[Opendnssec-develop] Overview of 1.1.1 problems
Rick van Rein
rick at openfortress.nl
Wed Aug 11 13:13:51 UTC 2010
Hello,
As requested in today's phone meeting, here is a list of the issues that SURFnet
ran into with OpenDNSSEC 1.1.1. We supplied patches for every new problem.
"incsoa"
When we decide to sign a domain, we insert OpenDNSSEC in the
path between the hidden master (the domain editor) and the
public authoritatives. Doing this for an already-published
domain means that the SOA serial number must always be incremented
by the signer. The current code does not do that. It is a bit
of a matter of taste if/how this should be done in general, or
if perhaps this should be an option, or...
Anyhow, what we supplied as a patch is in Trac #165
"async ods-control"
The use of asynchronous commands got us into trouble when we tried
to implement a thorough key backup procedure based on stopping the
KASP enforcer. We propose a synchronising variation to replace it.
Trac #168 (to be reviewed before inclusion in 1.1.2)
"pidfile"
A known bug in 1.1.1 that really confuses users is the overlap in
PID-file between enforcer daemon and zone_fetcher.
"LDNS"
The zone_fetcher can freeze if the communication with its master
runs into a bug in LDNS. The recent release of LDNS resolves
this issue and will be made a dependency for OpenDNSSEC 1.1.2.
"ods-signer exit"
Minor, but ods-signer does not report success if it succeeded.
Trac #166 solves this minor issue.
"2-phase key backup"
Presented in Trac #161.
"zone_fetcher notify"
The zone_fetcher in 1.1.1 will not reload the zonelist.xml file
when the signer is sent an update command. This meant that
changing lists of zones could not be handled.
Trac #167 resolves this.
"policy pruning"
This one is more a proposal of an improvement than a patch that
can go into the branch without further discussion; we merely
made a stab at a possible user interface by adding a command
"ods-ksmutil policy prune" to remove policies that have no
zones attached.
Trac #151 contains the corresponding patch.
It felt really good to be useful and supply code for a change ;-)
Cheers,
-Rick
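The SOA serial problem described under "incsoa" above, as an added illustration that is not part of this post or of OpenDNSSEC's own code: once a signer sits between the hidden master and the public authoritatives, every zone it emits must carry a serial strictly greater (in RFC 1982 serial arithmetic) than the one the authoritatives already hold, even when the zone editor did not bump its own serial. The function names and the choice to keep the editor's serial when it is already ahead are assumptions of this example.

```python
"""Serial bookkeeping for a signer inserted between a hidden master and
the public authoritatives. Added illustration, not OpenDNSSEC code.

RFC 1982: serials are 32-bit, wrap around, and compare with a strict
"less than half the space ahead" rule, so plain integer comparison is wrong
near the wrap point."""

from typing import Optional

SERIAL_BITS = 32
SERIAL_MAX = 1 << SERIAL_BITS          # 2**32, serials live in [0, 2**32)
HALF = 1 << (SERIAL_BITS - 1)          # 2**31, the comparison window


def serial_gt(a: int, b: int) -> bool:
    """True if a is 'greater than' b in RFC 1982 serial arithmetic."""
    a %= SERIAL_MAX
    b %= SERIAL_MAX
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(a: int, n: int) -> int:
    """RFC 1982 addition; n must be in [0, 2**31 - 1]."""
    if not 0 <= n < HALF:
        raise ValueError("increment out of range")
    return (a + n) % SERIAL_MAX


def next_signed_serial(unsigned_serial: int,
                       last_published: Optional[int]) -> int:
    """Pick the serial for the signed copy of the zone.

    - Nothing published yet: use the editor's serial as-is.
    - Editor's serial already ahead of what the public servers hold: keep it,
      so operator-visible serials stay meaningful (assumption of this example).
    - Otherwise (the 'incsoa' case: the editor did not bump, or the signer is
      re-signing the same unsigned zone): emit last_published + 1, so
      secondaries notice the change and transfer the new RRSIGs.
    """
    if last_published is None:
        return unsigned_serial % SERIAL_MAX
    if serial_gt(unsigned_serial, last_published):
        return unsigned_serial % SERIAL_MAX
    return serial_add(last_published, 1)
```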