From matthijs at NLnetLabs.nl Thu Apr 1 10:46:14 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Thu, 01 Apr 2010 12:46:14 +0200
Subject: [Opendnssec-develop] v1.1 RC1
In-Reply-To:
References: <4BB31EEC.6020707@nlnetlabs.nl>
Message-ID: <4BB47976.3030606@nlnetlabs.nl>

Rickard Bellgrim wrote:
> Then only thing left before an RC1 is to test the privdrops for zonefetcher.

It's working for me, but I think someone else should test this as well.

Matthijs

From owner-dnssec-trac at kirei.se Thu Apr 1 14:05:06 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 01 Apr 2010 14:05:06 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #94: IWBN to be notified when a key rolls over
In-Reply-To: <087.a1ed4cda6b56b83f7f4d3bd7223d4f06@kirei.se>
References: <087.a1ed4cda6b56b83f7f4d3bd7223d4f06@kirei.se>
Message-ID: <096.7d2fa907bd668fc3918fb166d540bcd6@kirei.se>

#94: IWBN to be notified when a key rolls over
---------------------------------+------------------------
 Reporter:  Stéphane Bortzmeyer  |       Owner:  sion
     Type:  enhancement          |      Status:  accepted
 Priority:  minor                |   Component:  Enforcer
  Version:  trunk                |    Keywords:
---------------------------------+------------------------
Changes (by sion):

  * status:  new => accepted

Comment:

 You can now use the tag to take the DNSKEY set that should be published.
 This command could also be used to trigger your KSK rollover warning.
 I'm not sure that we will offer any more notification than this and what
 is sent to syslog. Are these two methods enough?

From owner-dnssec-trac at kirei.se Thu Apr 1 14:11:52 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 01 Apr 2010 14:11:52 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #121: Please remove db specific code from non-ksm directory
In-Reply-To: <065.19cf52fa3e60504d69b0cf80fda7b07f@kirei.se>
References: <065.19cf52fa3e60504d69b0cf80fda7b07f@kirei.se>
Message-ID: <074.8e1d6643c9ae9e9b6236aa7dc997b65f@kirei.se>

#121: Please remove db specific code from non-ksm directory
-------------------------+------------------------
 Reporter:  Ondřej Surý  |       Owner:  sion
     Type:  enhancement  |      Status:  accepted
 Priority:  minor        |   Component:  Enforcer
  Version:  trunk        |    Keywords:
-------------------------+------------------------
Changes (by sion):

  * status:  new => accepted

Comment:

 I'll schedule a task to tidy up a lot of the sql code, and include this.
 It is not likely to make v1.1 however.

From Alexd at nominet.org.uk Thu Apr 1 15:51:32 2010
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Thu, 1 Apr 2010 16:51:32 +0100
Subject: [Opendnssec-develop] Signer and binary?
Message-ID:

Hi -

It might just be me, but it looks like the signer is now failing tests
it used to pass.

For example, the record in all.rr.binary.org :

\nall.all.rr.binary.org. IN MB mb-madname.\000.example.com.

appears in my signed zone as :

nall.all.rr.binary.org. 1209600 IN MB mb-madname.\000.example.com.

Of course, the auditor complains.

Am I doing something wrong?

Thanks!

Alex.

From matthijs at NLnetLabs.nl Thu Apr 1 17:27:45 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Thu, 01 Apr 2010 19:27:45 +0200
Subject: [Opendnssec-develop] Signer and binary?
In-Reply-To:
References:
Message-ID: <4BB4D791.7080404@nlnetlabs.nl>

Hi,

RFC 1035 says

  \X where X is any character other than a digit (0-9), is used to quote
  that character so that its special meaning does not apply. For example,
  "\." can be used to place a dot character in a label.

So wireformat('\n') equals wireformat('n') and so it may convert to 'n'.

So I think the quicksorter and the rest of the signer are correct?

Matthijs

Alexd at nominet.org.uk wrote:
> Hi -
>
> It might just be me, but it looks like the signer is now failing tests
> it used to pass.
>
> For example, the record in all.rr.binary.org :
>
> \nall.all.rr.binary.org. IN MB
> mb-madname.\000.example.com.
>
> appears in my signed zone as :
>
> nall.all.rr.binary.org. 1209600 IN MB
> mb-madname.\000.example.com.
>
> Of course, the auditor complains.
>
> Am I doing something wrong?
>
> Thanks!
>
>
> Alex.

From rickard.bellgrim at iis.se Tue Apr 6 07:04:20 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 6 Apr 2010 09:04:20 +0200
Subject: [Opendnssec-develop] v1.1 RC1
In-Reply-To: <4BB47976.3030606@nlnetlabs.nl>
References: <4BB31EEC.6020707@nlnetlabs.nl> <4BB47976.3030606@nlnetlabs.nl>
Message-ID:

On 1 apr 2010, at 12.46, Matthijs Mekking wrote:

> Rickard Bellgrim wrote:
>> Then only thing left before an RC1 is to test the privdrops for zonefetcher.
>
> It's working for me, but I think someone else should test this as well.

Should we do an RC1 today?

// Rickard

From matthijs at NLnetLabs.nl Tue Apr 6 08:14:06 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Tue, 06 Apr 2010 10:14:06 +0200
Subject: [Opendnssec-develop] v1.1 RC1
In-Reply-To:
References: <4BB31EEC.6020707@nlnetlabs.nl> <4BB47976.3030606@nlnetlabs.nl>
Message-ID: <4BBAED4E.9070604@nlnetlabs.nl>

I believe there is a quicksorter issue open (filters a RR with weird but
valid owner name without logging error) and there are two more stories
to accept in the pivotal.
But I hope we can do a rc1 today.

Matthijs

Rickard Bellgrim wrote:
> On 1 apr 2010, at 12.46, Matthijs Mekking wrote:
>
>> Rickard Bellgrim wrote:
>>> Then only thing left before an RC1 is to test the privdrops for zonefetcher.
>> It's working for me, but I think someone else should test this as well.
>
> Should we do an RC1 today?
>
> // Rickard

From Stephen.Morris at nominet.org.uk Tue Apr 6 08:50:16 2010
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Tue, 6 Apr 2010 09:50:16 +0100
Subject: [Opendnssec-develop] Notes from Anaheim Meeting
Message-ID:

Apologies for the delay, but the notes from the Anaheim meeting have been
posted on the wiki - http://trac.opendnssec.org/wiki/Meetings/Minutes/2010-03-23

As always, please let me know of any errors or omissions.

Also, a reminder that we agreed at Anaheim to have a teleconference
tomorrow (7 April) at 14:00 BST/15:00 CEST.

Stephen
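
The RFC 1035 escaping rule quoted in the "Signer and binary?" thread above (`\X` quotes a non-digit character; `\DDD`, from the same section of the RFC, is a decimal octet), as an added example that is not part of any list message or of the OpenDNSSEC code. The function names are hypothetical; the two owner names are the ones from the thread.

```python
"""RFC 1035 section 5.1 escapes in domain names (added example)."""


def parse_labels(text):
    """Split a presentation-format name into its raw labels (list of bytes)."""
    if text == ".":
        return []                      # the root name has no labels
    data = text.encode("ascii")
    labels, cur, i = [], bytearray(), 0
    while i < len(data):
        c = data[i]
        if c == 0x5C:                  # backslash starts an escape
            if i + 1 >= len(data):
                raise ValueError("dangling backslash")
            nxt = data[i + 1]
            if 0x30 <= nxt <= 0x39:    # \DDD: exactly three decimal digits
                ddd = data[i + 1:i + 4]
                if len(ddd) != 3 or not ddd.isdigit():
                    raise ValueError("\\DDD needs three digits")
                value = int(ddd.decode("ascii"))
                if value > 255:
                    raise ValueError("\\DDD out of range: %d" % value)
                cur.append(value)
                i += 4
            else:                      # \X: X itself, special meaning removed
                cur.append(nxt)
                i += 2
        elif c == 0x2E:                # an unescaped dot ends the label
            if not cur:
                raise ValueError("empty label")
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(c)
            i += 1
    if cur:                            # relative name without a trailing dot
        labels.append(bytes(cur))
    return labels


def to_wire(text):
    """Wire format: one length octet per label, terminated by the root label."""
    out = bytearray()
    for label in parse_labels(text):
        if len(label) > 63:
            raise ValueError("label longer than 63 octets")
        out.append(len(label))
        out += label
    out.append(0)
    if len(out) > 255:
        raise ValueError("name longer than 255 octets")
    return bytes(out)


def to_text(labels):
    """Print labels back, escaping only what has to be escaped.

    Dots and backslashes get a backslash, non-printable octets become \\DDD.
    A redundant escape such as \\n is not reproduced, because the wire form
    does not record that it was ever there.
    """
    parts = []
    for label in labels:
        s = ""
        for b in label:
            if b in b".\\":
                s += "\\" + chr(b)
            elif 0x21 <= b <= 0x7E:
                s += chr(b)
            else:
                s += "\\%03d" % b
        parts.append(s)
    return ".".join(parts) + "."


if __name__ == "__main__":
    for name in (r"\nall.all.rr.binary.org.", r"mb-madname.\000.example.com."):
        print(name, "->", to_wire(name).hex(), "->", to_text(parse_labels(name)))
```

A comparison that works on the text of the two names reports a difference here; one that compares `to_wire()` output does not.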

From rickard.bellgrim at iis.se Tue Apr 6 09:12:22 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 6 Apr 2010 11:12:22 +0200
Subject: [Opendnssec-develop] Telephone meeting tomorrow (7 April)
Message-ID:

Hi

Sorry that I have forgotten to remind you that we have a telephone meeting tomorrow.

Date: Wednesday 7 April
Time: 15:00-16:00 CEST, 14:00-15:00 BST

Draft agenda that will be updated:
http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-04-07

// Rickard

From Alexd at nominet.org.uk Tue Apr 6 12:04:54 2010
From: Alexd at nominet.org.uk (Alexd at nominet.org.uk)
Date: Tue, 6 Apr 2010 13:04:54 +0100
Subject: [Opendnssec-develop] v1.1 RC1
In-Reply-To:
References: <4BB31EEC.6020707@nlnetlabs.nl> <4BB47976.3030606@nlnetlabs.nl>
Message-ID:

> Should we do an RC1 today?

Can I please suggest waiting until our conference tomorrow?

Thanks,

Alex.

From jakob at kirei.se Tue Apr 6 13:09:49 2010
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 6 Apr 2010 15:09:49 +0200
Subject: [Opendnssec-develop] generic opendnssec slideset
Message-ID: <6703A247-EB3F-4CD6-8199-F1F9478AF671@kirei.se>

please review docs/opendnssec-generic-slideset.key in the repo (Apple Keynote required)

jakob

From rickard.bellgrim at iis.se Tue Apr 6 13:19:03 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 6 Apr 2010 15:19:03 +0200
Subject: [Opendnssec-develop] Telephone meeting tomorrow (7 April)
In-Reply-To:
References:
Message-ID: <9CEB5287-F38E-4200-8A46-6D3DEE1CD38C@iis.se>

> Sorry that I have forgotten to remind you that we have a telephone meeting tomorrow.
>
> Date: Wednesday 7 April
>
> Draft agenda that will be updated:
> http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-04-07

Jakob wanted to reschedule the meeting one hour earlier and it was accepted by the others in the group.

New time:

Time: 14:00-15:00 CEST, 13:00-14:00 BST

// Rickard

From Antoin.Verschuren at sidn.nl Tue Apr 6 13:31:30 2010
From: Antoin.Verschuren at sidn.nl (Antoin Verschuren)
Date: Tue, 6 Apr 2010 15:31:30 +0200
Subject: [Opendnssec-develop] Telephone meeting tomorrow (7 April)
References: <9CEB5287-F38E-4200-8A46-6D3DEE1CD38C@iis.se>
Message-ID: <850A39016FA57A4887C0AA3C8085F94901F5FBCC@KAEVS1.SIDN.local>

Oops, then I can't make it, have another appointment.
I believe I was the reason it was scheduled an hour later.

Antoin Verschuren

Technical Policy Advisor
SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl xmpp:antoin at jabber.sidn.nl
http://www.sidn.nl/

> -----Original Message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org
> [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of Rickard Bellgrim
> Sent: Tuesday, April 06, 2010 3:19 PM
> To: Rickard Bellgrim
> Cc: Opendnssec-develop at lists.opendnssec.org
> Subject: Re: [Opendnssec-develop] Telephone meeting tomorrow (7 April)
>
> > Sorry that I have forgotten to remind you that we have a telephone
> > meeting tomorrow.
> >
> > Date: Wednesday 7 April
> >
> > Draft agenda that will be updated:
> > http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-04-07
>
> Jakob wanted to reschedule the meeting one hour earlier and it was
> accepted by the others in the group.
>
> New time:
>
> Time: 14:00-15:00 CEST, 13:00-14:00 BST
>
> // Rickard

From rickard.bellgrim at iis.se Tue Apr 6 14:50:03 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 6 Apr 2010 16:50:03 +0200
Subject: [Opendnssec-develop] Telephone meeting tomorrow (7 April)
In-Reply-To: <850A39016FA57A4887C0AA3C8085F94901F5FBCC@KAEVS1.SIDN.local>
References: <9CEB5287-F38E-4200-8A46-6D3DEE1CD38C@iis.se> <850A39016FA57A4887C0AA3C8085F94901F5FBCC@KAEVS1.SIDN.local>
Message-ID: <7157061D-264B-43D8-B183-5B600C8F5705@iis.se>

> Oops, then I can't make it, have another appointment.
> I believe I was the reason it was scheduled an hour later.

Ahh, yeah. Now I remember. Sorry about that. This release is for SIDN, so it might be suitable that we have you on phone.

Would you like us to move once again?

Or could you perhaps give a short summary via email of the current status from your point of view? Automated testing? That the release of 1.1 is delayed (we are now in april, but will try to release rc1 tomorrow)?

// Rickard

From sion at nominet.org.uk Tue Apr 6 15:27:25 2010
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Tue, 6 Apr 2010 16:27:25 +0100
Subject: [Opendnssec-develop] KSK Rollover Mechanism
Message-ID:

I've just noticed from the minutes of tomorrow's meeting that I am charged
with documenting the KSK rollover procedure... I think that I have updated
the wiki pages where I can, but I don't think that I have access to the
wordpress pages?

Scheduled Rollover:
1) Pre publish key in zone
2) when key is ready, prompt for DS to be submitted (a message to syslog)
   - This is where the command specified in
     conf.xml:Configuration/Enforcer/DelegationSignerSubmitCommand will be
     called. To use it prepare a script which accepts DNSKEY records on STDIN.
3) wait for DS-Seen
   - This could be scripted with something that monitors DNS and calls the
     ds-seen command... We do not provide this currently.
either
3a) old key retired in same command (by default)
or
4) --no-retire passed to ds-seen; ksk-retire used later

Emergency rollover:
1) key rollover --keytype KSK issued; old key retired and marked as
   "compromised"
2a) if there is a key in the ready state use it
or
2b) if there is a standby key waiting, publish it
or
2c) publish a new key into the zone
3) when the successor key is ready (which might involve the DS publication /
   ds-seen stuff from above) complete the rollover.

The new command "ods-ksmutil ksk-retire" takes the zone and optionally some
key identifiers as arguments. If no key identifiers are supplied then it
retires the oldest key in the zone. It will fail if there is only one active
key though.

The logic also now accounts for the first key in the zone, and does not
request the DS record to be published until the child propagation period is
over.

Sion

From Antoin.Verschuren at sidn.nl Wed Apr 7 10:16:01 2010
From: Antoin.Verschuren at sidn.nl (Antoin Verschuren)
Date: Wed, 7 Apr 2010 12:16:01 +0200
Subject: [Opendnssec-develop] Telephone meeting tomorrow (7 April)
References: <9CEB5287-F38E-4200-8A46-6D3DEE1CD38C@iis.se> <850A39016FA57A4887C0AA3C8085F94901F5FBCC@KAEVS1.SIDN.local> <7157061D-264B-43D8-B183-5B600C8F5705@iis.se>
Message-ID: <850A39016FA57A4887C0AA3C8085F94901F5FCB9@KAEVS1.SIDN.local>

Rick and Freddy will be on the call.
I will join at 14:30.

Antoin Verschuren

Technical Policy Advisor
SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500 F: +31 26 3525505 M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl xmpp:antoin at jabber.sidn.nl
http://www.sidn.nl/

> -----Original Message-----
> From: Rickard Bellgrim [mailto:rickard.bellgrim at iis.se]
> Sent: Tuesday, April 06, 2010 4:50 PM
> To: Antoin Verschuren
> Cc: Opendnssec-develop at lists.opendnssec.org
> Subject: Re: [Opendnssec-develop] Telephone meeting tomorrow (7 April)
>
> > Oops, then I can't make it, have another appointment.
> > I believe I was the reason it was scheduled an hour later.
>
> Ahh, yeah. Now I remember. Sorry about that. This release is for SIDN, so
> it might be suitable that we have you on phone.
>
> Would you like us to move once again?
>
> Or could you perhaps give a short summary via email of the current status
> from your point of view? Automated testing? That the release of 1.1 is
> delayed (we are now in april, but will try to release rc1 tomorrow)?
>
> // Rickard

From owner-dnssec-trac at kirei.se Thu Apr 8 13:20:04 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 08 Apr 2010 13:20:04 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #124: make regress doesn't fail on failed test
Message-ID: <065.3a66ae05653e35909c338589ee7ccb3e@kirei.se>

#124: make regress doesn't fail on failed test
-------------------------+------------------------
 Reporter:  Ondřej Surý  |       Owner:  rb
     Type:  defect       |      Status:  new
 Priority:  major        |   Component:  Unknown
  Version:  trunk        |    Keywords:
-------------------------+------------------------
 Hi,

 I have found that make regress doesn't fail when xmllint finds a failed
 document (I have commented out example zone from signconf.xml in default
 debian configuration).

 Attached is patch to fix that.

 Ondrej

From owner-dnssec-trac at kirei.se Thu Apr 8 13:22:04 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 08 Apr 2010 13:22:04 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #124: make regress doesn't fail on failed test
In-Reply-To: <065.3a66ae05653e35909c338589ee7ccb3e@kirei.se>
References: <065.3a66ae05653e35909c338589ee7ccb3e@kirei.se>
Message-ID: <074.6b4de616dce6362296d76d2bdaf7c02e@kirei.se>

#124: make regress doesn't fail on failed test
-------------------------+------------------------
 Reporter:  Ondřej Surý  |       Owner:  rb
     Type:  defect       |      Status:  new
 Priority:  major        |   Component:  Unknown
  Version:  trunk        |    Keywords:
-------------------------+------------------------

Comment(by Ondřej Surý):

 P.S.: Sorry, the component is conf/

From Stephen.Morris at nominet.org.uk Thu Apr 8 16:43:37 2010
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Thu, 8 Apr 2010 17:43:37 +0100
Subject: [Opendnssec-develop] Notes from meeting of 2010-04-07
Message-ID:

These can be found at
http://trac.opendnssec.org/wiki/Meetings/Minutes/2010-04-07

As always, please let me know of any errors or omissions.

Stephen

From patrik.wallstrom at iis.se Thu Apr 8 20:01:22 2010
From: patrik.wallstrom at iis.se (Patrik Wallström)
Date: Thu, 8 Apr 2010 22:01:22 +0200
Subject: [Opendnssec-develop] zonefetcher
Message-ID:

Hi!

I am just testing the 1.1beta with zonefetcher and the DelegationSignerSubmitCommand.

I configured zonelist with one zone, and the zonefetcher to receive zones from a nameserver. Start OpenDNSSEC, and waiting for magic to happen. It works fine.

I use ods-ksmutil to add another zone. This works as well, but the zone is not fetched (immediately), is this supposed to happen? How do I know when it happens?

When I restarted OpenDNSSEC, it fetched the new zone and signed it.

Also, I saw no traces of calls to DelegationSignerSubmitCommand during this process. Shouldn't new keys be submitted immediately?

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
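
A handler of the kind the "KSK Rollover Mechanism" message above describes for DelegationSignerSubmitCommand ("a script which accepts DNSKEY records on STDIN"), as an added example that is not OpenDNSSEC code: it derives the DS records a parent would be asked to publish. Assumptions: one DNSKEY per input line in zone-file presentation, owner names without escapes, only keys with the SEP flag are submitted, SHA-256 digests (RFC 4509); the function names are hypothetical and the sample keys are constructed.

```python
"""Derive DS records from DNSKEY lines on stdin (added example)."""
import base64
import hashlib
import struct
import sys

# Constructed sample input: one KSK (flags 257) and one ZSK (flags 256).
SAMPLE_INPUT = [
    "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",
    "example.com. 3600 IN DNSKEY 256 3 8 BQYHCA== ; constructed ZSK",
]


def owner_to_wire(name):
    """Canonical (lower-cased) wire form of an owner name without escapes."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def parse_dnskey(line):
    """Return (owner, flags, rdata) for a DNSKEY line, None for anything else."""
    line = line.split(";", 1)[0]                      # drop trailing comment
    tokens = line.replace("(", " ").replace(")", " ").split()
    if "DNSKEY" not in tokens:
        return None
    at = tokens.index("DNSKEY")
    if at == 0 or len(tokens) < at + 5:
        raise ValueError("malformed DNSKEY line")
    flags, protocol, algorithm = (int(t) for t in tokens[at + 1:at + 4])
    key = base64.b64decode("".join(tokens[at + 4:]), validate=True)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    return tokens[0], flags, rdata


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner, rdata):
    """DS with digest type 2: SHA-256 over canonical owner name + DNSKEY RDATA."""
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return "%s IN DS %d %d 2 %s" % (owner, key_tag(rdata), algorithm, digest)


def ds_for_ksks(lines):
    """DS records for every key in the input that carries the SEP flag."""
    records = []
    for line in lines:
        parsed = parse_dnskey(line)
        if parsed is None:
            continue
        owner, flags, rdata = parsed
        if flags & 0x0001:            # SEP bit set: treat as KSK (assumption)
            records.append(ds_record(owner, rdata))
    return records


if __name__ == "__main__":
    # Handing the result to the parent is registry-specific and left out here.
    for record in ds_for_ksks(sys.stdin):
        print(record)
```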

From sion at nominet.org.uk Fri Apr 9 07:14:21 2010
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Fri, 9 Apr 2010 08:14:21 +0100
Subject: [Opendnssec-develop] Re: DelegationSignerSubmitCommand (was zonefetcher)
In-Reply-To:
References:
Message-ID:

> Also, I saw no traces of calls to DelegationSignerSubmitCommand
> during this process. Shouldn't new keys be submitted immediately?

When a new zone is added the system will wait for the zone to propagate
before submitting DS records to the parent. I _think_ that this is correct
behaviour, if I am wrong then please let me know.

Sion

From matthijs at NLnetLabs.nl Fri Apr 9 07:21:50 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Fri, 09 Apr 2010 09:21:50 +0200
Subject: [Opendnssec-develop] zonefetcher
In-Reply-To:
References:
Message-ID: <4BBED58E.8020507@nlnetlabs.nl>

I think the zonefetcher needs to be restarted if there is a change in
the zonelist. While the signer engine daemon can handle with updates,
the zonefetcher cannot.

Therefore, ods-signer has to be restarted. This should of course be
improved.

Best regards,

Matthijs

Patrik Wallström wrote:
> Hi!
>
> I am just testing the 1.1beta with zonefetcher and the DelegationSignerSubmitCommand.
>
> I configured zonelist with one zone, and the zonefetcher to receive zones from a nameserver. Start OpenDNSSEC, and waiting for magic to happen. It works fine.
>
> I use ods-ksmutil to add another zone. This works as well, but the zone is not fetched (immediately), is this supposed to happen? How do I know when it happens?
>
> When I restarted OpenDNSSEC, it fetched the new zone and signed it.
>
> Also, I saw no traces of calls to DelegationSignerSubmitCommand during this process. Shouldn't new keys be submitted immediately?

From sion at nominet.org.uk Fri Apr 9 07:22:33 2010
From: sion at nominet.org.uk (sion at nominet.org.uk)
Date: Fri, 9 Apr 2010 08:22:33 +0100
Subject: [Opendnssec-develop] zonefetcher
In-Reply-To: <4BBED58E.8020507@nlnetlabs.nl>
References: <4BBED58E.8020507@nlnetlabs.nl>
Message-ID:

> I think the zonefetcher needs to be restarted if there is a change in
> the zonelist. While the signer engine daemon can handle with updates,
> the zonefetcher cannot.
>
> Therefore, ods-signer has to be restarted. This should of course be
> improved.

Should we make ksmutil do this at the end of a zone add command?

From matthijs at NLnetLabs.nl Fri Apr 9 07:28:23 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Fri, 09 Apr 2010 09:28:23 +0200
Subject: [Opendnssec-develop] zonefetcher
In-Reply-To:
References: <4BBED58E.8020507@nlnetlabs.nl>
Message-ID: <4BBED717.3010003@nlnetlabs.nl>

I think that may be the easiest solution for now.

Later, we should make the zonefetcher be able to update the zonelist
without the need to stop it.

Matthijs

sion at nominet.org.uk wrote:
>> I think the zonefetcher needs to be restarted if there is a change in
>> the zonelist. While the signer engine daemon can handle with updates,
>> the zonefetcher cannot.
>>
>> Therefore, ods-signer has to be restarted. This should of course be
>> improved.
>
> Should we make ksmutil do this at the end of a zone add command?

From Stephen.Morris at nominet.org.uk Fri Apr 9 09:02:30 2010
From: Stephen.Morris at nominet.org.uk (Stephen.Morris at nominet.org.uk)
Date: Fri, 9 Apr 2010 10:02:30 +0100
Subject: [Opendnssec-develop] Re: DelegationSignerSubmitCommand (was zonefetcher)
In-Reply-To:
References:
Message-ID:

sion at nominet.org.uk wrote on 09/04/2010 08:14:21:

> > Also, I saw no traces of calls to DelegationSignerSubmitCommand
> > during this process. Shouldn't new keys be submitted immediately?
>
> When a new zone is added the system will wait for the zone to propagate
> before submitting DS records to the parent. I _think_ that this is correct
> behaviour, if I am wrong then please let me know.
>
> Sion

That's the right behaviour when a key is added to the zone for the first
time: without such a delay the most pessimistic scenario is that a DS
record submitted to the parent at the same time gets published
immediately. In this case we could end up with a validating resolver
retrieving the DS record from the parent but accessing a copy of the zone
from a nameserver that has not yet received the update adding the key.
Under these circumstances the resolver would report a bogus zone.

Stephen

From owner-dnssec-trac at kirei.se Mon Apr 12 09:37:35 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 12 Apr 2010 09:37:35 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #125: Can't setuid in ods-auditor
Message-ID: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>

#125: Can't setuid in ods-auditor
----------------------------------+------------------------
 Reporter:  jaroslav.benkovsky@?  |       Owner:  alex
     Type:  defect                |      Status:  new
 Priority:  minor                 |   Component:  Auditor
  Version:  1.0.0                 |    Keywords:
----------------------------------+------------------------
 I am testing the DEB packages of OpenDNSSEC, which use
 opendnssec:opendnssec as user:group for all daemons. It appears that
 ods-auditor dies because it can't setuid, being already run setuid by
 ods-signerd. To disguise the error, it does not log anything, just writes
 to stdout:

 {{{
 Couldn't set User, Group to "opendnssec", "opendnssec" : (uninitialized constant KASPAuditor::Runner::Etc)
 }}}

 Commenting out User/Group in Auditor's config in conf.xml helps.

From owner-dnssec-trac at kirei.se Tue Apr 13 07:54:54 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 13 Apr 2010 07:54:54 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #125: Can't setuid in ods-auditor
In-Reply-To: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
References: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
Message-ID: <072.f193c024721e22f4e75126979def7413@kirei.se>

#125: Can't setuid in ods-auditor
----------------------------------+------------------------
 Reporter:  jaroslav.benkovsky@?  |       Owner:  alex
     Type:  defect                |      Status:  new
 Priority:  minor                 |   Component:  Auditor
  Version:  1.0.0                 |    Keywords:
----------------------------------+------------------------

Comment(by alex):

 Hi -

 Could you please confirm the version of Ruby you are using? ('ruby -v')

 Thanks!

 Alex.

From AlexD at nominet.org.uk Tue Apr 13 10:02:05 2010
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Tue, 13 Apr 2010 10:02:05 +0000
Subject: [Opendnssec-develop] Tests
Message-ID:

Hi -

Some of the components have unit tests which depend on some other libraries.
For example, the enforcer requires cunit, and the auditor uses timecop. I'm
not currently sure about the signer tests. Should the configure program take
an option to check for these test dependencies, should the user wish to run
the tests?

Thanks!

Alex.

From owner-dnssec-trac at kirei.se Tue Apr 13 22:34:13 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 13 Apr 2010 22:34:13 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #126: eppclient manpages are not installed
Message-ID: <055.8d09a93efae4e7413529b6da42e1b3c3@kirei.se>

#126: eppclient manpages are not installed
-------------------+------------------------
 Reporter:  tom@?  |       Owner:  rb
     Type:  defect |      Status:  new
 Priority:  major  |   Component:  Unknown
  Version:  trunk  |    Keywords:
-------------------+------------------------
 Default make install does not install eppclient/eppclientd/eppclientd.conf
 man pages. This is happening with both trunk and 1.1.0_beta version.

 Furthermore, it would be nice when eppclient(d) would emit some output when
 running the command with --help or --version, as they are installed as
 regular binaries in a standard PATH.

From owner-dnssec-trac at kirei.se Wed Apr 14 07:17:16 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 14 Apr 2010 07:17:16 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #126: eppclient manpages are not installed
In-Reply-To: <055.8d09a93efae4e7413529b6da42e1b3c3@kirei.se>
References: <055.8d09a93efae4e7413529b6da42e1b3c3@kirei.se>
Message-ID: <064.1a4f4adbb66e8b39c6f0a85d36df9105@kirei.se>

#126: eppclient manpages are not installed
-------------------+------------------------
 Reporter:  tom@?  |       Owner:  rb
     Type:  defect |      Status:  accepted
 Priority:  major  |   Component:  Unknown
  Version:  trunk  |    Keywords:
-------------------+------------------------
Changes (by rb):

  * status:  new => accepted

Comment:

 The installation of man pages is now fixed with r3188.

 I can fix the --help and --version on Friday.

From owner-dnssec-trac at kirei.se Wed Apr 14 07:22:07 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 14 Apr 2010 07:22:07 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #125: Can't setuid in ods-auditor
In-Reply-To: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
References: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
Message-ID: <072.0c8d744671bd5ca1203cc026feb5b750@kirei.se>

#125: Can't setuid in ods-auditor
----------------------------------+------------------------
 Reporter:  jaroslav.benkovsky@?  |       Owner:  alex
     Type:  defect                |      Status:  new
 Priority:  minor                 |   Component:  Auditor
  Version:  1.0.0                 |    Keywords:
----------------------------------+------------------------

Comment(by rb):

 The problem is that the Auditor cannot change GID/UID, because it is called
 by the Signer which has already dropped its privileges.

From jakob at kirei.se Wed Apr 14 09:43:24 2010
From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 14 Apr 2010 11:43:24 +0200
Subject: [Opendnssec-develop] Tests
In-Reply-To:
References:
Message-ID:

On 13 apr 2010, at 12.02, Alex Dalitz wrote:

> Some of the components have unit tests which depend on some other libraries. For example, the enforcer requires cunit, and the auditor uses timecop. I'm not currently sure about the signer tests. Should the configure program take an option to check for these test dependencies, should the user wish to run the tests?

if the tools are needed for building OpenDNSSEC, it might be good to test for them. if not we might just keep them in a separate test module?

jakob

From Alex.Dalitz at nominet.org.uk Wed Apr 14 09:46:15 2010
From: Alex.Dalitz at nominet.org.uk (Alex Dalitz)
Date: Wed, 14 Apr 2010 09:46:15 +0000
Subject: [Opendnssec-develop] Tests
In-Reply-To:
Message-ID:

>> Some of the components have unit tests which depend on some other libraries.
>> For example, the enforcer requires cunit, and the auditor uses timecop. I?m >> not currently sure about the signer tests. Should the configure program take >> an option to check for these test dependencies, should the user wish to run >> the tests? > > if the tools are needed for building OpenDNSSEC, it might be good to test for > them. if not we might just keep them in a separate test module? In fact, the auditor no longer uses timecop, so cunit is the only dependency we currently have for testing. It is not needed to build OpenDNSSEC, but is needed to run the (enforcer) unit tests (which people may well wish to run when they are available as a simple command, and extended). Alex. From rickard.bellgrim at iis.se Fri Apr 16 10:40:09 2010 From: rickard.bellgrim at iis.se (Rickard Bellgrim) Date: Fri, 16 Apr 2010 12:40:09 +0200 Subject: [Opendnssec-develop] Fwd: Ash (code sprint) References: Message-ID: Hi Yeah, but maybe we can wait until tomorrow to see how the situation evolves. // Rickard Begin forwarded message: From: Alex Dalitz > Date: 16 april 2010 09.11.45 CEST To: Rickard Bellgrim > Subject: Ash Hi Rickard - Do you think we should postpone the code sprint due to the closure of much of European air space? Thanks, Alex. -------------- next part -------------- An HTML attachment was scrubbed... URL: From rickard.bellgrim at iis.se Sat Apr 17 15:50:27 2010 From: rickard.bellgrim at iis.se (Rickard Bellgrim) Date: Sat, 17 Apr 2010 17:50:27 +0200 Subject: [Opendnssec-develop] Fwd: Ash (code sprint) In-Reply-To: References: Message-ID: <37356B06-2CDE-4C5B-8001-4E7F90066725@iis.se> Ok, so it looks like the situation is not getting better. Should we cancel the code sprint, and just have a phone call on Wednesday? Is there some way that we can make use of the Internet? // Rickard 16 apr 2010 kl. 12.40 skrev "Rickard Bellgrim" >: Hi Yeah, but maybe we can wait until tomorrow to see how the situation evolves. 
// Rickard

Begin forwarded message:

From: Alex Dalitz <Alex.Dalitz at nominet.org.uk>
Date: 16 april 2010 09.11.45 CEST
To: Rickard Bellgrim <rickard.bellgrim at iis.se>
Subject: Ash

Hi Rickard -

Do you think we should postpone the code sprint due to the closure of much of European air space?

Thanks,

Alex.

From jakob at kirei.se Sat Apr 17 18:02:41 2010
From: jakob at kirei.se (Jakob Schlyter)
Date: Sat, 17 Apr 2010 20:02:41 +0200
Subject: [Opendnssec-develop] Fwd: Ash (code sprint)
In-Reply-To: <37356B06-2CDE-4C5B-8001-4E7F90066725@iis.se>
References: <37356B06-2CDE-4C5B-8001-4E7F90066725@iis.se>
Message-ID: <1B2C9F64-287B-4647-9719-4BDDFD95BDF6@kirei.se>

When are people scheduled to fly?

-- Sent from my iPhone, hence this mail might be briefer than normal.

On 17 apr 2010, at 17.50, Rickard Bellgrim wrote:

> Ok, so it looks like the situation is not getting better. Should we
> cancel the code sprint, and just have a phone call on Wednesday? Is
> there some way that we can make use of the Internet?
>
> // Rickard
>
> 16 apr 2010 kl. 12.40 skrev "Rickard Bellgrim":
>
>> Hi
>>
>> Yeah, but maybe we can wait until tomorrow to see how the situation
>> evolves.
>>
>> // Rickard
>>
>> Begin forwarded message:
>>
>>> From: Alex Dalitz
>>> Date: 16 april 2010 09.11.45 CEST
>>> To: Rickard Bellgrim
>>> Subject: Ash
>>>
>>> Hi Rickard -
>>>
>>> Do you think we should postpone the code sprint due to the closure
>>> of much of European air space?
>>>
>>> Thanks,
>>>
>>>
>>> Alex.
>>
>>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From Stephen.Morris at nominet.org.uk Sat Apr 17 19:43:45 2010
From: Stephen.Morris at nominet.org.uk (Stephen Morris)
Date: Sat, 17 Apr 2010 19:43:45 +0000
Subject: [Opendnssec-develop] Fwd: Ash (code sprint)
In-Reply-To: <1B2C9F64-287B-4647-9719-4BDDFD95BDF6@kirei.se>
Message-ID:

On 17/04/2010 19:02, "Jakob Schlyter" wrote:

> When are people scheduled to fly?

Alex is due to fly out Monday morning.

Sion is due to fly out Monday evening. However, he has been in Barcelona this week and is still there. He has a flight back to the UK scheduled for tomorrow evening.

I was planning on attending the planning meeting on Wednesday and the R&D workshop on Thursday/Friday, so am scheduled to fly out on Tuesday afternoon.

My feeling is that unless the situation clears by tomorrow afternoon, we should cancel. If the no-fly situation persists until Sunday evening (and we should know by Sunday afternoon), Sion won't be able to get there, and it will be doubtful whether Alex's flight will get off the ground.

Stephen

From owner-dnssec-trac at kirei.se Sun Apr 18 07:37:11 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 18 Apr 2010 07:37:11 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #126: eppclient manpages are not installed
In-Reply-To: <055.8d09a93efae4e7413529b6da42e1b3c3@kirei.se>
References: <055.8d09a93efae4e7413529b6da42e1b3c3@kirei.se>
Message-ID: <064.468bc77cb7d31d5feabee86bf5333953@kirei.se>

#126: eppclient manpages are not installed
------------------------------+---------------------------------------------
Reporter: tom@? | Owner: rb
Type: defect | Status: closed
Priority: major | Component: Unknown
Version: trunk | Resolution: fixed
Keywords: |
------------------------------+---------------------------------------------
Changes (by rb):

* status: accepted => closed
* resolution: => fixed

Comment:

-h, --help, -v and --version have been added in r3211

-- Ticket URL: OpenDNSSEC OpenDNSSEC

From rickard.bellgrim at iis.se Mon Apr 19 06:28:40 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 19 Apr 2010 08:28:40 +0200
Subject: [Opendnssec-develop] Fwd: Ash (code sprint)
In-Reply-To:
References:
Message-ID: <62F32D29-F468-483C-AA6B-D02985DFB3C7@iis.se>

My feeling is that unless the situation clears by tomorrow afternoon, we should cancel. If the no-fly situation persists until Sunday evening (and we should know by Sunday afternoon), Sion won't be able to get there, and it will be doubtful whether Alex's flight will get off the ground.

The code sprint is now canceled due to the current situation. Swedish airspace is open, but Schiphol and Heathrow are still closed.

Let's have a phone meeting on Wednesday. 15-16 CEST?

// Rickard

From jakob at kirei.se Mon Apr 19 11:18:03 2010
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 19 Apr 2010 13:18:03 +0200
Subject: [Opendnssec-develop] Fwd: Ash (code sprint)
In-Reply-To: <62F32D29-F468-483C-AA6B-D02985DFB3C7@iis.se>
References: <62F32D29-F468-483C-AA6B-D02985DFB3C7@iis.se>
Message-ID:

On 19 apr 2010, at 08.28, Rickard Bellgrim wrote:

>>
>> My feeling is that unless the situation clears by tomorrow afternoon, we
>> should cancel. If the no-fly situation persists until Sunday evening (and
>> we should know by Sunday afternoon), Sion won't be able to get there, and it
>> will be doubtful whether Alex's flight will get off the ground.
>
> The code sprint is now canceled due to the current situation. Swedish airspace is open, but Schiphol and Heathrow are still closed.
>
> Let's have a phone meeting on Wednesday. 15-16 CEST?

I'd prefer 14-15 CEST if possible, as I have to leave 15.30.

j

From Stephen.Morris at nominet.org.uk Mon Apr 19 12:00:46 2010
From: Stephen.Morris at nominet.org.uk (Stephen Morris)
Date: Mon, 19 Apr 2010 12:00:46 +0000
Subject: [Opendnssec-develop] Fwd: Ash (code sprint)
In-Reply-To:
Message-ID:

I'm afraid that I won't be able to make that conference.

Stephen

On 19/04/2010 12:18, "Jakob Schlyter" wrote:

> On 19 apr 2010, at 08.28, Rickard Bellgrim wrote:
>
>>>
>>> My feeling is that unless the situation clears by tomorrow afternoon, we
>>> should cancel. If the no-fly situation persists until Sunday evening (and
>>> we should know by Sunday afternoon), Sion won't be able to get there, and it
>>> will be doubtful whether Alex's flight will get off the ground.
>>
>> The code sprint is now canceled due to the current situation. Swedish
>> airspace is open, but Schiphol and Heathrow are still closed.
>>
>> Let's have a phone meeting on Wednesday. 15-16 CEST?
>
> I'd prefer 14-15 CEST if possible, as I have to leave 15.30.
>
> j
>

From rickard.bellgrim at iis.se Mon Apr 19 14:45:45 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 19 Apr 2010 16:45:45 +0200
Subject: [Opendnssec-develop] Fwd: Ash (code sprint)
In-Reply-To:
References:
Message-ID: <85F20159-9D30-4631-ABF5-A04324A24F86@iis.se>

Hi

Let's have a Doodle about this: http://www.doodle.com/nni95nhhr4v5f4iu

// Rickard

On 19 apr 2010, at 14.00, Stephen Morris wrote:

I'm afraid that I won't be able to make that conference.

Stephen

On 19/04/2010 12:18, "Jakob Schlyter" wrote:

On 19 apr 2010, at 08.28, Rickard Bellgrim wrote:

My feeling is that unless the situation clears by tomorrow afternoon, we should cancel. If the no-fly situation persists until Sunday evening (and we should know by Sunday afternoon), Sion won't be able to get there, and it will be doubtful whether Alex's flight will get off the ground.

The code sprint is now canceled due to the current situation. Swedish airspace is open, but Schiphol and Heathrow are still closed.

Let's have a phone meeting on Wednesday. 15-16 CEST?

I'd prefer 14-15 CEST if possible, as I have to leave 15.30.

j

From rickard.bellgrim at iis.se Tue Apr 20 07:48:46 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 20 Apr 2010 09:48:46 +0200
Subject: [Opendnssec-develop] Meeting tomorrow 2010-04-21
Message-ID: <301738A6-EF73-494C-8C18-BE2687565341@iis.se>

Hi

We have now scheduled a telephone meeting for tomorrow.

Date: Wednesday 21 April
Time: 11:00-12:00 CEST, 10:00-11:00 BST

Draft agenda: http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-04-21

// Rickard

From AlexD at nominet.org.uk Thu Apr 22 15:03:03 2010
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Thu, 22 Apr 2010 15:03:03 +0000
Subject: [Opendnssec-develop] OpenDNSSEC Continuous Integration server
Message-ID:

Hi -

I'm pleased to announce the availability of a continuous integration server for OpenDNSSEC. It is my hope that we can install this on a public server somewhere, and configure it to email us whenever the build is broken.

The system downloads the latest trunk of OpenDNSSEC, and builds and installs it. The unit tests (which exist) are run, then the system is configured to sign the zones example.com and unknown.rr.org. If these zones are successfully signed, the build is declared a success. If the build is a failure, then Hudson can be configured to perform a variety of notification actions.

Old builds are kept (up to 100 by default I think). So you can look through the build history, and inspect the workspace for each build to diagnose issues - all through the browser.
So - unit test and very basic integration tests are covered. I'd really like to add to the system with more acceptance tests as we develop them. Eventually, we can rely on Hudson to perform automatic regression testing of OpenDNSSEC on a regular basis. It is currently set up to build the OpenDNSSEC trunk, but we can easily add branch tests as well.

To install a local copy, grab the latest trunk of OpenDNSSEC. Then :

    cd OpenDNSSEC/test/hudson
    make fetch
    make install
    make run

You should then be able to go to http://localhost:8080 and view the Hudson status. The config is currently set to kick off once an hour, on the hour, but that is easily changed locally by configuring the Hudson job in the browser. You can also kick off a new build by clicking the "build now" link in the OpenDNSSEC job page.

Please let me know if you have any issues, questions, suggestions, etc.

Thanks,

Alex.

From sion at nominet.org.uk Thu Apr 22 15:22:22 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Thu, 22 Apr 2010 15:22:22 +0000
Subject: [Opendnssec-develop] RE: OpenDNSSEC Continuous Integration server
In-Reply-To:
References:
Message-ID:

> Please let me know if you have any issues, questions, suggestions, etc.
> Thanks,
> Alex.

I've seen it working and it is really nice, thanks Alex. I'll try to get the enforcer unit tests playing nicely with it as soon as I can.

Sion

From owner-dnssec-trac at kirei.se Fri Apr 23 10:29:08 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 23 Apr 2010 10:29:08 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #125: Can't setuid in ods-auditor
In-Reply-To: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
References: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
Message-ID: <072.926584353249225108a7518302bbd8b6@kirei.se>

#125: Can't setuid in ods-auditor
--------------------------------------+-------------------------------------
Reporter: jaroslav.benkovsky@? | Owner: alex
Type: defect | Status: new
Priority: minor | Component: Auditor
Version: 1.0.0 | Keywords:
--------------------------------------+-------------------------------------
Comment(by alex):

Hi -

Is this still a problem? If so, could you please confirm the Ruby version number?

Thanks!

Alex.

-- Ticket URL: OpenDNSSEC OpenDNSSEC

From rickard.bellgrim at iis.se Mon Apr 26 11:50:42 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 26 Apr 2010 13:50:42 +0200
Subject: [Opendnssec-develop] Meeting 2010-04-29
Message-ID: <42841369-F499-435C-82C5-6074903400DE@iis.se>

Hi

The next telephone meeting is planned as follows:

Date: Thursday 29 April
Time: 11:00-12:00 CEST, 10:00-11:00 BST

Draft agenda: http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-04-29

// Rickard

From jakob at kirei.se Thu Apr 29 08:27:31 2010
From: jakob at kirei.se (Jakob Schlyter)
Date: Thu, 29 Apr 2010 10:27:31 +0200
Subject: [Opendnssec-develop] autoconf version?
Message-ID: <7A705543-3002-402B-97F3-2611DE77C728@kirei.se>

what version of autoconf can we rely on? we currently require 2.61, but there are features in 2.62 that might be needed for some tests.

jakob

From AlexD at nominet.org.uk Thu Apr 29 13:49:14 2010
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Thu, 29 Apr 2010 13:49:14 +0000
Subject: [Opendnssec-develop] Code sprint in Oxford?
Message-ID:

Hi -

I think we discussed a two-day code sprint, some time in late May or June (to be decided by a doodle poll). I can confirm that Nominet would be happy to host this.

Thanks,

Alex.

From rickard.bellgrim at iis.se Thu Apr 29 14:49:56 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Thu, 29 Apr 2010 16:49:56 +0200
Subject: [Opendnssec-develop] Code sprint in Oxford?
In-Reply-To:
References:
Message-ID:

I think we discussed a two-day code sprint, some time in late May or June (to be decided by a doodle poll). I can confirm that Nominet would be happy to host this.

Great! And here is the Doodle: http://www.doodle.com/chwhx4f4ztw78twg

// Rickard

From rick.zijlker at sidn.nl Thu Apr 29 15:03:27 2010
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Thu, 29 Apr 2010 17:03:27 +0200
Subject: [Opendnssec-develop] SHA-2 keys mixed up
Message-ID: <850A39016FA57A4887C0AA3C8085F949014D874F@KAEVS1.SIDN.local>

Hey,

(using RC1 SVN checkout)

When trying to sign with SHA-2 algorithms the auditor behaves strangely. It looks like he is checking for RSASHA256 RRSIG where I configured RSASHA512 and checking for RSASHA512 when I configured RSASHA256.

I used RSASHA512 (kasp algorithm 10) as KSK
I used RSASHA256 (kasp algorithm 8) as ZSK

It looks like the signing was done exactly the other way around.

"
Apr 29 16:59:41 signer1 ods-auditor[20801]: Auditor started
Apr 29 16:59:41 signer1 ods-auditor[20801]: Auditor starting on ods
Apr 29 16:59:41 signer1 ods-auditor[20801]: SOA differs : from 1000 to 1272553181
Apr 29 16:59:41 signer1 ods-auditor[20801]: Auditing ods zone : NSEC3 SIGNED
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include algorithm RSASHA256 for ods, DNSKEY, have : RSASHA512
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include algorithm RSASHA512 for ods, NS, have : RSASHA256
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include algorithm RSASHA512 for ods, MX, have : RSASHA256
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include algorithm RSASHA512 for ods, NSEC3PARAM, have : RSASHA256
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include algorithm RSASHA512 for ods, SOA, have : RSASHA256
Apr 29 16:59:41 signer1 ods-auditor[20801]: RRSIGS should include algorithm RSASHA512 for 02ku2612atoobo27ukr87quljqikihon.ods, NSEC3, have : RSASHA256
"

KASP:
"
10 PT24H SoftHSM 1 8 PT8H SoftHSM 1
"

Zone file DNSKEY records:
"
[root at signer1 ~]# more /var/opendnssec/tmp/ods.signed|grep DNSKEY
ods.
1800 IN DNSKEY 256 3 8 AwEAAbIH/ion9EQRO8Yruj5XSnSqkhAy2OaS2ktp/a+fpaiK52atk7vgnPZUjWMAlQmegdo2 Vps6z9K+SNASBBRhpqX9UouWgWb4G/GaGnOYCHT+TChb8umq8MCKxBYN1LnCQAR18QIDQONt Vv+x/3DYfnkxsDAAqaowzKxFbAJ4G7BB ;{id = 8091 (zsk), size = 1024b} ods. 1800 IN DNSKEY 256 3 8 AwEAAbRJqcRzfzDPo+uRwNL3ath1QbKr3oBhlv944TEyX8tEjK/VEcNQC5VFS/JV8jacS/Gb fnGB04Ht+JCFkJvGfAIw4LjJ9TTzZ8oy3x5XgbNhDQn4xRpMG5T7mV4Guucx+e67nX8iBwOW 2fAyNxwwoGmJx12u3k6oQsD53u432OJR ;{id = 28443 (zsk), size = 1024b} ods. 1800 IN DNSKEY 257 3 10 AwEAAbAAiotJfy/Ivw4jRhU3lD3zPUp0CmVEbDndaggAgmeGuM3Qzx+Eenz2Yy3G/UpkuNXH 6wXRKARWCT0Wyq5HQce13uVZofvqPCxoEvqvaX88Gc+/sKN/jBQlTZTAtF17PHEohk/aTs4c /CoiZwwNy7NR4B1XiTJpeMgtjgLewCWz4V7oReVcW8ogN85e4k1BKhJIdiWB0vYGqx9t0t4a 9Em3GaODZh0VAwnuQEIe7QJOP4geOF5uJ74EJGbjZ6wdecnfVM3Sf6/duNqtN8dAMJ8jEQNU NKEFpRJss5RbIdYWEvEHMH075t+Ee7zyQyG3z49rXn4AqDM7AzzTbsqChP0= ;{id = 33133 (ksk), size = 2048b} ods. 1800 IN RRSIG DNSKEY 10 1 1800 20100429190836 20100429145841 33133 ods. AjD4JFkw3hVIj8Qh0Bnqp195eCb1m9UoV6vZZfB+7q+Ma4lYG2Ltj1Hbfz81gxy0rePgRA6r ZVnJ86zUIxgEmGs8XM9VQ9RfmNCdEkNem963Hp3yYarN5kB7WwtmGV/sq55Lt1ytv6/GW0kI vXnH+vBnxLoHD2Xq5u6rHTyG7Tgwhx/2NWhLEgINEKAdlEjufbMyfM+Z+YvoYof/CxSwQzZg Ik5ff/KCbItqAMFsDYrMGf9wh2cIELUfOoUQOYOS2oHSinHrEFtG6Ko1yPgHJLJt3xkDxMZ3 EJ5bk98O+MdZH1GQTEnCoB6kL9XPYq4Ebn1T8SJHzwLVYS2hYRkJdA== ;{id = 33133} 8dqhts2b5d7cfosiksnb8baps788o74o.ods. 1200 IN NSEC3 1 0 8 9adcb9a44c6c005c 8mboqi27kmodfu4o4l6q9vv1u883recr A NS SOA MX RRSIG DNSKEY NSEC3PARAM " Am I doing something wrong here? p.s. Queensday tomorrow, so will be reading replies on Monday. Cheers, Rick -------------- next part -------------- An HTML attachment was scrubbed... 
From rickard.bellgrim at iis.se Thu Apr 29 15:20:44 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Thu, 29 Apr 2010 17:20:44 +0200
Subject: [Opendnssec-develop] SHA-2 keys mixed up
In-Reply-To: <850A39016FA57A4887C0AA3C8085F949014D874F@KAEVS1.SIDN.local>
References: <850A39016FA57A4887C0AA3C8085F949014D874F@KAEVS1.SIDN.local>
Message-ID:

It looks like the signing was done exactly the other way around.

I can confirm that the Auditor switches the algorithms around during this check. The signer does what it should.

Alex, is it possible to fix before rc2?

// Rickard

From AlexD at nominet.org.uk Thu Apr 29 15:26:09 2010
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Thu, 29 Apr 2010 15:26:09 +0000
Subject: [Opendnssec-develop] SHA-2 keys mixed up
In-Reply-To:
Message-ID:

It looks like the signing was done exactly the other way around.

I can confirm that the Auditor switches the algorithms around during this check. The signer does what it should.

Alex, is it possible to fix before rc2?

Hang on... The Auditor requirements state :

"
For each signed domain chosen for verification, the KA should check that:
1. There is an RRSIG record for each algorithm for which there is a DNSKEY RR (unless the domain is glue, an unsigned delegation or out of zone) [E]
"

In this case, there isn't an RRSIG for algorithm 8 - only one for algorithm 10. So the auditor is simply pointing that out.

Alex.

From owner-dnssec-trac at kirei.se Thu Apr 29 16:18:04 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 29 Apr 2010 16:18:04 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #127: Large SOA serial numbers are not handled properly by "signer"
Message-ID: <076.a19d373382cd63fa43f3c906215ddd4a@kirei.se>

#127: Large SOA serial numbers are not handled properly by "signer"
---------------------------------------------------+------------------------
Reporter: Anirban Mukherjee | Owner: matthijs
Type: defect | Status: new
Priority: major | Component: Signer
Version: 1.0.0 | Keywords:
---------------------------------------------------+------------------------
If the SOA serial number of the input unsigned zone is larger than {{{2^31-1}}} (0x7fffffff or 2147483647), the generated signed zone always has a serial number of {{{2^31-1}}} if "keep" or "counter" is used.

The problem seems to arise due to the use of the atol function in signer/tools/signer.c (handle_command function). Since atol converts to a signed long, its valid range limit is {{{(-)2^31 to 2^31-1}}}. A param value greater than {{{2^31 - 1}}} causes it to return LONG_MAX or {{{2^31-1}}}.

A possible fix is to use strtoul instead of atol. Although this problem is seen for SOA, in theory it could occur for all the uint32_t parameters. The attached signer.c uses strtoul instead of atol for all uint32_t variables although this may not be strictly necessary e.g. TTL should never exceed {{{2^31-1}}}.

A sample unsigned input zone with a large serial number and the corresponding signed zone with incorrect serial is also attached.
-- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Thu Apr 29 18:53:57 2010 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 29 Apr 2010 18:53:57 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #128: test Message-ID: <047.958a1108161dfa116d62303524d24f14@kirei.se> #128: test ----------------------+----------------------------------------------------- Reporter: anonymous | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Keywords: ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Thu Apr 29 18:54:29 2010 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 29 Apr 2010 18:54:29 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #129: test Message-ID: <047.60ba134f145862a9c0b2b305b2e7a12e@kirei.se> #129: test ----------------------+----------------------------------------------------- Reporter: anonymous | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Keywords: ----------------------+----------------------------------------------------- -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Thu Apr 29 18:54:44 2010 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 29 Apr 2010 18:54:44 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #129: test In-Reply-To: <047.60ba134f145862a9c0b2b305b2e7a12e@kirei.se> References: <047.60ba134f145862a9c0b2b305b2e7a12e@kirei.se> Message-ID: <056.8be37cb78f9f401ec859c5643f205efa@kirei.se> #129: test ----------------------+----------------------------------------------------- Reporter: anonymous | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: trunk | Keywords: ----------------------+----------------------------------------------------- Comment(by anonymous): test -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Thu Apr 29 
18:55:10 2010 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 29 Apr 2010 18:55:10 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #128: test In-Reply-To: <047.958a1108161dfa116d62303524d24f14@kirei.se> References: <047.958a1108161dfa116d62303524d24f14@kirei.se> Message-ID: <056.d88dd390f78792b9004e15d2d7f907b7@kirei.se> #128: test ----------------------+----------------------------------------------------- Reporter: anonymous | Owner: rb Type: defect | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by jakob): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Thu Apr 29 18:55:19 2010 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 29 Apr 2010 18:55:19 -0000 Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #129: test In-Reply-To: <047.60ba134f145862a9c0b2b305b2e7a12e@kirei.se> References: <047.60ba134f145862a9c0b2b305b2e7a12e@kirei.se> Message-ID: <056.1521492ce9ada31ce220bc228a2db893@kirei.se> #129: test ----------------------+----------------------------------------------------- Reporter: anonymous | Owner: rb Type: defect | Status: closed Priority: major | Component: Unknown Version: trunk | Resolution: invalid Keywords: | ----------------------+----------------------------------------------------- Changes (by jakob): * status: new => closed * resolution: => invalid -- Ticket URL: OpenDNSSEC OpenDNSSEC From owner-dnssec-trac at kirei.se Thu Apr 29 19:09:50 2010 From: owner-dnssec-trac at kirei.se (OpenDNSSEC) Date: Thu, 29 Apr 2010 19:09:50 -0000 Subject: [Opendnssec-develop] [OpenDNSSEC] #130: ods-ksmutil key export shows dead keys with option -e RETIRED Message-ID: <076.35cd537382034993128ec4179ffb73d8@kirei.se> #130: ods-ksmutil key export shows dead keys with option -e RETIRED 
---------------------------------------------------+------------------------ Reporter: Anirban Mukherjee | Owner: rb Type: defect | Status: new Priority: major | Component: Unknown Version: 1.0.0 | Keywords: ---------------------------------------------------+------------------------ ods-ksmutil key export -z -t ZSK -e RETIRED shows DEAD keys instead of RETIRED keys. The attached modified source file enforcer/utils/ksmutil.c appears to show the keys correctly (modifications were made on the version of the source file present in the 1.0.0 release tarball) -- Ticket URL: OpenDNSSEC OpenDNSSEC
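
Ticket #127 above reports SOA serials larger than 2^31-1 collapsing to 2^31-1 when parsed with atol, and proposes strtoul. The C sketch below is an added example, not the attached signer.c or any OpenDNSSEC code: `legacy_serial` models atol on a platform with a 32-bit long, `parse_u32` is a hypothetical strtoul-based replacement, and the sample serials are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the reported behaviour: atol() where long is 32 bits
 * saturates at LONG_MAX (2^31-1) and the result is then stored in a
 * uint32_t. strtoll plus an explicit clamp reproduces that on any
 * platform (assumption: this mirrors the parsing the ticket describes). */
uint32_t legacy_serial(const char *s)
{
    long long v = strtoll(s, NULL, 10);
    if (v > INT32_MAX) v = INT32_MAX;
    if (v < INT32_MIN) v = INT32_MIN;
    return (uint32_t)v;
}

/* Hypothetical replacement: parse a decimal uint32_t field strictly.
 * Returns 0 and stores the value on success, -1 on malformed or
 * out-of-range input, so a bad serial is rejected instead of being
 * silently rewritten. */
int parse_u32(const char *s, uint32_t *out)
{
    char *end = NULL;
    unsigned long v;

    if (s == NULL || out == NULL)
        return -1;
    /* strtoul skips whitespace and accepts a sign ("-1" wraps to
     * ULONG_MAX), so insist that the field starts with a digit. */
    if (!isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE)      /* overflowed unsigned long itself */
        return -1;
    if (*end != '\0')         /* trailing garbage such as "12abc" */
        return -1;
    if (v > UINT32_MAX)       /* 64-bit long: fits long, not uint32_t */
        return -1;
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample serials, not taken from the ticket attachment. */
    const char *samples[] = { "2010042901", "2147483647", "2147483648",
                              "3000000000", "4294967295", "4294967296",
                              "-1", "12abc", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t v = 0;
        int rc = parse_u32(samples[i], &v);

        printf("%-12s legacy=%10lu  strict=", samples[i],
               (unsigned long)legacy_serial(samples[i]));
        if (rc == 0)
            printf("%lu\n", (unsigned long)v);
        else
            printf("rejected\n");
    }
    return 0;
}
```

The range check after strtoul matters on platforms where unsigned long is 64 bits: there a value such as 4294967296 parses without ERANGE and would otherwise be truncated when stored in a uint32_t.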