From owner-dnssec-trac at kirei.se Thu Oct 1 08:39:08 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 01 Oct 2009 08:39:08 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #15: OpenDNSSEC release names should be package management friendly
In-Reply-To: <052.344f02e101c2cbfca0f49b9ed05fb58b@kirei.se>
References: <052.344f02e101c2cbfca0f49b9ed05fb58b@kirei.se>
Message-ID: <061.cf3189d90f4175955fe8620b137a1a21@kirei.se>

#15: OpenDNSSEC release names should be package management friendly
---------------------------+------------------------------------------------
Reporter: noa at resare.com | Owner: rb
Type: enhancement | Status: closed
Priority: minor | Component: Unknown
Version: | Resolution: fixed
Keywords: |
---------------------------+------------------------------------------------
Changes (by rb):

  * status: accepted => closed
  * resolution: => fixed

Comment:

We will continue with a schema like this:

  1.0a1 1.0a2 1.0a3 1.0a4 1.0a5 1.0b1 1.0b2 ... 1.0 1.0.1 1.0.2 1.0.3 1.5a1 1.5b1 1.5 1.6 1.6.1

Which is package friendly, if you only package the final releases and not the test versions.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Thu Oct 1 09:41:55 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 01 Oct 2009 09:41:55 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #15: OpenDNSSEC release names should be package management friendly
In-Reply-To: <052.344f02e101c2cbfca0f49b9ed05fb58b@kirei.se>
References: <052.344f02e101c2cbfca0f49b9ed05fb58b@kirei.se>
Message-ID: <061.9dd5f3028f46a3de61efb0b757103a99@kirei.se>

#15: OpenDNSSEC release names should be package management friendly
---------------------------+------------------------------------------------
Reporter: noa at resare.com | Owner: rb
Type: enhancement | Status: closed
Priority: minor | Component: Unknown
Version: | Resolution: fixed
Keywords: |
---------------------------+------------------------------------------------
Comment(by noa at resare.com):

Well, there are lots of legitimate reasons that one might want to package 1.5b1 in an rpm package. Perhaps some of your beta testers have standardized on a package management solution for all their software deployment.

With your proposed naming strategy at least rpm will treat 1.5a1 as a later release than 1.5.

Should an alpha or beta package ever propagate to an official packaging effort their release names will probably be mangled so that 1.5a1 becomes 1.5-0.1.a1 (As per https://fedoraproject.org/wiki/Packaging:NamingGuidelines#NonNumericRelease) which is unnecessarily confusing as it mixes the part of the versioning that indicates upstream version (before the dash) and the part that indicates updates in patches or other package level changes.

A better solution IMHO would be 1.4.9.1 -> 1.4.9.2 -> 1.5 (and if the alpha or beta stability level indicators are wanted, they can be appended at the end of the numeric part, i.e. 1.4.9.1.alpha)

From Alexd at nominet.org.uk Thu Oct 1 12:24:30 2009
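The ordering problem raised in the #15 comment above, as an added example (not part of the archived thread and not rpm's own source): a Python re-implementation of rpm's segment-wise version comparison, checked against the version strings quoted in the ticket. It covers the digit/letter segment rules only; the tilde and caret operators of newer rpm releases are not handled, and the helper names `misordered` and `compare_vr` are made up for this sketch.

```python
import re
from functools import cmp_to_key

# rpm splits a version into maximal runs of digits or of ASCII letters;
# every other character ('.', '-', '_', ...) only separates segments.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if it is older, 0 if equal."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            # A numeric segment always beats an alphabetic one.
            return 1 if x_num else -1
        if x_num:
            # Numbers: drop leading zeros, then the longer one is larger.
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            # Same-length numbers or two alphabetic runs: plain byte order.
            return 1 if x > y else -1
    # All shared segments are equal: the string with segments left over wins.
    # This is why "1.5a1" ranks above "1.5".
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1


def compare_vr(a, b) -> int:
    """Compare (version, release) pairs, assuming equal epochs."""
    return rpmvercmp(a[0], b[0]) or rpmvercmp(a[1], b[1])


def sort_versions(versions):
    """Sort version strings oldest first, the way rpm would rank them."""
    return sorted(versions, key=cmp_to_key(rpmvercmp))


def misordered(release_order):
    """Return (earlier, later) pairs from the intended release order that
    rpm would NOT treat as an upgrade from earlier to later."""
    bad = []
    for i, earlier in enumerate(release_order):
        for later in release_order[i + 1:]:
            if rpmvercmp(earlier, later) >= 0:
                bad.append((earlier, later))
    return bad


# Intended release order, taken from the version strings quoted in ticket #15.
TICKET_SCHEME = ["1.5a1", "1.5b1", "1.5", "1.6", "1.6.1"]
NUMERIC_SCHEME = ["1.4.9.1", "1.4.9.2", "1.5"]

if __name__ == "__main__":
    print("rpm order of ticket scheme:", sort_versions(TICKET_SCHEME))
    print("upgrades rpm would refuse: ", misordered(TICKET_SCHEME))
    print("numeric scheme problems:   ", misordered(NUMERIC_SCHEME))
    # The Fedora-style mangling keeps the upstream version at 1.5 and puts
    # the pre-release marker in the release field, which sorts below "1".
    print("1.5-0.1.a1 vs 1.5-1:       ",
          compare_vr(("1.5", "0.1.a1"), ("1.5", "1")))
```

A package built as 1.5a1 or 1.5b1 would therefore never be replaced by the final 1.5 on upgrade, while the purely numeric scheme and the release-field mangling both sort as intended.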
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Thu, 1 Oct 2009 13:24:30 +0100
Subject: [Opendnssec-develop] kasp_check
Message-ID:

Hi All -

Just to let you know that the kasp_check program (which lives in OpenDNSSEC/auditor) is now functionally complete.

  kasp_check <-c, --conf path/to/conf.xml> <-k, --kasp path/to/kasp.xml>

I'd be very grateful for any comments / bug reports anyone may come up with!

Thanks,

Alex.

From Alexd at nominet.org.uk Thu Oct 1 13:23:02 2009
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Thu, 1 Oct 2009 14:23:02 +0100
Subject: [Opendnssec-develop] Help with autogen.sh
Message-ID:

Hi -

I am still having issues building OpenDNSSEC. When I run "sh autogen.sh" in OpenDNSSEC, I get :

  configure.ac:32: required file `../../ltmain.sh' not found

This is raised by libhsm.

Does anybody know what is wrong, and how I can get round this issue to successfully build OpenDNSSEC?

Thanks!

Alex.

From owner-dnssec-trac at kirei.se Thu Oct 1 17:45:00 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 01 Oct 2009 17:45:00 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #34: Softhsm +lib
Message-ID: <061.47f61d576ede9063deccf51eb68338e5@kirei.se>

#34: Softhsm +lib
------------------------------------+---------------------------------------
Reporter: archi.laurent at gmail.com | Owner: rb
Type: defect | Status: new
Priority: critical | Component: SoftHSM
Version: trunk | Keywords:
------------------------------------+---------------------------------------
Hello all,

I'm beginning with Opendnssec with the last version, and after compilation I can see these many errors:

open("/usr/local/opendnssec/lib/tls/i686/sse2/cmov/libsofthsm.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/local/opendnssec/lib/tls/i686/sse2/cmov", 0xbfc43270) = -1 ENOENT (No such file or directory)
open("/usr/local/opendnssec/lib/tls/i686/sse2/libsofthsm.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/local/opendnssec/lib/tls/i686/sse2", 0xbfc43270) = -1 ENOENT (No such file or directory)
open("/usr/local/opendnssec/lib/tls/i686/cmov/libsofthsm.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/local/opendnssec/lib/tls/i686/cmov", 0xbfc43270) = -1 ENOENT (No such file or directory)
open("/usr/local/opendnssec/lib/tls/i686/libsofthsm.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/local/opendnssec/lib/tls/i686", 0xbfc43270) = -1 ENOENT (No such file or directory)
open("/usr/local/opendnssec/lib/tls/sse2/cmov/libsofthsm.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/local/opendnssec/lib/tls/sse2/cmov", 0xbfc43270) = -1 ENOENT (No such file or directory)
open("/usr/local/opendnssec/lib/tls/sse2/libsofthsm.so.1", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/usr/local/opendnssec/lib/tls/sse2", 0xbfc43270) = -1 ENOENT (No such file or directory)
open("/usr/local/opendnssec/lib/tls/cmov/libsofthsm.so.1", O_RDONLY) = -1
ENOENT (No such file or directory)
...and more ...

And now find this, my argument for compilation:

./configure --prefix=/usr/local/opendnssec --sysconfdir=/etc --localstatedir=/var --with-botan=/usr/local && make && make install

Many thanks for helping me.

Best regards

--
Laurent Archambault
Under Linux

From owner-dnssec-trac at kirei.se Fri Oct 2 11:08:45 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 02 Oct 2009 11:08:45 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #34: Softhsm +lib
In-Reply-To: <061.47f61d576ede9063deccf51eb68338e5@kirei.se>
References: <061.47f61d576ede9063deccf51eb68338e5@kirei.se>
Message-ID: <070.dd20892f2dcb66e4fcf087cb250cdb1d@kirei.se>

#34: Softhsm +lib
------------------------------------+---------------------------------------
Reporter: archi.laurent at gmail.com | Owner: rb
Type: defect | Status: assigned
Priority: critical | Component: SoftHSM
Version: trunk | Resolution:
Keywords: |
------------------------------------+---------------------------------------
Changes (by rb):

  * status: new => assigned

Comment:

Is the problem that OpenDNSSEC can not find the SoftHSM library? Does your library path in conf.xml match the place where you installed SoftHSM?

From owner-dnssec-trac at kirei.se Fri Oct 2 11:40:52 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 02 Oct 2009 11:40:52 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #31: keepcounter serial option
In-Reply-To: <065.a4adaf3764c9d14a225bf1f5e27f49a4@kirei.se>
References: <065.a4adaf3764c9d14a225bf1f5e27f49a4@kirei.se>
Message-ID: <074.4cb815d62400b33cd73b2dff8d751a88@kirei.se>

#31: keepcounter serial option
----------------------------------------+-----------------------------------
Reporter: opendnssec.simon at arlott.org | Owner: matthijs
Type: enhancement | Status: closed
Priority: minor | Component: Signer
Version: trunk | Resolution: fixed
Keywords: |
----------------------------------------+-----------------------------------
Comment(by opendnssec.simon at arlott.org):

Replying to [comment:6 matthijs]:
> Replying to [comment:5 opendnssec.simon at arlott.org]:
> > If a slave nameserver misses the updates when this happens, it'll look like the master has an old serial.
>
> If all the NOTIFY stuff works, the slave nameserver would not miss it. If it does miss it (what are the odds?),

NOTIFY doesn't actually imply an immediate zone transfer... the slave (if BIND) may have limits on concurrent transfers (transfers-per-ns).

> it will eventually expire and stop serving its old dns data. According to the specification, the secondary has to discard the obsoleted zone and do a fresh transfer.

Ok, but the zone keys are likely to expire before the data does.

From rickard.bondesson at iis.se Fri Oct 2 12:22:59 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Fri, 2 Oct 2009 14:22:59 +0200
Subject: [Opendnssec-develop] Meeting next week
Message-ID: <6E3879CE-8662-4437-A1E3-9783D67E3FE0@iis.se>

I am suggesting that we should have a telephone meeting next Thursday, 13-15 CEST. Will get back next week with an agenda.

From owner-dnssec-trac at kirei.se Fri Oct 2 14:18:34 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 02 Oct 2009 14:18:34 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #35: Signer does not detect change to SOA record
Message-ID: <063.ab96974c8c8c1da6f39fd827a6c9dce1@kirei.se>

#35: Signer does not detect change to SOA record
--------------------------------------+-------------------------------------
Reporter: jonathan.stanton at cit.coop | Owner: matthijs
Type: defect | Status: new
Priority: major | Component: Signer
Version: trunk | Keywords:
--------------------------------------+-------------------------------------
trunk r2098

When the only change to a zone file is to the SOA record the signer does not detect the change.

Oct 2 15:14:27 uks-dnssec-01 ods-signerd: signer stderr: signer: number of signatures created: 1 (within a second)
Oct 2 15:14:27 uks-dnssec-01 ods-signerd: No new signatures, keeping zone

From owner-dnssec-trac at kirei.se Fri Oct 2 15:23:52 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 02 Oct 2009 15:23:52 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #34: Softhsm +lib
In-Reply-To: <061.47f61d576ede9063deccf51eb68338e5@kirei.se>
References: <061.47f61d576ede9063deccf51eb68338e5@kirei.se>
Message-ID: <070.d63c785627f8d88197b15572f4fbd68d@kirei.se>

#34: Softhsm +lib
------------------------------------+---------------------------------------
Reporter: archi.laurent at gmail.com | Owner: rb
Type: defect | Status: assigned
Priority: critical | Component: SoftHSM
Version: trunk | Resolution:
Keywords: |
------------------------------------+---------------------------------------
Comment(by archi.laurent at gmail.com):

I add this: Softhsm runs without problem, but it's strange to see this (example)

strace softhsm ....
open("/usr/local/opendnssec/lib/tls/i686/sse2/cmov/libsofthsm.so.1", O_RDONLY) = -1 ENOENT == (No such file or directory) ==

and this library is installed here:

== /usr/local/opendnssec/lib/libsofthsm.so.1 ==

Thanks a lot

From owner-dnssec-trac at kirei.se Mon Oct 5 08:09:42 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 05 Oct 2009 08:09:42 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #35: Signer does not detect change to SOA record
In-Reply-To: <063.ab96974c8c8c1da6f39fd827a6c9dce1@kirei.se>
References: <063.ab96974c8c8c1da6f39fd827a6c9dce1@kirei.se>
Message-ID: <072.be4144b39c5ec92bd1ca57d3aa61cbf4@kirei.se>

#35: Signer does not detect change to SOA record
--------------------------------------+-------------------------------------
Reporter: jonathan.stanton at cit.coop | Owner: matthijs
Type: defect | Status: closed
Priority: major | Component: Signer
Version: trunk | Resolution: duplicate
Keywords: |
--------------------------------------+-------------------------------------
Changes (by matthijs):

  * status: new => closed
  * resolution: => duplicate

Comment:

duplicate of #33

From rickard.bondesson at iis.se Mon Oct 5 08:30:29 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 5 Oct 2009 10:30:29 +0200
Subject: [Opendnssec-develop] Re: Meeting next week
In-Reply-To: <6E3879CE-8662-4437-A1E3-9783D67E3FE0@iis.se>
References: <6E3879CE-8662-4437-A1E3-9783D67E3FE0@iis.se>
Message-ID: <983F17705339E24699AA251B458249B50CC48CAE84@EXCHANGE2K7.office.nic.se>

I sent a suggestion last Friday for a telephone meeting this Thursday, but I got feedback that it collided with the RIPE DNS meeting.

What time would you prefer?

Thursday 14:00-15:00 CEST
or
Friday 11:00-12:00 CEST

Please vote on: http://www.doodle.com/64q3tgqkkdi9a598

// Rickard

From owner-dnssec-trac at kirei.se Mon Oct 5 12:27:26 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 05 Oct 2009 12:27:26 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #33: signer doesn't handle changes in SOA record
In-Reply-To: <065.882be2547268c674f8684c7b5e7c6b45@kirei.se>
References: <065.882be2547268c674f8684c7b5e7c6b45@kirei.se>
Message-ID: <074.78608b11a2f6176beab4a1e308c758f6@kirei.se>

#33: signer doesn't handle changes in SOA record
----------------------------------------+-----------------------------------
Reporter: opendnssec.simon at arlott.org | Owner: matthijs
Type: defect | Status: closed
Priority: minor | Component: Signer
Version: trunk | Resolution: fixed
Keywords: |
----------------------------------------+-----------------------------------
Changes (by matthijs):

  * status: accepted => closed
  * resolution: => fixed

Comment:

SOA will be recognized as changed if NAME, CLASS, RDLENGTH, MNAME, RNAME, REFRESH, RETRY or EXPIRE has changed.

SOA will also be recognized as changed if TTL has changed, and the TTL value is not configured.

SOA will also be recognized as changed if serial has changed, and the Serial value is not keep.

SOA will also be recognized as changed if Minimum has changed, and the Minimum value is not configured.

From jakob at kirei.se Tue Oct 6 06:37:26 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 6 Oct 2009 08:37:26 +0200
Subject: [Opendnssec-develop] Code Reviews
In-Reply-To:
References:
Message-ID: <9A65390F-DE8F-4C8C-BD6C-637EBD318D2E@kirei.se>

On 29 sep 2009, at 11.00, alexd at nominet.org.uk wrote:

> I remember (from some time ago) that we decided to defer code
> reviews until the beta release.
>
> Now that we're thinking of tagging the release (hopefully this
> week), it seems like a good idea to try to schedule some reviews.
>
> How should this work? When should we try to do the reviews? Should
> we be trying to use any tools to help this (e.g. Crucible)?

time to resurrect this!

jakob

From rickard.bondesson at iis.se Tue Oct 6 08:38:01 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 6 Oct 2009 10:38:01 +0200
Subject: [Opendnssec-develop] Re: Meeting next week (on Friday)
In-Reply-To: <6E3879CE-8662-4437-A1E3-9783D67E3FE0@iis.se>
References: <6E3879CE-8662-4437-A1E3-9783D67E3FE0@iis.se>
Message-ID: <983F17705339E24699AA251B458249B50CC48CB160@EXCHANGE2K7.office.nic.se>

The meeting will be on Friday in accordance with the Doodle.

Date: Friday 9 October
Time: 11:00-12:00 CEST

Please see the agenda (or update it): http://trac.opendnssec.org/wiki/Meetings/Agenda/2009-10-09

// Rickard

From owner-dnssec-trac at kirei.se Tue Oct 6 13:27:18 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 06 Oct 2009 13:27:18 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #36: Make clean doesn't (only) clean
Message-ID: <061.a56de9237fd1e9d78797f890a9ae44e4@kirei.se>

#36: Make clean doesn't (only) clean
------------------------------------+---------------------------------------
Reporter: robert at dk-hostmaster.dk | Owner: rb
Type: defect | Status: new
Priority: minor | Component: SoftHSM
Version: trunk | Keywords:
------------------------------------+---------------------------------------
robert at signer:~/new/OpenDNSSEC-trunk/softHSM$ svn up
At revision 2101.
robert at signer:~/new/OpenDNSSEC-trunk/softHSM$ make clean
cd . && /bin/sh /home/robert/new/OpenDNSSEC-trunk/softHSM/missing --run aclocal-1.10 -I m4
cd . && /bin/sh /home/robert/new/OpenDNSSEC-trunk/softHSM/missing --run automake-1.10 --foreign
cd . && /bin/sh /home/robert/new/OpenDNSSEC-trunk/softHSM/missing --run autoconf
/bin/sh ./config.status --recheck
running CONFIG_SHELL=/bin/sh /bin/sh ./configure --prefix=/usr/local --with-sqlite3=/usr --no-create --no-recursion

From owner-dnssec-trac at kirei.se Tue Oct 6 13:33:52 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 06 Oct 2009 13:33:52 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #36: Make clean doesn't (only) clean
In-Reply-To: <061.a56de9237fd1e9d78797f890a9ae44e4@kirei.se>
References: <061.a56de9237fd1e9d78797f890a9ae44e4@kirei.se>
Message-ID: <070.ef1a7cd4e07c2fe844e0eb25e5089194@kirei.se>

#36: Make clean doesn't (only) clean
------------------------------------+---------------------------------------
Reporter: robert at dk-hostmaster.dk | Owner: rb
Type: defect | Status: closed
Priority: minor | Component: SoftHSM
Version: trunk | Resolution: wontfix
Keywords: |
------------------------------------+---------------------------------------
Changes (by jakob):

  * status: new => closed
  * resolution: => wontfix

Comment:

unfortunately this is how autoconf works - if the configure and/or makefile has been changed, it will rerun configure before actually cleaning.

From owner-dnssec-trac at kirei.se Tue Oct 6 14:25:12 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 06 Oct 2009 14:25:12 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #37: xmllint for the auditor
Message-ID: <061.5a0d57988e0e92d046cc0b4b331d1705@kirei.se>

#37: xmllint for the auditor
------------------------------------+---------------------------------------
Reporter: robert at dk-hostmaster.dk | Owner: alex
Type: defect | Status: new
Priority: trivial | Component: Auditor
Version: trunk | Keywords:
------------------------------------+---------------------------------------
Maybe not a bug. Hard to tell since I just use the Debian package system...

configure complains that xmllint isn't available. On Debian it comes as libxml2-utils but there's no info in the README that such a dependency exists, but maybe that'd be a good idea.

From owner-dnssec-trac at kirei.se Tue Oct 6 14:59:39 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 06 Oct 2009 14:59:39 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #37: xmllint for the auditor
In-Reply-To: <061.5a0d57988e0e92d046cc0b4b331d1705@kirei.se>
References: <061.5a0d57988e0e92d046cc0b4b331d1705@kirei.se>
Message-ID: <070.1d454f73334351ff911d38292e338558@kirei.se>

#37: xmllint for the auditor
------------------------------------+---------------------------------------
Reporter: robert at dk-hostmaster.dk | Owner: alex
Type: defect | Status: closed
Priority: trivial | Component: Auditor
Version: trunk | Resolution: fixed
Keywords: |
------------------------------------+---------------------------------------
Changes (by pawal):

  * status: new => closed
  * resolution: => fixed

Comment:

I added this documentation to the wiki, http://trac.opendnssec.org/wiki/Signer/Using and the README.

From owner-dnssec-trac at kirei.se Tue Oct 6 16:00:56 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 06 Oct 2009 16:00:56 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #38: Keygend could use more informational error messages
Message-ID: <061.23030cd0ce8aecff95e9829221f6fb97@kirei.se>

#38: Keygend could use more informational error messages
------------------------------------+---------------------------------------
Reporter: robert at dk-hostmaster.dk | Owner: rb
Type: enhancement | Status: new
Priority: trivial | Component: Unknown
Version: trunk | Keywords:
------------------------------------+---------------------------------------
Here I am again. Your casual spammer.

It would be very informative to know which variable needs to be set.

2 files attached.

From owner-dnssec-trac at kirei.se Tue Oct 6 17:01:51 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 06 Oct 2009 17:01:51 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #39: ksmutil + error : Relax-NG validity error (?)
Message-ID: <061.fbef4c330028b714c677043c36a51614@kirei.se>

#39: ksmutil + error : Relax-NG validity error (?)
------------------------------------+---------------------------------------
Reporter: archi.laurent at gmail.com | Owner: matthijs
Type: defect | Status: new
Priority: minor | Component: Signer
Version: trunk | Keywords: Relax-NG validity error
------------------------------------+---------------------------------------
Hi all, and many thanks for Opendnssec ... I wait for the 30 October.

But actually I have this error, and I don't understand why:

ksmutil zone add -z archi.amt -p default -i /var/opendnssec/unsigned/archi.amt -o /var/opendnssec/signed/archi.amt
zonelist filename set to /etc/opendnssec/zonelist.xml.
/etc/opendnssec/conf.xml:38: element KeygenInterval: Relax-NG validity error : Did not expect element KeygenInterval there
/etc/opendnssec/conf.xml:53: element SignerThreads: Relax-NG validity error : Did not expect element SignerThreads there
Error validating file "/etc/opendnssec/conf.xml"

From owner-dnssec-trac at kirei.se Tue Oct 6 17:04:23 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 06 Oct 2009 17:04:23 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #38: Keygend could use more informational error messages
In-Reply-To: <061.23030cd0ce8aecff95e9829221f6fb97@kirei.se>
References: <061.23030cd0ce8aecff95e9829221f6fb97@kirei.se>
Message-ID: <070.83a294dfc96dad700fe05c8a1954e5e6@kirei.se>

#38: Keygend could use more informational error messages
------------------------------------+---------------------------------------
Reporter: robert at dk-hostmaster.dk | Owner: rb
Type: enhancement | Status: new
Priority: trivial | Component: Unknown
Version: trunk | Resolution:
Keywords: |
------------------------------------+---------------------------------------
Comment(by robert at dk-hostmaster.dk):

It seems unknown content of conf.xml doesn't mention the offending line nor directive either.

Attaching log2.txt

From owner-dnssec-trac at kirei.se Tue Oct 6 18:26:03 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 06 Oct 2009 18:26:03 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #39: ksmutil + error : Relax-NG validity error (?)
In-Reply-To: <061.fbef4c330028b714c677043c36a51614@kirei.se>
References: <061.fbef4c330028b714c677043c36a51614@kirei.se>
Message-ID: <070.402fe10828b0d92a0684de929541a20f@kirei.se>

#39: ksmutil + error : Relax-NG validity error (?)
------------------------------------+---------------------------------------
Reporter: archi.laurent at gmail.com | Owner: matthijs
Type: defect | Status: closed
Priority: minor | Component: Signer
Version: trunk | Resolution: fixed
Keywords: Relax-NG validity error |
------------------------------------+---------------------------------------
Changes (by jakob):

  * status: new => closed
  * resolution: => fixed

Comment:

SignerThreads and KeygenInterval have been deprecated and I forgot to note this in the NEWS file, sorry. I've added a note about this now.

  * SignerThreads was removed as the signer is not threaded (yet).
  * KeygenInterval was removed when keygend and communicated were merged into enforcerd.

From owner-dnssec-trac at kirei.se Tue Oct 6 18:27:13 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 06 Oct 2009 18:27:13 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #38: Keygend could use more informational error messages
In-Reply-To: <061.23030cd0ce8aecff95e9829221f6fb97@kirei.se>
References: <061.23030cd0ce8aecff95e9829221f6fb97@kirei.se>
Message-ID: <070.83539cb2e01372567a969af2207aba23@kirei.se>

#38: Keygend could use more informational error messages
------------------------------------+---------------------------------------
Reporter: robert at dk-hostmaster.dk | Owner: sion
Type: enhancement | Status: assigned
Priority: trivial | Component: Unknown
Version: trunk | Resolution:
Keywords: |
------------------------------------+---------------------------------------
Changes (by jakob):

  * owner: rb => sion
  * status: new => assigned

From owner-dnssec-trac at kirei.se Wed Oct 7 10:21:53 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 07 Oct 2009 10:21:53 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #38: Keygend could use more informational error messages
In-Reply-To: <061.23030cd0ce8aecff95e9829221f6fb97@kirei.se>
References: <061.23030cd0ce8aecff95e9829221f6fb97@kirei.se>
Message-ID: <070.acc6dcefa0d6777609b689e988469179@kirei.se>

#38: Keygend could use more informational error messages
------------------------------------+---------------------------------------
Reporter: robert at dk-hostmaster.dk | Owner: sion
Type: enhancement | Status: assigned
Priority: trivial | Component: Unknown
Version: trunk | Resolution:
Keywords: |
------------------------------------+---------------------------------------
Comment(by sion):

I think that there are 2 issues here.

The first is possibly build related, but keygend shouldn't be run any more. The new binary is ods-enforcerd. Maybe a make clean is needed?

The second issue is the lack of logging; this is addressed in svn rev 2123.

If you could confirm that make clean or running ods-enforcerd works then I will close this ticket.

Cheers,

Sion

From owner-dnssec-trac at kirei.se Wed Oct 7 17:38:31 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 07 Oct 2009 17:38:31 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #40: with Sqlite (available for Mysql too)
Message-ID: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se>

#40: with Sqlite (available for Mysql too)
------------------------------------+---------------------------------------
Reporter: archi.laurent at gmail.com | Owner: sion
Type: defect | Status: new
Priority: blocker | Component: Enforcer
Version: trunk | Keywords:
------------------------------------+---------------------------------------
Hi all,

After read many documentation, and same many tickets, I have no see something for create the table in SQL... and after this error is really normal. Damage I progress with opendnssec...sniff

ksmutil zone add -z archi.amt -p default -i /var/opendnssec/unsigned/archi.amt -o /var/opendnssec/signed/archi.amt
zonelist filename set to /etc/opendnssec/zonelist.xml.
== SQLite database set to: /home/opendnssec/slot0.db ERROR: error executing SQL - no such table: dbadmin Failed to connect to database ==

Thanks a lot for helping me.

From rick at openfortress.nl Wed Oct 7 18:31:39 2009
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 7 Oct 2009 18:31:39 +0000
Subject: [Opendnssec-develop] Meeting notes 2009-09-23
Message-ID: <20091007183139.GB19694@phantom.vanrein.org>

Hello,

I've just placed the meeting notes online for the meeting of 2009-09-23. I apologise for the delay.

I could not reconstruct what was being said in the first paragraph of "Issues from Pivotal Tracker" and would invite people with a good memory of it to jump in and correct. Sion, this was related to your work.

Best wishes,
-Rick

From owner-dnssec-trac at kirei.se Thu Oct 8 07:48:54 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 08 Oct 2009 07:48:54 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #40: with Sqlite (available for Mysql too)
In-Reply-To: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se>
References: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se>
Message-ID: <070.6d392a00f654ceec747c78122bbb7f8f@kirei.se>

#40: with Sqlite (available for Mysql too)
------------------------------------+---------------------------------------
Reporter: archi.laurent at gmail.com | Owner: sion
Type: defect | Status: new
Priority: blocker | Component: Enforcer
Version: trunk | Resolution:
Keywords: |
------------------------------------+---------------------------------------
Comment(by sion):

Hi there,

So the first thing I see is that the database looks like it might be for the softHSM (I'm only guessing this from the name). conf.xml should contain a link to a database (in the Enforcer/Datastore tag) which is different to the one in your SOFTHSM_CONF environment variable.

If you still get the same error then it will likely be due to changes made to the database between the time when you made it and the beta release. To cope with these changes then run the migration scripts in "enforcer/utils". Assuming that your database was built with the last alpha release then you will need to run:

sqlite3 < enforcer/utils/migrate_090922_1.sqlite3
sqlite3 < enforcer/utils/migrate_090930_1.sqlite3
sqlite3 < enforcer/utils/migrate_091002_1.sqlite3

Let me know if this works,

Sion

From sion at nominet.org.uk Thu Oct 8 08:47:42 2009
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Thu, 8 Oct 2009 09:47:42 +0100
Subject: [Opendnssec-develop] Meeting notes 2009-09-23
In-Reply-To: <20091007183139.GB19694@phantom.vanrein.org>
References: <20091007183139.GB19694@phantom.vanrein.org>
Message-ID:

> I could not reconstruct what was being said in the first paragraph
> of "Issues from Pivotal Tracker" and would invite people with a good
> memory of it to jump in and correct. Sion, this was related to your work.

So I've updated the page with what I think is the right discussion. It was me pointing out that the performance with lots of zones not sharing keys has been flagged up as being poor. At the time this was not in pivotal, it is now.

Sion

From owner-dnssec-trac at kirei.se Thu Oct 8 17:52:39 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 08 Oct 2009 17:52:39 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #40: with Sqlite (available for Mysql too)
In-Reply-To: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se>
References: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se>
Message-ID: <070.b76283332a904e9099e9d56a0beb59d0@kirei.se>

#40: with Sqlite (available for Mysql too)
------------------------------------+---------------------------------------
Reporter: archi.laurent at gmail.com | Owner: sion
Type: defect | Status: new
Priority: blocker | Component: Enforcer
Version: trunk | Resolution:
Keywords: |
------------------------------------+---------------------------------------
Comment(by archi.laurent at gmail.com):

Hello, and many thanks for your rapid answer, but I am sorry for this but I think the problem is here:

== SQLite version 2.8.17 ==

.... sniff sorry

Best regards and thanks, you can close this ticket.

From owner-dnssec-trac at kirei.se Thu Oct 8 18:10:02 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 08 Oct 2009 18:10:02 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #40: with Sqlite (available for Mysql too) In-Reply-To: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se> References: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se> Message-ID: <070.3a5552b7d043e7ff345b294b320b9bad@kirei.se> #40: with Sqlite (available for Mysql too) ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: sion Type: defect | Status: new Priority: blocker | Component: Enforcer Version: trunk | Resolution: Keywords: | ------------------------------------+--------------------------------------- Comment(by to be continue ... sorry): Ok now, my sqlite is better (!) --> SQLite version 3.6.10, but it's not good after I have the same problem when sqlite in 2.8.17. It's strange. sqlite3 slot0.db database_create.sqlite3 SQL error: near "database_create": syntax error I have the last version for all (opendnssec + softhsm) via svn ... Thanks a lot and best regards -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 9 07:22:22 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 09 Oct 2009 07:22:22 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #40: with Sqlite (available for Mysql too) In-Reply-To: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se> References: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se> Message-ID: <070.7425d5c54c8e56e78eb267398867b66e@kirei.se> #40: with Sqlite (available for Mysql too) ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: sion Type: defect | Status: new Priority: blocker | Component: Enforcer Version: trunk | Resolution: Keywords: | ------------------------------------+--------------------------------------- Comment(by sion): The sqlite command is not quite right, you need to redirect the create script in, so your example would become: sqlite3 slot0.db < database_create.sqlite3 Or you can run "ods-ksmutil setup". Sion -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 9 07:28:49 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 09 Oct 2009 07:28:49 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #40: with Sqlite (available for Mysql too) In-Reply-To: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se> References: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se> Message-ID: <070.f3820ecc26a8687a1536ca89faca47b2@kirei.se> #40: with Sqlite (available for Mysql too) ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: sion Type: defect | Status: new Priority: blocker | Component: Enforcer Version: trunk | Resolution: Keywords: | ------------------------------------+--------------------------------------- Comment(by rb): You are probably also trying to patch the wrong database file. slot0.db is usually the default name of the SoftHSM database. You will find the correct path in your conf.xml ***** /home/rickard/opendnssec/enforcer.db ***** So don't confuse the datastore for OpenDNSSEC with the datastore for SoftHSM. The files do not exist when you install the system, but are created by the system once you run the setup commands (ods-ksmutil setup, and softhsm --init-token). -- Ticket URL: OpenDNSSEC OpenDNSSEC From jakob at kirei.se Fri Oct 9 10:03:24 2009 From: jakob at kirei.se (Jakob Schlyter) Date: Fri, 9 Oct 2009 12:03:24 +0200 Subject: [Opendnssec-develop] PropagationDelay Message-ID: <0A6336BC-AFA3-411E-A315-F7B338F8F124@kirei.se> what are reasonable default values for Zone and Parent PropagationDelay ? the current - PT9999S - is not... jakob From rickard.bondesson at iis.se Fri Oct 9 10:28:56 2009
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Fri, 9 Oct 2009 12:28:56 +0200 Subject: [Opendnssec-develop] PropagationDelay In-Reply-To: <0A6336BC-AFA3-411E-A315-F7B338F8F124@kirei.se> References: <0A6336BC-AFA3-411E-A315-F7B338F8F124@kirei.se> Message-ID: <983F17705339E24699AA251B458249B50CC48CB8E5@EXCHANGE2K7.office.nic.se> > what are reasonable default values for Zone and Parent PropagationDelay > ? > the current - PT9999S - is not... If a registrant wants to change something in our zone it takes maximum: 2 h (EPP -> zone generation. We generate the zone every second hour) 15 min (zone generation -> dnssec -> distribution points) 15 min (distribution points -> secondaries. Maximum time according to contract. Usually takes 3 min) So 9000 seconds If we want to change something in the root zone, it takes around 3 to 5 days. But other zones would be faster // Rickard From rickard.bondesson at iis.se Fri Oct 9 11:08:34 2009
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Fri, 9 Oct 2009 13:08:34 +0200 Subject: [Opendnssec-develop] Telephone meeting 23 Oct Message-ID: <983F17705339E24699AA251B458249B50CC48CB8F6@EXCHANGE2K7.office.nic.se> Hi The next telephone meeting will be on Friday the 23rd of October between 11 and 12 CEST. Agenda will come later. // Rickard From rickard.bondesson at iis.se Fri Oct 9 12:08:40 2009
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Fri, 9 Oct 2009 14:08:40 +0200 Subject: [Opendnssec-develop] Code reviewing Message-ID: <983F17705339E24699AA251B458249B50CC48CB941@EXCHANGE2K7.office.nic.se> Hi The last code review we had was in April/May and a lot has happened since last time. We are aiming at having this code review between 19 and 23 October. So my question is who can perform code reviewing and what program languages you prefer? You can also ask other people if they can perform this task. Just get back to me and I will coordinate this effort. // Rickard From rickard.bondesson at iis.se Fri Oct 9 12:46:08 2009
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Fri, 9 Oct 2009 14:46:08 +0200 Subject: [Opendnssec-develop] Testing the beta versions Message-ID: <983F17705339E24699AA251B458249B50CC48CB95D@EXCHANGE2K7.office.nic.se> Hi Before we can release version 1.0 of OpenDNSSEC, we must make sure that it is functioning properly and that it has a good quality. To be able to do this, we must put a lot of effort in testing the beta versions. Ask your colleagues, friends, and others to download OpenDNSSEC. Set up the system and start signing zones. Make sure that they take notes of any problems they had. Try signing different types of zones with different types of resource records and size. Run with different policies other than the default one. Etc. Or you could also do this in a group with you as a teacher. Introduce them to OpenDNSSEC. Let them do everything and observe how they are doing. This is besides the structured tests that we, as developers, have to perform. // Rickard From owner-dnssec-trac at kirei.se Mon Oct 12 04:37:38 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Mon, 12 Oct 2009 04:37:38 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #41: "keep" setting for KASP.Policy.Zone.SOA.Serial doesn't seem to work Message-ID: <059.2161d1726bbceaf0ae1d8e372dc236a2@kirei.se> #41: "keep" setting for KASP.Policy.Zone.SOA.Serial doesn't seem to work ----------------------------------+----------------------------------------- Reporter: sebastian at nzrs.net.nz | Owner: matthijs Type: defect | Status: new Priority: minor | Component: Signer Version: trunk | Keywords: ----------------------------------+----------------------------------------- I'm generating a zone to test the signing process and defined to keep the serial number. Currently that feature doesn't work. If the output signed zone file exists, the serial on that file is used (not the serial from the input file). If the output signed zone file doesn't exist, get_serial fails and the zone is not signed. With this little patch the issue of not honoring the input file serial is solved. Index: Zone.py =================================================================== --- Zone.py (revision 2197) +++ Zone.py (working copy) @@ -664,6 +664,7 @@ "for " + self.zone_name) return None update_serial = 0 + prev_serial = soa_serial else: syslog.syslog(syslog.LOG_WARNING, "warning: unknown serial type " +\ -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Mon Oct 12 08:14:50 2009 
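Review bot: the added `prev_serial = soa_serial` in the "keep" branch covers only the first of the two failures the ticket describes. The second one, where the signed output file does not exist, get_serial fails and the zone is not signed, is not touched by this hunk and still needs its own fix or a follow-up ticket. The new line also overrides whatever prev_serial held before without explanation, so a short comment stating that "keep" takes the serial from the input zone's SOA rather than from the previous signed output would help the next reader.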
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Mon, 12 Oct 2009 08:14:50 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #41: "keep" setting for KASP.Policy.Zone.SOA.Serial doesn't seem to work In-Reply-To: <059.2161d1726bbceaf0ae1d8e372dc236a2@kirei.se> References: <059.2161d1726bbceaf0ae1d8e372dc236a2@kirei.se> Message-ID: <068.cd9b1e14305aedf7366523588b4bc8c2@kirei.se> #41: "keep" setting for KASP.Policy.Zone.SOA.Serial doesn't seem to work ----------------------------------+----------------------------------------- Reporter: sebastian at nzrs.net.nz | Owner: matthijs Type: defect | Status: closed Priority: minor | Component: Signer Version: trunk | Resolution: fixed Keywords: | ----------------------------------+----------------------------------------- Changes (by matthijs): * status: new => closed * resolution: => fixed Comment: Thanks for the patch. I've applied it in trunk and it will make the beta-3 release. -- Ticket URL: OpenDNSSEC OpenDNSSEC From Alexd at nominet.org.uk Mon Oct 12 08:22:32 2009 From: Alexd at nominet.org.uk (Alexd at nominet.org.uk) Date: Mon, 12 Oct 2009 09:22:32 +0100 Subject: [Opendnssec-develop] SHA2-signed zone Message-ID: Hi - This is probably really lazy, but.... I think I've got SHA2 support fully implemented in dnsruby. Before I make an official release, I'd really just like to check that it works with a SHA2-signed zone (I've used the examples in the draft - which Jelte will hopefully now fix). Can somebody please send me a SHA2-signed zone I could run the auditor on? Thanks! Alex. From jakob at kirei.se Mon Oct 12 08:37:37 2009
From: jakob at kirei.se (Jakob Schlyter) Date: Mon, 12 Oct 2009 10:37:37 +0200 Subject: [Opendnssec-develop] SHA2-signed zone In-Reply-To: References: Message-ID: <70F6613D-2B33-4F97-B16C-D19AD0321F0F@kirei.se> On 12 Oct 2009, at 10.22, Alexd at nominet.org.uk wrote: > Can somebody please send me a SHA2-signed zone I could run the > auditor on? done. j From Alexd at nominet.org.uk Mon Oct 12 10:34:49 2009 From: Alexd at nominet.org.uk (Alexd at nominet.org.uk) Date: Mon, 12 Oct 2009 11:34:49 +0100 Subject: [Opendnssec-develop] Auditor key tracking Message-ID: Hi - Stephen suggested a couple of enhancements to the auditor : a) Track SOA over time, to make sure it only ever goes up b) Warn/error if a key is observed to go straight into active use without first being prepublished for at least the zone SOA TTL (of course, the first time the auditor is run on a zone, it won't be able to raise this error) Is everyone happy for me to add these tests now? Are there any other "tracking over time" tests which anyone would like me to add? Thanks, Alex. From rick at openfortress.nl Mon Oct 12 10:44:07 2009 From: rick at openfortress.nl (Rick van Rein) Date: Mon, 12 Oct 2009 10:44:07 +0000 Subject: [Opendnssec-develop] Auditor key tracking In-Reply-To: References: Message-ID: <20091012104407.GG20518@phantom.vanrein.org> Hello, > Stephen suggested a couple of enhancements to the auditor : > > Is everyone happy for me to add these tests now? Yes, useful stuff. > Are there any other "tracking over time" tests which anyone would like me > to add? AFAIK the general idea would be "any RRdata error that could break the continued publication of a domain on some practical name server". -Rick From owner-dnssec-trac at kirei.se Wed Oct 14 15:59:01 2009
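The two "tracking over time" checks proposed in the "Auditor key tracking" thread above, as an added example in Python; it is not the auditor's own code (the auditor is built on dnsruby). All names are hypothetical, and it goes slightly beyond the mail by comparing serials with RFC 1982 arithmetic and by treating an unchanged serial as acceptable.

```python
MOD = 1 << 32          # SOA serials are 32-bit
HALF = 1 << 31


def serial_gt(new, old):
    """RFC 1982 comparison: True if `new` is ahead of `old` modulo 2**32."""
    diff = (new - old) % MOD
    return 0 < diff < HALF


class ZoneHistory:
    """State the auditor keeps for one zone between runs (hypothetical)."""

    def __init__(self):
        self.last_serial = None      # highest serial observed so far
        self.first_published = {}    # key tag -> time first seen in DNSKEY set
        self.seen_active = set()     # key tags already observed signing


def audit(history, now, serial, soa_ttl, published, active):
    """Check one observation of a signed zone against its history.

    published: key tags in the DNSKEY RRset
    active:    key tags that produced signatures in this version of the zone
    Returns a list of findings and updates `history`.
    """
    findings = []
    first_run = history.last_serial is None

    # (a) The serial must only ever go up. An unchanged serial is accepted
    #     here (assumption: the zone was simply not re-signed).
    if (not first_run and serial != history.last_serial
            and not serial_gt(serial, history.last_serial)):
        findings.append("SOA serial went backwards: %d -> %d"
                        % (history.last_serial, serial))

    # (b) A key that starts signing must have been prepublished for at least
    #     the SOA TTL. On the first run there is no history, so nothing can
    #     be raised. The measured time is a lower bound: the key may have
    #     been published before the auditor first saw it.
    if not first_run:
        for tag in sorted(active - history.seen_active):
            seen = history.first_published.get(tag)
            if seen is None:
                findings.append("key %d in active use without ever being "
                                "prepublished" % tag)
            elif now - seen < soa_ttl:
                findings.append("key %d active after %d s of prepublication, "
                                "SOA TTL is %d s" % (tag, now - seen, soa_ttl))

    for tag in published | active:
        history.first_published.setdefault(tag, now)
    history.seen_active |= active
    if first_run or serial_gt(serial, history.last_serial):
        history.last_serial = serial
    return findings


if __name__ == "__main__":
    # Constructed observations: (time, serial, DNSKEY tags, signing tags)
    runs = [(0, 2009101200, {1111}, {1111}),
            (1000, 2009101201, {1111, 2222}, {1111}),
            (2000, 2009101202, {1111, 2222}, {1111, 2222}),
            (9000, 2009101201, {1111, 2222, 3333}, {1111, 2222, 3333})]
    h = ZoneHistory()
    for now, serial, pub, act in runs:
        print(now, audit(h, now, serial, 3600, pub, act))
```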
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Wed, 14 Oct 2009 15:59:01 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #42: I don't understand why "now" Message-ID: <061.7092b7bd5b1bcd3c5a2e365f7a316fab@kirei.se> #42: I don't understand why "now" ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Keywords: table "dbadmin" ------------------------------------+--------------------------------------- Hi all, and thanks for your development Opendnssec. However I think when your development is more speed to compare at your documentation...it's not easy. just a small remark. For help you, i has joined at this ticket all myself commands (Ubuntu) : Compilation/opendnssec-1.0.0b2# make clean dep ; ./configure --prefix=/usr/local/opendnssec --sysconfdir=/etc --localstatedir=/var --with-ldns=/usr/local --with-botan=/usr/local && make && make install apt-get install python-4suite-xml (it's new now ! not before) echo "/usr/local/opendnssec/lib" >> /etc/ld.so.conf.d/libc.conf add in "/etc/environnement" :/usr/local/opendnssec/bin/ necessary for $PATH source /etc/environnement My softhsm.conf: # softHSM configuration file # /etc/softhsm.conf : 0:/home/opendnssec/slot0.db 4:/home/opendnssec/slot4.database ------------------/etc/opendnssec/conf.xml--------------------------------- /usr/local/opendnssec/lib/libsofthsm.so OpenDNSSEC mandrake local0 /etc/opendnssec/kasp.xml /etc/opendnssec/zonelist.xml /home/opendnssec/slot0.db> PT3600S /home/opendnssec/tmp 8 /home/opendnssec/tmp ------------------------------------------------------------------- 53 secret.archi.amt. 
hmac-sha256 sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ= 192.168.1.1153 ----------/etc/opendnssec/zonelist.xml--------------------------- default /var/opendnssec/signconf/archi.amt.xml /var/opendnssec/unsigned/archi.amt /var/opendnssec/signed/archi.amt ------------------------------------------------------------------- softhsm --init-token --slot 0 --label "OpenDNSSEC" The SO PIN must have a length between 4 and 255 characters. Enter SO PIN: ________ The user PIN must have a length between 4 and 255 characters. Enter user PIN: _________ The token has been initialized. softhsm --init-token --slot 4 --label "token" The SO PIN must have a length between 4 and 255 characters. Enter SO PIN: _________ The user PIN must have a length between 4 and 255 characters. Enter user PIN: _______ The token has been initialized. ----just after, I think all databases are very small(ok):---- -rw-r--r-- 1 root root 5120 2009-10-14 17:30 slot0.db -rw-r--r-- 1 root root 5120 2009-10-14 17:31 slot4.database /usr/bin/sqlite3 /home/opendnssec/slot0.db < /mnt/Divers2/Compilation/OpenDNSSEC/enforcer/utils/database_create.sqlite3 root at serveur:/home/opendnssec# /usr/bin/sqlite3 /home/opendnssec/slot4.database < /mnt/Divers2/Compilation/OpenDNSSEC/enforcer/utils/database_create.sqlite3 root at serveur:/home/opendnssec# ls -l -rw-r--r-- 1 root root 27648 2009-10-14 17:34 slot0.db -rw-r--r-- 1 root root 27648 2009-10-14 17:35 slot4.database (ok it's better now !) ksmutil zone add -z archi.amt -p default -i /var/opendnssec/unsigned/archi.amt -o /var/opendnssec/signed/archi.amt zonelist filename set to /etc/opendnssec/zonelist.xml. SQLite database set to: /home/opendnssec/slot0.db> == File /home/opendnssec/slot0.db> does not exist, nothing to backup ERROR: error executing SQL - no such table: dbadmin Failed to connect to database == My database is already here, I don't understand where is the problem (?)
== root at serveur:/home/opendnssec# ls slot0.db slot0.db> slot0.db>.our_lock slot4.database == My version is : SQLite version 3.6.10 And when I open the database "slot0.db" I can see this : == .dump dbadmin BEGIN TRANSACTION; CREATE TABLE "dbadmin" ( "version" INTEGER NOT NULL DEFAULT (1), "description" TEXT ); INSERT INTO "dbadmin" VALUES(1,'This needs to be in sync with the version defined in database.h'); COMMIT; == Many thanks for help me, because actually I am blocked by a mystery problem. Best regards. -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Wed Oct 14 16:43:41 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Wed, 14 Oct 2009 16:43:41 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #42: I don't understand why "now" In-Reply-To: <061.7092b7bd5b1bcd3c5a2e365f7a316fab@kirei.se> References: <061.7092b7bd5b1bcd3c5a2e365f7a316fab@kirei.se> Message-ID: <070.9cb044d4cee56e1abe64ce917e790125@kirei.se> #42: I don't understand why "now" ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Resolution: Keywords: table "dbadmin" | ------------------------------------+--------------------------------------- Comment(by rb): Yeah, the documentation needs more attention. But there are some pointers to documentation on www.opendnssec.org Firstly, SoftHSM is like any other HSM. Thus not part of the OpenDNSSEC software. The Enforcer cannot share its database with SoftHSM. Please have different db path in softhsm.conf and conf.xml Before you start using an HSM you must initialize it. With SoftHSM you can do it with the command "softhsm" When you have set your configuration and policy, then you do "ods-ksmutil setup" Then you can start the daemons, ods-signerd and ods-enforcerd -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Wed Oct 14 16:47:37 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Wed, 14 Oct 2009 16:47:37 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #42: I don't understand why "now" In-Reply-To: <061.7092b7bd5b1bcd3c5a2e365f7a316fab@kirei.se> References: <061.7092b7bd5b1bcd3c5a2e365f7a316fab@kirei.se> Message-ID: <070.d99bb6ddc7b423c78025992fb83c43b5@kirei.se> #42: I don't understand why "now" ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Resolution: Keywords: table "dbadmin" | ------------------------------------+--------------------------------------- Comment(by rb): The database patches only apply if you want to migrate an old database to current version. But it looks like you never had a running OpenDNSSEC. So "ods-ksmutil setup" is sufficient to setup a database when run the first time. -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Thu Oct 15 07:32:56 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 15 Oct 2009 07:32:56 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #42: I don't understand why "now" In-Reply-To: <061.7092b7bd5b1bcd3c5a2e365f7a316fab@kirei.se> References: <061.7092b7bd5b1bcd3c5a2e365f7a316fab@kirei.se> Message-ID: <070.1ac8fbd51e43c71b65af4d6aedfb1643@kirei.se> #42: I don't understand why "now" ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Resolution: Keywords: table "dbadmin" | ------------------------------------+--------------------------------------- Comment(by sion): So the issue may be due to the conf.xml line: /home/opendnssec/slot0.db> Note that there is an extra ">" here; which is being interpreted as part of the database name. I'd recommend changing it to: /home/opendnssec/enforcer.db so that there are no ">" characters in the name; and it looks different to the SoftHSM database. -- Ticket URL: OpenDNSSEC OpenDNSSEC From rickard.bondesson at iis.se Thu Oct 15 12:55:47 2009 
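The two mistakes diagnosed in ticket #42 above (a stray ">" in the datastore path, and the Enforcer datastore pointing at the SoftHSM token database) can be caught before "ods-ksmutil setup" is run. This is an added example, not OpenDNSSEC code; the sample files are constructed from the ticket, and the <SQLite> child under Enforcer/Datastore is an assumption, since the ticket's conf.xml lost its tags in the archive.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on ticket #42 (not the reporter's files).
SOFTHSM_CONF = """\
# softHSM configuration file
# /etc/softhsm.conf :
0:/home/opendnssec/slot0.db
4:/home/opendnssec/slot4.database
"""

# Assumed layout: the thread only names the "Enforcer/Datastore" tag; the
# <SQLite> element is an assumption of this example.
BAD_CONF_XML = """\
<Configuration>
  <Enforcer>
    <Datastore><SQLite>/home/opendnssec/slot0.db></SQLite></Datastore>
  </Enforcer>
</Configuration>
"""

GOOD_CONF_XML = BAD_CONF_XML.replace("/home/opendnssec/slot0.db>",
                                     "/home/opendnssec/enforcer.db")

# Characters that have no business in a database path and usually mean a
# copy/paste or XML editing slip.
SUSPICIOUS = set("<>\"'")


def softhsm_slot_paths(text):
    """Return {slot_number: token_database_path} from softhsm.conf text."""
    slots = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        slot, sep, path = line.partition(":")
        if sep and slot.strip().isdigit() and path.strip():
            slots[int(slot)] = path.strip()
    return slots


def enforcer_datastore(conf_xml):
    """Return the Enforcer datastore path from conf.xml text, or None."""
    node = ET.fromstring(conf_xml).find("./Enforcer/Datastore/SQLite")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def lint(conf_xml, softhsm_conf):
    """Return a list of findings; an empty list means both checks passed."""
    datastore = enforcer_datastore(conf_xml)
    if datastore is None:
        return ["conf.xml: no Enforcer/Datastore/SQLite path found"]

    findings = []
    stray = sorted(c for c in set(datastore)
                   if c in SUSPICIOUS or c.isspace())
    if stray:
        findings.append("datastore path %r contains stray character(s) %s"
                        % (datastore, " ".join(repr(c) for c in stray)))

    # Compare what the operator most likely meant (stray characters removed)
    # with every SoftHSM token database.
    cleaned = "".join(c for c in datastore if c not in SUSPICIOUS).strip()
    cleaned = posixpath.normpath(cleaned)
    for slot, path in sorted(softhsm_slot_paths(softhsm_conf).items()):
        if posixpath.normpath(path) == cleaned:
            findings.append("datastore %r is the SoftHSM token database "
                            "of slot %d" % (cleaned, slot))
    return findings


if __name__ == "__main__":
    for name, xml_text in (("bad", BAD_CONF_XML), ("good", GOOD_CONF_XML)):
        print(name, lint(xml_text, SOFTHSM_CONF) or "ok")
```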
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Thu, 15 Oct 2009 14:55:47 +0200 Subject: [Opendnssec-develop] Re: Code reviewing In-Reply-To: <983F17705339E24699AA251B458249B50CC48CB941@EXCHANGE2K7.office.nic.se> References: <983F17705339E24699AA251B458249B50CC48CB941@EXCHANGE2K7.office.nic.se> Message-ID: <983F17705339E24699AA251B458249B50CC4937A20@EXCHANGE2K7.office.nic.se> It is now me, Sion, and Alex. Is there anyone else who can do code reviewing? > Hi > > The last code review we had was in April/May and a lot has happened > since last time. We are aiming at having this code review between 19 > and > 23 October. > > So my question is who can perform code reviewing and what program > languages you prefer? You can also ask other people if they can > perform this task. Just get back to me and I will coordinate this > effort. > > // Rickard > > > * Rickard Bondesson > * 0x537558DA(L) > > > From rickard.bondesson at iis.se Thu Oct 15 14:45:10 2009
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Thu, 15 Oct 2009 16:45:10 +0200 Subject: [Opendnssec-develop] RFC5011 not implemented Message-ID: <983F17705339E24699AA251B458249B50CC4937AB6@EXCHANGE2K7.office.nic.se> Hi When going through the functionality of OpenDNSSEC, I see that we have not implemented RFC5011. And I think that it is nothing that you can code during a couple of hours and then be finished. Any comments? // Rickard From Stephen.Morris at nominet.org.uk Thu Oct 15 18:02:31 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk) Date: Thu, 15 Oct 2009 19:02:31 +0100 Subject: [Opendnssec-develop] RFC5011 not implemented In-Reply-To: <983F17705339E24699AA251B458249B50CC4937AB6@EXCHANGE2K7.office.nic.se> References: <983F17705339E24699AA251B458249B50CC4937AB6@EXCHANGE2K7.office.nic.se> Message-ID: Rickard Bondesson wrote on 15/10/2009 15:45:10: > Hi > > When going through the functionality of OpenDNSSEC, I see that we have not > implemented RFC5011. And I think that it is nothing that you can code during a > couple of hours and then be finished. > > Any comments? You are right. Although you can mess around with the key timing and safety margins to get the appropriate hold-down time before and after the key is used, I would think it needs a bit of work in both KASP and the signer to handle the revoke bit. Ideally, we would want an option that would automatically modify any policy to operate within the constraints set by the RFC. I suggest we put it on the feature list for 1.1. It's too late to include it now. Stephen BTW, I've just updated the key timing draft and included an interpretation of how RFC 5011 affects the key roll process - see http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01. From rickard.bondesson at iis.se Thu Oct 15 19:29:56 2009
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Thu, 15 Oct 2009 21:29:56 +0200 Subject: [Opendnssec-develop] RFC5011 not implemented In-Reply-To: References: <983F17705339E24699AA251B458249B50CC4937AB6@EXCHANGE2K7.office.nic.se> Message-ID: <80061309-34AD-45AD-A4A6-458EE5228D0A@iis.se> And then you also have section "6.6. Trust Point Deletion" which requires operator interaction before the key is added to the zone. So for now I think we need to put a comment in the rng that says that it is not implemented yet. On 15 Oct 2009 at 20.03, "Stephen.Morris at nominet.org.uk" wrote: Rickard Bondesson wrote on 15/10/2009 15:45:10: > Hi > > When going through the functionality of OpenDNSSEC, I see that we have not > implemented RFC5011. And I think that it is nothing that you can code during a > couple of hours and then be finished. > > Any comments? You are right. Although you can mess around with the key timing and safety margins to get the appropriate hold-down time before and after the key is used, I would think it needs a bit of work in both KASP and the signer to handle the revoke bit. Ideally, we would want an option that would automatically modify any policy to operate within the constraints set by the RFC. I suggest we put it on the feature list for 1.1. It's too late to include it now. Stephen BTW, I've just updated the key timing draft and included an interpretation of how RFC 5011 affects the key roll process - see http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01. From Alexd at nominet.org.uk Mon Oct 19 09:48:36 2009
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk) Date: Mon, 19 Oct 2009 10:48:36 +0100 Subject: [Opendnssec-develop] Missing TTLs in zone files Message-ID: Hi - I have been sent a few zone files where the problem seems to be a missing TTL. No TTLs are defined in RRs, and the $TTL directive is missing. The signer seems to deal with this by assigning the SOA RR a TTL of 0, and assigning a TTL of 3600 (which is from the SOA Minimum field) to the remaining RRs. Is this the correct behaviour? Should the auditor also do this? We had thought that maybe *all* of the RRs should take the default of the SOA Minimum? (i.e. the SOA RR, and all other RRs) Thanks, Alex. From matthijs at NLnetLabs.nl Mon Oct 19 10:13:51 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Mon, 19 Oct 2009 12:13:51 +0200 Subject: [Opendnssec-develop] Missing TTLs in zone files In-Reply-To: References: Message-ID: <4ADC3BDF.4080901@nlnetlabs.nl> > We had thought that maybe *all* of the RRs should take the default of > the SOA Minimum? (i.e. the SOA RR, and all other RRs) I looked it up and that seems to be the proper action, according to RFC 1034: A key item in the SOA is the 86400 second minimum TTL, which means that all authoritative data in the zone has at least that TTL, although higher values may be explicitly specified. Best regards, Matthijs Alexd at nominet.org.uk wrote: > Hi - > > I have been sent a few zone files where the problem seems to be a > missing TTL. No TTLs are defined in RRs, and the $TTL directive is missing. > > The signer seems to deal with this by assigning the SOA RR a TTL of 0, > and assigning a TTL of 3600 (which is from the SOA Minimum field) to the > remaining RRs. > > Is this the correct behaviour? Should the auditor also do this? > > We had thought that maybe *all* of the RRs should take the default of > the SOA Minimum? (i.e. the SOA RR, and all other RRs) > > Thanks, > > > Alex.
From Ray.Bellis at nominet.org.uk Mon Oct 19 10:21:45 2009 From: Ray.Bellis at nominet.org.uk (Ray.Bellis at nominet.org.uk) Date: Mon, 19 Oct 2009 11:21:45 +0100 Subject: [Opendnssec-develop] Missing TTLs in zone files In-Reply-To: <4ADC3BDF.4080901@nlnetlabs.nl> References: <4ADC3BDF.4080901@nlnetlabs.nl> Message-ID: > I looked it up and that seems to be the proper action, according to RFC > 1034: > > A key item in the SOA is the 86400 second minimum TTL, which means that > all authoritative data in the zone has at least that TTL, although > higher values may be explicitly specified. The minimum TTL field isn't used for that any more - it's now the negative caching TTL (RFC 2308). Ray From roy at nominet.org.uk Mon Oct 19 10:23:52 2009
From: roy at nominet.org.uk (Roy Arends) Date: Mon, 19 Oct 2009 12:23:52 +0200 Subject: [Opendnssec-develop] Missing TTLs in zone files In-Reply-To: References: <4ADC3BDF.4080901@nlnetlabs.nl> Message-ID: opendnssec-develop-bounces at lists.opendnssec.org wrote on 10/19/2009 12:21:45 PM: > Ray.Bellis at nominet.org.uk > Sent by: opendnssec-develop-bounces at lists.opendnssec.org > > 10/19/2009 12:21 PM > > To > > Matthijs Mekking > > cc > > Opendnssec-develop at lists.opendnssec.org, Alexd at nominet.org.uk > > Subject > > Re: [Opendnssec-develop] Missing TTLs in zone files > > > > I looked it up and that seems to be the proper action, according to RFC > > 1034: > > > > A key item in the SOA is the 86400 second minimum TTL, which means that > > all authoritative data in the zone has at least that TTL, although > > higher values may be explicitly specified. > > The minimum TTL field isn't used for that any more - it's now the > negative caching TTL (RFC 2308). Hi Ray, Where do modern implementations get their 'default TTL' value from if the per record TTL and TTL directives are omitted? Thanks, Roy From Ray.Bellis at nominet.org.uk Mon Oct 19 10:34:13 2009
From: Ray.Bellis at nominet.org.uk (Ray.Bellis at nominet.org.uk)
Date: Mon, 19 Oct 2009 11:34:13 +0100
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl>
Message-ID:

> Hi Ray,
>
> Where do modern implementations get their 'default TTL' value from
> if the per record TTL and TTL directives are omitted?

Damned good question. RFC 2308 appears to be silent on that issue, except to say:

"Where a server does not require RRs to include the TTL value explicitly, it should provide a mechanism, ** not being the value of the MINIMUM field of the SOA record **, from which the missing TTL values are obtained." (my emphasis).

Ray

From Stephen.Morris at nominet.org.uk Mon Oct 19 10:44:47 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Mon, 19 Oct 2009 11:44:47 +0100
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl>
Message-ID:

Ray.Bellis at nominet.org.uk wrote on 19/10/2009 11:34:13:

> > Hi Ray,
> >
> > Where do modern implementations get their 'default TTL' value from
> > if the per record TTL and TTL directives are omitted?
>
> Damned good question. RFC 2308 appears to be silent on that issue, except to say:
>
> "Where a server does not require RRs to include the TTL value explicitly, it
> should provide a mechanism, ** not being the value of the MINIMUM field of the
> SOA record **, from which the missing TTL values are obtained." (my emphasis).
>
> Ray

Two options:

1) Add an entry in the policy configuration file to specify a default TTL. (This fits in with the idea of "providing a mechanism from which the missing TTL values are obtained".)

2) Flag it as an error. If a user is telling OpenDNSSEC to sign a zone and hasn't specified a TTL, and OpenDNSSEC doesn't allow a default TTL to be specified, how can the user expect to get anything other than a random value?

Although my gut instinct is to go for (2), I think (1) might be more acceptable, especially in the case of thousands of zones all being signed using the same policy.

Stephen

From Ray.Bellis at nominet.org.uk Mon Oct 19 10:44:49 2009
From: Ray.Bellis at nominet.org.uk (Ray.Bellis at nominet.org.uk)
Date: Mon, 19 Oct 2009 11:44:49 +0100
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl>
Message-ID:

OK, BIND Changelog #834, says that BIND does take the SOA minimum TTL field in the absence of $TTL, but always throws a warning about it.

So as far as I can see, strictly speaking it's illegal not to have a $TTL, but implementations fudge it. Presumably this is because 2308 failed to say anything about what happens if $TTL is omitted.

Ray

From matthijs at NLnetLabs.nl Mon Oct 19 10:49:36 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 19 Oct 2009 12:49:36 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl>
Message-ID: <4ADC4440.8000402@nlnetlabs.nl>

It is implementation dependent, although we should not derive it from the Minimum field. (why explicitly not?).

Our current mechanism is to set the default TTL to 3600, if no $TTL and explicit TTL at the RR. The SOA TTL becomes 3600 only if no $TTL and explicit TTL at the RR *and* the is not set in the signer configuration.

So we conform to the specification, is this the mechanism we want?

Matthijs

Ray.Bellis at nominet.org.uk wrote:
>
>> Hi Ray,
>>
>> Where do modern implementations get their 'default TTL' value from
>> if the per record TTL and TTL directives are omitted?
>
> Damned good question. RFC 2308 appears to be silent on that issue,
> except to say:
>
> "Where a server does not require RRs to include the TTL value
> explicitly, it should provide a mechanism, ** not being the value of the
> MINIMUM field of the SOA record **, from which the missing TTL values
> are obtained." (my emphasis).
>
> Ray

From roy at nominet.org.uk Mon Oct 19 10:51:43 2009
From: roy at nominet.org.uk (Roy Arends)
Date: Mon, 19 Oct 2009 12:51:43 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl>
Message-ID:

Stephen Morris wrote on 10/19/2009 12:44:47 PM:

>
> Ray.Bellis at nominet.org.uk wrote on 19/10/2009 11:34:13:
>
> > > Hi Ray,
> > >
> > > Where do modern implementations get their 'default TTL' value from
> > > if the per record TTL and TTL directives are omitted?
> >
> > Damned good question. RFC 2308 appears to be silent on that issue, except to say:
> >
> > "Where a server does not require RRs to include the TTL value explicitly, it
> > should provide a mechanism, ** not being the value of the MINIMUM field of the
> > SOA record **, from which the missing TTL values are obtained." (my emphasis).
> >
> > Ray
>
> Two options:
>
> 1) Add an entry in the policy configuration file to specify a
> default TTL. (This fits in with the idea of "providing a mechanism
> from which the missing TTL values are obtained".)
>
> 2) Flag it as an error. If a user is telling OpenDNSSEC to sign a
> zone and hasn't specified a TTL, and OpenDNSSEC doesn't allow a
> default TTL to be specified, how can the user expect to get anything
> other than a random value?
>
> Although my gut instinct is to go for (2), I think (1) might be more
> acceptable, especially in the case of thousands of zones all being
> signed using the same policy.

How about

3) In absence of an explicit TTL and a $TTL directive, the SOA Minimum value is used.

That is what all modern implementations use. I think the default behavior of BIND (i.e. named, and several of its tools), is to still use the "SOA Minimum Field", issue a notice, and move on.
For instance named-compilezone compiles the following zone:

    @ IN SOA a a 111 2222 3333 4444 5555
        NS a
    a A 192.0.1.123

issues the following information:

    /usr/sbin/named-compilezone -o example.zone example example.file
    example.file:1: no TTL specified; using SOA MINTTL instead
    zone example/IN: loaded serial 111
    dump zone to example.zone...done
    OK

which results in the following zone:

    example. 5555 IN SOA a.example. a.example. 111 2222 3333 4444 5555
    example. 5555 IN NS a.example.
    a.example. 5555 IN A 192.0.1.123

This way lies in the path of least surprise.

Kind regards,

Roy

From roy at nominet.org.uk Mon Oct 19 10:59:21 2009
From: roy at nominet.org.uk (Roy Arends)
Date: Mon, 19 Oct 2009 12:59:21 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To: <4ADC4440.8000402@nlnetlabs.nl>
References: <4ADC3BDF.4080901@nlnetlabs.nl> <4ADC4440.8000402@nlnetlabs.nl>
Message-ID:

Matthijs Mekking wrote on 10/19/2009 12:49:36 PM:

> It is implementation dependent, although we should not derive it from
> the Minimum field. (why explicitly not?).
>
> Our current mechanism is to set the default TTL to 3600, if no $TTL and
> explicit TTL at the RR. The SOA TTL becomes 3600 only if no $TTL and
> explicit TTL at the RR *and* the is not set in the signer
> configuration.
>
> So we conform to the specification, is this the mechanism we want?

As I mentioned in another mail, I think we should follow the path of least surprise, which includes:

(1) not fail hard (exit with error)
(2) issue a warning
(3) use the SOA Minimum value because it was defined the default mechanism before 2308, and It's What Others Do.
(4) Not issue SOA records with zero ttl (at least make them the same as other records) (see below).

How did we come up with 3600 ? (which is fairly short).

How does negative caching algorithms treat an SOA with zero TTL? Doesn't it obsolete negative caching, since it needs the SOA for every negative response?

Kind regards,

Roy

From rickard.bondesson at iis.se Mon Oct 19 11:11:50 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 19 Oct 2009 13:11:50 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References:
Message-ID: <983F17705339E24699AA251B458249B50CC4937FE6@EXCHANGE2K7.office.nic.se>

> The signer seems to deal with this by assigning the SOA RR a TTL of 0,
> and assigning a TTL of 3600 (which is from the SOA Minimum field) to
> the remaining RRs.

The SOA RR TTL = 0 was in these cases derived from the policy Zone/SOA/TTL, so that is correct.

From Alexd at nominet.org.uk Mon Oct 19 11:31:29 2009
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Mon, 19 Oct 2009 12:31:29 +0100
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl> <4ADC4440.8000402@nlnetlabs.nl>
Message-ID:

> (3) use the SOA Minimum value because it was
> defined the default mechanism before 2308, and It's What Others Do.

Unless it's overridden by the kasp.xml //SOA/Minimum element in the policy?

From rickard.bondesson at iis.se Mon Oct 19 11:41:23 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 19 Oct 2009 13:41:23 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl> <4ADC4440.8000402@nlnetlabs.nl>
Message-ID: <983F17705339E24699AA251B458249B50CC4938001@EXCHANGE2K7.office.nic.se>

> How does negative caching algorithms treat an SOA with zero TTL?
> Doesn't it obsolete negative caching, since it needs the SOA for every
> negative response?

Yeah, SOA TTL = 0 means no negative caching.

RFC2308 3 - Negative Answers from Authoritative Servers

"The TTL of this record is set from the minimum of the MINIMUM field of the SOA record and the TTL of the SOA itself"

From rickard.bondesson at iis.se Mon Oct 19 13:02:09 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 19 Oct 2009 15:02:09 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl>
Message-ID: <983F17705339E24699AA251B458249B50CC493806E@EXCHANGE2K7.office.nic.se>

It looks like we have this solution if I read you all correctly:

In absence of an explicit TTL and a $TTL directive, the SOA Minimum from the policy (Zone/SOA/TTL) is used. If SOA Minimum is not defined in the policy, then use 3600 seconds (but it should be defined in the policy since that element is not optional in the KASP).

Does everyone agree?

From roy at nominet.org.uk Mon Oct 19 13:12:22 2009
From: roy at nominet.org.uk (Roy Arends)
Date: Mon, 19 Oct 2009 15:12:22 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To: <983F17705339E24699AA251B458249B50CC493806E@EXCHANGE2K7.office.nic.se>
References: <4ADC3BDF.4080901@nlnetlabs.nl> <983F17705339E24699AA251B458249B50CC493806E@EXCHANGE2K7.office.nic.se>
Message-ID:

Rickard Bondesson wrote on 10/19/2009 03:02:09 PM:

> It looks like we have this solution if I read you all correctly:
>
> In absence of an explicit TTL and a $TTL directive, the SOA Minimum
> from the policy (Zone/SOA/TTL) is used. If SOA Minimum is not
> defined in the policy, then use 3600 seconds (but it should be
> defined in the policy since that element is not optional in the KASP).
>
> Does everyone agree?

No I don't. It seems it is _implemented_ this way, grew organically the way it is, and now we're defending the 'choice' for these defaults.

I suggest: In absence of an explicit TTL and a $TTL directive, the SOA Minimum from the policy is used (Zone/SOA/TTL). If the SOA Minimum is not defined in the policy, then use the zone's SOA Minimum field value.

Furthermore, make the policy statement (Zone/SOA/TTL) optional.

Roy

From jakob at kirei.se Mon Oct 19 13:14:12 2009
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 19 Oct 2009 15:14:12 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl> <983F17705339E24699AA251B458249B50CC493806E@EXCHANGE2K7.office.nic.se>
Message-ID: <3A5EC34B-140B-4BF6-85E1-9C698F657497@kirei.se>

On 19 okt 2009, at 15.12, Roy Arends wrote:

> No I don't. It seems it is _implemented_ this way, grew organically
> the way it is, and now we're defending the 'choice' for these
> defaults.
>
> I suggest: In absence of an explicit TTL and a $TTL directive, the
> SOA Minimum from the policy is used (Zone/SOA/TTL).
> If the SOA Minimum is not defined in the policy, then use the zone's
> SOA Minimum field value.

I agree.

> Furthermore, make the policy statement (Zone/SOA/TTL) optional.

+1

jakob

From rickard.bondesson at iis.se Mon Oct 19 13:30:23 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 19 Oct 2009 15:30:23 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To:
References: <4ADC3BDF.4080901@nlnetlabs.nl> <983F17705339E24699AA251B458249B50CC493806E@EXCHANGE2K7.office.nic.se>
Message-ID: <983F17705339E24699AA251B458249B50CC493808B@EXCHANGE2K7.office.nic.se>

> I suggest: In absence of an explicit TTL and a $TTL directive, the SOA
> Minimum from the policy is used (Zone/SOA/TTL).
> If the SOA Minimum is not defined in the policy, then use the zone's
> SOA Minimum field value.

+1

> Furthermore, make the policy statement (Zone/SOA/TTL) optional.

Isn't it needed for the timing of the key rollovers?

Ingc = min(TTLsoa, SOAmin)

From matthijs at NLnetLabs.nl Mon Oct 19 13:37:12 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 19 Oct 2009 15:37:12 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To: <3A5EC34B-140B-4BF6-85E1-9C698F657497@kirei.se>
References: <4ADC3BDF.4080901@nlnetlabs.nl> <983F17705339E24699AA251B458249B50CC493806E@EXCHANGE2K7.office.nic.se> <3A5EC34B-140B-4BF6-85E1-9C698F657497@kirei.se>
Message-ID: <4ADC6B88.8050705@nlnetlabs.nl>

I agree with this also, with two minor comments (see below) and if no objections, I will modify the signer to act this way.

So the preference order is:

1. if type is SOA: SOA TTL from the xml configuration
2. explicit TTL
3. $TTL directive
4. SOA Minimum from the xml configuration
5. SOA Minimum from the unsigned zone file

Matthijs

Jakob Schlyter wrote:
> On 19 okt 2009, at 15.12, Roy Arends wrote:
>
>> No I don't. It seems it is _implemented_ this way, grew organically
>> the way it is, and now we're defending the 'choice' for these defaults.
>>
>> I suggest: In absence of an explicit TTL and a $TTL directive, the SOA
>> Minimum from the policy is used (Zone/SOA/TTL).

Zone/SOA/TTL -> SOA/Minimum from the signer configuration (which should match the Zone/SOA/Minimum from kasp.xml)

>> If the SOA Minimum is not defined in the policy, then use the zone's
>> SOA Minimum field value.
>
> I agree.
>
>> Furthermore, make the policy statement (Zone/SOA/TTL) optional.
>
> +1
>
>
> jakob

From rickard.bondesson at iis.se Mon Oct 19 13:49:54 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Mon, 19 Oct 2009 15:49:54 +0200
Subject: [Opendnssec-develop] Missing TTLs in zone files
In-Reply-To: <4ADC6B88.8050705@nlnetlabs.nl>
References: <4ADC3BDF.4080901@nlnetlabs.nl> <983F17705339E24699AA251B458249B50CC493806E@EXCHANGE2K7.office.nic.se> <3A5EC34B-140B-4BF6-85E1-9C698F657497@kirei.se> <4ADC6B88.8050705@nlnetlabs.nl>
Message-ID: <983F17705339E24699AA251B458249B50CC49380AD@EXCHANGE2K7.office.nic.se>

> Zone/SOA/TTL -> SOA/Minimum from the signer configuration (which should
> match the Zone/SOA/Minimum from kasp.xml)

Yeah, sorry. The TTL should default to Zone/SOA/Minimum (or SOA/Minimum in the signers case). And not Zone/SOA/TTL as I said by mistake.

From rickard.bondesson at iis.se Tue Oct 20 11:59:12 2009
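
The five-step TTL preference order the "Missing TTLs in zone files" thread above arrives at, together with the RFC 2308 negative-caching rule quoted in it, as an added example that is not part of the original messages and is not OpenDNSSEC code. The names `SignerConfig`, `Record`, `resolve_ttl` and `resolve_zone`, the warning wording, and the assumption that a configured SOA/Minimum also replaces the MINIMUM field of the signed SOA are all hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SignerConfig:
    """SOA values from the signer's XML configuration; None means 'not set'."""
    soa_ttl: Optional[int] = None      # SOA/TTL
    soa_minimum: Optional[int] = None  # SOA/Minimum


@dataclass
class Record:
    owner: str
    rtype: str
    explicit_ttl: Optional[int] = None  # TTL written on the RR itself, if any


# Sources that mean "the zone file gave no TTL at all"; the thread asks for a
# warning (not a hard failure) in that case.
FALLBACK_SOURCES = ("config SOA/Minimum", "zone SOA MINIMUM")


def resolve_ttl(rec: Record, dollar_ttl: Optional[int],
                zone_soa_minimum: int, cfg: SignerConfig) -> Tuple[int, str]:
    """Return (ttl, source) following the five-step preference order."""
    if rec.rtype == "SOA" and cfg.soa_ttl is not None:
        return cfg.soa_ttl, "config SOA/TTL"          # step 1
    if rec.explicit_ttl is not None:
        return rec.explicit_ttl, "explicit TTL"       # step 2
    if dollar_ttl is not None:
        return dollar_ttl, "$TTL directive"           # step 3
    if cfg.soa_minimum is not None:
        return cfg.soa_minimum, "config SOA/Minimum"  # step 4
    return zone_soa_minimum, "zone SOA MINIMUM"       # step 5


def negative_cache_ttl(soa_ttl: int, soa_minimum: int) -> int:
    """RFC 2308 section 3: min(SOA MINIMUM, TTL of the SOA itself)."""
    return min(soa_ttl, soa_minimum)


def resolve_zone(records, dollar_ttl, zone_soa_minimum, cfg):
    """Resolve every record; return (rows, warnings, negative_ttl)."""
    rows, warnings = [], []
    soa_ttl = None
    for rec in records:
        ttl, source = resolve_ttl(rec, dollar_ttl, zone_soa_minimum, cfg)
        rows.append((rec.owner, rec.rtype, ttl, source))
        if source in FALLBACK_SOURCES:
            warnings.append(
                f"{rec.owner} {rec.rtype}: no TTL specified; using {source}")
        if rec.rtype == "SOA":
            soa_ttl = ttl
    if soa_ttl is None:
        raise ValueError("zone has no SOA record")
    # Assumption: a configured SOA/Minimum also replaces the MINIMUM field
    # in the signed SOA, so it is the value resolvers see.
    minimum = cfg.soa_minimum if cfg.soa_minimum is not None else zone_soa_minimum
    negative = negative_cache_ttl(soa_ttl, minimum)
    if negative == 0:
        warnings.append(
            "negative caching TTL is 0: negative answers will not be cached")
    return rows, warnings, negative


# Constructed input: the three-record zone from the named-compilezone message
# (no $TTL, no per-record TTLs, SOA MINIMUM 5555).
SAMPLE_ZONE = [
    Record("example.", "SOA"),
    Record("example.", "NS"),
    Record("a.example.", "A"),
]

if __name__ == "__main__":
    for cfg in (SignerConfig(), SignerConfig(soa_ttl=0, soa_minimum=3600)):
        rows, warnings, negative = resolve_zone(SAMPLE_ZONE, None, 5555, cfg)
        print(cfg)
        for row in rows:
            print("  %-11s %-4s %5d  (%s)" % row)
        print("  negative caching TTL:", negative)
        for w in warnings:
            print("  warning:", w)
```

The second configuration reproduces the case discussed in the thread: an SOA TTL of 0 taken from the configuration, 3600 for the remaining records, and a negative caching TTL of 0.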
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Tue, 20 Oct 2009 13:59:12 +0200
Subject: [Opendnssec-develop] Re: Code reviewing
In-Reply-To: <983F17705339E24699AA251B458249B50CC48CB941@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B50CC48CB941@EXCHANGE2K7.office.nic.se>
Message-ID: <983F17705339E24699AA251B458249B50CC49382C9@EXCHANGE2K7.office.nic.se>

> Hi
>
> The last code review we had was in April/May and a lot has happened
> since last time. We are aiming at having this code review between 19
> and 23 October.
>
> So my question is who can perform code reviewing and what program
> languages you prefer? You can also ask other people if they can
> perform this task. Just get back to me and I will coordinate this
> effort.
>
> // Rickard

It is only me, Sion, and Alex that want to do code reviewing. We are also up to our ears with testing and bug fixing. But if we get any time left over this week or next week, we can review as follows:

Alex: Enforcer
Sion: Signer
Rickard: Auditor

Some hints of what to think of:
http://web.archive.org/web/20080502234830/http://www.macadamian.com/codereview.htm

// Rickard

From patrik.wallstrom at iis.se Tue Oct 20 13:01:51 2009
From: patrik.wallstrom at iis.se (Patrik Wallström)
Date: Tue, 20 Oct 2009 15:01:51 +0200
Subject: [Opendnssec-develop] testing the system
Message-ID: <12E38DFE-6E55-43AA-83B3-8214913E5D72@iis.se>

How many of you have actually been running the system on real zones?

This is what has happened to me during the last month or so when testing with the .SE zone file, regardless of version. This is from trunk:

Oct 20 12:52:58 dnssecsigner ods-signerd: Writing file to zone_reader: /var/opendnssec/tmp/se.sorted
Oct 20 12:53:23 dnssecsigner ods-signerd: Error reading input zone
Oct 20 12:53:23 dnssecsigner ods-signerd: [Errno 32] Broken pipe
Oct 20 12:53:23 dnssecsigner ods-signerd: Sorting failed

It is important that as many as possible of us run OpenDNSSEC on actual zones now, for more than a minute or so.

In other attempts, I have been testing the system with 1000 zones. This is something that does not currently work either.

Maybe we have a tester or two that are actually willing to test the stuff now...?

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/

From Stephen.Morris at nominet.org.uk Tue Oct 20 16:04:57 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Tue, 20 Oct 2009 17:04:57 +0100
Subject: [Opendnssec-develop] testing the system
In-Reply-To: <12E38DFE-6E55-43AA-83B3-8214913E5D72@iis.se>
References: <12E38DFE-6E55-43AA-83B3-8214913E5D72@iis.se>
Message-ID:

Patrik Wallström wrote on 20/10/2009 14:01:51:

> How many of you have actually been running the system on real zones?
>
> This is what has happened to me during the last month or so when
> testing with the .SE zone file, regardless of version. This is from
> trunk:
>
> Oct 20 12:52:58 dnssecsigner ods-signerd: Writing file to zone_reader: /var/opendnssec/tmp/se.sorted
> Oct 20 12:53:23 dnssecsigner ods-signerd: Error reading input zone
> Oct 20 12:53:23 dnssecsigner ods-signerd: [Errno 32] Broken pipe
> Oct 20 12:53:23 dnssecsigner ods-signerd: Sorting failed
>
> It is important that as many as possible of us run OpenDNSSEC on
> actual zones now, for more than a minute or so.
>
> In other attempts, I have been testing the system with 1000 zones.
> This is something that does not currently work either.
>
> Maybe we have a tester or two that are actually willing to test the
> stuff now...?
>
> --
> Patrik Wallström
> Project Manager, R&D
> .SE (Stiftelsen för Internetinfrastruktur)
> E-mail: patrik.wallstrom at iis.se
> Web: http://www.iis.se/

I have managed to get one of our developers assigned to testing OpenDNSSEC for the next couple of weeks. The tests will be aimed at the scenarios used in signing .uk, which really means focusing on key rollovers and signing a small number of small zones. It would be useful if someone could concentrate on testing scenarios with large zones.

Stephen

From rickard.bondesson at iis.se Wed Oct 21 06:51:06 2009
From: rickard.bondesson at iis.se (Rickard Bondesson)
Date: Wed, 21 Oct 2009 08:51:06 +0200
Subject: [Opendnssec-develop] Re: Telephone meeting 23 Oct
In-Reply-To: <983F17705339E24699AA251B458249B50CC48CB8F6@EXCHANGE2K7.office.nic.se>
References: <983F17705339E24699AA251B458249B50CC48CB8F6@EXCHANGE2K7.office.nic.se>
Message-ID: <983F17705339E24699AA251B458249B50CC49383F3@EXCHANGE2K7.office.nic.se>

> Hi
>
> The next telephone meeting will be on Friday the 23rd of October
> between 11 and 12 CEST. Agenda will come later.

You can find a draft agenda here:
http://trac.opendnssec.org/wiki/Meetings/Agenda/2009-10-23

// Rickard

From Alexd at nominet.org.uk Fri Oct 23 07:40:53 2009
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Fri, 23 Oct 2009 08:40:53 +0100
Subject: [Opendnssec-develop] Long strings in TXT records
Message-ID:

Hi -

We have had an issue with long (> 255 bytes) strings in TXT records. The signer bombs out, saying this is illegal (as it is). However, BIND automagically parses these RRs into RRs with lots of little strings, rather than one long string. So, these zone files *do* load in BIND.

So, do we :

a) Refuse to recognise illegal TXT RRs, even though they load in BIND
b) Do the BIND "split" thing - taking care to always split on the same boundary (somehow)

?

Thanks!

Alex.

From rick.zijlker at sidn.nl Fri Oct 23 08:46:59 2009
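
The two options from the "Long strings in TXT records" message above, as an added example that is not part of the original post and is not OpenDNSSEC or BIND code. TXT RDATA is a sequence of character-strings, each a one-octet length followed by at most 255 octets; the function names and the choice of a fixed 255-octet split boundary are assumptions (the message does not say where BIND splits).

```python
from typing import List

MAX_CHARACTER_STRING = 255  # a DNS <character-string> has a one-octet length


def split_fixed(data: bytes) -> List[bytes]:
    """Option (b): split on fixed 255-octet boundaries, so the same input
    always yields the same sequence of strings."""
    if not data:
        return [b""]
    return [data[i:i + MAX_CHARACTER_STRING]
            for i in range(0, len(data), MAX_CHARACTER_STRING)]


def txt_rdata(strings: List[bytes]) -> bytes:
    """Encode TXT RDATA: each string is a length octet followed by its data."""
    out = bytearray()
    for s in strings:
        if len(s) > MAX_CHARACTER_STRING:
            raise ValueError(
                "character-string of %d octets exceeds 255" % len(s))
        out.append(len(s))
        out += s
    return bytes(out)


def load_txt(strings: List[bytes], split_long: bool) -> bytes:
    """Option (a) when split_long is False (reject), option (b) when True."""
    normalised: List[bytes] = []
    for s in strings:
        if len(s) > MAX_CHARACTER_STRING and split_long:
            normalised.extend(split_fixed(s))
        else:
            normalised.append(s)  # txt_rdata() rejects it if still too long
    return txt_rdata(normalised)


# Constructed sample: one 600-octet string, as it might appear in a zone file.
LONG_TXT = b"v=example " + b"k" * 590


def same_text_different_rdata() -> bool:
    """The split boundary is part of the RDATA: two splits of the same text
    produce different octets, hence different data to sign and to audit."""
    fixed = load_txt([LONG_TXT], split_long=True)
    other = txt_rdata([LONG_TXT[:200], LONG_TXT[200:400], LONG_TXT[400:]])
    return fixed != other


if __name__ == "__main__":
    print([len(s) for s in split_fixed(LONG_TXT)])
    print(len(load_txt([LONG_TXT], split_long=True)))
    print(same_text_different_rdata())
    try:
        load_txt([LONG_TXT], split_long=False)
    except ValueError as exc:
        print("rejected:", exc)
```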
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Fri, 23 Oct 2009 10:46:59 +0200
Subject: [Opendnssec-develop] Problem with signing
Message-ID: <850A39016FA57A4887C0AA3C8085F9499904C2@KAEVS1.SIDN.local>

Hey,

(First of all, I think we should decide where I should send these kinds of issues in upcoming teleconf)

I am having troubles signing my own created zone. At first it seemed creation in notepad (copy/paste) resulted in tabs and nonbreakable spaces, but when opening it with vi and removing strange marks it looks like the zone is signed, though it didn't get in /var/opendnssec/signed/. I do see a signed zone in the /var/opendnssec/tmp. It looks like the auditor fails to approve the zone after signing. This is the log:

Oct 23 10:17:18 OpenDNSSEC ods-signerd: Received command: 'sign rick.nl'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Scheduling task to sign zone rick.nl at 1256222026.15 with resign time 7200
Oct 23 10:17:18 OpenDNSSEC ods-signerd: acquire cond
Oct 23 10:17:18 OpenDNSSEC ods-signerd: notify
Oct 23 10:17:18 OpenDNSSEC ods-signerd: release cond
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Releasing lock on engine
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Sending response: Zone scheduled for immediate resign
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Done handling command
Oct 23 10:17:18 OpenDNSSEC ods-signerd: worker 6 acquiring lock
Oct 23 10:17:18 OpenDNSSEC ods-signerd: worker 6 acquired lock
Oct 23 10:17:18 OpenDNSSEC ods-signerd: worker 6 released lock
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Got task for worker 6
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Worker 6 run task
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Zone action to perform: 4
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/get_serial -f /var/opendnssec/signed/rick.nl'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Connection closed by peer
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Warning: get_serial returned 1
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/get_serial -f /var/opendnssec/unsigned/rick.nl'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Sorting zone: rick.nl
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/sorter -o rick.nl -f /var/opendnssec/unsigned/rick.nl -w /var/opendnssec/tmp/rick.nl.sorted'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Done sorting
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Preprocessing zone: rick.nl
Oct 23 10:17:18 OpenDNSSEC ods-signerd: No information yet for key 2c304446329cfc61d44347a6190237da
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Generating DNSKEY RR for 2c304446329cfc61d44347a6190237da
Oct 23 10:17:18 OpenDNSSEC ods-signerd: create_dnskey status: 0
Oct 23 10:17:18 OpenDNSSEC ods-signerd: equality: True
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Found key 2c304446329cfc61d44347a6190237da
Oct 23 10:17:18 OpenDNSSEC ods-signerd: No information yet for key 3e0819dacb6ca862c203d9bae2af72e7
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Generating DNSKEY RR for 3e0819dacb6ca862c203d9bae2af72e7
Oct 23 10:17:18 OpenDNSSEC ods-signerd: create_dnskey status: 0
Oct 23 10:17:18 OpenDNSSEC ods-signerd: equality: True
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Found key 3e0819dacb6ca862c203d9bae2af72e7
Oct 23 10:17:18 OpenDNSSEC ods-signerd: No information yet for key e5f3d02beeffebfba63a936f5b398827
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Generating DNSKEY RR for e5f3d02beeffebfba63a936f5b398827
Oct 23 10:17:18 OpenDNSSEC ods-signerd: create_dnskey status: 0
Oct 23 10:17:18 OpenDNSSEC ods-signerd: equality: True
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Found key e5f3d02beeffebfba63a936f5b398827
Oct 23 10:17:18 OpenDNSSEC ods-signerd: No information yet for key 4317bef176ad00d35678f379139bd7be
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Generating DNSKEY RR for 4317bef176ad00d35678f379139bd7be
Oct 23 10:17:18 OpenDNSSEC ods-signerd: create_dnskey status: 0
Oct 23 10:17:18 OpenDNSSEC ods-signerd: equality: True
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Found key 4317bef176ad00d35678f379139bd7be
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/zone_reader -o rick.nl -w /var/opendnssec/tmp/rick.nl.processed -n -t 5 -a 1 -s 966bdb757dda3254'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Writing file to zone_reader: /var/opendnssec/tmp/rick.nl.sorted
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Done preprocessing
Oct 23 10:17:18 OpenDNSSEC ods-signerd: NSEC(3)ing zone: rick.nl
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/nsec3er -o rick.nl -t 5 -a 1 -i /var/opendnssec/tmp/rick.nl.processed -w /var/opendnssec/tmp/rick.nl.nsecced -m 3600 -s 966bdb757dda3254 -p'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: stderr from nseccer: nsec3er: 2 NSEC3 records generated within a second
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/signer -c /etc/opendnssec/conf.xml -p /var/opendnssec/tmp/rick.nl.signed -w /var/opendnssec/tmp/rick.nl.signed2 -r'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp:
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :origin rick.nl
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :soa_ttl 3600
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :soa_minimum 3600
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/get_serial -f /var/opendnssec/signed/rick.nl'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Warning: get_serial returned 1
Oct 23 10:17:18 OpenDNSSEC ods-signerd: set serial to 1256285838
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :expiration 20091030081718
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :expiration_denial 20091030081718
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :jitter 43200
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :inception 20091023081218
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :refresh 20091027081718
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :refresh_denial 20091027081718
Oct 23 10:17:18 OpenDNSSEC ods-signerd: use signature key: 2c304446329cfc61d44347a6190237da
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :add_ksk 2c304446329cfc61d44347a6190237da 7 257
Oct 23 10:17:18 OpenDNSSEC ods-signerd: use signature key: e5f3d02beeffebfba63a936f5b398827
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :add_zsk e5f3d02beeffebfba63a936f5b398827 7 256
Oct 23 10:17:19 OpenDNSSEC ods-signerd: signer stderr: Warning: unable to open /var/opendnssec/tmp/rick.nl.signed: No such file or directory, performing full zone sign
Oct 23 10:17:19 OpenDNSSEC ods-signerd: signer stderr: signer: number of signatures created: 8 (8 rr/sec)
Oct 23 10:17:19 OpenDNSSEC ods-signerd: Created 8 new signatures
Oct 23 10:17:19 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/finalizer -f /var/opendnssec/tmp/rick.nl.signed'
Oct 23 10:17:19 OpenDNSSEC ods-signerd: Running auditor on zone
Oct 23 10:17:19 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/bin/ods-auditor -c /etc/opendnssec/conf.xml -s /var/opendnssec/tmp/rick.nl.finalized -z rick.nl'
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: SOA differs : from 2002022401 to 1256285838
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Auditing rick.nl zone : NSEC3 SIGNED
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: non-DNSSEC RRSet MX included in Output that was not present in Input : rick.nl.^I3600^IIN^IMX^I10 mail.another.nl
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: non-DNSSEC RRSet NS included in Output that was not present in Input : rick.nl.^I3600^IIN^INS^Ins1.rick.nl
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: non-DNSSEC RRSet NS included in Output that was not present in Input : rick.nl.^I3600^IIN^INS^Ins2.smokeyjoe.nl
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Output zone does not contain non-DNSSEC
RRSet : MX, IN.rick.nl.^I3600^IIN^IMX^I10 mail.another.nl Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Output zone does not contain non-DNSSEC RRSet : NS, IN.rick.nl.^I3600^IIN^INS^Ins1.rick.nl Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Output zone does not contain non-DNSSEC RRSet : NS, IN.rick.nl.^I3600^IIN^INS^Ins2.smokeyjoe.nl Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Finished auditing rick.nl zone Oct 23 10:17:19 OpenDNSSEC ods-signerd: Auditor result: 3 Oct 23 10:17:19 OpenDNSSEC ods-signerd: worker 6 acquiring lock Oct 23 10:17:19 OpenDNSSEC ods-signerd: worker 6 acquired lock Oct 23 10:17:19 OpenDNSSEC ods-signerd: no task for worker 6, sleep for 7199.10040998 Oct 23 10:17:19 OpenDNSSEC ods-signerd: worker 6 released lock by going to wait (for ttime) It looks like the auditor is still seeing those "unbreakable spaces/tabs" but it did get signed in tmp directory: rick.nl. 3600 IN NS ns1.rick.nl. rick.nl. 3600 IN NS ns2.smokeyjoe.nl. rick.nl. 3600 IN RRSIG NS 7 2 3600 20091030194701 20091023081218 27705 rick.nl. eQiIdpoxOID2BXS+Xu0jWahVmNs0hv3MNByswPtlGWM2giM2vXUwRharE2IVk2m0hjwQg1On kdnJadaOBrWu HjZxKgeyjoKpm0goVtnCGIn0PROhISDsEDCo33rJ8M1QSsnchMdKIvqj7kTMJRJx0NGfTPiP mqiAhK+WrvoAzL8= ;{id = 27705} rick.nl. 3600 IN SOA ns1.rick.nl. testing.sidn.nl. 1256285838 10800 15 604800 3600 rick.nl. 3600 IN RRSIG SOA 7 2 3600 20091030185204 20091023081218 27705 rick.nl. WMibcrk9lSPnBVRC6gnfGozqGJsnLm9GNQmW8rfY0aH/11Xj8fUNiiqBakWAybqVBjemsV+L BOz7CzwIr9I ArlfComR71dfgsp98EF3DXH7gwrp/Vllm7LuDaGRfQwzjeWN28ZWOfHenE4WcCLrVFwoOFbr bQalSwELyT8giwO0= ;{id = 27705} rick.nl. 3600 IN MX 10 mail.another.nl. rick.nl. 3600 IN RRSIG MX 7 2 3600 20091030091015 20091023081218 27705 rick.nl. jjeOA5048MnjinIx6tZ+GLYbC5KAX1+Sbr0RCVcLIrhxzvweq9Lvb7RfO0lXfKp6WNdeL9cb pftvXgmhTqiw 5PJM9W6aNyBFbBQkxg4j4frbgm/12RALgjQICWwai23BZoc/zWspjXqTIU5Y3FA5MlTd97pw i0sINsUIUiBQ1ZY= ;{id = 27705} rick.nl. 
3600 IN DNSKEY 256 3 7 AwEAAcN9OF8aaiCh2NfFARLR/DxMDub3uOYUUztWK5NCbOTVCfTksSQt9rPa3qBL4xb2JJAt IjDNRaG488MX6zHf4VwlaRUmgxVYjdhJc3PfHj9wrTjHXfQSDHkOF7CSDy8yC H24nJuvUbWEvSrMiD0cjDNAwz0UNW8y70eEeviWsBdN ;{id = 13785 (zsk), size = 1024b} rick.nl. 3600 IN DNSKEY 256 3 7 AwEAAcXPdaCJluJEwT3S8zngMpyfFP6+JXcnDrvtsc+NmyUiXWgN+ogzgtQqmVWqFIAmoMjy xqjCQ5/rN7xXT493datGVZZHC/wPuJPOKewb15kUZqafVwaIo7TvnsvdLKUkt aQOegAtDKAypoxcO9hdLmxZl3pq7kgqEQfNK0Fmile9 ;{id = 27705 (zsk), size = 1024b} rick.nl. 3600 IN DNSKEY 257 3 7 AwEAAcQb6HcoPFuIv8Y+SoBeFiZOScraHpfjPNP0IN3RQCtbMZRr9hx53KY6wFkDRlt8NDfc 8DyTN2szESFD+JdKl48eTyesfr6EkZeKJL66VK1BVLGQXuLPl93YI7SlULLf9 ywnvnfvTZm3IptxHdkMFMQpKO4scyAHBR6znxAyth/sv1d+HXm/hRW3CCHE1mtNzkDph7SJQ duvvvLvf1orX25u2m97Jt17L4n/TyyCokCJMbNWRv9/KeyivkQGRubYZ4Blqupp410TrW9IS lqA+zFFOLwcIfxqMxI/LkGnaFfeYAF6qO4Tga RiTvTe4gDQiHsjdOcIU+tk7XIgWA01r+M= ;{id = 16924 (ksk), size = 2048b} rick.nl. 3600 IN DNSKEY 257 3 7 AwEAAeAJE+WLsnpbFqn0W7ibmN/zdYNZIbOM+yQrhYKNCpeZDlmszF91V43gJceqiQEUGd++ WOpw6WRIYmomiCdeONaiDmfcqMqf9UXDspvvNFEm7mmQDD5nKJOwuNdnSr/gC ldtobDKDDHxox/arCE2orRU2j3Vj75RLfb55P5/xSrpiK7WCCm3Qc1O7z/Hjh1MktcYYQm+n Gahb33gRpO8x/Ggg5XFQmTH05nSghX4EW0NFYCinzr3+EqpocXu/kHC/kGO0/52ApqoGUFUx I8abx09xn7OioNlwREjFN59u3qCrQmZKxMAeT IbtbioUUOS7ElYZ0pH/xTy0KxNnuMKZAU= ;{id = 51688 (ksk), size = 2048b} rick.nl. 3600 IN RRSIG DNSKEY 7 2 3600 20091030161913 20091023081218 51688 rick.nl. vVsxCOHP/lXXK8fgg7W2iu9Op7vmAPVCDhC6Wa0PFEBefdPg1/qQgPqawbZHhz21+gpa+PaP YYjLN2Nl nO9YTrmK56KFoLy3PQyLs7yoTO1yJplgv6Tf2W+NWchGyLfpYebVT1oIrqgZYM0uWdhyQhvc 5qwz+byqz5628L7YahcPoPzpT7tZiBWe3rzDLa6YhZeW1Xy1Wb3mgjtd8+K6hqmboX8/KPsb 7Gi7VFR7YitxyX0WUC56hsL0+4FRxk+VGX19m q3ggKuoiqf/HikAM80xUmS2Yl9fIk055seZ6of7lqT8X4tz3b1wPRZzOItG/rWAJkaf515bp Jrd9sIPBA== ;{id = 51688} rick.nl. 3600 IN NSEC3PARAM 1 0 5 966bdb757dda3254 rick.nl. 3600 IN RRSIG NSEC3PARAM 7 2 3600 20091030110711 20091023081218 27705 rick.nl. 
A+zexK2G5SvdryBlbNPjGTHCxkZ5boC4SxV4Dd6QjSAGFT9Z+6TCXrL2bbGCID5plTG1me7b 9R9j ew77v5Z7wsUa8yD2FQZvELNXiIdy2lFIwkOZsGOxuWVsqa4BiEbev0l8prgrbZZA8W1v/h+A PV6OU1CylQ4/QxB003OqSvg= ;{id = 27705} 11eqbeh2s0vuilhit39dlbbsjo0v2hsi.rick.nl. 3600 IN NSEC3 1 1 5 966bdb757dda3254 j2cg9d4i1bppja2qffn1qp5ndv64hvpa NS SOA MX RRSIG DNSKEY NSEC3PARAM ; flags: optout 11eqbeh2s0vuilhit39dlbbsjo0v2hsi.rick.nl. 3600 IN RRSIG NSEC3 7 3 3600 20091030121613 20091023081218 27705 rick.nl. CXsJKFty2SEnmLgvSpj0aWiPFk1PUPieA/8UzqEFD7Z/3YFjM OnuAhGDjhuSShIHlBtf+736EXFcxF6PBEYftSPXaqUUkPxIei/BHfbpP/HIqULrw+viNcDg3 0zqyJ28GlWP1e8a28gVdP/5Lupgjk3N6QLlLCRkUSBWNIsw9F8= ;{id = 27705} www.rick.nl. 3600 IN A 192.168.0.2 www.rick.nl. 3600 IN RRSIG A 7 3 3600 20091030082704 20091023081218 27705 rick.nl. uIKQ0BMPqRzBFXDqIoKyXKf8mMeTenPPXWgqz4WRhXdsXu95rP2+aZeiXXPl2FoVqu0cqTLs Q//TKr6/U7uET tjbM56V6AH468MCYSGTf1KVcKAKSV5pzivu+oAcPEgZJxuts8dSl2Q1Rgq3BSw41QnCpxnyA 3kN/TtNXQmBe8Q= ;{id = 27705} j2cg9d4i1bppja2qffn1qp5ndv64hvpa.rick.nl. 3600 IN NSEC3 1 1 5 966bdb757dda3254 11eqbeh2s0vuilhit39dlbbsjo0v2hsi A RRSIG ; flags: optout j2cg9d4i1bppja2qffn1qp5ndv64hvpa.rick.nl. 3600 IN RRSIG NSEC3 7 3 3600 20091030190530 20091023081218 27705 rick.nl. sjTlrI5xL0xJAJsxn+pT0PleMIZ4/aH9WfVNR+66AOQJMYtOO 7otlMX3sjTQEI+ffxVTxoocXxozUAQ+X0dikUhsn0gSQ16kDusnqAWg80+PBp0ZqmkRXgKLu ruk2G949ssJS4aQ52nZl1JzFiP3GT6Se0FJSkqTLykGnbawepw= ;{id = 27705} ; Last refresh stats: existing: 0, removed 0, created 8 Although this signed zone doesn't seem right to me. Haven't checked it right now. I feel like there is missing entries. Cheers, Rick -------------- next part -------------- An HTML attachment was scrubbed... URL: From rick at openfortress.nl Fri Oct 23 10:36:31 2009 
From: rick at openfortress.nl (Rick van Rein) Date: Fri, 23 Oct 2009 10:36:31 +0000 Subject: [Opendnssec-develop] Template for reports on testing an code review Message-ID: <20091023103631.GA8974@phantom.vanrein.org> Stephen, You are very clear in your request for documentation backing having done code reviews and tests. You summed up lists of items you would like to see in them. Clearly, you have a better background in ISO-9000 than most of us (at least more than I). With this in mind, is it perhaps an idea that you create a template for such reports, so testers/reviewers only need to fill it out? It'll help searching through them at a later time for the people who are keen on ISO-9000 issues and it'll help to ensure that the reports do not miss out on information that is easily overlooked otherwise. Cheers, -Rick From owner-dnssec-trac at kirei.se Fri Oct 23 14:36:54 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 23 Oct 2009 14:36:54 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #40: with Sqlite (available for Mysql too) In-Reply-To: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se> References: <061.54bf25b63a52e4978003f6d398a9ba5c@kirei.se> Message-ID: <070.147f8f56d29902d7a50623929c8fa768@kirei.se> #40: with Sqlite (available for Mysql too) ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: sion Type: defect | Status: closed Priority: blocker | Component: Enforcer Version: trunk | Resolution: fixed Keywords: | ------------------------------------+--------------------------------------- Changes (by rb): * status: new => closed * resolution: => fixed -- Ticket URL: OpenDNSSEC OpenDNSSEC From matthijs at NLnetLabs.nl Mon Oct 26 10:03:03 2009 
From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Mon, 26 Oct 2009 11:03:03 +0100 Subject: [Opendnssec-develop] Problem with signing In-Reply-To: <850A39016FA57A4887C0AA3C8085F9499904C2@KAEVS1.SIDN.local> References: <850A39016FA57A4887C0AA3C8085F9499904C2@KAEVS1.SIDN.local> Message-ID: <4AE573D7.904@nlnetlabs.nl>

Hi Rick,

Rick Zijlker wrote:
> Hey,
>
> (First of all, I think we should decide where I should send these kinds
> of issues in upcoming teleconf)

Develop is the right location, imo.

> I am having troubles signing my own created zone. At first it seemed
> creation in notepad (copy/paste) resulted in tabs and nonbreakable
> spaces, but when opening it with vi and removing strange marks it looks
> like the zone is signed, though it didn't get in
> /var/opendnssec/signed/. I do see a signed zone in the
> /var/opendnssec/tmp. It looks like the auditor fails to approve the zone
> after signing.

Correct, if you remove the from the configuration, the signer engine will output the zone.

> This is the log:
...
> It looks like the auditor is still seeing those "unbreakable
> spaces/tabs" but it did get signed in tmp directory:

Looks like...

...
>
> Although this signed zone doesn't seem right to me. Haven't checked it
> right now. I feel like there is missing entries.

I did not encounter this. All 5 records were there in the signed zonefile, including signatures. Two NSEC3 records were added.

To conclude, I think this is an auditor issue.

Best regards,
Matthijs

From Alexd at nominet.org.uk Mon Oct 26 10:10:57 2009
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk) Date: Mon, 26 Oct 2009 10:10:57 +0000 Subject: [Opendnssec-develop] Problem with signing In-Reply-To: <4AE573D7.904@nlnetlabs.nl> References: <850A39016FA57A4887C0AA3C8085F9499904C2@KAEVS1.SIDN.local> <4AE573D7.904@nlnetlabs.nl> Message-ID:

> To conclude, I think this is an auditor issue.

This temporary auditor issue was resolved on Friday. I am not aware of any current issues with the auditor.

Alex.

From rick.zijlker at sidn.nl Mon Oct 26 10:59:43 2009
From: rick.zijlker at sidn.nl (Rick Zijlker) Date: Mon, 26 Oct 2009 11:59:43 +0100 Subject: [Opendnssec-develop] Problem with signing References: <850A39016FA57A4887C0AA3C8085F9499904C2@KAEVS1.SIDN.local> <4AE573D7.904@nlnetlabs.nl> Message-ID: <850A39016FA57A4887C0AA3C8085F9499904C7@KAEVS1.SIDN.local> Hey all, Thanks for all the replies. I just installed to beta4 but it looks like there is still some reference to beta3: rick at OpenDNSSEC:~/opendnssec-1.0.0b4/bin$ sudo ods-control start Starting signer engine... OpenDNSSEC signer engine version 1.0.0b3 Zone list updated: 0 removed, 1 added, 0 updated running as pid 18234 Starting enforcer... OpenDNSSEC ods-enforcerd started (version 1.0.0b3), pid 18236 Anyhow, I still get the same messages when signing my zone. Included full log now, just in case it's needed: Oct 26 11:43:48 OpenDNSSEC ods-signerd: Preprocessing zone: rick.nl Oct 26 11:43:48 OpenDNSSEC ods-signerd: No information yet for key 86a68fb1d4c5f13e136fea49f516b901 Oct 26 11:43:48 OpenDNSSEC ods-signerd: Generating DNSKEY RR for 86a68fb1d4c5f13e136fea49f516b901 Oct 26 11:43:48 OpenDNSSEC ods-signerd: create_dnskey status: 0 Oct 26 11:43:48 OpenDNSSEC ods-signerd: equality: True Oct 26 11:43:48 OpenDNSSEC ods-signerd: Found key 86a68fb1d4c5f13e136fea49f516b901 Oct 26 11:43:48 OpenDNSSEC ods-signerd: No information yet for key 9ddcc27e593f30262d2e9ed07fc62050 Oct 26 11:43:48 OpenDNSSEC ods-signerd: Generating DNSKEY RR for 9ddcc27e593f30262d2e9ed07fc62050 Oct 26 11:43:48 OpenDNSSEC ods-signerd: create_dnskey status: 0 Oct 26 11:43:48 OpenDNSSEC ods-signerd: equality: True Oct 26 11:43:48 OpenDNSSEC ods-signerd: Found key 9ddcc27e593f30262d2e9ed07fc62050 Oct 26 11:43:48 OpenDNSSEC ods-signerd: No information yet for key 4ca3fc29814d44c9fa6f65ce15d3002e Oct 26 11:43:48 OpenDNSSEC ods-signerd: Generating DNSKEY RR for 4ca3fc29814d44c9fa6f65ce15d3002e Oct 26 11:43:48 OpenDNSSEC ods-signerd: create_dnskey status: 0 Oct 26 11:43:48 OpenDNSSEC ods-signerd: 
equality: True Oct 26 11:43:48 OpenDNSSEC ods-signerd: Found key 4ca3fc29814d44c9fa6f65ce15d3002e Oct 26 11:43:48 OpenDNSSEC ods-signerd: No information yet for key c3bb107f6ee9c397d231cb7a78b30a4e Oct 26 11:43:48 OpenDNSSEC ods-signerd: Generating DNSKEY RR for c3bb107f6ee9c397d231cb7a78b30a4e Oct 26 11:43:48 OpenDNSSEC ods-signerd: create_dnskey status: 0 Oct 26 11:43:48 OpenDNSSEC ods-signerd: equality: True Oct 26 11:43:48 OpenDNSSEC ods-signerd: Found key c3bb107f6ee9c397d231cb7a78b30a4e Oct 26 11:43:48 OpenDNSSEC ods-signerd: Run command: '/usr/local/libexec/opendnssec/zone_reader -o rick.nl -w /var/opendnssec/tmp/rick.nl.processed -n -t 5 -a 1 -s 4b6e62787e55936b' Oct 26 11:43:48 OpenDNSSEC ods-signerd: Writing file to zone_reader: /var/opendnssec/tmp/rick.nl.sorted Oct 26 11:43:48 OpenDNSSEC ods-signerd: Done preprocessing Oct 26 11:43:48 OpenDNSSEC ods-signerd: NSEC(3)ing zone: rick.nl Oct 26 11:43:48 OpenDNSSEC ods-signerd: Run command: '/usr/local/libexec/opendnssec/nsec3er -o rick.nl -t 5 -a 1 -i /var/opendnssec/tmp/rick.nl.processed -w /var/opendnssec/tmp/rick.nl.nsecced -m 3600 -s 4b6e62787e55936b -p' Oct 26 11:43:48 OpenDNSSEC ods-signerd: stderr from nseccer: nsec3er: 2 NSEC3 records generated within a second Oct 26 11:43:48 OpenDNSSEC ods-signerd: Run command: '/usr/local/libexec/opendnssec/signer -c /etc/opendnssec/conf.xml -p /var/opendnssec/tmp/rick.nl.signed -w /var/opendnssec/tmp/rick.nl.signed2 -r' Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :origin rick.nl Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :soa_ttl 3600 Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :soa_minimum 3600 Oct 26 11:43:48 OpenDNSSEC ods-signerd: Run command: '/usr/local/libexec/opendnssec/get_serial -f /var/opendnssec/signed/rick.nl' Oct 26 11:43:48 OpenDNSSEC ods-signerd: Warning: get_serial returned 1 Oct 26 11:43:48 OpenDNSSEC ods-signerd: set serial to 1256553828 Oct 26 11:43:48 
OpenDNSSEC ods-signerd: write to subp: :expiration 20091102104348 Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :expiration_denial 20091102104348 Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :jitter 43200 Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :inception 20091026103848 Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :refresh 20091030104348 Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :refresh_denial 20091030104348 Oct 26 11:43:48 OpenDNSSEC ods-signerd: use signature key: 86a68fb1d4c5f13e136fea49f516b901 Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :add_ksk 86a68fb1d4c5f13e136fea49f516b901 7 257 Oct 26 11:43:48 OpenDNSSEC ods-signerd: use signature key: 4ca3fc29814d44c9fa6f65ce15d3002e Oct 26 11:43:48 OpenDNSSEC ods-signerd: write to subp: :add_zsk 4ca3fc29814d44c9fa6f65ce15d3002e 7 256 Oct 26 11:43:48 OpenDNSSEC ods-signerd: signer stderr: Warning: unable to open /var/opendnssec/tmp/rick.nl.signed: No such file or directory, performing full zone sign Oct 26 11:43:48 OpenDNSSEC ods-signerd: signer stderr: signer: number of signatures created: 8 (within a second) Oct 26 11:43:48 OpenDNSSEC ods-signerd: Created 8 new signatures Oct 26 11:43:48 OpenDNSSEC ods-signerd: Run command: '/usr/local/libexec/opendnssec/finalizer -f /var/opendnssec/tmp/rick.nl.signed' Oct 26 11:43:48 OpenDNSSEC ods-signerd: Running auditor on zone Oct 26 11:43:48 OpenDNSSEC ods-signerd: Run command: '/usr/local/bin/ods-auditor -c /etc/opendnssec/conf.xml -s /var/opendnssec/tmp/rick.nl.finalized -z rick.nl' Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: SOA differs : from 2002022401 to 1256553828 Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Auditing rick.nl zone : NSEC3 SIGNED Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: non-DNSSEC RRSet MX included in Output that was not present in Input : rick.nl.^I3600^IIN^IMX^I10 mail.another.nl Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: non-DNSSEC RRSet NS included in Output that was not 
present in Input : rick.nl.^I3600^IIN^INS^Ins1.rick.nl Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: non-DNSSEC RRSet NS included in Output that was not present in Input : rick.nl.^I3600^IIN^INS^Ins2.smokeyjoe.nl Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Output zone does not contain non-DNSSEC RRSet : MX, IN.rick.nl.^I3600^IIN^IMX^I10 mail.another.nl Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Output zone does not contain non-DNSSEC RRSet : NS, IN.rick.nl.^I3600^IIN^INS^Ins1.rick.nl Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Output zone does not contain non-DNSSEC RRSet : NS, IN.rick.nl.^I3600^IIN^INS^Ins2.smokeyjoe.nl Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Finished auditing rick.nl zone Oct 26 11:43:49 OpenDNSSEC ods-signerd: Auditor result: 3 Oct 26 11:43:49 OpenDNSSEC ods-signerd: worker 1 acquiring lock Oct 26 11:43:49 OpenDNSSEC ods-signerd: worker 1 acquired lock Oct 26 11:43:49 OpenDNSSEC ods-signerd: no task for worker 1, sleep for 7198.98547602 Oct 26 11:43:49 OpenDNSSEC ods-signerd: worker 1 released lock by going to wait (for ttime) Im going to try to import the zone into BIND to check if it also rejects the zone file. Maybe there is something terribly wrong with it. Cheers, Rick From: Alexd at nominet.org.uk [mailto:Alexd at nominet.org.uk] Sent: maandag 26 oktober 2009 11:11 To: Matthijs Mekking Cc: opendnssec-develop at lists.opendnssec.org; opendnssec-develop-bounces at lists.opendnssec.org; Rick Zijlker Subject: Re: [Opendnssec-develop] Problem with signing > To conclude, I think this is an auditor issue. This temporary auditor issue was resolved on Friday. I am not aware of any current issues with the auditor. Alex. -------------- next part -------------- An HTML attachment was scrubbed... URL: From Alexd at nominet.org.uk Mon Oct 26 11:53:58 2009 
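An added example, not part of the thread and not OpenDNSSEC code: in the log above, ods-auditor reports the same MX and NS RRsets both as "included in Output that was not present in Input" and as "Output zone does not contain", which cannot both describe a real zone difference. The Python sketch below pairs such lines so a self-contradictory audit can be told apart from a genuine mismatch. The function names are hypothetical, the sample lines are copied from the log above, and one extra line is constructed.

```python
import re

# Message formats as they appear in the ods-auditor syslog lines quoted above.
EXTRA_RE = re.compile(
    r"ods-auditor\[\d+\]: non-DNSSEC RRSet (\S+) included in Output "
    r"that was not present in Input : (.+)$"
)
# The "missing" form prints "<TYPE>, IN." directly in front of the record.
MISSING_RE = re.compile(
    r"ods-auditor\[\d+\]: Output zone does not contain non-DNSSEC RRSet : "
    r"(\S+), IN\.?(.+)$"
)

# Copied from the Oct 26 log in the message above.
SAMPLE_LOG = """\
Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: SOA differs : from 2002022401 to 1256553828
Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Auditing rick.nl zone : NSEC3 SIGNED
Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: non-DNSSEC RRSet MX included in Output that was not present in Input : rick.nl.^I3600^IIN^IMX^I10 mail.another.nl
Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: non-DNSSEC RRSet NS included in Output that was not present in Input : rick.nl.^I3600^IIN^INS^Ins1.rick.nl
Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: non-DNSSEC RRSet NS included in Output that was not present in Input : rick.nl.^I3600^IIN^INS^Ins2.smokeyjoe.nl
Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Output zone does not contain non-DNSSEC RRSet : MX, IN.rick.nl.^I3600^IIN^IMX^I10 mail.another.nl
Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Output zone does not contain non-DNSSEC RRSet : NS, IN.rick.nl.^I3600^IIN^INS^Ins1.rick.nl
Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Output zone does not contain non-DNSSEC RRSet : NS, IN.rick.nl.^I3600^IIN^INS^Ins2.smokeyjoe.nl
Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Finished auditing rick.nl zone
"""

# Constructed line (not from the thread): a record reported as missing only.
CONSTRUCTED_LINE = (
    "Oct 26 11:43:49 OpenDNSSEC ods-auditor[18269]: Output zone does not "
    "contain non-DNSSEC RRSet : A, IN.www.rick.nl.^I3600^IIN^IA^I192.168.0.2\n"
)


def normalise(record):
    """Turn syslog's '^I' tab escape into whitespace and split into fields."""
    return tuple(record.replace("^I", " ").lower().split())


def audit_findings(log_text):
    """Return (extra, missing): records the auditor says were added or dropped."""
    extra, missing = set(), set()
    for line in log_text.splitlines():
        match = EXTRA_RE.search(line)
        if match:
            extra.add(normalise(match.group(2)))
            continue
        match = MISSING_RE.search(line)
        if match:
            missing.add(normalise(match.group(2)))
    return extra, missing


def triage_audit(log_text):
    """Split findings into contradictory ones and one-sided ones."""
    extra, missing = audit_findings(log_text)
    return {
        # Same record reported as both added and dropped: suspect the comparison.
        "contradictory": sorted(extra & missing),
        # Reported in one direction only: suspect the zone or the signer.
        "only_extra": sorted(extra - missing),
        "only_missing": sorted(missing - extra),
    }


if __name__ == "__main__":
    for kind, records in triage_audit(SAMPLE_LOG + CONSTRUCTED_LINE).items():
        for fields in records:
            print(kind, " ".join(fields))
```
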
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk) Date: Mon, 26 Oct 2009 11:53:58 +0000 Subject: [Opendnssec-develop] Problem with signing In-Reply-To: <850A39016FA57A4887C0AA3C8085F9499904C7@KAEVS1.SIDN.local> References: <850A39016FA57A4887C0AA3C8085F9499904C2@KAEVS1.SIDN.local> <4AE573D7.904@nlnetlabs.nl> <850A39016FA57A4887C0AA3C8085F9499904C7@KAEVS1.SIDN.local> Message-ID: Hi Rick - > Thanks for all the replies. I just installed to beta4 Unfortunately the beta was tagged early on Friday, and the fix for this issue did not make it into the beta (it was released later on Friday afternoon). Indeed, the beta4 actually introduced this bug (as it was a trunk change mid last week which caused the issue in the first place). I am not aware of any issues with the trunk revision of the auditor. Sorry I didn't make this explicit before. Thanks, Alex. From Alexd at nominet.org.uk Mon Oct 26 15:32:57 2009 From: Alexd at nominet.org.uk (Alexd at nominet.org.uk) Date: Mon, 26 Oct 2009 15:32:57 +0000 Subject: [Opendnssec-develop] Standby key issue Message-ID: Hi - In my kasp.xml, I have : 5 PT40M softHSM 1 This means there should always be one prepublished KSK. In the resultant zone file, there is only one KSK, which is used to sign the zone. So, the auditor is complaining that there should be an additional prepublished KSK (1 Standby). Is the auditor right? If so, which component should this story be aimed at? Thanks, Alex. From sion at nominet.org.uk Mon Oct 26 15:55:13 2009
From: sion at nominet.org.uk (sion at nominet.org.uk) Date: Mon, 26 Oct 2009 15:55:13 +0000 Subject: [Opendnssec-develop] Standby key issue In-Reply-To: References: Message-ID: > In my kasp.xml, I have : > > > 5 > PT40M > softHSM > 1 > > > This means there should always be one prepublished KSK. > > In the resultant zone file, there is only one KSK, which is used to > sign the zone. So, the auditor is complaining that there should be > an additional prepublished KSK (1 Standby). > > Is the auditor right? If so, which component should this story be aimed at? Yes, the auditor is correct. If 2 ksks are defined in the signconf xml file (the location is defined in the SignerConfiguration tag of zonelist.xml) then the issue is somewhere in the signer. Otherwise it is in the enforcer; note though that if you have ManualKeyGeneration turned on (in conf.xml) then there may not be enough keys generated to satisfy the policy. The enforcer should have logged something to syslog if it has run out of keys. Sion From rickard.bondesson at iis.se Mon Oct 26 15:58:10 2009 
From: rickard.bondesson at iis.se (Rickard Bondesson) Date: Mon, 26 Oct 2009 16:58:10 +0100 Subject: [Opendnssec-develop] Standby key issue In-Reply-To: References: Message-ID: <983F17705339E24699AA251B458249B50CC4998814@EXCHANGE2K7.office.nic.se>

> Is the auditor right? If so, which component should this story be aimed
> at?

Yeah, the auditor is right. Have a look in the corresponding zone config that the enforcer gives to the signer. Are there two keys with flag 257 with tag Publish and one of them with the KSK tag? If yes, then the problem is in the signer. If no, then the problem is in the enforcer.

From rick.zijlker at sidn.nl Tue Oct 27 09:36:54 2009
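An added example, not part of the thread and not OpenDNSSEC code: the triage both replies describe (count the published flag-257 keys in the signer configuration, then compare with the DNSKEY RRset in the signed zone) written as a Python check. The XML layout, the key locators, the key data and the function names are constructed for illustration; only the element names Flags, Publish and KSK follow the wording of the reply above.

```python
import xml.etree.ElementTree as ET


def make_signconf(keys):
    """Build a constructed signer configuration (layout is an assumption)."""
    body = ""
    for flags, locator, tags in keys:
        marks = "".join("<%s/>" % tag for tag in tags)
        body += ("<Key><Flags>%d</Flags><Algorithm>7</Algorithm>"
                 "<Locator>%s</Locator>%s</Key>" % (flags, locator, marks))
    return ("<SignerConfiguration><Zone name='example.test'><Keys>%s</Keys>"
            "</Zone></SignerConfiguration>" % body)


def published_ksks(signconf_xml):
    """Return (published, signing) counts for keys with flag 257."""
    published = signing = 0
    for key in ET.fromstring(signconf_xml).iter("Key"):
        if (key.findtext("Flags") or "").strip() != "257":
            continue
        if key.find("Publish") is not None:
            published += 1
        if key.find("KSK") is not None:
            signing += 1
    return published, signing


def zone_ksk_count(zone_text):
    """Count DNSKEY records with flags 257 in a signed zone file."""
    count = 0
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing ';{id = ...}' comment
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if i > 0 and fields[i - 1] == "RRSIG":
            continue  # 'RRSIG DNSKEY ...' is the signature, not a key
        if fields[i + 1:i + 2] == ["257"]:
            count += 1
    return count


def triage_standby(signconf_xml, zone_text, standby=1):
    """Name the component to look at when the auditor reports a missing standby KSK."""
    wanted = 1 + standby  # one signing KSK plus the prepublished standby keys
    published, signing = published_ksks(signconf_xml)
    if published < wanted or signing < 1:
        return "enforcer"  # the signer was never told about enough keys
    if zone_ksk_count(zone_text) < wanted:
        return "signer"    # keys were handed over but not published
    return "ok"


# Constructed sample inputs.
TWO_KSKS = make_signconf([
    (257, "constructed-ksk-active", ["KSK", "Publish"]),
    (257, "constructed-ksk-standby", ["Publish"]),
    (256, "constructed-zsk", ["ZSK", "Publish"]),
])
ONE_KSK = make_signconf([
    (257, "constructed-ksk-active", ["KSK", "Publish"]),
    (256, "constructed-zsk", ["ZSK", "Publish"]),
])
ZONE_ONE_KSK = """\
example.test. 3600 IN DNSKEY 257 3 7 AwEAAconstructed1 ;{id = 1 (ksk)}
example.test. 3600 IN DNSKEY 256 3 7 AwEAAconstructed2 ;{id = 2 (zsk)}
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20091102104348 20091026103848 1 example.test. Y29uc3RydWN0ZWQ=
"""
ZONE_TWO_KSKS = ZONE_ONE_KSK + (
    "example.test. 3600 IN DNSKEY 257 3 7 AwEAAconstructed3 ;{id = 3 (ksk)}\n"
)

if __name__ == "__main__":
    print(triage_standby(TWO_KSKS, ZONE_ONE_KSK))
    print(triage_standby(ONE_KSK, ZONE_ONE_KSK))
    print(triage_standby(TWO_KSKS, ZONE_TWO_KSKS))
```
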
From: rick.zijlker at sidn.nl (Rick Zijlker) Date: Tue, 27 Oct 2009 10:36:54 +0100 Subject: [Opendnssec-develop] Reference to beta 3 Message-ID: <850A39016FA57A4887C0AA3C8085F9499904C9@KAEVS1.SIDN.local> Hey all, My log shows the signer is failing because of a reference to beta 3: Oct 27 10:33:39 OpenDNSSEC ods-signerd: worker 2 acquiring lock Oct 27 10:33:39 OpenDNSSEC ods-signerd: worker 2 acquired lock Oct 27 10:33:39 OpenDNSSEC ods-signerd: worker 2 released lock Oct 27 10:33:39 OpenDNSSEC ods-signerd: Got task for worker 2 Oct 27 10:33:39 OpenDNSSEC ods-signerd: Worker 2 run task Oct 27 10:33:39 OpenDNSSEC ods-signerd: Zone action to perform: 6 Oct 27 10:33:39 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/signer -c /etc/opendnssec/conf.xml -p /var/opendnssec/tmp/rick.nl.signed -w /var/opendnssec/tmp/rick.nl.signed2 -r' Oct 27 10:33:39 OpenDNSSEC ods-signerd: command not found: /home/rick/opendnssec-1.0.0b3/libexec/opendnssec/signer Oct 27 10:33:39 OpenDNSSEC ods-signerd: worker 2 acquiring lock Oct 27 10:33:39 OpenDNSSEC ods-signerd: worker 2 acquired lock Oct 27 10:33:39 OpenDNSSEC ods-signerd: no task for worker 2, sleep for 7199.99035478 Oct 27 10:33:39 OpenDNSSEC ods-signerd: worker 2 released lock by going to wait (for ttime) Is this a configurable setting? I can't find it in the config files. Opendnssec-1.0.0b3 does not exist. Opendnssec-1.0.0b4 does. Cheers, Rick From owner-dnssec-trac at kirei.se Tue Oct 27 13:36:56 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 13:36:56 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #43: ods-signer parser is too strict with white spaces Message-ID: <066.d3d766f2fd2a1ea725377b3a4fd61cb4@kirei.se> #43: ods-signer parser is too strict with white spaces -----------------------------------------+---------------------------------- Reporter: bortzmeyer+opendnssec at nic.fr | Owner: matthijs Type: enhancement | Status: new Priority: minor | Component: Signer Version: trunk | Keywords: -----------------------------------------+---------------------------------- ods-signer should really trim whitespace at the beginning of a command: cmd> sign bortzmeyer.fr Zone scheduled for immediate resign cmd> sign bortzmeyer.fr unknown command -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 15:22:06 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 15:22:06 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #44: subdomains create invalid NSEC3 records Message-ID: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: new Priority: major | Component: Signer Version: trunk | Keywords: -------------------------------+-------------------------------------------- I think this is a signer issue... some.host.at.bubbles IN A 10.5.1.116 This will cause the signer to create invalid NSEC3 records (1 for each subdomain of 'bubbles') -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 15:39:20 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 15:39:20 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #43: ods-signer parser is too strict with white spaces In-Reply-To: <066.d3d766f2fd2a1ea725377b3a4fd61cb4@kirei.se> References: <066.d3d766f2fd2a1ea725377b3a4fd61cb4@kirei.se> Message-ID: <075.3adb10302d605ce9988a187aef0dc042@kirei.se> #43: ods-signer parser is too strict with white spaces -----------------------------------------+---------------------------------- Reporter: bortzmeyer+opendnssec at nic.fr | Owner: matthijs Type: enhancement | Status: new Priority: minor | Component: Signer Version: trunk | Resolution: Keywords: | -----------------------------------------+---------------------------------- Comment(by rb): Should now be fixed in r2349 -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 15:39:35 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 15:39:35 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #45: Multiple ORIGIN directives confuses signer Message-ID: <056.31a48952f5526630e47f1b07efe14291@kirei.se> #45: Multiple ORIGIN directives confuses signer -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Keywords: -------------------------------+-------------------------------------------- $ORIGIN tom. @ IN NS bubbles bubbles IN A 10.5.1.116 $ORIGIN test.tom. @ IN NS ns1.tom. IN NS ns2.tom. IN NS ns3.tom. With this input, the signer will only correctly process the line containing ns1.tom. The last two lines will be output as... bubbles.tom IN NS ns2.tom. bubbles.tom IN NS ns3.tom. (See attached zonefile) -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 16:27:46 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 16:27:46 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #45: Multiple ORIGIN directives confuses signer In-Reply-To: <056.31a48952f5526630e47f1b07efe14291@kirei.se> References: <056.31a48952f5526630e47f1b07efe14291@kirei.se> Message-ID: <065.db528cf7357203cc91f83445b455bc41@kirei.se> #45: Multiple ORIGIN directives confuses signer -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by rb): You forgot to attach the zone file. -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 16:32:55 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 16:32:55 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #34: Softhsm +lib In-Reply-To: <061.47f61d576ede9063deccf51eb68338e5@kirei.se> References: <061.47f61d576ede9063deccf51eb68338e5@kirei.se> Message-ID: <070.ac58f66d08e94b4eeb1d4c94125d3881@kirei.se> #34: Softhsm +lib ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: rb Type: defect | Status: assigned Priority: critical | Component: SoftHSM Version: trunk | Resolution: Keywords: | ------------------------------------+--------------------------------------- Comment(by rb): I think that your OS is searching for the library. Thus the ENOENT, until it finds the library. -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 16:34:30 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 16:34:30 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #42: I don't understand why "now" In-Reply-To: <061.7092b7bd5b1bcd3c5a2e365f7a316fab@kirei.se> References: <061.7092b7bd5b1bcd3c5a2e365f7a316fab@kirei.se> Message-ID: <070.845a8f17b714547e489a913b2c12952e@kirei.se> #42: I don't understand why "now" ------------------------------------+--------------------------------------- Reporter: archi.laurent at gmail.com | Owner: rb Type: defect | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: fixed Keywords: table "dbadmin" | ------------------------------------+--------------------------------------- Changes (by rb): * status: new => closed * resolution: => fixed -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 16:35:14 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 16:35:14 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #38: Keygend could use more informational error messages In-Reply-To: <061.23030cd0ce8aecff95e9829221f6fb97@kirei.se> References: <061.23030cd0ce8aecff95e9829221f6fb97@kirei.se> Message-ID: <070.8274d8e52b1643e005ca2982ff9c93a0@kirei.se> #38: Keygend could use more informational error messages ------------------------------------+--------------------------------------- Reporter: robert at dk-hostmaster.dk | Owner: sion Type: enhancement | Status: closed Priority: trivial | Component: Unknown Version: trunk | Resolution: fixed Keywords: | ------------------------------------+--------------------------------------- Changes (by rb): * status: assigned => closed * resolution: => fixed -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 16:36:32 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 16:36:32 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #45: Multiple ORIGIN directives confuses signer In-Reply-To: <056.31a48952f5526630e47f1b07efe14291@kirei.se> References: <056.31a48952f5526630e47f1b07efe14291@kirei.se> Message-ID: <065.61a5808e9eafe1a194d0cfc24c178ac6@kirei.se> #45: Multiple ORIGIN directives confuses signer -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by sion): attach file is not working, the snippet above contains the important lines any way. -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 16:37:44 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 16:37:44 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #44: subdomains create invalid NSEC3 records In-Reply-To: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> References: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> Message-ID: <065.bbdde3983e413a0e645e29bc4dbcdb34@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: new Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by sion): Note that this is also the only sibling glue in the file that we were looking at. -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 16:44:20 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 16:44:20 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #45: Multiple ORIGIN directives confuses signer In-Reply-To: <056.31a48952f5526630e47f1b07efe14291@kirei.se> References: <056.31a48952f5526630e47f1b07efe14291@kirei.se> Message-ID: <065.5460cc134f2c85c32a47a5d9514fab44@kirei.se> #45: Multiple ORIGIN directives confuses signer -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by rb): What is the name of the zone? bubbles.tom? Because you have the "@" for the first ns. Then will ns2 and ns3 get the same owner. -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Tue Oct 27 16:47:13 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Tue, 27 Oct 2009 16:47:13 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #45: Multiple ORIGIN directives confuses signer In-Reply-To: <056.31a48952f5526630e47f1b07efe14291@kirei.se> References: <056.31a48952f5526630e47f1b07efe14291@kirei.se> Message-ID: <065.43899fff8eea665de28239db6913fde9@kirei.se> #45: Multiple ORIGIN directives confuses signer -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by rb): Ahh, no.... should be: The value substituted for @ is either: * The last $ORIGIN directive encountered in the file. OR * If no $ORIGIN directive is present - BIND synthesizes one from the value of the zone name in the named.conf file -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Wed Oct 28 08:25:55 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Wed, 28 Oct 2009 08:25:55 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #43: ods-signer parser is too strict with white spaces In-Reply-To: <066.d3d766f2fd2a1ea725377b3a4fd61cb4@kirei.se> References: <066.d3d766f2fd2a1ea725377b3a4fd61cb4@kirei.se> Message-ID: <075.80de7534463b767e1fe2b44bdbf8ca03@kirei.se> #43: ods-signer parser is too strict with white spaces -----------------------------------------+---------------------------------- Reporter: bortzmeyer+opendnssec at nic.fr | Owner: matthijs Type: enhancement | Status: closed Priority: minor | Component: Signer Version: trunk | Resolution: fixed Keywords: | -----------------------------------------+---------------------------------- Changes (by matthijs): * status: new => closed * resolution: => fixed -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Wed Oct 28 08:45:55 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Wed, 28 Oct 2009 08:45:55 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #45: Multiple ORIGIN directives confuses signer In-Reply-To: <056.31a48952f5526630e47f1b07efe14291@kirei.se> References: <056.31a48952f5526630e47f1b07efe14291@kirei.se> Message-ID: <065.e2b690d5841c92ce3e7d96d0c1b1926c@kirei.se> #45: Multiple ORIGIN directives confuses signer -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: rb Type: defect | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: fixed Keywords: | -------------------------------+-------------------------------------------- Changes (by matthijs): * status: new => closed * resolution: => fixed Comment: This is a LDNS bug, where the previous domain name does not get updated if owner name is @. fixed in ldns trunk 3084, please use that trunk for now. A full LDNS release is in the make. -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Wed Oct 28 08:52:07 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Wed, 28 Oct 2009 08:52:07 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #44: subdomains create invalid NSEC3 records In-Reply-To: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> References: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> Message-ID: <065.f230edf78030e448d14136d5aa53e4dd@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: new Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by matthijs): Would it be possible to get the zonefile (attached or in my mail inbox?) -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Wed Oct 28 10:37:02 2009 
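Added example (not code from the ticket, from ldns or from OpenDNSSEC): a small owner-name resolver for the rule discussed in ticket #45 above, where "@" stands for the current $ORIGIN and a record with a blank owner field inherits the previous owner. The zone text, the function names and the `update_prev_on_at` switch, which imitates the reported behaviour of not updating the previous owner on "@", are constructed for illustration.

```python
"""Owner-name resolution for master-file records: $ORIGIN, "@", blank owners."""

# Constructed sample zone (not the file from the ticket): several $ORIGIN
# directives, then an "@" record followed by blank-owner records.
SAMPLE_ZONE = """\
$ORIGIN tom.
$TTL 86400
@       IN SOA bubbles root.bubbles 5 604800 86400 2419200 1
$ORIGIN sub.tom.
host    IN A   10.5.1.1
$ORIGIN tom.
@       IN NS  ns1
        IN NS  ns2
        IN NS  ns3
"""


def absolute(name, origin):
    """Expand a possibly relative name against the current origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    suffix = "" if origin == "." else origin
    return (name + "." + suffix).lower()


def resolve_owners(zone_text, zone_name, update_prev_on_at=True):
    """Return [(owner, rest_of_record)] for every record in zone_text.

    zone_name is the origin used until the first $ORIGIN directive, i.e. the
    name the server configuration gives the zone. update_prev_on_at=False
    imitates the defect described in the ticket (assumption: modelled here as
    one skipped assignment, not taken from the ldns source).

    Simplifications: one record per line, no parenthesised continuation, and
    ';' always starts a comment.
    """
    origin = zone_name.rstrip(".").lower() + "."
    prev_owner = None
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$"):
            fields = line.split()
            if fields[0].upper() == "$ORIGIN":
                origin = absolute(fields[1], origin)
            continue  # $TTL and other directives do not affect owner names
        if line[0] in " \t":
            # Blank owner field: inherit the last stated owner.
            if prev_owner is None:
                raise ValueError("blank owner before any owner was stated")
            owner = prev_owner
            rest = line.split()
        else:
            fields = line.split()
            token, rest = fields[0], fields[1:]
            if token == "@":
                owner = origin
                if update_prev_on_at:
                    prev_owner = owner
            else:
                owner = absolute(token, origin)
                prev_owner = owner
        records.append((owner, " ".join(rest)))
    return records


def ns_owners(records):
    """Owner names of the NS records, in file order."""
    return [owner for owner, rest in records if rest.split()[1] == "NS"]


if __name__ == "__main__":
    for label, flag in (("correct", True), ("previous owner not updated on @", False)):
        print(label)
        for owner, rest in resolve_owners(SAMPLE_ZONE, "tom", flag):
            print("   %-16s %s" % (owner, rest))
```

With the switch off, the ns2 and ns3 records land on the owner of the last record that named one explicitly instead of on the zone apex.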
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Wed, 28 Oct 2009 10:37:02 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #44: subdomains create invalid NSEC3 records In-Reply-To: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> References: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> Message-ID: <065.5dd06408bd53f87e1785d04eed5f49a0@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: new Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by matthijs): Do you mean invalid NSEC3 RRs as in bogus NSEC3 RRs or invalid as in 'there should not be a NSEC3 RR here'? -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Wed Oct 28 10:53:20 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Wed, 28 Oct 2009 10:53:20 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #44: subdomains create invalid NSEC3 records In-Reply-To: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> References: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> Message-ID: <065.5931d3321313736e0c0535f99e6303c2@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: new Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by sion): (from memory) The auditor reported that 3 of the NSEC3 records were invalid. Those records did not have their Type bitmap set (at least not in the display). -- Ticket URL: OpenDNSSEC OpenDNSSEC From rickard.bellgrim at iis.se Wed Oct 28 11:07:09 2009 
From: rickard.bellgrim at iis.se (Rickard Bellgrim) Date: Wed, 28 Oct 2009 12:07:09 +0100 Subject: [Opendnssec-develop] Meeting 20091030 Message-ID: <983F17705339E24699AA251B458249B50CC4998B64@EXCHANGE2K7.office.nic.se> Hi I think I forgot to mention that we decided to have a meeting this Friday between 11 and 12 CET (not CEST). An agenda will come up on the wiki soon. // Rickard From owner-dnssec-trac at kirei.se Wed Oct 28 11:13:03 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Wed, 28 Oct 2009 11:13:03 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #44: subdomains create invalid NSEC3 records In-Reply-To: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> References: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> Message-ID: <065.3cfd13d8b615bdb3c630f85f38a99ba1@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: new Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by matthijs): is that with ldns trunk? cause a similar problem was fixed in ldns trunk (r3064 and up) -- Ticket URL: OpenDNSSEC OpenDNSSEC From rick.zijlker at sidn.nl Wed Oct 28 11:22:46 2009 
From: rick.zijlker at sidn.nl (Rick Zijlker) Date: Wed, 28 Oct 2009 12:22:46 +0100 Subject: [Opendnssec-develop] Uninstalling Message-ID: <850A39016FA57A4887C0AA3C8085F9499904CB@KAEVS1.SIDN.local>

Hey all,

What is the correct way of uninstalling/removing a previous version of OpenDNSSEC to install a new one? Cause I installed Beta4 and am getting Beta3 errors in my log. I did the following steps:

./ods-control stop
rm -r /home/rick/opendnssec-1.0.0b3
rm -r /home/rick/softhsm-1.0.0
rm -r /var/opendnssec
rm -r /var/softhsm
rm -r /etc/opendnssec
rm -r /etc/softhsm.conf

I just kept these in place:

/home/rick/ldns-1.6.1
/home/rick/Botan-1.9.0

Am I missing anything?

Cheers,
Rick

*My syslog*

Oct 28 10:33:39 OpenDNSSEC ods-signerd: worker 2 acquiring lock
Oct 28 10:33:39 OpenDNSSEC ods-signerd: worker 2 acquired lock
Oct 28 10:33:39 OpenDNSSEC ods-signerd: worker 2 released lock
Oct 28 10:33:39 OpenDNSSEC ods-signerd: Got task for worker 2
Oct 28 10:33:39 OpenDNSSEC ods-signerd: Worker 2 run task
Oct 28 10:33:39 OpenDNSSEC ods-signerd: Zone action to perform: 6
Oct 28 10:33:39 OpenDNSSEC ods-signerd: Run command: '/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/signer -c /etc/opendnssec/conf.xml -p /var/opendnssec/tmp/rick.nl.signed -w /var/opendnssec/tmp/rick.nl.signed2 -r'
Oct 28 10:33:39 OpenDNSSEC ods-signerd: command not found: /home/rick/opendnssec-1.0.0b3/libexec/opendnssec/signer
Oct 28 10:33:39 OpenDNSSEC ods-signerd: worker 2 acquiring lock
Oct 28 10:33:39 OpenDNSSEC ods-signerd: worker 2 acquired lock
Oct 28 10:33:39 OpenDNSSEC ods-signerd: no task for worker 2, sleep for 7199.9905622
Oct 28 10:33:39 OpenDNSSEC ods-signerd: worker 2 released lock by going to wait (for ttime)

From patrik.wallstrom at iis.se Wed Oct 28 13:43:55 2009
From: patrik.wallstrom at iis.se (=?iso-8859-1?Q?Patrik_Wallstr=F6m?=) Date: Wed, 28 Oct 2009 14:43:55 +0100 Subject: [Opendnssec-develop] number of signatures generated Message-ID:

I really don't understand the logging messages I see when test-signing the .SE zone.

This is what is appended to the end of the signed zone:

; Last refresh stats: existing: 870678, removed 1, created 6143

The number of generated signatures corresponds to the log message:

Oct 28 12:29:13 dnssecsigner ods-signerd: signer stderr: signer: number of signatures created: 6143 (62 rr/sec)
Oct 28 12:29:13 dnssecsigner ods-signerd: Created 6143 new signatures

The parameters I use when test-signing are a lot shorter signature lifetimes (2 days, with 6 hour jitter) than our real system. Which means that a lot more signatures should be dropped and generated. So my guess is that these counters don't really work... could this be true?

From our real system, signing the same zone a day earlier:

Oct 27 13:27:28 zonesign mksigned[14097]: signzone success = 876229
Oct 27 13:27:28 zonesign mksigned[14097]: signzone retained = 839845
Oct 27 13:27:28 zonesign mksigned[14097]: signzone generated = 36384

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/

From Stephen.Morris at nominet.org.uk Wed Oct 28 13:56:11 2009
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk) Date: Wed, 28 Oct 2009 13:56:11 +0000 Subject: [Opendnssec-develop] Re: Template for reports on testing an code review In-Reply-To: <20091023103631.GA8974@phantom.vanrein.org> References: <20091023103631.GA8974@phantom.vanrein.org> Message-ID:

Rick van Rein wrote on 23/10/2009 11:36:31:

> Stephen,
>
> You are very clear in your request for documentation backing having done
> code reviews and tests. You summed up lists of items you would like
> to see in them. Clearly, you have a better background in ISO-9000
> than most of us (at least more than I).
>
> With this in mind, is it perhaps an idea that you create a template for
> such reports, so testers/reviewers only need to fill it out? It'll help
> searching through them at a later time for the people who are keen on
> ISO-9000 issues and it'll help to ensure that the reports do not miss
> out on information that is easily overlooked otherwise.
>
>
> Cheers,
> -Rick

I could do a template, but I don't want to be too prescriptive. Providing each report contains the following information:

Files checked and their revision
Date of review
Reviewer
Comments on the files

... that should be enough. If the review raises issues that are sufficient to warrant a change, a story should be raised in Pivotal Tracker and the ID of the story added to the review.

Reviews should be passed to Rickard, who should file them. (If we decide it's worth it, at some time we could publish them on the wiki)

Stephen

From matthijs at NLnetLabs.nl Wed Oct 28 14:33:08 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Wed, 28 Oct 2009 15:33:08 +0100 Subject: [Opendnssec-develop] number of signatures generated In-Reply-To: References: Message-ID: <4AE85624.209@nlnetlabs.nl>

Could be true, but from the source code of the signer it looks pretty straight-forward: created_sigs++ after hsm_sign_rrset and removed_sigs++ when not printing current signature.

Though created_sigs could be decreased when type covered is SOA.

Matthijs

Patrik Wallström wrote:
> I really don't understand the logging messages I see when test-signing
> the .SE zone.
>
> This is what is appended to the end of the signed zone:
>
> ; Last refresh stats: existing: 870678, removed 1, created 6143
>
> The number of generated signatures corresponds to the log message:
> Oct 28 12:29:13 dnssecsigner ods-signerd: signer stderr: signer:
> number of signatures created: 6143 (62 rr/sec)
> Oct 28 12:29:13 dnssecsigner ods-signerd: Created 6143 new signatures
>
> The parameters I use when test-signing are a lot shorter signature
> lifetimes (2 days, with 6 hour jitter) than our real system. Which
> means that a lot more signatures should be dropped and generated. So
> my guess is that these counters don't really work... could this be true?
>
> From our real system, signing the same zone a day earlier:
> Oct 27 13:27:28 zonesign mksigned[14097]: signzone success = 876229
> Oct 27 13:27:28 zonesign mksigned[14097]: signzone retained = 839845
> Oct 27 13:27:28 zonesign mksigned[14097]: signzone generated = 36384
>

From Alexd at nominet.org.uk Wed Oct 28 14:42:25 2009
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk) Date: Wed, 28 Oct 2009 14:42:25 +0000 Subject: [Opendnssec-develop] Fw: Cannot sign .FR, stops at fr.in.sorted Message-ID:

Anyone have any idea about this?

Stephane has disabled the auditor, but still cannot sign fr. - please see below.

Thanks,

Alex.

----- Forwarded by Alex Dalitz/Nominet on 28/10/2009 14:41 -----

Stephane Bortzmeyer
28/10/2009 14:36

To: Alexd at nominet.org.uk
cc: Stephane Bortzmeyer
Subject: Re: Cannot sign .FR, stops at fr.in.sorted

On Wed, Oct 28, 2009 at 01:58:06PM +0000, Alexd at nominet.org.uk wrote a message of 32 lines which said:

> Does disabling the auditor leave you with a successfully signed zone?

No, same problem. I suppressed in conf.xml, I restarted the daemons and requested a signing. The auditor did not run (obviously) but I still had no /var/opendnssec/signed:fr as I expected.

Last lines in the log (note the spurious mention of the auditor which did not run actually, with the time it takes, I would have noticed):

Oct 28 15:34:10 jezabel ods-signerd: Running auditor on zone
Oct 28 15:34:10 jezabel ods-signerd: Run command: '/usr/local/bin/ods-auditor -c /etc/opendnssec/conf.xml -s /var/opendnssec/tmp/fr.finalized -z fr'
Oct 28 15:34:11 jezabel ods-signerd: Auditor result: 1
Oct 28 15:34:11 jezabel ods-signerd: worker 3 acquiring lock
Oct 28 15:34:11 jezabel ods-signerd: worker 3 acquired lock
Oct 28 15:34:11 jezabel ods-signerd: no task for worker 3, sleep for 6821.41999006
Oct 28 15:34:11 jezabel ods-signerd: worker 3 released lock by going to wait (for ttime)

From matthijs at NLnetLabs.nl Wed Oct 28 14:50:18 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Wed, 28 Oct 2009 15:50:18 +0100 Subject: [Opendnssec-develop] Fw: Cannot sign .FR, stops at fr.in.sorted In-Reply-To: References: Message-ID: <4AE85A2A.1070405@nlnetlabs.nl>

Note that the signer will still call the auditor if the signer configuration is not updated. The signer configuration is generated from the policy configuration, by default kasp.xml.

Best regards,

Matthijs

Alexd at nominet.org.uk wrote:
> Anyone have any idea about this?
>
> Stephane has disabled the auditor, but still cannot sign fr. - please
> see below.
>
> Thanks,
>
>
> Alex.
>
> ----- Forwarded by Alex Dalitz/Nominet on 28/10/2009 14:41 -----
> *Stephane Bortzmeyer *
>
> 28/10/2009 14:36
>
>
> To
> Alexd at nominet.org.uk
> cc
> Stephane Bortzmeyer
> Subject
> Re: Cannot sign .FR, stops at fr.in.sorted
>
> On Wed, Oct 28, 2009 at 01:58:06PM +0000,
> Alexd at nominet.org.uk wrote
> a message of 32 lines which said:
>
>> Does disabling the auditor leave you with a successfully signed zone?
>
> No, same problem. I suppressed in conf.xml, I restarted the
> daemons and requested a signing. The auditor did not run (obviously)
> but I still had no /var/opendnssec/signed:fr as I expected.
>
> Last lines in the log (note the spurious mention of the auditor which
> did not run actually, with the time it takes, I would have noticed):
>
> Oct 28 15:34:10 jezabel ods-signerd: Running auditor on zone
> Oct 28 15:34:10 jezabel ods-signerd: Run command:
> '/usr/local/bin/ods-auditor -c /etc/opendnssec/conf.xml -s
> /var/opendnssec/tmp/fr.finalized -z fr'
> Oct 28 15:34:11 jezabel ods-signerd: Auditor result: 1
> Oct 28 15:34:11 jezabel ods-signerd: worker 3 acquiring lock
> Oct 28 15:34:11 jezabel ods-signerd: worker 3 acquired lock
> Oct 28 15:34:11 jezabel ods-signerd: no task for worker 3, sleep for
> 6821.41999006
> Oct 28 15:34:11 jezabel ods-signerd: worker 3 released lock by going to
> wait (for ttime)
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From patrik.wallstrom at iis.se Thu Oct 29 08:18:04 2009
From: patrik.wallstrom at iis.se (=?iso-8859-1?Q?Patrik_Wallstr=F6m?=) Date: Thu, 29 Oct 2009 09:18:04 +0100 Subject: [Opendnssec-develop] number of signatures generated In-Reply-To: <4AE85624.209@nlnetlabs.nl> References: <4AE85624.209@nlnetlabs.nl> Message-ID: <38C54998-71CF-4783-8222-543C66D4ED27@iis.se>

On Oct 28, 2009, at 3:33 PM, Matthijs Mekking wrote:

> Could be true, but from the source code of the signer it looks pretty
> straight-forward: created_sigs++ after hsm_sign_rrset and
> removed_sigs++
> when not printing current signature.
>
> Though created_sigs could be decreased when type covered is SOA.

It looks a little better now, I was a bit premature in my conclusion. I have seen much larger numbers of signatures dropped now, but I don't archive all my signed zones so I don't have the history available to me. (Since it is not logged, only the number of created signatures are logged.)

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/

From patrik.wallstrom at iis.se Thu Oct 29 08:20:16 2009
From: patrik.wallstrom at iis.se (=?iso-8859-1?Q?Patrik_Wallstr=F6m?=) Date: Thu, 29 Oct 2009 09:20:16 +0100 Subject: [Opendnssec-develop] comments in the signed file Message-ID:

We have a number of added comments in the signed zonefile. It might be useful for a small zone, but in a large zone I believe it just adds a lot of unnecessary overhead.

Examples:

se. 172800 IN RRSIG NS 5 1 172800 20091030184655 20091028181011 52338 se. JhRoDmVZYUMTjACdN4DhDENu6YHQF38LYhEdTADuaMOEFzZUgu1dpahrd2tuq2Od7vJtyZ2xtSB5Seg8Bs1M1sVRVgHTuW5ZD1E +rcvGeiKgV+yRKnUZCK3HgRWLL1lHIY +hoplieKsTWYsymI5ulRFQsqZ1Px9Hc35HIGao51k= ;{id = 52338}

0-3.se. 3600 IN DS 58458 5 2 8396798fabde22a1f6fc2966ae5a18bf744927bde512c6b984260552ee45442c ; xobon-kyvym-zupyt-vemup-cytez-supik-koroh-pyker-zetog-nonor-tanic- decor-nocad-kecah-dyryg-hacyd-syxex

I think it's ok to have it on the DNSKEY record, but for those above I really want to disable that output. It is not very useful.

What do you guys think?

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/

From jakob at kirei.se Thu Oct 29 11:27:43 2009
From: jakob at kirei.se (Jakob Schlyter) Date: Thu, 29 Oct 2009 07:27:43 -0400 Subject: [Opendnssec-develop] comments in the signed file In-Reply-To: References: Message-ID: <8C64506D-B2DB-4086-96F6-B54F0F4C1A65@kirei.se>

On 29 okt 2009, at 04.20, Patrik Wallström wrote:

> I think it's ok to have it on the DNSKEY record, but for those above I
> really want to disable that output. It is not very useful.
>
> What do you guys think?

I agree.

jakob

From matthijs at NLnetLabs.nl Thu Oct 29 11:50:18 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Thu, 29 Oct 2009 12:50:18 +0100 Subject: [Opendnssec-develop] comments in the signed file In-Reply-To: <8C64506D-B2DB-4086-96F6-B54F0F4C1A65@kirei.se> References: <8C64506D-B2DB-4086-96F6-B54F0F4C1A65@kirei.se> Message-ID: <4AE9817A.8080403@nlnetlabs.nl>

For me it is something with a low priority, the only reason I can think of is that the signed zonefile gets a bit smaller in size.

Matthijs

Jakob Schlyter wrote:
> On 29 okt 2009, at 04.20, Patrik Wallström wrote:
>
>> I think it's ok to have it on the DNSKEY record, but for those above I
>> really want to disable that output. It is not very useful.
>>
>> What do you guys think?
>
> I agree.
>
> jakob

From owner-dnssec-trac at kirei.se Thu Oct 29 11:59:20 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 29 Oct 2009 11:59:20 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #46: Vanishing records Message-ID: <042.a41e53f6fb5e272058ea3d3b82de95b1@kirei.se>

#46: Vanishing records
-------------------+--------------------------------------------------------
 Reporter:  sion   |       Owner:  matthijs
     Type:  defect |      Status:  new
 Priority:  major  |   Component:  Signer
  Version:  trunk  |    Keywords:
-------------------+--------------------------------------------------------
Take a simple zone, e.g.:

;
$ORIGIN tom.
$TTL 86400
@ IN SOA bubbles.tom root.bubbles.tom (
        5 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        1 ) ; Negative Cache TTL
;
@ IN NS bubbles
bubbles IN A 10.5.1.110
www IN A 10.5.1.100
www2 IN A 10.5.1.101
www3 IN A 10.5.1.100
www4 IN A 10.5.1.100
www5 IN A 10.5.1.100
www6 IN A 10.5.1.103

and sign it. (We are using NSEC3.)

delete the 3 rows www3 -> www5

call "ods-signer sign tom"

the auditor returns a message along the lines of:

Output zone does not contain non-DNSSEC RRSet : A, www6.tom.#01186400#011IN#011A#01110.5.1.103

which is correct, the output zone is missing that record.

If we call "ods-signer sign tom" again the problem seems to get fixed.

Note that if we do the same with a large zone, lots of records vanish. Then if we call sign again a smaller subset of those vanish; until, on repeating often enough the zone will be correct.

This is with trunk r2363

From owner-dnssec-trac at kirei.se Thu Oct 29 13:16:12 2009
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 29 Oct 2009 13:16:12 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #46: Vanishing records In-Reply-To: <042.a41e53f6fb5e272058ea3d3b82de95b1@kirei.se> References: <042.a41e53f6fb5e272058ea3d3b82de95b1@kirei.se> Message-ID: <051.752a24ce4bb4233c212808a52d38259e@kirei.se> #46: Vanishing records -------------------+-------------------------------------------------------- Reporter: sion | Owner: matthijs Type: defect | Status: accepted Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------+-------------------------------------------------------- Changes (by matthijs): * status: new => accepted Comment: Tried it but works for me. (r2365) -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Thu Oct 29 15:32:03 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 29 Oct 2009 15:32:03 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #46: Vanishing records In-Reply-To: <042.a41e53f6fb5e272058ea3d3b82de95b1@kirei.se> References: <042.a41e53f6fb5e272058ea3d3b82de95b1@kirei.se> Message-ID: <051.e578c87efa9de6eb388078036ec78ca0@kirei.se> #46: Vanishing records -------------------+-------------------------------------------------------- Reporter: sion | Owner: matthijs Type: defect | Status: accepted Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------+-------------------------------------------------------- Comment(by sion): It stopped working here too, after doing a ksmutil setup. So on a hunch we put the old salt back into the signconf file. The issue came back... So, with the zone as sent previously and the rest of kasp.xml as per the sample, the following salt: 1 5 a8c113e3bd8b364b shows the issue. Whereas if we change the salt to be "5a6e8fdfef5e9336" the issue goes away. (At least for the deletes detailed in the initial report.) -- Ticket URL: OpenDNSSEC OpenDNSSEC From rickard.bellgrim at iis.se Thu Oct 29 16:23:17 2009 
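Added example (not from the ticket and not OpenDNSSEC code): the NSEC3 salt determines every hashed owner name and therefore the order of the NSEC3 chain, so a reproduction of ticket #46 has to pin the salt. This computes RFC 5155 hashes and the resulting chain for the ticket's owner names under both reported salts; reading "1 5 a8c113e3bd8b364b" as hash algorithm 1 (SHA-1), 5 iterations and the salt is an assumption, and the function names are made up here.

```python
"""RFC 5155 NSEC3 owner hashes and chain order for a list of owner names."""
import base64
import hashlib

# base32 (RFC 4648 section 6) -> base32hex (section 7) alphabet mapping.
_B32_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                 b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Owner names of the zone quoted in the ticket.
ZONE_NAMES = ["tom.", "bubbles.tom.", "www.tom.", "www2.tom.", "www3.tom.",
              "www4.tom.", "www5.tom.", "www6.tom."]
DELETED = {"www3.tom.", "www4.tom.", "www5.tom."}

# Assumption: parameters as read from the ticket comment (see lead-in).
ITERATIONS = 5
SALT_FAILING = "a8c113e3bd8b364b"
SALT_PASSING = "5a6e8fdfef5e9336"


def wire_name(name):
    """Canonical (lower-case) DNS wire format of a fully qualified name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue  # the root name has no labels
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """IH(salt, name, iterations) from RFC 5155 section 5, as base32hex."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_B32HEX).decode().lower()


def nsec3_chain(names, salt_hex, iterations):
    """Return [(hash, name, next_hash)] sorted by hash; last wraps to first."""
    hashed = sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)
    return [(h, n, hashed[(i + 1) % len(hashed)][0])
            for i, (h, n) in enumerate(hashed)]


def chain_order(names, salt_hex, iterations):
    """Owner names in the order their hashes appear in the chain."""
    return [n for _, n, _ in nsec3_chain(names, salt_hex, iterations)]


if __name__ == "__main__":
    remaining = [n for n in ZONE_NAMES if n not in DELETED]
    for salt in (SALT_FAILING, SALT_PASSING):
        print("salt", salt)
        print("  before delete:", " ".join(chain_order(ZONE_NAMES, salt, ITERATIONS)))
        print("  after delete: ", " ".join(chain_order(remaining, salt, ITERATIONS)))
        for h, name, nxt in nsec3_chain(remaining, salt, ITERATIONS):
            print("    %s -> %s  (%s)" % (h, nxt, name))
```

Comparing the printed chains for the two salts shows which hashed neighbours of www6.tom. change when www3 to www5 are removed, which is the input a signer debugging session would start from.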
From: rickard.bellgrim at iis.se (Rickard Bellgrim) Date: Thu, 29 Oct 2009 17:23:17 +0100 Subject: [Opendnssec-develop] Discarding RRSIG from input zone Message-ID: <983F17705339E24699AA251B458249B51F19446FA0@EXCHANGE2K7.office.nic.se>

Hi

The requirements say that "the signer MUST discard all DNSSEC RRs (except DNSKEY RRs) from the input data."

I see that the Signer Engine is keeping the RRSIG (which does not belong to any RR). Is this a feature or a bug?

From rick at openfortress.nl Thu Oct 29 19:18:16 2009
From: rick at openfortress.nl (Rick van Rein) Date: Thu, 29 Oct 2009 19:18:16 +0000 Subject: [Opendnssec-develop] Minutes of 2009-10-23 posted Message-ID: <20091029191816.GA11675@phantom.vanrein.org>

Hello,

I just published the minutes to last week's meeting:

http://trac.opendnssec.org/wiki/Meetings/Minutes/2009-10-23

Any comments are welcome, of course.

Best,
-Rick

From matthijs at NLnetLabs.nl Fri Oct 30 08:31:52 2009
From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Fri, 30 Oct 2009 09:31:52 +0100 Subject: [Opendnssec-develop] Discarding RRSIG from input zone In-Reply-To: <983F17705339E24699AA251B458249B51F19446FA0@EXCHANGE2K7.office.nic.se> References: <983F17705339E24699AA251B458249B51F19446FA0@EXCHANGE2K7.office.nic.se> Message-ID: <4AEAA478.9080904@nlnetlabs.nl>

The only reason I can think of keeping the RRSIG is that if a zone changes ownership (from zone administrator A to B), and you want it to keep the zone secure (not drop back to unsigned), you need to publish signatures of the other party.

But in that case, only the signature of the DNSKEY RRset is necessary.

Matthijs

Rickard Bellgrim wrote:
> Hi
>
> The requirements say that "the signer MUST discard all DNSSEC RRs
> (except DNSKEY RRs) from the input data."
>
> I see that the Signer Engine is keeping the RRSIG (which does not belong
> to any RR). Is this a feature or a bug?
>

From rickard.bellgrim at iis.se Fri Oct 30 08:35:05 2009
From: rickard.bellgrim at iis.se (Rickard Bellgrim) Date: Fri, 30 Oct 2009 09:35:05 +0100 Subject: [Opendnssec-develop] Re: Meeting 20091030 In-Reply-To: <983F17705339E24699AA251B458249B50CC4998B64@EXCHANGE2K7.office.nic.se> References: <983F17705339E24699AA251B458249B50CC4998B64@EXCHANGE2K7.office.nic.se> Message-ID: <983F17705339E24699AA251B458249B51F1944701B@EXCHANGE2K7.office.nic.se> > Hi > > I think I forgot to mention that we decided to have a meeting this > Friday between 11 and 12 CET (not CEST). An agenda will come up on the > wiki soon. > > // Rickard Here is the agenda: http://trac.opendnssec.org/wiki/Meetings/Agenda/2009-10-30 From rickard.bellgrim at iis.se Fri Oct 30 08:45:34 2009 
From: rickard.bellgrim at iis.se (Rickard Bellgrim) Date: Fri, 30 Oct 2009 09:45:34 +0100 Subject: [Opendnssec-develop] Discarding RRSIG from input zone In-Reply-To: <4AEAA478.9080904@nlnetlabs.nl> References: <983F17705339E24699AA251B458249B51F19446FA0@EXCHANGE2K7.office.nic.se> <4AEAA478.9080904@nlnetlabs.nl> Message-ID: <983F17705339E24699AA251B458249B51F19447039@EXCHANGE2K7.office.nic.se> > The only reason I can think of keeping the RRSIG is that if a zone > changes ownership (from zone administrator A to B), and you want it to > keep the zone secure (not drop back to unsigned), you need to publish > signatures of the other party. > > But in that case, only the signature of the DNSKEY RRset is necessary. I am using the zone http://trac.opendnssec.org/browser/trunk/testing/zonedatatest/all.rr.org where I have an RRSIG for an A RR, which does not exist. Another interesting thing is that the Signer creates an RRSIG for this RRSIG. // Rickard From owner-dnssec-trac at kirei.se Fri Oct 30 09:28:53 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 09:28:53 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #46: Vanishing records In-Reply-To: <042.a41e53f6fb5e272058ea3d3b82de95b1@kirei.se> References: <042.a41e53f6fb5e272058ea3d3b82de95b1@kirei.se> Message-ID: <051.48f3350d344f984e17f17e98a17015e3@kirei.se> #46: Vanishing records -------------------+-------------------------------------------------------- Reporter: sion | Owner: matthijs Type: defect | Status: accepted Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------+-------------------------------------------------------- Comment(by matthijs): hm yes. The problem lies within the signer and relates to NSEC3 sorting. With that specific salt, the www2 records come after www3 in the NSEC3 sorting. However, in canonical order www2 is before www3. The signer picks this up as new data (although it is existing) and screws up the assumptions. Will investigate further. -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:01:35 2009 
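The ordering mismatch described in the ticket #46 comment above, as an added example that is not part of the original messages and is not OpenDNSSEC code: it computes the RFC 5155 NSEC3 hash and the RFC 4034 canonical order for two names and searches for a salt under which www2 sorts after www3 in the NSEC3 chain. The zone name `example.com`, the iteration count and the 2-byte salts are constructed assumptions; the ticket's actual salt is not on this page.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex alphabet (RFC 4648 section 7),
# the encoding used for NSEC3 owner names.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def labels(name):
    """Split a domain name into lowercased labels (no escape handling)."""
    return [part.lower().encode("ascii") for part in name.rstrip(".").split(".") if part]


def wire_format(name):
    """Canonical wire format: length-prefixed lowercase labels plus root label."""
    out = b""
    for label in labels(name):
        if len(label) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(label)]) + label
    return out + b"\x00"


def canonical_key(name):
    """RFC 4034 section 6.1: compare labels right to left as lowercase octets."""
    return tuple(reversed(labels(name)))


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: SHA-1(name || salt), then `iterations` extra rounds."""
    digest = hashlib.sha1(wire_format(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    encoded = base64.b32encode(digest).translate(_B32_TO_B32HEX)
    return encoded.decode("ascii").lower()


def orders(names, salt, iterations):
    """Return (canonical order, NSEC3 hashed order) for the same set of names."""
    canonical = sorted(names, key=canonical_key)
    hashed = sorted(names, key=lambda n: nsec3_hash(n, salt, iterations))
    return canonical, hashed


def first_inverting_salt(first, second, iterations, limit=65536):
    """Scan constructed 2-byte salts for one where `first` hashes after `second`."""
    for counter in range(limit):
        salt = counter.to_bytes(2, "big")
        if nsec3_hash(first, salt, iterations) > nsec3_hash(second, salt, iterations):
            return salt
    return None


if __name__ == "__main__":
    # Constructed sample names; only "www2" and "www3" come from the ticket.
    names = ["www2.example.com.", "www3.example.com."]
    salt = first_inverting_salt(names[0], names[1], iterations=5)
    canonical, hashed = orders(names, salt, iterations=5)
    print("salt     :", salt.hex())
    print("canonical:", canonical)
    print("nsec3    :", hashed)
    for n in names:
        print(nsec3_hash(n, salt, 5), n)
```

A signer that walks the zone in one order while tracking "already seen" names in the other has to key that state on the owner name itself, not on its position in the sorted list.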
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:01:35 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #44: subdomains create invalid NSEC3 records In-Reply-To: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> References: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> Message-ID: <065.c86304f5990c521857a716bdadc2d4e6@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: new Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by tom at nominet.org.uk): Ok. This turned out to be a problem with my auditor and its version of dnsruby. Apologies for thinking it was the signer :-) -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:08:30 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:08:30 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #44: subdomains create invalid NSEC3 records In-Reply-To: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> References: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> Message-ID: <065.44c000abd35b84634bc984a5339e5076@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: new Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by matthijs): No worries. Is the problem solved or is there still the issue in the auditor (e.g. can I close this report or assign it to Alex?) -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:15:09 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:15:09 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #44: subdomains create invalid NSEC3 records In-Reply-To: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> References: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> Message-ID: <065.e8c662ae8617db85c35e5ec0e699aca8@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: new Priority: major | Component: Signer Version: trunk | Resolution: Keywords: | -------------------------------+-------------------------------------------- Comment(by tom at nominet.org.uk): You can close the issue. Thanks! -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:22:21 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:22:21 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #44: subdomains create invalid NSEC3 records In-Reply-To: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> References: <056.3d190c1e101de5c2cbf3cbfe6f416aa8@kirei.se> Message-ID: <065.7962c45df522767bb166755c077e838a@kirei.se> #44: subdomains create invalid NSEC3 records -------------------------------+-------------------------------------------- Reporter: tom at nominet.org.uk | Owner: matthijs Type: defect | Status: closed Priority: major | Component: Signer Version: trunk | Resolution: invalid Keywords: | -------------------------------+-------------------------------------------- Changes (by matthijs): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:26:32 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:26:32 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #47: 2795sermilyoubofo77 2124 Message-ID: <047.cdcc3be8685588997742e70aa25d1aec@kirei.se> #47: 2795sermilyoubofo77 2124 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: new Priority: major | Component: Unknown Version: trunk | ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:27:27 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:27:27 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #48: 5875lifstandexsaycorn81 4939 Message-ID: <047.3a2da134efd622a24797fd5d35166214@kirei.se> #48: 5875lifstandexsaycorn81 4939 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: new Priority: major | Component: Unknown Version: trunk | ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:28:50 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:28:50 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #49: 5946tadentwonrefu69 2213 Message-ID: <047.140fd0c21da3822b3bdf40a6be137540@kirei.se> #49: 5946tadentwonrefu69 2213 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: new Priority: major | Component: Unknown Version: trunk | ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:29:53 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:29:53 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #50: 10prevtouchkimteman67 1529 Message-ID: <047.66f7ec9ab36d4880620f1b9327d5ca93@kirei.se> #50: 10prevtouchkimteman67 1529 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: new Priority: major | Component: Unknown Version: trunk | ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:32:37 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:32:37 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #51: 1624timscesnetzryse72 5159 Message-ID: <047.af18410fee7663f1601fdf43f9724955@kirei.se> #51: 1624timscesnetzryse72 5159 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: new Priority: major | Component: Unknown Version: trunk | ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:34:41 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:34:41 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #52: 5705sithoucozope70 5459 Message-ID: <047.ec113881252909853fbbad72b744d412@kirei.se> #52: 5705sithoucozope70 5459 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: new Priority: major | Component: Unknown Version: trunk | ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:34:51 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:34:51 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #47: 2795sermilyoubofo77 2124 In-Reply-To: <047.cdcc3be8685588997742e70aa25d1aec@kirei.se> References: <047.cdcc3be8685588997742e70aa25d1aec@kirei.se> Message-ID: <056.b8590927ca465f87181c3e5871fc9d8d@kirei.se> #47: 2795sermilyoubofo77 2124 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by rb): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:35:10 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:35:10 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #48: 5875lifstandexsaycorn81 4939 In-Reply-To: <047.3a2da134efd622a24797fd5d35166214@kirei.se> References: <047.3a2da134efd622a24797fd5d35166214@kirei.se> Message-ID: <056.15c74da3a5478a051b692442bf369e16@kirei.se> #48: 5875lifstandexsaycorn81 4939 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by rb): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:35:23 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:35:23 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #49: 5946tadentwonrefu69 2213 In-Reply-To: <047.140fd0c21da3822b3bdf40a6be137540@kirei.se> References: <047.140fd0c21da3822b3bdf40a6be137540@kirei.se> Message-ID: <056.89257548811c1ea8450ec33eba8f793f@kirei.se> #49: 5946tadentwonrefu69 2213 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by rb): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:35:35 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:35:35 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #50: 10prevtouchkimteman67 1529 In-Reply-To: <047.66f7ec9ab36d4880620f1b9327d5ca93@kirei.se> References: <047.66f7ec9ab36d4880620f1b9327d5ca93@kirei.se> Message-ID: <056.3550960e63a3b69a05f71117d2808758@kirei.se> #50: 10prevtouchkimteman67 1529 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by rb): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:36:20 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:36:20 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #53: 9248welfowohldisno91 2567 Message-ID: <047.821e8573ef7c3f08f71dd9cbe21d75f0@kirei.se> #53: 9248welfowohldisno91 2567 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: new Priority: major | Component: Unknown Version: trunk | ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:37:24 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:37:24 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #53: 9248welfowohldisno91 2567 In-Reply-To: <047.821e8573ef7c3f08f71dd9cbe21d75f0@kirei.se> References: <047.821e8573ef7c3f08f71dd9cbe21d75f0@kirei.se> Message-ID: <056.ae690fab3a179ce51979627d8f879388@kirei.se> #53: 9248welfowohldisno91 2567 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by rb): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:37:36 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:37:36 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #54: 1987footfascotwindso65 3880 Message-ID: <047.1b12ef94bd9a12fbbf6dde38160ebc42@kirei.se> #54: 1987footfascotwindso65 3880 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: new Priority: major | Component: Unknown Version: trunk | ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:37:37 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:37:37 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #51: 1624timscesnetzryse72 5159 In-Reply-To: <047.af18410fee7663f1601fdf43f9724955@kirei.se> References: <047.af18410fee7663f1601fdf43f9724955@kirei.se> Message-ID: <056.d0dc3ad91e0cc79ed64c6982caf46e20@kirei.se> #51: 1624timscesnetzryse72 5159 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by rb): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:37:50 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:37:50 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #52: 5705sithoucozope70 5459 In-Reply-To: <047.ec113881252909853fbbad72b744d412@kirei.se> References: <047.ec113881252909853fbbad72b744d412@kirei.se> Message-ID: <056.7edc414450c741a3a0bd335a0b59ffa4@kirei.se> #52: 5705sithoucozope70 5459 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by rb): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:38:52 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:38:52 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #55: 5971ccomemkoxkemark70 2619 Message-ID: <047.87626bbfd84dfe6e06dcdffbfc6fb4af@kirei.se> #55: 5971ccomemkoxkemark70 2619 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: new Priority: major | Component: Unknown Version: trunk | ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:39:25 2009 
From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:39:25 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #54: 1987footfascotwindso65 3880 In-Reply-To: <047.1b12ef94bd9a12fbbf6dde38160ebc42@kirei.se> References: <047.1b12ef94bd9a12fbbf6dde38160ebc42@kirei.se> Message-ID: <056.c2cab4b148de736b18631cd1165f92cf@kirei.se> #54: 1987footfascotwindso65 3880 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by rb): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Fri Oct 30 11:39:41 2009 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Fri, 30 Oct 2009 11:39:41 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #55: 5971ccomemkoxkemark70 2619 In-Reply-To: <047.87626bbfd84dfe6e06dcdffbfc6fb4af@kirei.se> References: <047.87626bbfd84dfe6e06dcdffbfc6fb4af@kirei.se> Message-ID: <056.4ee998640659a64b7009584639eac1ef@kirei.se> #55: 5971ccomemkoxkemark70 2619 ----------------------+----------------------------------------------------- Reporter: Lypepript | Owner: rb Type: task | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by rb): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From Stephen.Morris at nominet.org.uk Fri Oct 30 16:54:58 2009 
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk) Date: Fri, 30 Oct 2009 16:54:58 +0000 Subject: [Opendnssec-develop] Minutes of teleconference, 2009-10-30 Message-ID: Now available on the wiki: http://trac.opendnssec.org/wiki/Meetings/Minutes/2009-10-30 Stephen