 14:00-15:00 CEST Please update the agenda if you have more topics: http://trac.opendnssec.org/wiki/Meetings/Agenda/2009-06-16 // Rickard -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSjeiZ+CjgaNTdVjaAQi2+gf9GDJko09Jnu/wNfk1i3aK+1N/1myIbxrr FWSarcZ5Ad1bK+Lz8RGHSoPQbPT8S9AWbZzheFudHRGxBj2pC5UMAQoCfpNz4mOS lV1sgExLO+Fvz8e2lvGOBNmI1XV8WJe3wrrIOzwiWAFh8N/HjSY+2LQuTlQmAKLy hLZSi541vmRlDEc/orWeqjCb8UZCM9uEYTOSq/E37tA0L8WTEdwET0ygQ3Y8keXi BhDVo026+lU9k+poFJPhAWSHVjvmjWzfdk3eaFsQxjb242QcPlu8DlaIcQNguDxV NH7vbG01je6Wn9snAK93c+j+c+HWreK8RVKzKGO+99wFVRi9sGsnhQ== =MYaS -----END PGP SIGNATURE----- From jakob at kirei.se Tue Jun 16 13:57:15 2009 From: jakob at kirei.se (Jakob Schlyter) Date: Tue, 16 Jun 2009 15:57:15 +0200 Subject: [Opendnssec-develop] Aladdin eToken as HSM with libhsm Message-ID: <0A422713-3995-4CC1-A799-2FFA4A2C1A96@kirei.se> 1 thread, 10 signatures per thread, 9.07 sig/s (RSA 1024 bits) 1 thread, 10 signatures per thread, 2.74 sig/s (RSA 2048 bits) nice. From rickard.bondesson at iis.se Tue Jun 16 14:21:33 2009 
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 16 Jun 2009 16:21:33 +0200
Subject: [Opendnssec-develop] Meeting 16 June
In-Reply-To: <69830D4127201D4EBD146B9041199718D24CF7@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D24CF7@EXCHANGE.office.nic.se>
Message-ID: <69830D4127201D4EBD146B9041199718D24CFF@EXCHANGE.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It should be the 17th, not the 16th... Sorry

> -----Original message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org
> [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On behalf of
> Rickard Bondesson
> Sent: 16 June 2009 15:47
> To: Opendnssec-develop at lists.opendnssec.org
> Subject: [Opendnssec-develop] Meeting 16 June
>
> * PGP Signed: 06/16/09 at 15:47:19
>
> Next meeting is tomorrow.
>
> Date: Wednesday 16 June
> Time: 14:00-15:00 CEST
>
> Please update the agenda if you have more topics:
>
> http://trac.opendnssec.org/wiki/Meetings/Agenda/2009-06-16
>
> // Rickard
>
> * Rickard Bondesson
> * 0x537558DA(L)
>
>

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSjeqbeCjgaNTdVjaAQgZHwf+NlJgrB7JVNOEu7+r536lR7vIGmmsvZih
uOC3bKiWoiKrETFfc986yRJxIAkotDGvfFSxpPTT5FhmbKhk7ftIh/Q/RnR5UtMq
Ys4QPTok1OhY6C5HlDcsQZJcvl8s+za/GYTdvZdGrthdkkngVgiot3bIBsqqlXp5
Bze1EK+j+BdBzKmtwttioLYBZganCsZ6cH1TUcBZOW3RzZ2jJCKhS+Y4RwFzFtR0
g+xQY0V68IlgYIwQV5cV0h+XqDVvQxs2SHO3e5S9lrwg7TgYmgwDiFZNCrnQNIL3
mkfdGrceqevZxH1HmjZTUoGxo9I3bHNUXJvfWnzu5r1dBDomh72vBQ==
=35KE
-----END PGP SIGNATURE-----

From rick at openfortress.nl Wed Jun 17 19:36:06 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 17 Jun 2009 19:36:06 +0000
Subject: [Opendnssec-develop] hsmbully -> back to square one :(
Message-ID: <20090617193606.GA1857@phantom.vanrein.org>

Gents,

I just lost all my hsmbully code in an attempt to "quickly" check it in at
the end of a long, tiring day. (svn checkin was unwantedly recursive, and
the subsequent svn del -f did more than just remove from the repo listing.)

This is a setback, but luckily it has no dependencies with the mainstream
code of OpenDNSSEC. I'll be pressed for time in the weeks to come, so I am
trying to have it done before 2 more weeks. A few upcoming long train
travels may be just the thing I need for that.

Apologies,

-Rick

From jakob at kirei.se Wed Jun 17 21:05:56 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 17 Jun 2009 23:05:56 +0200
Subject: [Opendnssec-develop] hsmbully -> back to square one :(
In-Reply-To: <20090617193606.GA1857@phantom.vanrein.org>
References: <20090617193606.GA1857@phantom.vanrein.org>
Message-ID: <80C735F2-A30E-4046-9133-CB4FA5EA3AB6@kirei.se>

On 17 jun 2009, at 21.36, Rick van Rein wrote:

> I just lost all my hsmbully code in an attempt to "quickly" check it in at
> the end of a long, tiring day. (svn checkin was unwantedly recursive, and
> the subsequent svn del -f did more than just remove from the repo listing.)
>
> This is a setback, but luckily it has no dependencies with the mainstream
> code of OpenDNSSEC. I'll be pressed for time in the weeks to come, so I am
> trying to have it done before 2 more weeks. A few upcoming long train
> travels may be just the thing I need for that.

would it make sense to write the conformance test tool using libhsm? in
that case I believe it might be rather quick to get some results.

jakob

From rick at openfortress.nl Wed Jun 17 22:23:26 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 17 Jun 2009 22:23:26 +0000
Subject: [Opendnssec-develop] hsmbully -> back from square one ;-)
In-Reply-To: <20090617193606.GA1857@phantom.vanrein.org>
References: <20090617193606.GA1857@phantom.vanrein.org>
Message-ID: <20090617222326.GF2638@phantom.vanrein.org>

Hah!

> I just lost all my hsmbully code in an attempt to "quickly" check it in [...]

Linux doesn't lend itself to forcing humility onto developers ;-)

I recovered the files and checked them in. They're in SVN now.
Of course I tested for recovery mistakes first.

Short story:

  ext3grep /dev/sdaN --restore-file /path/to/hsmbully.c --deleted

Long story:

  http://www.xs4all.nl/~carlo17/howto/undelete_ext3.html

Cheers,

-Rick

From rickard.bondesson at iis.se Fri Jun 19 13:25:57 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Fri, 19 Jun 2009 15:25:57 +0200
Subject: [Opendnssec-develop] Amsterdam
Message-ID:

Please indicate if you will attend, so Jelte can order lunch.

Rickard: will attend both days

From jakob at kirei.se Fri Jun 19 14:56:45 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 19 Jun 2009 16:56:45 +0200
Subject: [Opendnssec-develop] Amsterdam
In-Reply-To:
References:
Message-ID: <6BDA2D93-1345-4E27-BEA8-2ECE856B8D8E@kirei.se>

Jakob both days!

-- 
Sent from my iPhone, hence this mail might be briefer than normal.

On 19 jun 2009, at 15.25, "Rickard Bondesson" wrote:

> Please indicate if you will attend, so Jelte can order lunch.
>
> Rickard: will attend both days
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
>

From Antoin.Verschuren at sidn.nl Fri Jun 19 15:28:32 2009
From: Antoin.Verschuren at sidn.nl (Antoin Verschuren)
Date: Fri, 19 Jun 2009 17:28:32 +0200
Subject: [Opendnssec-develop] Amsterdam
In-Reply-To:
References:
Message-ID:

I'll be there on Tuesday.

Antoin Verschuren

On 19 jun 2009, at 15:42, "Rickard Bondesson" wrote:

> Please indicate if you will attend, so Jelte can order lunch.
>
> Rickard: will attend both days
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From Stephen.Morris at nominet.org.uk Fri Jun 19 16:03:40 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Fri, 19 Jun 2009 17:03:40 +0100
Subject: [Opendnssec-develop] Amsterdam
In-Reply-To:
References:
Message-ID:

"Rickard Bondesson" wrote on 19/06/2009 14:25:57:

> Please indicate if you will attend, so Jelte can order lunch.

Stephen, Sion, Alex: will attend both days

From Stephen.Morris at nominet.org.uk Fri Jun 19 16:33:37 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Fri, 19 Jun 2009 17:33:37 +0100
Subject: [Opendnssec-develop] Packing and OpenDNSSEC User Account
Message-ID:

I have been building (though not yet running) OpenDNSSEC under OS/X. A
couple of things to consider:

Packaging

Although we will provide source, installing at least three pre-requisites
(ldns, libxml2 and Botan) and building OpenDNSSEC from scratch (we
definitely need a single Makefile!) is not a five-minute task. When we
come around to releasing the software as a product, we should think of
statically linking everything and supplying pre-built packages for at
least one or two of the supported operating systems.

User Account and Working Directory

I notice that both the enforcer and the signer create a "var" subdirectory
in the installation directory. I'm not sure this is a good idea - I
generally put software in a read-only area (which may be on a partition of
limited size). Although it is possible to subsequently move the "var"
directory to another area and add a symbolic link to it in the
installation directory, I think we should look at another solution.

A question related to this is "under what username does OpenDNSSEC run?".
I would suggest that the recommended configuration be to create a user
account under which all the OpenDNSSEC software runs, and that the working
area for OpenDNSSEC be located in that user's home. There would need to be
some way of specifying the username at startup, but for the moment, it
could default to "opendnssec".

Stephen

From jakob at kirei.se Fri Jun 19 18:55:52 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 19 Jun 2009 20:55:52 +0200
Subject: [Opendnssec-develop] Packing and OpenDNSSEC User Account
In-Reply-To:
References:
Message-ID:

On 19 jun 2009, at 18.33, Stephen.Morris at nominet.org.uk wrote:

> Packaging
> Although we will provide source, installing at least three pre-requisites
> (ldns, libxml2 and Botan) and building OpenDNSSEC from scratch (we
> definitely need a single Makefile!) is not a five-minute task. When we
> come around to releasing the software as a product, we should think of
> statically linking everything and supplying pre-built packages for at
> least one or two of the supported operating systems.

A top makefile is absolutely useful, but only for people building
OpenDNSSEC themselves. Package maintainers will most likely want to build
the different components separately and distribute them as separate
packages to ease maintenance. I believe we've already decided that we
(post-alpha) will create packages for Ubuntu and possibly Solaris. Those
packages will depend on any external packages, so linking statically is
not needed.

Also, distributing anything linked statically will force us to re-release
software as soon as any vulnerability has emerged in the linked
components. With dynamic linking, we do not have to care about this at
all.

> User Account and Working Directory
> I notice that both the enforcer and the signer create a "var" subdirectory
> in the installation directory. I'm not sure this is a good idea - I
> generally put software in a read-only area (which may be on a partition of
> limited size). Although it is possible to subsequently move the "var"
> directory to another area and add a symbolic link to it in the
> installation directory, I think we should look at another solution. A
> question related to this is "under what username does OpenDNSSEC run?".
If configure is run correctly (see regression/ for examples), all
OpenDNSSEC binaries are installed under $PREFIX, all user configurable
data in /etc/opendnssec and all variable data in /var/opendnssec - just as
one would expect.

What user the OpenDNSSEC components run under will be user definable and I
suggest we discuss this next week together with chroot directories et al.
My plan is that all such parameters should be commonly configured in the
main configuration file (/etc/opendnssec/conf.xml).

> I would suggest that the recommended configuration be to create a user
> account under which all the OpenDNSSEC software runs, and that the
> working area for OpenDNSSEC be located in that user's home. There would
> need to be some way of specifying the username at startup, but for the
> moment, it could default to "opendnssec".

putting the working area in the user's home is generally not recommended
as the location of home directories varies among the operating systems,
but we will make sure all components cwd (and in some cases chroot) into
/var/opendnssec as soon as possible.

jakob

From rick at openfortress.nl Fri Jun 19 21:09:53 2009
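The start-up plan Jakob describes above (every component changes into /var/opendnssec, in some cases chroots there, and runs as a user set in conf.xml) as working Python, added here as an example and not taken from OpenDNSSEC. It shows the one order of operations that actually works and a check that the drop is permanent. The uid/gid 65534, the directory and the `FakeSyscalls` recorder are constructed for the demo; passing `syscalls=os` applies the sequence for real, which requires starting as root.

```python
"""Start-up sequence for a daemon that must cwd/chroot into its working
area and then run as an unprivileged service account.

Added example, not OpenDNSSEC code. Order matters: chdir/chroot while
still root, setgroups/setgid before setuid, then prove that root cannot
be regained. uid/gid, the directory and FakeSyscalls are constructed for
the demo; `syscalls=os` performs the real calls (needs root).
"""
import os
import pwd


def lookup_account(username: str):
    """Resolve the configured service user (assumed name, e.g. 'opendnssec') to (uid, gid)."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, pw.pw_gid


def drop_privileges(uid: int, gid: int, workdir: str, chroot: bool = False, syscalls=os) -> dict:
    if uid == 0 or gid == 0:
        raise ValueError("service account must not be root")
    if syscalls.getuid() != 0:
        raise RuntimeError("must start as root to switch to another account")

    syscalls.chdir(workdir)               # 1. move into the working area while still root
    if chroot:
        syscalls.chroot(workdir)          #    chroot needs privilege, so it precedes setuid
        syscalls.chdir("/")               #    cwd must lie inside the new root

    syscalls.setgroups([])                # 2. shed root's supplementary groups and primary
    syscalls.setgid(gid)                  #    group while we are still allowed to change them
    syscalls.setuid(uid)                  # 3. give up uid last (real, effective and saved)

    try:                                  # 4. prove the drop is permanent
        syscalls.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privileges could be regained; refusing to run")
    return {"uid": uid, "gid": gid, "cwd": "/" if chroot else workdir}


class FakeSyscalls:
    """Records calls in order; stands in for os so the sequence runs without root (constructed)."""

    def __init__(self, leaky: bool = False):
        self.calls = []
        self.uid = 0
        self.leaky = leaky                # leaky=True models a setuid that leaves saved-uid 0

    def getuid(self):
        return self.uid

    def chdir(self, path):
        self.calls.append(("chdir", path))

    def chroot(self, path):
        self.calls.append(("chroot", path))

    def setgroups(self, groups):
        self.calls.append(("setgroups", tuple(groups)))

    def setgid(self, gid):
        self.calls.append(("setgid", gid))

    def setuid(self, uid):
        if self.uid != 0 and uid != self.uid and not self.leaky:
            raise PermissionError("setuid")
        self.uid = uid
        self.calls.append(("setuid", uid))


def demo():
    """Run the sequence against a correct fake and against a leaky one."""
    ok = FakeSyscalls()
    result = drop_privileges(65534, 65534, "/var/opendnssec", chroot=True, syscalls=ok)
    try:
        drop_privileges(65534, 65534, "/var/opendnssec", syscalls=FakeSyscalls(leaky=True))
        leaky_detected = False
    except RuntimeError:
        leaky_detected = True
    return result, ok.calls, leaky_detected


if __name__ == "__main__":
    print(demo())
```

The recorded call list is the point: chroot before setuid, setgroups and setgid before setuid, and a setuid(0) probe afterwards that must fail. A daemon that does setuid first can neither chroot nor drop supplementary groups, and one that skips the probe may keep a saved uid of 0 without noticing.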
From: rick at openfortress.nl (Rick van Rein)
Date: Fri, 19 Jun 2009 21:09:53 +0000
Subject: [Opendnssec-develop] Packing and OpenDNSSEC User Account
In-Reply-To:
References:
Message-ID: <20090619210953.GA17578@phantom.vanrein.org>

Hi,

> A top makefile is absolutely useful, but only people building
> OpenDNSSEC themselves. Package maintainers will most likely want to
> build the different components separately and distribute them as
> separate packages to ease maintenance.

I've only really looked at RPM, where you build it all at once and then
create packages for components. A little different from what you are
saying, but minor.

> I believe we've already decided that we (post-alpha) will create
> packages for Ubuntu and possibly Solaris.

I'll try it on Debian to make sure we're not creating those packages that
_only_ run on Ubuntu. It's one of the negative effects of the public
attention for Ubuntu that haunts Debian-developers.

-Rick

From roy at nominet.org.uk Sat Jun 20 00:22:01 2009
From: roy at nominet.org.uk (Roy Arends)
Date: Sat, 20 Jun 2009 11:22:01 +1100
Subject: [Opendnssec-develop] Amsterdam
In-Reply-To:
References:
Message-ID:

> Please indicate if you will attend, so Jelte can order lunch.
>
> Rickard: will attend both days

Will not attend,

Roy

From jelte at NLnetLabs.nl Mon Jun 22 11:42:01 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Mon, 22 Jun 2009 13:42:01 +0200
Subject: [Opendnssec-develop] Meeting location
Message-ID: <4A3F6E09.8050005@NLnetLabs.nl>

For those of you with my memory, and those of you who weren't there last
meeting, the meeting will take place in room 1b of the Matrix 2 building;

Science Park 400
1098XH Amsterdam

We recently had a street name change, the old address was Kruislaan 400.

googlemap:
http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=kruislaan+400+amsterdam&sll=37.579413,-95.712891&sspn=48.80835,62.226563&ie=UTF8&ll=52.355985,4.957098&spn=0.004659,0.007596&t=h&z=17&iwloc=A

If you are coming by public transport, there are 2 buses from Amstel
Station, line 40 (to Station Muiderpoort) and line 240 (to the Science
Park). Both have a slightly different route than they used to, and they
go around the university now, but it is the same bus stop. Which of
course has also been renamed (sigh) to 'Aqua'.

There's an almost readable map here
http://www.nlnetlabs.nl/~benno/bgp-party/science_park.jpg
(fyi, our office is on the other side of the road, at nr 140)

See you there!

Jelte

From jelte at NLnetLabs.nl Tue Jun 23 13:30:27 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 23 Jun 2009 15:30:27 +0200
Subject: [Opendnssec-develop] [Fwd: Notes for compiling openDNSSEC]
Message-ID: <4A40D8F3.8070301@NLnetLabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------- Original Message --------
Subject: Notes for compiling openDNSSEC
Date: Tue, 23 Jun 2009 15:22:34 +0200
From: Wouter Wijngaards
To: Jelte Jansen

Hoi,

Can you send this to the openDNSSEC mailing list?

Attached,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpA2OcACgkQ4nZCKsdOncUIwwCfagvpwizLr7IFwDNw5SSjMOwr
w80AoLFTsqj2M0rQdMWutGk1J1HESk58
=jLnu
-----END PGP SIGNATURE-----

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: notes.txt

From jelte at NLnetLabs.nl Tue Jun 23 21:41:41 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 23 Jun 2009 23:41:41 +0200
Subject: [Opendnssec-develop] [Fwd: new notes]
Message-ID: <4A414C15.9070502@NLnetLabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------- Original Message --------
Subject: new notes
Date: Tue, 23 Jun 2009 18:18:38 +0200
From: Wouter Wijngaards
To: Jelte Jansen

Hi Jelte,

Could you forward this to the rest? The notes expanded with 'run'
instructions.

Best regards,
   Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpBTBIACgkQ4nZCKsdOncVNWQCfTgM2sAFW0+q1B0W0zmpaeH6T
FIMAoJcRcT+6w2xf071G/JCELq1mNXKe
=2Il4
-----END PGP SIGNATURE-----

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: notes.txt

From sion at nominet.org.uk Thu Jun 25 11:07:06 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Thu, 25 Jun 2009 12:07:06 +0100
Subject: [Opendnssec-develop] kaspimport
Message-ID:

So I have made some changes to kaspimport. (built from
trunk/libksm/utils/kaspimport.in)

running

  kaspimport -f  -i

will still nuke your database and start again with the config files that
you have. (No keys will survive, "i for initialise".)

remove the -i flag and it should do updates instead of inserts if the rows
already exist... to an extent.

Known Issues:

Nothing will be removed from the database in response to being removed
from the config files.

Brand new parameters in existing policies will probably fail.

I've not tested it on MySQL, only sqlite (and at one point rely on the
error code returned, which may well be different).

Hopefully this will be okay and extend the usefulness of the script until
I write a proper import program.

Sion

From sion at nominet.org.uk Fri Jun 26 08:22:32 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Fri, 26 Jun 2009 09:22:32 +0100
Subject: [Opendnssec-develop] Log facilities
Message-ID:

Which log facilities do we want to allow users to specify?

LOG_USER
LOG_SYSLOG
LOG_LOCAL0 .. LOG_LOCAL7
LOG_DAEMON (maybe?)

Or just anything from sys/syslog.h ?

And what should it default to if nothing is specified?

Sion

From jakob at kirei.se Fri Jun 26 08:26:32 2009
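The two import modes from Sion's kaspimport message above (initialise, which discards everything including keys, versus an update run that upserts rows) as working Python against SQLite, added here as an example and not the project's script. The two-table schema and the config dicts are constructed stand-ins for the real KASP tables and kasp.xml. The update path also inserts a brand-new parameter in an existing policy, and reports rows that are in the database but no longer in the config instead of deleting them, which is the gap the message lists as a known issue.

```python
"""Initialise-vs-update import of policy parameters into SQLite.

Added example, not the project's kaspimport script. Schema and config
dicts are constructed stand-ins for the KASP tables and kasp.xml.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS policies (
    id   INTEGER PRIMARY KEY,
    name TEXT NOT NULL UNIQUE);
CREATE TABLE IF NOT EXISTS parameters (
    policy_id INTEGER NOT NULL REFERENCES policies(id),
    name      TEXT NOT NULL,
    value     INTEGER NOT NULL,
    PRIMARY KEY (policy_id, name));
CREATE TABLE IF NOT EXISTS keypairs (
    id        INTEGER PRIMARY KEY,
    policy_id INTEGER NOT NULL REFERENCES policies(id),
    hsm_label TEXT NOT NULL);
"""

# Constructed stand-ins for a parsed kasp.xml: policy -> {parameter: seconds}
CONFIG_V1 = {"default": {"ksk_lifetime": 31536000, "zsk_lifetime": 2592000}}
CONFIG_V2 = {"default": {"ksk_lifetime": 63072000, "sig_validity": 1209600}}


def open_db(path=":memory:"):
    db = sqlite3.connect(path)
    db.executescript(SCHEMA)
    return db


def import_config(db, config, initialise=False):
    """Load `config`; return (policy, parameter) pairs present in the DB but absent from config."""
    if initialise:
        # "-i" mode: start over, nothing survives, keys included
        db.executescript("DELETE FROM keypairs; DELETE FROM parameters; DELETE FROM policies;")
    for policy, params in config.items():
        db.execute("INSERT OR IGNORE INTO policies(name) VALUES (?)", (policy,))
        (pid,) = db.execute("SELECT id FROM policies WHERE name = ?", (policy,)).fetchone()
        for name, value in params.items():
            # upsert on the (policy_id, name) key: updates an existing row,
            # inserts a brand-new parameter, never touches keypairs
            db.execute(
                "INSERT OR REPLACE INTO parameters(policy_id, name, value) VALUES (?, ?, ?)",
                (pid, name, value))
    db.commit()
    return stale_parameters(db, config)


def stale_parameters(db, config):
    """Rows the config no longer mentions; reported for the operator, not removed."""
    rows = db.execute(
        "SELECT p.name, m.name FROM parameters m JOIN policies p ON p.id = m.policy_id "
        "ORDER BY p.name, m.name").fetchall()
    return [(pol, par) for pol, par in rows if par not in config.get(pol, {})]


def parameter(db, policy, name):
    row = db.execute(
        "SELECT m.value FROM parameters m JOIN policies p ON p.id = m.policy_id "
        "WHERE p.name = ? AND m.name = ?", (policy, name)).fetchone()
    return None if row is None else row[0]


def add_keypair(db, policy, label):
    (pid,) = db.execute("SELECT id FROM policies WHERE name = ?", (policy,)).fetchone()
    db.execute("INSERT INTO keypairs(policy_id, hsm_label) VALUES (?, ?)", (pid, label))
    db.commit()


def keypair_count(db):
    return db.execute("SELECT COUNT(*) FROM keypairs").fetchone()[0]
```

An operator would run the update mode day to day and only initialise a fresh install; the returned stale list is what makes a silent divergence between kasp.xml and the database visible.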
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 26 Jun 2009 10:26:32 +0200
Subject: [Opendnssec-develop] Log facilities
In-Reply-To:
References:
Message-ID:

On 26 jun 2009, at 10.22, sion at nominet.org.uk wrote:

>
> Which log facilities do we want to allow users to specify?
>
> LOG_USER
> LOG_SYSLOG
> LOG_LOCAL0 .. LOG_LOCAL7
> LOG_DAEMON (maybe?)

I suggest the string that goes into is one of:

kern,user,mail,daemon,auth,syslog,lpr,news,uucp,audit,cron,local[0-7]

> And what should it default to if nothing is specified?

daemon

jakob

-- 
Jakob Schlyter
Kirei AB - http://www.kirei.se/

From Jonathan.Stanton at cit.coop Fri Jun 26 15:55:05 2009
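Jakob's answer above (a facility name from a fixed list, defaulting to daemon) as a small resolver in Python, added here as an example and not OpenDNSSEC code. It rejects unknown names at start-up so a typo in the configuration does not silently send messages to a facility nobody watches. `audit` is in the list but has no LOG_AUDIT in Python's syslog module (nor in most sys/syslog.h), so it is refused as unsupported on this platform rather than remapped; the `open_log` helper is an assumption.

```python
"""Resolve the syslog facility named in the configuration file.

Added example, not OpenDNSSEC code. Accepts the names from the list
discussion, defaults to daemon, and fails closed on anything else.
"""
import syslog

FACILITY_NAMES = (
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "audit", "cron",
) + tuple(f"local{i}" for i in range(8))

DEFAULT_FACILITY = "daemon"


def facility_from_name(name):
    """Return the syslog.LOG_* facility constant for a configured name."""
    if name is None or not name.strip():
        name = DEFAULT_FACILITY                      # nothing specified: daemon
    key = name.strip().lower()
    if key not in FACILITY_NAMES:
        raise ValueError(f"unknown syslog facility {name!r}; expected one of "
                         + ", ".join(FACILITY_NAMES))
    const = getattr(syslog, "LOG_" + key.upper(), None)
    if const is None:
        # e.g. "audit": accepted by the spec list, absent on this platform
        raise ValueError(f"facility {key!r} is not available on this platform")
    return const


def is_valid_facility(name):
    """True if `name` can be used here; suitable for a config sanity check."""
    try:
        facility_from_name(name)
        return True
    except ValueError:
        return False


def open_log(ident, facility_name=None):
    """Open the daemon's log with the configured facility (hypothetical helper)."""
    syslog.openlog(ident, syslog.LOG_PID, facility_from_name(facility_name))
```

Resolving the name once at start-up, before privileges are dropped and before any zone is touched, means a bad value aborts the daemon with a clear message instead of producing logs in the wrong place for weeks.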
From: Jonathan.Stanton at cit.coop (Jonathan Stanton)
Date: Fri, 26 Jun 2009 16:55:05 +0100
Subject: [Opendnssec-develop] Latest version of ldns
In-Reply-To: <49E45A3E.4060606@NLnetLabs.nl>
References: <49DA0E7F.3000904@NLnetLabs.nl> <49DB0179.90609@nlnetlabs.nl> <69830D4127201D4EBD146B904119971896D17E@EXCHANGE.office.nic.se> <49DF0ADE.3050304@surfnet.nl> <69830D4127201D4EBD146B9041199718B065F5@EXCHANGE.office.nic.se> <49E45A3E.4060606@NLnetLabs.nl>
Message-ID: <584B0C4A9BE2D94E99D4003D446B066401460F96@coop-exchange.coop.local>

Hello there,

I am trying to compile libhsm (trunk) however it keeps saying

  checking for ldns_sha1... no
  .............. ldns library too old, please update it

I _am_ using the latest released version from nlnetlabs. Is there a
specific version from somewhere else that I need to use?

Many thanks

Jonathan Stanton

--------------------------------------------------------------------------
Please don't print this email unless you really need to...
--------------------------------------------------------------------------

Co-operative IT is part of The Midcounties Co-operative

The Midcounties Co-operative is an innovative co-operative business, owned
by its customers and staff in the 9 counties it spans. We trade in a
number of retail sectors including food, travel, funerals, motors,
childcare, pharmacy, post offices and IT. We are proud to be a successful
co-operative, founded on co-operative values and principles that co-ops
share throughout the world.

This e-mail is confidential and is for the named recipient(s) only. If
you are not the named recipient(s) please do not disseminate or copy this
e-mail, but please delete it and any copies from your computer. The
Midcounties Co-operative has taken reasonable precautions to ensure that
any attachment to this e-mail has been checked for viruses. However, we
cannot accept liability for any damage sustained as a result of any such
viruses and advise you to carry out your own virus checks before opening
any attachment. Furthermore, we do not accept responsibility for any
change made to this message after it was sent by the sender.

This Message has been Scanned by SurfControl(c) Email Filter

From jelte at NLnetLabs.nl Fri Jun 26 19:13:08 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Fri, 26 Jun 2009 21:13:08 +0200
Subject: [Opendnssec-develop] Latest version of ldns
In-Reply-To: <584B0C4A9BE2D94E99D4003D446B066401460F96@coop-exchange.coop.local>
References: <49DA0E7F.3000904@NLnetLabs.nl> <49DB0179.90609@nlnetlabs.nl> <69830D4127201D4EBD146B904119971896D17E@EXCHANGE.office.nic.se> <49DF0ADE.3050304@surfnet.nl> <69830D4127201D4EBD146B9041199718B065F5@EXCHANGE.office.nic.se> <49E45A3E.4060606@NLnetLabs.nl> <584B0C4A9BE2D94E99D4003D446B066401460F96@coop-exchange.coop.local>
Message-ID: <4A451DC4.50808@NLnetLabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jonathan Stanton wrote:
> Hello there,
>
> I am trying to compile libhsm (trunk) however it keeps saying
>
> checking for ldns_sha1... no
> .............. ldns library too old, please update it
>
>
> I _am_ using the latest released version from nlnetlabs. Is there a
> specific version from somewhere else that I need to use?
>
> Many thanks
>

Hi,

I'm the maintainer of the ldns project, which has seen some bugfixes and
other additions that came up through the efforts of the OpenDNSSEC team.
These modifications have not been released yet (since we only just
found/added them), but they are essential for libhsm.

I'm working on a new release of ldns (1.6.0), and plan on having it out
in the next couple of weeks, and definitely before we put out something
for OpenDNSSEC.

Until that time, I'm afraid that you will have to use the subversion
trunk of ldns (which can be found at
http://www.nlnetlabs.nl/svn/ldns/trunk/) to compile libhsm.

Jelte

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpFHcQACgkQ4nZCKsdOncVXFQCgotjnc3hf6vedNd3ADBjptZlO
qvwAn0IplcPteLOduVenzKvIXAI586LD
=TUYc
-----END PGP SIGNATURE-----

From rickard.bondesson at iis.se Mon Jun 29 07:53:50 2009
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Mon, 29 Jun 2009 09:53:50 +0200 Subject: [Opendnssec-develop] Meetings in July Message-ID: <69830D4127201D4EBD146B9041199718D254BF@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi During the meeting in Amsterdam we decided that we should have two meetings before the release during the IETF meeting. Friday 10th July, 14-16 CEST, telephone This meeting is focusing on the tasks we were given in Amsterdam. Everything can be found on www.pivotaltracker.com . We should also see if it is possible for us to prepare OpenDNSSEC for a technology preview. Assign new tasks to the working group. Sunday 26th July, 13-15 CEST, Stockholm GO or no-GO for OpenDNSSEC technology preview. Plan what we should do next. // Rickard -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSkhzDuCjgaNTdVjaAQjckwf/WvbsgLYPAehuIoq2om7t8ccjEfIfGmxw 6cgq6m10nDhFKsghTwEr7/Pcva2wQxLBaElq5czHXUkpJVggxyi+DdsSguHoyXe6 emkUA+x/1G/wf6X1U9sLFNxV+qLUyZk6egn9TGBeVJgytsLmtbfa3X55N30QQfa5 oyrwBDW/0uHaeB1mNnprmEEeRi+iTpFbRr/dQsrpxDdVjzdOjQ2KTjsdTJbVOOBd DrGcFzdmiQvGeRojiQOha8pUcUQcrvVA1nZh9xJ24GZLDC4Pj9VlVGsjpPCT/FUR lgdmy0bSG//UzFKrNB/oEnC6hLEbEfQehsKFiDbOu9k4ST8NP+9fPg== =+9/9 -----END PGP SIGNATURE----- From rickard.bondesson at iis.se Mon Jun 29 08:04:09 2009 
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Mon, 29 Jun 2009 10:04:09 +0200 Subject: [Opendnssec-develop] Meetings in July In-Reply-To: <69830D4127201D4EBD146B9041199718D254BF@EXCHANGE.office.nic.se> References: <69830D4127201D4EBD146B9041199718D254BF@EXCHANGE.office.nic.se> Message-ID: <69830D4127201D4EBD146B9041199718D254C6@EXCHANGE.office.nic.se> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > Sunday 26th July, 13-15 CEST, Stockholm > GO or no-GO for OpenDNSSEC technology preview. Plan what we > should do next. GO or no-GO is for the code release, the event will still happen since it is already in the pipe. But we would then have to point to a date (days or week in the future) when the code is available outside the trunk. The code is most likely ready for a technology preview, so this should be no problem. // Rickard -----BEGIN PGP SIGNATURE----- Version: 9.8.3 (Build 4028) Charset: utf-8 wsBVAwUBSkh1eeCjgaNTdVjaAQjkHwf9FzhjUprWYnY9zCCcAS6wIRfWJ16XJaSF CS/9KTApRcDf61StjWBBqfTgsDQLdZwTbPA2csr9COD2ZMPqok7Q7q7gnce2u/LF fVTpS6m9tKu6OWe0QWbmBDHUFlk0KoTyardLeqrWu6mnNBzgMWtLN2nliB8WpQ51 RDQw+3Hb/m5rIt19C9F/laJHbeXLalCn0dTj+JFzYyIkBIiDOtywVEORDCFg9ubt rKpslKdMbb0etxZ7AL4ezv0Pob59cVme1B9xfhX7wqvFLVbWcRkPusJISswsNoSY 82a/ZWy1s4GBNP8ByjWBplETHc7bZ6v7HWXIgyd/jkVtreSlTZ9EQg== =skKK -----END PGP SIGNATURE----- From Jonathan.Stanton at cit.coop Mon Jun 29 09:54:11 2009 
From: Jonathan.Stanton at cit.coop (Jonathan Stanton)
Date: Mon, 29 Jun 2009 10:54:11 +0100
Subject: [Opendnssec-develop] Feedback on newbie install.
Message-ID: <584B0C4A9BE2D94E99D4003D446B0664014C548E@coop-exchange.coop.local>

Hi there,

I know that there is still no official release yet but I thought that I
would give some feedback based on an install on a fresh install of Debian
(squeeze/sid):

It eventually went OK (had problems with using SVN to get latest version
of ldns, fine if using XP, failed on Debian). The guide at
http://trac.opendnssec.org/wiki/Signer/Install was excellent and thumbs up
to whoever produced it.

The main issue that I had was the errors reported with the "make autogen
build" step. It failed complaining that it could not find the "m4"
directory. I solved this by running the following commands at the base of
the working copy:

  cd softHSM; ln -s ../m4 m4; cd ..
  cd libhsm; ln -s ../m4 m4; cd ..
  cd libksm; ln -s ../m4 m4; cd ..
  cd enforcer; ln -s ../m4 m4; cd ..
  cd signer; ln -s ../m4 m4; cd ..

After this was done all compiled fine.

Is there another guide on configuring the signer engine?

I have initialised the softHSM. The zonefile.xml.sample refers to a
SignerConfiguration file at /var/opendnssec/signconf/example.com.xml which
does not exist. Any idea where I can find this file?

Thanks for all your work on the project.

Jonathan

From Antoin.Verschuren at sidn.nl Mon Jun 29 10:24:54 2009
From: Antoin.Verschuren at sidn.nl (Antoin Verschuren)
Date: Mon, 29 Jun 2009 12:24:54 +0200
Subject: [Opendnssec-develop] Feedback on newbie install.
References: <584B0C4A9BE2D94E99D4003D446B0664014C548E@coop-exchange.coop.local>
Message-ID: <850A39016FA57A4887C0AA3C8085F949DD3E85@KAEVS1.SIDN.local>

Don't know about the configuration, but one of the things I noticed on
the excellent install page is that developers assume that subversion is
already installed on a base system, which it isn't, at least not on LTS
Ubuntu 8.04. Install "subversion" should be mentioned as a pre-requisite.
"autoconf", "libtool" and "uuid-dev" are also not installed on a base
system.

Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl
http://www.sidn.nl/

> -----Original Message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org
> [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of
> Jonathan Stanton
> Sent: Monday, June 29, 2009 11:54 AM
> To: Opendnssec-develop at lists.opendnssec.org
> Subject: [Opendnssec-develop] Feedback on newbie install.
>
> Hi there,
>
> I know that there is still no official release yet but I thought that I
> would give some feedback based on an install on a fresh install of
> Debian (squeeze/sid):
>
> It eventually went OK (had problems with using SVN to get latest version
> of ldns, fine if using XP, failed on Debian). The guide at
> http://trac.opendnssec.org/wiki/Signer/Install was excellent and thumbs
> up to whoever produced it.
>
> The main issue that I had was the errors reported with the "make autogen
> build" step. It failed complaining that it could not find the "m4"
> directory. I solved this by running the following commands at the base
> of the working copy:
>
>   cd softHSM; ln -s ../m4 m4; cd ..
>   cd libhsm; ln -s ../m4 m4; cd ..
>   cd libksm; ln -s ../m4 m4; cd ..
>   cd enforcer; ln -s ../m4 m4; cd ..
>   cd signer; ln -s ../m4 m4; cd ..
>
> After this was done all compiled fine.
>
> Is there another guide on configuring the signer engine?
>
> I have initialised the softHSM. The zonefile.xml.sample refers to a
> SignerConfiguration file at /var/opendnssec/signconf/example.com.xml
> which does not exist. Any idea where I can find this file?
>
> Thanks for all your work on the project.
>
> Jonathan

From rickard.bondesson at iis.se Mon Jun 29 10:36:10 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 29 Jun 2009 12:36:10 +0200
Subject: [Opendnssec-develop] Feedback on newbie install.
In-Reply-To: <584B0C4A9BE2D94E99D4003D446B0664014C548E@coop-exchange.coop.local>
References: <584B0C4A9BE2D94E99D4003D446B0664014C548E@coop-exchange.coop.local>
Message-ID: <69830D4127201D4EBD146B9041199718D254F4@EXCHANGE.office.nic.se>

> cd softHSM; ln -s ../m4 m4; cd ..
> cd libhsm; ln -s ../m4 m4; cd ..
> cd libksm; ln -s ../m4 m4; cd ..
> cd enforcer; ln -s ../m4 m4; cd ..
> cd signer; ln -s ../m4 m4; cd ..

Will have a look at this. These directories should exist.

> Is there another guide on configuring the signer engine?

There are currently no guides besides the .rnc files for each xml file.

> I have initialised the softHSM. The zonefile.xml.sample
> refers to a SignerConfiguration file at
> /var/opendnssec/signconf/example.com.xml which does not
> exist. Any idea where I can find this file?

This file should be generated by the communicated when it is running. Signconf is just if you want to run Signer Engine without the KASP Enforcer.

*******************************
How to start everything:

# Edit conf.xml
Add paths, fix time, and repo.

# Edit kasp.xml

# Edit zonelist.xml

# Create and load the kasp
kaspimport -f /home/rickard/opendnssec/enforcer.db -i

# Start Signer Engine
signer_engine

# Start keygend
keygend -u rickard -d -P /home/rickard/opendnssec/keygend.pid &

# Start communicator
communicated -u rickard -d -P /home/rickard/opendnssec/communicated.pid &

# Stop Signer Engine
signer_engine_cli stop
(ps waux | grep Engine)

# Stop keygend
sudo killall -9 keygend

# Stop communicated
sudo killall -9 communicated
*******************************

// Rickard

From rickard.bondesson at iis.se Mon Jun 29 10:37:35 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 29 Jun 2009 12:37:35 +0200
Subject: [Opendnssec-develop] Feedback on newbie install.
In-Reply-To: <850A39016FA57A4887C0AA3C8085F949DD3E85@KAEVS1.SIDN.local>
References: <584B0C4A9BE2D94E99D4003D446B0664014C548E@coop-exchange.coop.local> <850A39016FA57A4887C0AA3C8085F949DD3E85@KAEVS1.SIDN.local>
Message-ID: <69830D4127201D4EBD146B9041199718D254F5@EXCHANGE.office.nic.se>

> "autoconf", "libtool" and "uuid-dev" are also not installed
> on a base system.

UUID should not be needed any more. Are there any dependencies left?

// Rickard

From Jonathan.Stanton at cit.coop Mon Jun 29 13:04:58 2009
From: Jonathan.Stanton at cit.coop (Jonathan Stanton)
Date: Mon, 29 Jun 2009 14:04:58 +0100
Subject: [Opendnssec-develop] Error: unknown command: refresh_denial
Message-ID: <584B0C4A9BE2D94E99D4003D446B0664014C56C6@coop-exchange.coop.local>

Hi,

I am having issues in signing what I believe to be a basic zone file. In the logs I am getting the following error message:

OpenDNSSEC signer engine: signer stderr: ; Error: unknown command: refresh_denial

There is another entry (which might be related) which is:

OpenDNSSEC signer engine: write to subp: : expiration_denial 20090713134015

Is this something simple to fix at my end or is it just because I am using pre-release trunk code (if the latter I have no problem waiting). Is this also the best list to post these requests to or is there another one you would prefer these to go to?

Many thanks

Jonathan

From rickard.bondesson at iis.se Mon Jun 29 13:52:36 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 29 Jun 2009 15:52:36 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
Message-ID: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se>

Hi

I have successfully converted and installed the packages, updated the kernel module code, and got libhsm talking to the card. The problem is that SHA1 and its friends are not enabled by default. Does anyone know how to enable them?

// Rickard

From jelte at NLnetLabs.nl Mon Jun 29 13:58:39 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Mon, 29 Jun 2009 15:58:39 +0200
Subject: [Opendnssec-develop] Error: unknown command: refresh_denial
In-Reply-To: <584B0C4A9BE2D94E99D4003D446B0664014C56C6@coop-exchange.coop.local>
References: <584B0C4A9BE2D94E99D4003D446B0664014C56C6@coop-exchange.coop.local>
Message-ID: <4A48C88F.2020706@NLnetLabs.nl>

Jonathan Stanton wrote:
> Hi,
>
> I am having issues in signing what I believe to be a basic zone file.
> In the logs I am getting the following error message:
>
> OpenDNSSEC signer engine: signer stderr: ; Error: unknown command:
> refresh_denial
>

this can happen if the checkout was somewhere last week, this should have been fixed on friday (when i finished the new signature refresh code)

> Is this something simple to fix at my end or is it just because I am
> using pre release trunk code (if the latter I have no problem waiting).
> Is this also the best list to post these requests to or is there another
> one you would prefer these to go to?
>

a bit of both, and a simple fix would be svn up :)

I personally don't mind people testing stuff out while it's still cooling, au contraire, but please do expect things to break now and again.

atm this is the only list, until we release something I guess, so this will have to do.

Jelte

From roy at nominet.org.uk Mon Jun 29 14:02:15 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Mon, 29 Jun 2009 16:02:15 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se>
Message-ID:

Rickard Bondesson wrote on 06/29/2009 03:52:36 PM:

> Hi
>
> I have successfully converted and installed the packages, updated
> the kernel module code, and got libhsm talking to the card. The
> problem is that SHA1 and its friends are not enabled by default.
> Does anyone know how to enable them?

Odd. I thought it was enabled by default.

When you do a scadiag -g mcaN (where N is a number), what fingerprint do you get? If it is 20 bytes, it is sha1.

Roy

From roy at nominet.org.uk Mon Jun 29 14:05:57 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Mon, 29 Jun 2009 16:05:57 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se>
Message-ID:

Roy Arends wrote on 06/29/2009 04:02:15 PM:

> Rickard Bondesson wrote on 06/29/2009 03:52:36 PM:
>
> > Hi
> >
> > I have successfully converted and installed the packages, updated
> > the kernel module code, and got libhsm talking to the card. The
> > problem is that SHA1 and its friends are not enabled by default.
> > Does anyone know how to enable them?
>
> Odd. I thought it was enabled by default.
>
> When you do a scadiag -g mcaN (where N is a number), what fingerprint do
> you get? If it is 20 bytes, it is sha1.

Another idea:

Add enable-multi-part-sha1=1; to the /kernel/drv/mca.conf

This should enable CKM_SHA_1

Roy

From rickard.bondesson at iis.se Mon Jun 29 14:07:00 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 29 Jun 2009 16:07:00 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se>
Message-ID: <69830D4127201D4EBD146B9041199718D2553A@EXCHANGE.office.nic.se>

> Odd. I thought it was enabled by default.
>
> When you do a scadiag -g mcaN (where N is a number), what
> fingerprint do you get? If it is 20 bytes, it is sha1.

I am thinking about the PKCS#11 interface. Only get:

sudo pkcs11-tool --module=/usr/lib/pkcs11/libopencryptoki.so --slot 0 -p user:test1234 -M
Supported mechanisms:
DES-CBC, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES3-CBC, wrap, unwrap, encrypt, decrypt, other flags=0x20000
AES-CBC, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
DES3-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
AES-CBC-PAD, wrap, unwrap, encrypt, decrypt, other flags=0x20000
RSA-X-509, sign, verify, wrap, unwrap, encrypt, decrypt, other flags=0x25000
RSA-PKCS, sign, verify, wrap, unwrap, encrypt, decrypt, other flags=0x25000
DSA, sign, verify
DH-PKCS-KEY-PAIR-GEN, keypairgen
DH-PKCS-DERIVE, other flags=0x80000
RSA-PKCS-KEY-PAIR-GEN, keypairgen
DSA-KEY-PAIR-GEN, keypairgen
DES-KEY-GEN, other flags=0x8000
DES2-KEY-GEN, other flags=0x8000
DES3-KEY-GEN, other flags=0x8000
AES-KEY-GEN, other flags=0x8000

From rickard.bondesson at iis.se Mon Jun 29 14:10:03 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 29 Jun 2009 16:10:03 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se>
Message-ID: <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se>

> Another idea:
>
> Add enable-multi-part-sha1=1; to the /kernel/drv/mca.conf
>
> This should enable CKM_SHA_1

Tried that one too. Do not have the /kernel/drv on Ubuntu. The driver is located at /opt/sun/sca6000/bin/drv/mca_2.6.24-23-server.ko so I put it there but no luck.

// Rickard

From Ray.Bellis at nominet.org.uk Mon Jun 29 14:17:03 2009
From: Ray.Bellis at nominet.org.uk (Ray.Bellis at nominet.org.uk)
Date: Mon, 29 Jun 2009 15:17:03 +0100
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se>
Message-ID:

> Tried that one too. Do not have the /kernel/drv on Ubuntu. The
> driver is located at /opt/sun/sca6000/bin/drv/mca_2.6.24-23-
> server.ko so I put it there but no luck.

Linux modules normally get their config from /etc/modules.conf (or /etc/conf.modules on some distros).

Alternatively I seem to recall that they can also be supplied as additional arguments to 'modprobe' if you're loading the module by hand.

Ray

From Ray.Bellis at nominet.org.uk Mon Jun 29 14:32:14 2009
From: Ray.Bellis at nominet.org.uk (Ray.Bellis at nominet.org.uk)
Date: Mon, 29 Jun 2009 15:32:14 +0100
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se>
Message-ID:

> Linux modules normally get their config from /etc/modules.conf (or
> /etc/conf.modules on some distros).
>
> Alternatively I seem to recall that they can also be supplied as
> additional arguments to 'modprobe' if you're loading the module by hand.

I've checked the SCA6000 driver source - it does indeed use Linux's standard module parameter mechanism.

However I believe you may need to use underscores (_) instead of hyphens (-) in the parameter name.

Ray

From rickard.bondesson at iis.se Mon Jun 29 16:57:27 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 29 Jun 2009 18:57:27 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se>
Message-ID: <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se>

> I've checked the SCA6000 driver source - it does indeed use
> Linux's standard module parameter mechanism.
>
> However I believe you may need to use underscores (_) instead
> of hyphens (-) in the parameter name.

Since the start up script uses insmod I had to add mca_enable_multi_part_sha1=1 in the start up script. The next question is to get SHA256 like on the solaris machine. Because I can not see any options for that...

Result with hsmspeed:
64 threads, 100000 signatures per thread, 13046.24 sig/s (RSA 1024 bits)

// Rickard

From roy at nominet.org.uk Mon Jun 29 17:41:42 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Mon, 29 Jun 2009 19:41:42 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se>
Message-ID:

Rickard Bondesson wrote on 06/29/2009 06:57:27 PM:

> > I've checked the SCA6000 driver source - it does indeed use
> > Linux's standard module parameter mechanism.
> >
> > However I believe you may need to use underscores (_) instead
> > of hyphens (-) in the parameter name.
>
> Since the start up script uses insmod I had to add
> mca_enable_multi_part_sha1=1 in the start up script. The next
> question is to get SHA256 like on the solaris machine. Because I can
> not see any options for that...

Try mca_enable_sha512=1

This is the sha2 family.

> Result with hsmspeed:
> 64 threads, 100000 signatures per thread, 13046.24 sig/s (RSA 1024 bits)

That is about the topspeed you could get from an sca6000. Cool!

Roy

From rickard.bondesson at iis.se Tue Jun 30 10:50:48 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 30 Jun 2009 12:50:48 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se>
Message-ID: <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se>

> Try mca_enable_sha512=1
>
> This is the sha2 family.

This will only enable sha512. SCA6K does not have any support for sha256. I believe that sha256 is provided by the libpkcs11 on Solaris. So on a non-Solaris OS, you will use the libopencryptoki which does not do that.

// Rickard

From roy at nominet.org.uk Tue Jun 30 11:25:47 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Tue, 30 Jun 2009 13:25:47 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se>
Message-ID:

"Rickard Bondesson" wrote on 06/30/2009 12:50:48 PM:

> > Try mca_enable_sha512=1
> >
> > This is the sha2 family.
>
> This will only enable sha512. SCA6K does not have any support for
> sha256. I believe that sha256 is provided by the libpkcs11 on
> Solaris. So on a non-Solaris OS, you will use the libopencryptoki
> which does not do that.

My mistake. sha512 is part of the sha2 family.

This leads to a new question. In case of lack of support for certain functions by an HSM, do we provide an alternative just for that function? We might use softHSM just for the hashing, right?

Roy

From jakob at kirei.se Tue Jun 30 11:29:01 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 30 Jun 2009 07:29:01 -0400
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se>
Message-ID: <448B18D5-6A56-4784-BCAA-3622E07E46BF@kirei.se>

we don't do any hash functions in the HSM at the moment, we hash using ldns.

jakob

From jelte at NLnetLabs.nl Tue Jun 30 11:29:00 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 30 Jun 2009 13:29:00 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se>
Message-ID: <4A49F6FC.5060606@NLnetLabs.nl>

roy at nominet.org.uk wrote:
>
> In case of lack of support for certain functions by an HSM, do we provide
> an alternative just for that function? We might use softHSM just for the
> hashing, right?
>

that would require a configured softHSM only to provide hashing functions, in which case it would be much easier to use the hash functions that are now built into ldns. But we don't do such a thing at the moment.

Jelte

From jakob at kirei.se Tue Jun 30 11:33:18 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 30 Jun 2009 07:33:18 -0400
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <4A49F6FC.5060606@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl>
Message-ID:

On 30 jun 2009, at 07.29, Jelte Jansen wrote:

> roy at nominet.org.uk wrote:
>> In case of lack of support for certain functions by an HSM, do we
>> provide
>> an alternative just for that function? We might use softHSM just
>> for the
>> hashing, right?
>
> that would require a configured softHSM only to provide hashing
> functions, in which case it would be much easier to use the hash
> functions that are now built into ldns. But we don't do such a thing
> at the moment.

oh, my bad - I thought we only used the ldns functions. would that be an easy change? or something we can detect at runtime?

jakob

From rickard.bondesson at iis.se Tue Jun 30 11:33:21 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 30 Jun 2009 13:33:21 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <4A49F6FC.5060606@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl>
Message-ID: <69830D4127201D4EBD146B9041199718D2560F@EXCHANGE.office.nic.se>

We should do the hashing in the host and not via an HSM. What do you think of that? Then we would only need to do signing and key generation in the hsm.

// Rickard

From roy at nominet.org.uk Tue Jun 30 11:38:43 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Tue, 30 Jun 2009 13:38:43 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <69830D4127201D4EBD146B9041199718D2560F@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718D2560F@EXCHANGE.office.nic.se>
Message-ID:

"Rickard Bondesson" wrote on 06/30/2009 01:33:21 PM:

> We should do the hashing in the host and not via an HSM. What do you
> think of that? Then we would only need to do signing and key
> generation in the hsm.

I agree

Roy

From jelte at NLnetLabs.nl Tue Jun 30 11:36:22 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 30 Jun 2009 13:36:22 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl>
Message-ID: <4A49F8B6.6090804@NLnetLabs.nl>

resending to list, thought i did reply-to-all

Jakob Schlyter wrote:
>
> oh, my bad - I thought we only used the ldns functions. would that be an
> easy change? or something we can detect at runtime?
>

we do use the ldns functions, but only for nsec3 hashing (because that's entirely handled by ldns)

for signature input hashing, i think it shouldn't be too hard to just try and use the hsm, and on CKR_BAD_MECHANISM (or whatever it was), fall back to ldns.

In pivotal land i would give it 1 point :)

Jelte

From jakob at kirei.se Tue Jun 30 11:41:54 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 30 Jun 2009 07:41:54 -0400
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <69830D4127201D4EBD146B9041199718D2560F@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718D2560F@EXCHANGE.office.nic.se>
Message-ID:

On 30 jun 2009, at 07.33, Rickard Bondesson wrote:

> We should do the hashing in the host and not via an HSM. What do you
> think of that? Then we would only need to do signing and key
> generation in the hsm.

are there any HSMs that do not support signing only (and thus MUST do the hashing themselves)?

jakob

From roy at nominet.org.uk Tue Jun 30 11:42:36 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Tue, 30 Jun 2009 13:42:36 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <4A49F8B6.6090804@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <4A49F8B6.6090804@NLnetLabs.nl>
Message-ID:

Jelte Jansen wrote on 06/30/2009 01:36:22 PM:

> Jakob Schlyter wrote:
> >
> > oh, my bad - I thought we only used the ldns functions. would that be an
> > easy change? or something we can detect at runtime?
> >
>
> we do use the ldns functions, but only for nsec3 hashing (because that's
> entirely handled by ldns)
>
> for signature input hashing, i think it shouldn't be too hard to just try and
> use the hsm, and on CKR_BAD_MECHANISM (or whatever it was), fall
> back to ldns.

Why bother? why use an hsm to do the hashing? Just because we can ... often ?

> In pivotal land i would give it 1 point :)

eh?

Roy

From roy at nominet.org.uk Tue Jun 30 11:43:52 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Tue, 30 Jun 2009 13:43:52 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718D2560F@EXCHANGE.office.nic.se>
Message-ID:

Jakob Schlyter wrote on 06/30/2009 01:41:54 PM:

> On 30 jun 2009, at 07.33, Rickard Bondesson wrote:
>
> > We should do the hashing in the host and not via an HSM. What do you
> > think of that? Then we would only need to do signing and key
> > generation in the hsm.
>
> are there any HSMs that do not support signing only (and thus MUST do
> the hashing themselves)?

I haven't seen them.... and that doesn't mean anything :-)

Roy

From jelte at NLnetLabs.nl Tue Jun 30 11:43:30 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 30 Jun 2009 13:43:30 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718D2560F@EXCHANGE.office.nic.se>
Message-ID: <4A49FA62.6030204@NLnetLabs.nl>

Jakob Schlyter wrote:
> On 30 jun 2009, at 07.33, Rickard Bondesson wrote:
>
>> We should do the hashing in the host and not via an HSM. What do you
>> think of that? Then we would only need to do signing and key
>> generation in the hsm.
>
> are there any HSMs that do not support signing only (and thus MUST do
> the hashing themselves)?
>

i think there are some cheap ones that do that, but i certainly can't name them. Note that they will fail with the current code as well, since while both hashing and signing are done by the hsm (library) at the moment, they are performed separately.

Jelte

From jelte at NLnetLabs.nl Tue Jun 30 11:46:13 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 30 Jun 2009 13:46:13 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To:
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <4A49F8B6.6090804@NLnetLabs.nl>
Message-ID: <4A49FB05.2080702@NLnetLabs.nl>

roy at nominet.org.uk wrote:
>
> Why bother? why use an hsm to do the hashing? Just because we can ... often
> ?
>

only for a potential optimization should the hsm also somehow accelerate hashing. AFAIK most HSMs don't do it, but implement it in the library they provide to talk to it.

Note that we use them now because ldns only got hashing functionality very very recently.

Jelte

From roy at nominet.org.uk Tue Jun 30 11:50:14 2009
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Tue, 30 Jun 2009 13:50:14 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <4A49FB05.2080702@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <4A49F8B6.6090804@NLnetLabs.nl>
Message-ID:

Jelte Jansen wrote on 06/30/2009 01:46:13 PM:

> roy at nominet.org.uk wrote:
> >
> > Why bother? why use an hsm to do the hashing? Just because we can ... often
> > ?
> >
>
> only for a potential optimization should the hsm also somehow accelerate
> hashing. AFAIK most HSMs don't do it, but implement it in the library they
> provide to talk to it.
>
> Note that we use them now because ldns only got hashing
> functionality very very
> recently.

I'll add pure hashing to hsm-speed, just to see if it accelerates hashing.

Roy

From rickard.bondesson at iis.se Tue Jun 30 12:06:46 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 30 Jun 2009 14:06:46 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <4A49FB05.2080702@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <4A49F8B6.6090804@NLnetLabs.nl> <4A49FB05.2080702@NLnetLabs.nl>
Message-ID: <69830D4127201D4EBD146B9041199718D2561A@EXCHANGE.office.nic.se>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> only for a potential optimization should the hsm also somehow
> accelerate hashing. AFAIK most HSMs don't do it, but
> implement it in the library they provide to talk to it.

So if most HSMs do hashing in the library, then we might gain speed by doing it ourselves if we have optimized code?

> Note that we use them now because ldns only got hashing
> functionality very very recently.

Where is the SHA-X code from?

// Rickard

-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSkn/1uCjgaNTdVjaAQiGRAf8CbwRBwzMEa9W260bhk5hU9ZAfBodPOEx
EmzFvGCnlU7WDYQHmeERK4WOXa63KZ7JqXn/smdy3XqipLHt1xH4WVHh0A7F4cZz
LUcTvhfV6JXKYXtFGnP/taGz51mloREW8Pr8Qvbu3XRCRrgYjqI6x/TImF6Mv0+w
RcP1DmjNZw/xcdyOZ4jZjQ+nwKrIBC9pvLcMAAIh6S98lpS/rH06syxXIjpPRuhE
xsP5TES/RoXO8YiLj59nfDsUlFtH703/QWYJ3WaobNoUinfJu3WPscAfklhvmLkW
gH84eiHPq6GC9x6c9KW4cm3+BgoOt6wQnI3vtrN+ed7FEvcy/QS4eQ==
=3KrR
-----END PGP SIGNATURE-----

From jelte at NLnetLabs.nl Tue Jun 30 12:10:23 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 30 Jun 2009 14:10:23 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <69830D4127201D4EBD146B9041199718D2561A@EXCHANGE.office.nic.se>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <4A49F8B6.6090804@NLnetLabs.nl> <4A49FB05.2080702@NLnetLabs.nl> <69830D4127201D4EBD146B9041199718D2561A@EXCHANGE.office.nic.se>
Message-ID: <4A4A00AF.6080700@NLnetLabs.nl>

Rickard Bondesson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
>> only for a potential optimization should the hsm also somehow
>> accelerate hashing. AFAIK most HSMs don't do it, but
>> implement it in the library they provide to talk to it.
>
> So if most HSMs do hashing in the library, then we might gain speed by doing it ourself if we have optimized code?
>

yes

>> Note that we use them now because ldns only got hashing
>> functionality very very recently.
>
> Where is the SHA-X code from?
>

Some say it was forged in the fiery mountains of doom by the dark lord himself.
Some say it was the result of mister Schneier screaming random sounds into a
microphone.

All I know is that I got it from OpenBSD.

Jelte

From roy at nominet.org.uk Tue Jun 30 12:15:57 2009
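The measurement Roy proposes to add to hsm-speed (and the question Rickard asks about in-library versus on-token hashing) is easy to reproduce on the side. The script below is an added example, not OpenDNSSEC or ldns code: it times in-process SHA-256 (Python's hashlib, OpenSSL-backed) and, if a PKCS#11 module is configured, the same digest sent to the token through C_Digest via the python-pkcs11 package. The python-pkcs11 calls (`pkcs11.lib`, `get_token`, `open`, `session.digest`), the environment variable names and the sample input are all assumptions of this example.

```python
"""Added example: software SHA-256 versus an optional PKCS#11 C_Digest path.

Assumes the python-pkcs11 package for the HSM path; environment variable
names and the sample data are constructed for this example.
"""
import hashlib
import os
import time
from typing import Callable, Dict, Optional

# Constructed sample input: a deterministic blob of zone-file-looking text,
# so every iteration hashes identical data.
SAMPLE = (
    b"example. 3600 IN SOA ns1.example. hostmaster.example. "
    b"2009063001 7200 3600 1209600 3600\n"
) * 48


def software_sha256(data: bytes) -> bytes:
    """Hash in-process: the 'implement it in the library' path."""
    return hashlib.sha256(data).digest()


def bench(digest_fn: Callable[[bytes], bytes], data: bytes,
          iterations: int = 2000) -> Dict[str, float]:
    """Time digest_fn over data and return throughput figures.

    The last output is cross-checked against hashlib, so a 'fast' path that
    computes the wrong digest is rejected instead of being reported.
    """
    reference = hashlib.sha256(data).digest()
    out = None
    start = time.perf_counter()
    for _ in range(iterations):
        out = digest_fn(data)
    elapsed = max(time.perf_counter() - start, 1e-9)
    if out != reference:
        raise ValueError("digest mismatch: function does not compute SHA-256")
    return {
        "iterations": float(iterations),
        "seconds": elapsed,
        "ops_per_sec": iterations / elapsed,
        "mib_per_sec": iterations * len(data) / elapsed / 2 ** 20,
    }


def pkcs11_sha256(module_path: str, token_label: str,
                  pin: str) -> Optional[Callable[[bytes], bytes]]:
    """Return a digest callable that sends each message to the token via
    C_Digest (python-pkcs11 API; an assumption of this example), or None
    when python-pkcs11 is not installed so the software path still runs."""
    try:
        import pkcs11  # type: ignore
    except ImportError:
        return None
    lib = pkcs11.lib(module_path)
    session = lib.get_token(token_label=token_label).open(user_pin=pin)
    mechanism = pkcs11.Mechanism.SHA256

    def digest(data: bytes) -> bytes:
        return session.digest(data, mechanism=mechanism)

    return digest


def compare(data: bytes = SAMPLE,
            iterations: int = 2000) -> Dict[str, Dict[str, float]]:
    """Benchmark the software path and, when HSM_PKCS11_MODULE (placeholder
    variable name) is set, the on-token path as well."""
    results = {"software": bench(software_sha256, data, iterations)}
    module = os.environ.get("HSM_PKCS11_MODULE")
    if module:
        hsm = pkcs11_sha256(module,
                            os.environ.get("HSM_TOKEN_LABEL", ""),
                            os.environ.get("HSM_PIN", ""))
        if hsm is not None:
            results["hsm"] = bench(hsm, data, iterations)
    return results


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:9s} {r['ops_per_sec']:10.0f} digests/s  "
              f"{r['mib_per_sec']:8.1f} MiB/s")
```

Run it once with no environment set for the software baseline, then with `HSM_PKCS11_MODULE` pointing at the vendor's PKCS#11 library. Because the HSM path pays a host-to-token round trip per C_Digest call, the interesting number for a signer that hashes many small RRsets is digests per second at small message sizes, not peak MiB/s on large buffers; the `SAMPLE` size is a parameter of `compare()` so both regimes can be measured.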
From: roy at nominet.org.uk (roy at nominet.org.uk)
Date: Tue, 30 Jun 2009 14:15:57 +0200
Subject: [Opendnssec-develop] Sun SCA6000 on Ubuntu
In-Reply-To: <4A4A00AF.6080700@NLnetLabs.nl>
References: <69830D4127201D4EBD146B9041199718D25536@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2553C@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D2556E@EXCHANGE.office.nic.se> <69830D4127201D4EBD146B9041199718D25600@EXCHANGE.office.nic.se> <4A49F6FC.5060606@NLnetLabs.nl> <4A49F8B6.6090804@NLnetLabs.nl>
Message-ID:

Jelte Jansen wrote on 06/30/2009 02:10:23 PM:

> Some say it was forged in the fiery mountains of doom by the dark
> lord himself.
> Some say it was the result of mister Schneier screaming random sounds into a
> microphone.
>
> All I know is that I got it from OpenBSD.

OMGWTFBBQ ;-)

From jelte at NLnetLabs.nl Tue Jun 30 13:44:00 2009
From: jelte at NLnetLabs.nl (Jelte Jansen)
Date: Tue, 30 Jun 2009 15:44:00 +0200
Subject: [Opendnssec-develop] algorithm support
Message-ID: <4A4A16A0.1090709@NLnetLabs.nl>

Hi,

The previous discussion raised a question for me, which has been answered, but I have a bit of a cache miss. Did we want RSA/MD5 support? (Because ldns does not have that, and I'm not going to add it for 1.6.)

Jelte