From rickard.bellgrim at iis.se Wed Dec 1 08:39:59 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 1 Dec 2010 09:39:59 +0100
Subject: [Opendnssec-develop] Fwd: opendnssec1.2.0rc2 small problem (revision 4225)
In-Reply-To: <4CEFA107.6000307@nlnetlabs.nl>
References: <4CEFA107.6000307@nlnetlabs.nl>
Message-ID:

On 26 nov 2010, at 12.59, Matthijs Mekking wrote:

> /usr/local/include/sqlite3.h:252: warning: ISO C90 does not support 'long long'
> /usr/local/include/sqlite3.h:253: warning: ISO C90 does not support 'long long'
> daemon_util.c: In function 'log_msg':
> daemon_util.c:266: warning: implicit declaration of function 'vsyslog'
> daemon_util.c: In function 'get_lite_lock':
> daemon_util.c:986: error: storage size of 'tv' isn't known
> daemon_util.c:1005: warning: implicit declaration of function 'select'
> daemon_util.c:986: warning: unused variable 'tv'

Are we missing some header files here?

// Rickard

From rick at openfortress.nl Wed Dec 1 13:52:34 2010
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 1 Dec 2010 13:52:34 +0000
Subject: [Opendnssec-develop] Meeting notes 2010-12-01
Message-ID: <20101201135234.GD343@phantom.vanrein.org>

Hey all,

The notes of the just-finished meeting are now online:
http://trac.opendnssec.org/wiki/Meetings/Minutes/2010-12-01

Cheers,
 -Rick

From rickard.bellgrim at iis.se Wed Dec 1 14:43:58 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 1 Dec 2010 15:43:58 +0100
Subject: [Opendnssec-develop] Next Enforcer design telephone meeting
Message-ID: <49294227-8FE6-4992-B5DE-568DBD44A3AA@iis.se>

Hi

We are about to schedule (using Doodle) the next Enforcer design telephone meeting. Yuri and René will present their progress regarding the design and work plan. The design will hopefully, after this meeting, be mature enough to be presented and discussed on the OpenDNSSEC developer's list. But those who are interested are welcome to attend the telephone meeting.
Vote here: http://www.doodle.com/pvnhc8audiakkgau

// Rickard

From rickard.bellgrim at iis.se Wed Dec 1 14:45:02 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 1 Dec 2010 15:45:02 +0100
Subject: [Opendnssec-develop] Next OpenDNSSEC telephone meeting
Message-ID:

Hi

The next OpenDNSSEC telephone meeting will be on December 15th, 14:00-15:00 CET or 13:00-14:00 Nominet time.

// Rickard

From owner-dnssec-trac at kirei.se Mon Dec 6 09:05:33 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 06 Dec 2010 09:05:33 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #200: Log when a KSK has been rolled over
In-Reply-To: <078.cb551d53671d99abad86ac8e95e60460@kirei.se>
References: <078.cb551d53671d99abad86ac8e95e60460@kirei.se>
Message-ID: <087.041541a93e0af646ccafebd3f20ac517@kirei.se>

#200: Log when a KSK has been rolled over
-----------------------------------------------------+----------------------
  Reporter:  Sebastian Castro  |      Owner:  sion
      Type:  enhancement       |     Status:  accepted
  Priority:  trivial           |  Component:  Enforcer
   Version:  trunk             |   Keywords:
-----------------------------------------------------+----------------------
Changes (by sion):

 * status:  new => accepted

Comment:

The transition to active occurs when the ds-seen command is run. We have a choice: either we log this message at that time, or when the key moves from retire to dead to indicate that the rollover is complete. My preference is for the latter as the former is already a manual process; but I am happy to code it either way.
-- 
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Mon Dec 6 10:25:30 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 06 Dec 2010 10:25:30 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #202: ods-control stop hangs while stopping enforcer
In-Reply-To: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
References: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
Message-ID: <087.6adfb1e0c3d94ec210b1119879528a6a@kirei.se>

#202: ods-control stop hangs while stopping enforcer
-----------------------------------------------------+----------------------
  Reporter:  Gilles Massen  |      Owner:  sion
      Type:  defect         |     Status:  accepted
  Priority:  major          |  Component:  Enforcer
   Version:                 |   Keywords:
-----------------------------------------------------+----------------------
Changes (by sion):

 * status:  new => accepted

Old description:

> "ods-control stop" always hangs with "Stopping enforcer".
>
> While looking at ods-control, it appears that the kill -TERM `cat
> ...enforcerd.pid` stops the process, but enforcerd fails to remove
> enforcerd.pid. As a result ods-control hangs in a while loop.
>
> This is on an OpenSuse 11.3. Privileges of signer and enforcer are
> non-root (but the user has all permissions on pid and containing directory).

New description:

"ods-control stop" always hangs with "Stopping enforcer".

While looking at ods-control, it appears that the kill -TERM `cat ...enforcerd.pid` stops the process, but enforcerd fails to remove enforcerd.pid. As a result ods-control hangs in a while loop.

This is on an OpenSuse 11.3. Privileges of signer and enforcer are non-root (but the user has all permissions on pid and containing directory).

--

Comment:

I have tried to reproduce this on a 64-bit openSuse 11.3 VM with no success... There is now some extra code in the enforcer to log a message if the unlink fails, which may help determine why this happens. Could you try again with svn r4251 or higher?
From owner-dnssec-trac at kirei.se Tue Dec 7 01:47:24 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 07 Dec 2010 01:47:24 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #200: Log when a KSK has been rolled over
In-Reply-To: <078.cb551d53671d99abad86ac8e95e60460@kirei.se>
References: <078.cb551d53671d99abad86ac8e95e60460@kirei.se>
Message-ID: <087.aa6e19254f4cd2cbc1a896efa6a06bbf@kirei.se>

#200: Log when a KSK has been rolled over
-----------------------------------------------------+----------------------
  Reporter:  Sebastian Castro  |      Owner:  sion
      Type:  enhancement       |     Status:  accepted
  Priority:  trivial           |  Component:  Enforcer
   Version:  trunk             |   Keywords:
-----------------------------------------------------+----------------------
Comment (by Sebastian Castro):

My preference is for the former rather than the latter. Even being a manual process, it's up to OpenDNSSEC to know if the action has been carried out successfully.

From owner-dnssec-trac at kirei.se Tue Dec 7 09:51:04 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 07 Dec 2010 09:51:04 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #202: ods-control stop hangs while stopping enforcer
In-Reply-To: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
References: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
Message-ID: <087.28fd3563c8ec7bab8b9ca865b3cfaf38@kirei.se>

#202: ods-control stop hangs while stopping enforcer
-----------------------------------------------------+----------------------
  Reporter:  Gilles Massen  |      Owner:  sion
      Type:  defect         |     Status:  accepted
  Priority:  major          |  Component:  Enforcer
   Version:                 |   Keywords:
-----------------------------------------------------+----------------------
Comment (by Gilles Massen):

I tried r4260. Same behaviour, nothing logged. I ran the enforcerd in an strace -f, and apparently it doesn't even try to unlink enforcerd.pid.
The output from the strace after the kill -TERM is attached to this ticket. Please let me know if I can help in any way.

From owner-dnssec-trac at kirei.se Tue Dec 7 10:31:33 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 07 Dec 2010 10:31:33 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #202: ods-control stop hangs while stopping enforcer
In-Reply-To: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
References: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
Message-ID: <087.b0420789a3465a4cbd148ccfc2a5e053@kirei.se>

#202: ods-control stop hangs while stopping enforcer
-----------------------------------------------------+----------------------
  Reporter:  Gilles Massen  |      Owner:  sion
      Type:  defect         |     Status:  accepted
  Priority:  major          |  Component:  Enforcer
   Version:                 |   Keywords:
-----------------------------------------------------+----------------------
Comment (by sion):

Do you get either of the messages: "Received SIGTERM, exiting..." or "all done! hsm_close result: %d" ?

From owner-dnssec-trac at kirei.se Tue Dec 7 10:41:21 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 07 Dec 2010 10:41:21 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #202: ods-control stop hangs while stopping enforcer
In-Reply-To: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
References: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
Message-ID: <087.74204680d1d98098130af69b2bc2e5c5@kirei.se>

#202: ods-control stop hangs while stopping enforcer
-----------------------------------------------------+----------------------
  Reporter:  Gilles Massen  |      Owner:  sion
      Type:  defect         |     Status:  accepted
  Priority:  major          |  Component:  Enforcer
   Version:                 |   Keywords:
-----------------------------------------------------+----------------------
Comment (by Gilles Massen):

Replying to [comment:3 sion]:

No.
The last thing logged is:

ods-enforcerd: Sleeping for 1800 seconds

From sion at nominet.org.uk Tue Dec 7 11:49:33 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Tue, 7 Dec 2010 11:49:33 +0000
Subject: [Opendnssec-develop] DelegationSignerSubmitCommand
Message-ID: <201012071149.33839.sion@nominet.org.uk>

Morning.

I have a story in pivotal about the records that should be passed to the DelegationSignerSubmitCommand.

Currently we pass all the keys that are in use at the time that the command is called; including the old key. As the story states, this is not following our stated rollover scheme, as the old DS should be removed from the parent when the new one is introduced.

The problem with not passing the old key is that if the "--no-retire" flag is issued to the ds-seen command then the key will be left in the zone but the DS will get removed... But when the DelegationSignerSubmitCommand is called we do not know if this flag will be used or not...

So the question is, what should we do?

1) Pass all records and let the user remove the ones they don't want?
2) Pass just the new record and if the user wants the old one also they have to dig it out themselves?
3) Call DelegationSignerSubmitCommand again when ds-seen is run?
4) Something else?

My first feeling was for (1) as it is easier to drop a record than to produce it. Then I thought (2) as it is consistent with the rollover scheme that we are using... Any ideas?
Cheers,

Sion

From owner-dnssec-trac at kirei.se Tue Dec 7 15:26:47 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 07 Dec 2010 15:26:47 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #200: Log when a KSK has been rolled over
In-Reply-To: <078.cb551d53671d99abad86ac8e95e60460@kirei.se>
References: <078.cb551d53671d99abad86ac8e95e60460@kirei.se>
Message-ID: <087.debd21c615e9d8509f6287f725781dff@kirei.se>

#200: Log when a KSK has been rolled over
-----------------------------------------------------+----------------------
  Reporter:  Sebastian Castro  |       Owner:  sion
      Type:  enhancement       |      Status:  closed
  Priority:  trivial           |   Component:  Enforcer
   Version:  trunk             |  Resolution:  fixed
  Keywords:                    |
-----------------------------------------------------+----------------------
Changes (by rb):

 * status:  accepted => closed
 * resolution:  => fixed

Comment:

We are now logging:

Dec 7 15:13:20 fou ods-ksmutil: Key af47df4838d3fb80d3f8aa4bb6a880c4 made active

after the ds-seen command. See r4261

From rickard.bellgrim at iis.se Tue Dec 7 17:38:10 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 7 Dec 2010 18:38:10 +0100
Subject: [Opendnssec-develop] DelegationSignerSubmitCommand
In-Reply-To: <201012071149.33839.sion@nominet.org.uk>
References: <201012071149.33839.sion@nominet.org.uk>
Message-ID:

On 7 dec 2010, at 06.49, Sion Lloyd wrote:

> The problem with not passing the old key is that if the "--no-retire" flag is
> issued to the ds-seen command then the key will be left in the zone but the DS
> will get removed... But when the DelegationSignerSubmitCommand is called we do
> not know if this flag will be used or not...

I think we still have a confusion on what we have the --no-retire for. See the discussion from 4 March 2010.

You mention that --no-retire is for those who have overlapping KSKs. But is that even possible to do in OpenDNSSEC without hacking in the database?
So the --no-retire will only delay the current rollover until the ksk-retire is given. And since we can only have one flow of keys within the zone, then we know that the new key is what we are going to roll over to.

> So the question is, what should we do?
>
> 1) Pass all records and let the user remove the ones they don't want?
> 2) Pass just the new record and if the user wants the old one also they have
> to dig it out themselves?
> 3) Call DelegationSignerSubmitCommand again when ds-seen is run?
> 4) Something else?
>
> My first feeling was for (1) as it is easier to drop a record than to produce
> it. Then I thought (2) as it is consistent with the rollover scheme that we
> are using... Any ideas?

I think OpenDNSSEC should know what keys (DS RR) should be in the parent. And those are the ones that should be sent.

// Rickard

From sion at nominet.org.uk Wed Dec 8 15:16:00 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Wed, 8 Dec 2010 15:16:00 +0000
Subject: [Opendnssec-develop] DelegationSignerSubmitCommand
In-Reply-To:
References: <201012071149.33839.sion@nominet.org.uk>
Message-ID: <201012081516.00220.sion@nominet.org.uk>

On Tuesday 07 Dec 2010 5:38:10 pm Rickard Bellgrim wrote:
> On 7 dec 2010, at 06.49, Sion Lloyd wrote:
> > The problem with not passing the old key is that if the "--no-retire"
> > flag is issued to the ds-seen command then the key will be left in the
> > zone but the DS will get removed... But when the
> > DelegationSignerSubmitCommand is called we do not know if this flag will
> > be used or not...
>
> I think we still have a confusion on what we have the --no-retire for. See
> the discussion from 4 March 2010.
>
> You mention that --no-retire is for those who have overlapping KSKs. But is
> that even possible to do in OpenDNSSEC without hacking in the database?

If you never retire the old key it will always be used... I am not saying that this is a good idea, but it is possible.
> So the --no-retire will only delay the current rollover until the
> ksk-retire is given. And since we can only have one flow of keys within
> the zone, then we know that the new key is what we are going to roll over
> to.

If the user doesn't issue the ksk-retire command, either because they forget or because they don't want to, then they could just accumulate keys... again I am not saying that this is a good idea, just that it is possible.

Should we disable this option if it is not compatible with our rollover scheme?

> > So the question is, what should we do?
> >
> > 1) Pass all records and let the user remove the ones they don't want?
> > 2) Pass just the new record and if the user wants the old one also they
> > have to dig it out themselves?
> > 3) Call DelegationSignerSubmitCommand again when ds-seen is run?
> > 4) Something else?
> >
> > My first feeling was for (1) as it is easier to drop a record than to
> > produce it. Then I thought (2) as it is consistent with the rollover
> > scheme that we are using... Any ideas?
>
> I think OpenDNSSEC should know what keys (DS RR) should be in the
> parent. And those are the ones that should be sent.
>
> // Rickard

From rickard.bellgrim at iis.se Wed Dec 8 15:38:46 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 8 Dec 2010 16:38:46 +0100
Subject: [Opendnssec-develop] DelegationSignerSubmitCommand
In-Reply-To: <201012081516.00220.sion@nominet.org.uk>
References: <201012071149.33839.sion@nominet.org.uk> <201012081516.00220.sion@nominet.org.uk>
Message-ID: <88845CAE-1937-4C86-945A-1801FCA3A5D7@iis.se>

On 8 dec 2010, at 10.16, Sion Lloyd wrote:

>> So the --no-retire will only delay the current rollover until the
>> ksk-retire is given. And since we can only have one flow of keys within
>> the zone, then we know that the new key is what we are going to roll over
>> to.
>
> If the user doesn't issue the ksk-retire command, either because they forget
> or because they don't want to, then they could just accumulate keys... again I
> am not saying that this is a good idea, just that it is possible.
>
> Should we disable this option if it is not compatible with our rollover
> scheme?

The rollover procedures are still quite a mess. Could you perhaps propose how we should do this in a clean way, so that the DelegationSignerSubmitCommand also functions as intended?

// Rickard

From sion at nominet.org.uk Wed Dec 8 16:14:03 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Wed, 8 Dec 2010 16:14:03 +0000
Subject: [Opendnssec-develop] DelegationSignerSubmitCommand
In-Reply-To: <88845CAE-1937-4C86-945A-1801FCA3A5D7@iis.se>
References: <201012071149.33839.sion@nominet.org.uk> <201012081516.00220.sion@nominet.org.uk> <88845CAE-1937-4C86-945A-1801FCA3A5D7@iis.se>
Message-ID: <201012081614.03709.sion@nominet.org.uk>

> The rollover procedures are still quite a mess. Could you perhaps propose
> how we should do this in a clean way, so that the
> DelegationSignerSubmitCommand also functions as intended?
>

The only way I can think to make this clean is to force a pure rollover scheme on the user... This would mean disabling the no-retire flag and having the dssub command only send the new key.

Is this too draconian and restrictive though? Keep in mind that this might be the only KSK rollover scheme available for the next two releases...

Is it too late in the release to introduce a new flag or rollover option "strict" which forces this behaviour? (I think so, but will work on this if we think it is really needed.)

We could document the current situation and fix this either after the release in 1.2 or for 1.3 (which I believe will not have the new enforcer code)?
Sion

From rickard.bellgrim at iis.se Thu Dec 9 10:15:09 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Thu, 9 Dec 2010 11:15:09 +0100
Subject: [Opendnssec-develop] DelegationSignerSubmitCommand
In-Reply-To: <201012081614.03709.sion@nominet.org.uk>
References: <201012071149.33839.sion@nominet.org.uk> <201012081516.00220.sion@nominet.org.uk> <88845CAE-1937-4C86-945A-1801FCA3A5D7@iis.se> <201012081614.03709.sion@nominet.org.uk>
Message-ID: <6F37D712-E0F4-4437-B532-49E38D92D146@iis.se>

On 8 dec 2010, at 11.14, Sion Lloyd wrote:

>> The rollover procedures are still quite a mess. Could you perhaps propose
>> how we should do this in a clean way, so that the
>> DelegationSignerSubmitCommand also functions as intended?
>>
>
> The only way I can think to make this clean is to force a pure rollover scheme
> on the user... This would mean disabling the no-retire flag and having the
> dssub command only send the new key.
>
> Is this too draconian and restrictive though? Keep in mind that this might be
> the only KSK rollover scheme available for the next two releases...

What do you, Jakob, say about this?

> Is it too late in the release to introduce a new flag or rollover option
> "strict" which forces this behaviour? (I think so, but will work on this if we
> think it is really needed.)

Yeah, a new feature is too late. And another flag will confuse it even more.

> We could document the current situation and fix this either after the release
> in 1.2 or for 1.3 (which I believe will not have the new enforcer code)?

Ok, yes. The option is to fix this in 1.2 or 1.3.

Do we have any comments on this?
// Rickard

From rickard.bellgrim at iis.se Mon Dec 13 10:10:34 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 13 Dec 2010 11:10:34 +0100
Subject: [Opendnssec-develop] Next Enforcer design telephone meeting
In-Reply-To: <49294227-8FE6-4992-B5DE-568DBD44A3AA@iis.se>
References: <49294227-8FE6-4992-B5DE-568DBD44A3AA@iis.se>
Message-ID: <4F29C103-0F4C-4B58-8B25-FCA7219A7584@iis.se>

On 1 dec 2010, at 15.43, Rickard Bellgrim wrote:

> We are about to schedule (using Doodle) the next Enforcer design telephone meeting. Yuri and René will present their progress regarding the design and work plan. The design will hopefully, after this meeting, be mature enough to be presented and discussed on the OpenDNSSEC developer's list. But those who are interested are welcome to attend the telephone meeting.
>
> Vote here: http://www.doodle.com/pvnhc8audiakkgau

The meeting is scheduled for:
20th December, Monday, 15:00-16:30 CET.

The contact details will be sent to the attendees. Currently: Rickard, Roland, Yuri, and René. We can perhaps use SURFnet's teleconf system. If not, then I will send the phone number to our teleconf system.

// Rickard

From sion at nominet.org.uk Mon Dec 13 10:36:14 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Mon, 13 Dec 2010 10:36:14 +0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #202: ods-control stop hangs while stopping enforcer
In-Reply-To: <087.74204680d1d98098130af69b2bc2e5c5@kirei.se>
References: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se> <087.74204680d1d98098130af69b2bc2e5c5@kirei.se>
Message-ID: <201012131036.14448.sion@nominet.org.uk>

On Tuesday 07 Dec 2010 10:41:21 am OpenDNSSEC wrote:
> #202: ods-control stop hangs while stopping enforcer

The reason for this _might_ be that the pkcs11 provider is overwriting the signal handlers... Can anyone think of a reason not to change the SIGTERM sent by ods-control to a SIGUSR1?
Sion

From rickard.bellgrim at iis.se Mon Dec 13 10:58:22 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Mon, 13 Dec 2010 11:58:22 +0100
Subject: [Opendnssec-develop] Next OpenDNSSEC telephone meeting
In-Reply-To:
References:
Message-ID: <4F585D9D-94C7-40C4-B528-AAFF586BF670@iis.se>

On 1 dec 2010, at 15.45, Rickard Bellgrim wrote:

> The next OpenDNSSEC telephone meeting will be on December 15th, 14:00-15:00 CET or 13:00-14:00 Nominet time.

And you can find the draft agenda here:
http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-12-15

// Rickard

From rickard.bellgrim at iis.se Tue Dec 14 08:38:26 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 14 Dec 2010 09:38:26 +0100
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #202: ods-control stop hangs while stopping enforcer
In-Reply-To: <201012131036.14448.sion@nominet.org.uk>
References: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se> <087.74204680d1d98098130af69b2bc2e5c5@kirei.se> <201012131036.14448.sion@nominet.org.uk>
Message-ID: <452C8270-421F-4909-9415-432ACE46284B@iis.se>

On 13 dec 2010, at 11.36, Sion Lloyd wrote:

> The reason for this _might_ be that the pkcs11 provider is overwriting the
> signal handlers... Can anyone think of a reason not to change the SIGTERM sent
> by ods-control to a SIGUSR1?

No, I think we also could add SIGUSR1, but still handle SIGTERM. Then ods-control can send SIGUSR1.

But this will be a workaround for pkcs11 providers who hijack the SIGTERM. Could there be cases where SIGUSR1 is hijacked?
// Rickard

From rickard.bellgrim at iis.se Tue Dec 14 08:40:43 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 14 Dec 2010 09:40:43 +0100
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #202: ods-control stop hangs while stopping enforcer
In-Reply-To: <452C8270-421F-4909-9415-432ACE46284B@iis.se>
References: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se> <087.74204680d1d98098130af69b2bc2e5c5@kirei.se> <201012131036.14448.sion@nominet.org.uk> <452C8270-421F-4909-9415-432ACE46284B@iis.se>
Message-ID: <1F82D68C-7414-4B70-8148-318AA11018D5@iis.se>

On 14 dec 2010, at 09.38, Rickard Bellgrim wrote:

>> The reason for this _might_ be that the pkcs11 provider is overwriting the
>> signal handlers... Can anyone think of a reason not to change the SIGTERM sent
>> by ods-control to a SIGUSR1?
>
> No, I think we also could add SIGUSR1, but still handle SIGTERM. Then ods-control can send SIGUSR1.
>
> But this will be a workaround for pkcs11 providers who hijack the SIGTERM. Could there be cases where SIGUSR1 is hijacked?

Or initialize the signal handling after the HSM has been initialized?

// Rickard

From rickard.bellgrim at iis.se Tue Dec 14 08:55:19 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 14 Dec 2010 09:55:19 +0100
Subject: [Opendnssec-develop] DelegationSignerSubmitCommand
In-Reply-To: <6F37D712-E0F4-4437-B532-49E38D92D146@iis.se>
References: <201012071149.33839.sion@nominet.org.uk> <201012081516.00220.sion@nominet.org.uk> <88845CAE-1937-4C86-945A-1801FCA3A5D7@iis.se> <201012081614.03709.sion@nominet.org.uk> <6F37D712-E0F4-4437-B532-49E38D92D146@iis.se>
Message-ID:

On 9 dec 2010, at 11.15, Rickard Bellgrim wrote:

>>> The rollover procedures are still quite a mess. Could you perhaps propose
>>> how we should do this in a clean way, so that the
>>> DelegationSignerSubmitCommand also functions as intended?
>>>
>>
>> The only way I can think to make this clean is to force a pure rollover scheme
>> on the user...
>> This would mean disabling the no-retire flag and having the
>> dssub command only send the new key.
>>
>> Is this too draconian and restrictive though? Keep in mind that this might be
>> the only KSK rollover scheme available for the next two releases...
>
> What do you, Jakob, say about this?

After some discussion with Jakob...

Maybe it is too late to disable the no-retire flag, but we can add it to the known issues that it will break DNSSEC.

Then make sure that the DSSC will send the correct set of keys.

// Rickard

From sion at nominet.org.uk Tue Dec 14 10:32:06 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Tue, 14 Dec 2010 10:32:06 +0000
Subject: [Opendnssec-develop] DelegationSignerSubmitCommand
In-Reply-To:
References: <201012071149.33839.sion@nominet.org.uk> <6F37D712-E0F4-4437-B532-49E38D92D146@iis.se>
Message-ID: <201012141032.06708.sion@nominet.org.uk>

On Tuesday 14 Dec 2010 8:55:19 am Rickard Bellgrim wrote:
> On 9 dec 2010, at 11.15, Rickard Bellgrim wrote:
> >>> The rollover procedures are still quite a mess. Could you perhaps
> >>> propose how we should do this in a clean way, so that the
> >>> DelegationSignerSubmitCommand also functions as intended?
> >>
> >> The only way I can think to make this clean is to force a pure rollover
> >> scheme on the user... This would mean disabling the no-retire flag and
> >> having the dssub command only send the new key.
> >>
> >> Is this too draconian and restrictive though? Keep in mind that this
> >> might be the only KSK rollover scheme available for the next two
> >> releases...
> >
> > What do you, Jakob, say about this?
>
> After some discussion with Jakob...
>
> Maybe it is too late to disable the no-retire flag, but we can add it to
> the known issues that it will break DNSSEC.
>
> Then make sure that the DSSC will send the correct set of keys.

Okay. So only the new key (and any standby) will get included, and the user will have to add in the old key if they want to use no-retire.
Sion

From jakob at kirei.se Tue Dec 14 10:34:25 2010
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 14 Dec 2010 11:34:25 +0100
Subject: [Opendnssec-develop] DelegationSignerSubmitCommand
In-Reply-To: <201012141032.06708.sion@nominet.org.uk>
References: <201012071149.33839.sion@nominet.org.uk> <6F37D712-E0F4-4437-B532-49E38D92D146@iis.se> <201012141032.06708.sion@nominet.org.uk>
Message-ID: <2B5A3999-FE02-4B4D-BDB4-DB21EA7AA3C8@kirei.se>

On 14 dec 2010, at 11.32, Sion Lloyd wrote:

> Okay. So only the new key (and any standby) will get included, and the user
> will have to add in the old key if they want to use no-retire.

Correct.

	jakob

From owner-dnssec-trac at kirei.se Wed Dec 15 12:25:44 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 15 Dec 2010 12:25:44 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #202: ods-control stop hangs while stopping enforcer
In-Reply-To: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
References: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
Message-ID: <087.5024da2ecfe2f021f8e5182cae3f5c36@kirei.se>

#202: ods-control stop hangs while stopping enforcer
-----------------------------------------------------+----------------------
  Reporter:  Gilles Massen  |      Owner:  sion
      Type:  defect         |     Status:  accepted
  Priority:  major          |  Component:  Enforcer
   Version:                 |   Keywords:
-----------------------------------------------------+----------------------
Comment (by rb):

Does r4269 fix it for you?
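The header question at the top of the month (struct timeval, select() and vsyslog() undeclared in daemon_util.c) and the #202 thread above (handlers possibly overwritten by the PKCS#11 provider, pid file never removed) worked through in one added C example; this is neither OpenDNSSEC's code nor the r4269 change. hsm_open_stub, the log strings and the pid-file path used in the test are constructed for illustration.

```c
/* Added example (not OpenDNSSEC code): install signal handlers only after the
 * HSM library has initialised, verify they survived, wait with select() and
 * struct timeval, and remove the pid file on exit, logging if unlink() fails. */
#define _POSIX_C_SOURCE 200809L   /* exposes sigaction() and friends */
#include <errno.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>   /* select() */
#include <sys/time.h>     /* struct timeval (the "storage size of 'tv'" error) */
#include <syslog.h>       /* syslog() */
#include <unistd.h>       /* unlink(), getpid() */

static volatile sig_atomic_t shutdown_requested = 0;

/* vsyslog() is a BSD/GNU extension declared only under the matching
 * feature-test macro (hence the implicit-declaration warning in the build
 * log); formatting with vsnprintf() and calling POSIX syslog() avoids that. */
static void log_msg(int prio, const char *fmt, ...)
{
    char buf[512];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    syslog(prio, "%s", buf);
}

static void handle_shutdown(int sig)
{
    (void)sig;
    shutdown_requested = 1;   /* only async-signal-safe work in a handler */
}

/* Hypothetical stand-in for a PKCS#11 provider that replaces the process's
 * SIGTERM disposition while initialising (the behaviour suspected in #202). */
void hsm_open_stub(void)
{
    signal(SIGTERM, SIG_IGN);
}

/* One handler for SIGTERM and SIGUSR1, so ods-control may send either.
 * Call after the HSM has been opened, not before. No SA_RESTART, so a
 * pending select() returns EINTR instead of sleeping on. */
int install_shutdown_handlers(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = handle_shutdown;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGTERM, &sa, NULL) != 0) return -1;
    if (sigaction(SIGUSR1, &sa, NULL) != 0) return -1;
    return 0;
}

/* Query the live dispositions: 1 only if both still point at our handler.
 * Re-check after any library call that might touch signals. */
int shutdown_handlers_intact(void)
{
    static const int sigs[] = { SIGTERM, SIGUSR1 };
    struct sigaction cur;
    size_t i;
    for (i = 0; i < sizeof sigs / sizeof sigs[0]; i++) {
        if (sigaction(sigs[i], NULL, &cur) != 0) return 0;
        if (cur.sa_handler != handle_shutdown) return 0;
    }
    return 1;
}

/* Sleep up to `seconds` via select(); returns 1 once a shutdown signal has arrived. */
int wait_or_shutdown(int seconds)
{
    struct timeval tv;
    tv.tv_sec = seconds;
    tv.tv_usec = 0;
    if (select(0, NULL, NULL, NULL, &tv) < 0 && errno != EINTR)
        log_msg(LOG_ERR, "select failed: %s", strerror(errno));
    return shutdown_requested ? 1 : 0;
}

int create_pidfile(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    fprintf(f, "%ld\n", (long)getpid());
    return fclose(f) == 0 ? 0 : -1;
}

/* Say why the unlink failed; otherwise ods-control's wait loop gives no clue. */
int remove_pidfile(const char *path)
{
    if (unlink(path) != 0) {
        log_msg(LOG_ERR, "cannot unlink pid file %s: %s", path, strerror(errno));
        return -1;
    }
    return 0;
}
```

Startup order is create_pidfile, HSM open, install_shutdown_handlers, then shutdown_handlers_intact as a sanity check; remove_pidfile runs once wait_or_shutdown reports the signal.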
From owner-dnssec-trac at kirei.se Fri Dec 17 12:48:53 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 17 Dec 2010 12:48:53 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #202: ods-control stop hangs while stopping enforcer
In-Reply-To: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
References: <078.0bc6f38db41e3ffc127e60161e82a2d6@kirei.se>
Message-ID: <087.69a258f5296bc40befc8335475d9fcc5@kirei.se>

#202: ods-control stop hangs while stopping enforcer
-----------------------------------------------------+----------------------
  Reporter:  Gilles Massen  |       Owner:  sion
      Type:  defect         |      Status:  closed
  Priority:  major          |   Component:  Enforcer
   Version:                 |  Resolution:  fixed
  Keywords:                 |
-----------------------------------------------------+----------------------
Changes (by sion):

 * status:  accepted => closed
 * resolution:  => fixed

From rickard.bellgrim at iis.se Fri Dec 17 13:28:39 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Fri, 17 Dec 2010 14:28:39 +0100
Subject: [Opendnssec-develop] RC3
Message-ID:

Hi

We only have one issue left: "Dropping privileges before starting Zonefetcher". Matthijs will have time on Monday to fix this. Then we will do the RC3.

// Rickard

From Roland.vanRijswijk at surfnet.nl Mon Dec 20 08:18:02 2010
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Mon, 20 Dec 2010 09:18:02 +0100
Subject: [Opendnssec-develop] Next Enforcer design telephone meeting
In-Reply-To: <4F29C103-0F4C-4B58-8B25-FCA7219A7584@iis.se>
References: <49294227-8FE6-4992-B5DE-568DBD44A3AA@iis.se> <4F29C103-0F4C-4B58-8B25-FCA7219A7584@iis.se>
Message-ID: <2F3A8D38-BB1E-49C3-82C6-5F6053E46291@surfnet.nl>

Hi guys,

> The meeting is scheduled for:
> 20th December, Monday, 15:00-16:30 CET.
>
> The contact details will be sent to the attendees. Currently: Rickard, Roland, Yuri, and René. We can perhaps use SURFnet's teleconf system.
> If not, then I will send the phone number to our teleconf system.

Here are the conference details:

Please dial-in to our conferencing system (alas, no VoIP yet): +31-30-2040323

The conference PIN is: 030003

I will open up the lines 5 minutes before the conference starts.

Cheers,

Roland

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From jakob at kirei.se Mon Dec 20 13:53:32 2010
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 20 Dec 2010 14:53:32 +0100
Subject: [Opendnssec-develop] Next Enforcer design telephone meeting
In-Reply-To: <2F3A8D38-BB1E-49C3-82C6-5F6053E46291@surfnet.nl>
References: <49294227-8FE6-4992-B5DE-568DBD44A3AA@iis.se> <4F29C103-0F4C-4B58-8B25-FCA7219A7584@iis.se> <2F3A8D38-BB1E-49C3-82C6-5F6053E46291@surfnet.nl>
Message-ID:

I'm sorry, but I have to decline today's teleconf due to child care administrativa. I would appreciate if someone can take minutes.

	jakob

From roland.vanrijswijk at surfnet.nl Mon Dec 20 14:16:20 2010
From: roland.vanrijswijk at surfnet.nl (Roland van Rijswijk)
Date: Mon, 20 Dec 2010 15:16:20 +0100
Subject: [Opendnssec-develop] Next Enforcer design telephone meeting
In-Reply-To:
References: <49294227-8FE6-4992-B5DE-568DBD44A3AA@iis.se> <4F29C103-0F4C-4B58-8B25-FCA7219A7584@iis.se> <2F3A8D38-BB1E-49C3-82C6-5F6053E46291@surfnet.nl>
Message-ID:

I'm taking notes for you.

On 20 dec 2010, at 14:53, Jakob Schlyter wrote:

> I'm sorry, but I have to decline today's teleconf due to child care administrativa. I would appreciate if someone can take minutes.
>
> jakob
>

-- Roland M.
van Rijswijk -- SURFnet Middleware Services -- t: +31-30-2305388 -- e: roland.vanrijswijk at surfnet.nl From Roland.vanRijswijk at surfnet.nl Mon Dec 20 15:04:41 2010 From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk) Date: Mon, 20 Dec 2010 16:04:41 +0100 Subject: [Opendnssec-develop] Meeting minutes Enforcer TNG meeting 2010-12-20 Message-ID: <83AC3054-7D51-46F4-85E9-D5E21E7CBEDB@surfnet.nl> Hi guys, I've posted the meeting minutes for the Enforcer TNG meeting of today: http://trac.opendnssec.org/wiki/Meetings/Minutes/2010-12-20 Please edit the notes if you feel they are incorrect or incomplete. Cheers, Roland -- Roland M. van Rijswijk -- SURFnet Middleware Services -- t: +31-30-2305388 -- e: roland.vanrijswijk at surfnet.nl From matthijs at NLnetLabs.nl Tue Dec 21 10:02:07 2010 From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Tue, 21 Dec 2010 11:02:07 +0100 Subject: [Opendnssec-develop] key policy draft Message-ID: <4D107B1F.4020905@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I have written a key policy draft, that describes the timelines of possible key rollovers. It is largely a copy of the key timing draft. The key rollovers described in the key timing draft have been rewritten to match our current terminology (with key goals, unraveled key states, rollover considerations). I have introduced Single Type Signing Scheme (STSS) rollovers, which are a combination of ZSK and KSK rollovers. There is also some text about policy rollover: enabling and disabling dnssec, algorithm rollover and changing signing scheme. 
Best regards,
Matthijs

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJNEHsfAAoJEA8yVCPsQCW5/swH/j4eKuOXUQVzSvIkhWiD0I6K
6Tbyj9uFgSD8pfRum8WTAYgZgyqxjMS+PExkWP52mpQ+yRy045aP1GG7Ou6UGZhj
WnvpInMvLga7EE3WB6NqYSLWjqCtuRIsPgjjXCp4u6vcQqbJ+T7NvUG8g+G7xgYE
c97UG9JwK57J2RsPYh61wGjfa3X0EjikSDCIGV0rCfuJ+lz5Y/C8l2JJ/p8y2+Ps
pdeHrICl5XpKho8XmyCm0HDqUAPb6Jllk1IcATfhCH6YXEzDiQX4Aj0kqNKlM+Xb
DLT0SyHN+cn8kyMvO7cgekr29U7fB/feCT/6zpchvfZrnNAarffzWtkrDLr8clc=
=Wl9O
-----END PGP SIGNATURE-----
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: draft-mekking-dnsop-dnssec-key-policy-00.txt
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: draft-mekking-dnsop-dnssec-key-policy-00.txt.sig
Type: application/octet-stream
Size: 287 bytes
Desc: not available
URL:

From rickard.bellgrim at iis.se Tue Dec 21 12:00:02 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 21 Dec 2010 13:00:02 +0100
Subject: [Opendnssec-develop] RC3
In-Reply-To:
References:
Message-ID: <0332760D-01E7-4A75-AC24-347EBDE4F89F@iis.se>

On 17 dec 2010, at 14.28, Rickard Bellgrim wrote:

> We only have one issue left, "Dropping privileges before starting Zonefetcher". Matthijs will have time on Monday to fix this. Then we will do the RC3.

This has now been fixed by Matthijs. We are just waiting on Markus Lauer to confirm that it is working. Is there someone else who can confirm that this is working? Just so that we can do the release. (I am not running with the zonefetcher.)

// Rickard

From antoin.verschuren at sidn.nl Tue Dec 21 14:08:41 2010
From: antoin.verschuren at sidn.nl (Antoin Verschuren)
Date: Tue, 21 Dec 2010 15:08:41 +0100
Subject: [Opendnssec-develop] Introducing Nick van den Heuvel
Message-ID: <4D10B4E9.2060101@sidn.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Guys,

I'd like to introduce Nick to our team.
Nick is going to take over the OpenDNSSEC testing from Rick. Nick has been trained for the past months, and he will work with Rick to take over the testing in the next weeks. They will jointly develop and run the tests for version 1.2, and Nick will be in the lead starting next year.

During the last meeting, I could not inform you all about the status, so starting from the next meeting after the holidays, Nick will join our teleconferences to inform us all about the status of the testing.

Please welcome Nick, and Roy, can you please add Nick to the relevant mailing lists (otr, develop, user)?

--
Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl  http://www.sidn.nl/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNELTpAAoJEDqHrM883AgnnTQH/RmIqYQG0q9+NGYCkys7DInJ
qVUbt4BXg3nZQ/LRCrhhd7FvIhKrDWY4kFe/3xIX4485KbCj/kBlQ1kAAl+BgIAH
KUkzam/G9UZn6zrjWCZnxJ22dOVkg/A1gCwumKHdE4b5SietgEsMJM9OMdsUVVox
Dx14cUf3Q8RYrx+jFMY9K1Rok8iy5gauGtw9gFaB+Mg5o4aPDe476d9jUBPGg1Dd
Qv6zrB9eK92Q2JbCVDEM0mxPjDxq95U/yEKNtC5uLncQ0KrDbpomBLbhyje40sP1
y8GJu/+HdIkttXrnuKiVYOlBQDt1M+2Cb5hxo+YKeJvQcMsDZL4vY4ydAr+Y8zg=
=dzHP
-----END PGP SIGNATURE-----

From antoin.verschuren at sidn.nl Tue Dec 21 14:19:03 2010
From: antoin.verschuren at sidn.nl (Antoin Verschuren)
Date: Tue, 21 Dec 2010 15:19:03 +0100
Subject: [Opendnssec-develop] Requirements for release 1.2
Message-ID: <4D10B757.4080508@sidn.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Guys,

I'm a bit lost searching for the detailed requirements for release 1.2.
For release 1.0 and 1.1, we had detailed requirements on our wiki:
http://trac.opendnssec.org/wiki/ProjectPlan/Requirements

For release 1.2, I can only find some generic promises:
http://www.opendnssec.org/about/release-plan/
which are not sufficient when you want to do user acceptance testing.

Did I miss something, or have we developed version 1.2 without knowing what should be in there?

--
Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl  http://www.sidn.nl/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNELdXAAoJEDqHrM883AgnZZ4H/1EtjwHi4pN09+uIB/XcZj6l
jZdrY5i+DHVPUV1+0YKPqgixc2E1DeEsvZoGHIHxaTbeHhGqj71fuy/1PPCgGlz1
3CwDHveJsGveb+q4Jtwt7gd+nPZFhjOqmaQFeaq0pBT0EY9pPTsmIAExD/hqIt9d
61h6RFM80RrgLRPBkNcw+JcQXFIg83NRCElPNenrdZf/Wvvv2waS0MCZY8bWu1cW
eViQkNZeVXeK/6FW3XTcnSp7TzaO7qn6Nd4eveXbAfI7C6TKC+If5HwshspWIWgY
EMP65p+JCgPj/ghquI8JFZorx96awYptw/+Eqoi0VYx04w/Uf48Mt1ztOiqVvsw=
=sb7x
-----END PGP SIGNATURE-----

From rickard.bellgrim at iis.se Tue Dec 21 14:25:46 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 21 Dec 2010 15:25:46 +0100
Subject: [Opendnssec-develop] Requirements for release 1.2
In-Reply-To: <4D10B757.4080508@sidn.nl>
References: <4D10B757.4080508@sidn.nl>
Message-ID:

On 21 dec 2010, at 15.19, Antoin Verschuren wrote:

> I'm a bit lost searching for the detailed requirements for release 1.2.
> For release 1.0 and 1.1, we had detailed requirements on our wiki:
> http://trac.opendnssec.org/wiki/ProjectPlan/Requirements
> For release 1.2, I can only find some generic promises:
> http://www.opendnssec.org/about/release-plan/
> which are not sufficient when you want to do user acceptance testing.
>
> Did I miss something, or have we developed version 1.2 without knowing what should be in there?
For 1.2 we still have the same requirements as before, but with the addition of the items in the release plan.

// Rickard
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From antoin.verschuren at sidn.nl Tue Dec 21 14:42:16 2010
From: antoin.verschuren at sidn.nl (Antoin Verschuren)
Date: Tue, 21 Dec 2010 15:42:16 +0100
Subject: [Opendnssec-develop] Requirements for release 1.2
In-Reply-To:
References: <4D10B757.4080508@sidn.nl>
Message-ID: <4D10BCC8.2020505@sidn.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 21-12-10 15:25, Rickard Bellgrim wrote:
>
> On 21 dec 2010, at 15.19, Antoin Verschuren wrote:
>
>> I'm a bit lost searching for the detailed requirements for release 1.2.
>> For release 1.0 and 1.1, we had detailed requirements on our wiki:
>> http://trac.opendnssec.org/wiki/ProjectPlan/Requirements
>> For release 1.2, I can only find some generic promises:
>> http://www.opendnssec.org/about/release-plan/
>> which are not sufficient when you want to do user acceptance testing.
>>
>> Did I miss something, or have we developed version 1.2 without knowing
>> what should be in there?
>
> For 1.2 we still have the same requirements as before, but with the addition
> of the items in the release plan.

So could you please quantify what "improved handling" means? Should I get 6 zones with 1 key or 18 zones with 1 key?
Or how much "Performance improvements for large numbers of zones" we should get? Should it be 5 minutes faster, for how many zones?
Or how about "Log statistics in a better way"? Are no more logs also "better" logs?
It's not defined anywhere.

Can I assume:
- "Improved handling of shared keys" means: It MUST be possible to sign 50.000 zones with one key
- "Performance improvements for large numbers of zones" means: It MUST be possible to sign 50.000 zones with less than 50 records in 30 minutes?
- What is a "better way" to log statistics?
--
Antoin Verschuren
Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands
P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl  http://www.sidn.nl/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNELzIAAoJEDqHrM883AgnHyEIAIo12NI9PU/W3Y33YG1tVGHO
Qf9ouzL68fPs5AbRjAZ3dDK1TB7Mbl9LQ/rviUw/Xvt5lYxYmZscixapFe1scf4z
7HmWE8QHdKzJo5XkYdLHA5kmTCSR54FjJ37VRHRJ6lK2CJ9v2DZfa3ZATegA/b9m
KCKBI0Ml/8VO+bctRJP3Ka7pe/QHJtsFNZ2vNrY1o0uWYe6gmfYJpyl52z9FHfEN
/89/wwWcvvgxlKY9OgU9nG+ajCT8Pz4jXSGlZk/rmlDlu1KiTeBN9PlbXGBmFtqd
bCFQR5nMXvcMPIseTKr+n7ssH5W23EQ/ctpsMzWjXghBBtP+ijHZF3btZjJai84=
=nXG9
-----END PGP SIGNATURE-----

From rickard.bellgrim at iis.se Tue Dec 21 16:00:24 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 21 Dec 2010 17:00:24 +0100
Subject: [Opendnssec-develop] Requirements for release 1.2
In-Reply-To: <4D10BCC8.2020505@sidn.nl>
References: <4D10B757.4080508@sidn.nl> <4D10BCC8.2020505@sidn.nl>
Message-ID: <5F587AFD-34C2-4BB2-BAEA-E13756DB58E6@iis.se>

On 21 dec 2010, at 15.42, Antoin Verschuren wrote:

> So could you please quantify what "improved handling" means? Should I
> get 6 zones with 1 key or 18 zones with 1 key?
> Or how much "Performance improvements for large numbers of zones" we
> should get? Should it be 5 minutes faster, for how many zones?
> Or how about "Log statistics in a better way"? Are no more logs also
> "better" logs?
> It's not defined anywhere.
> Can I assume:
> - "Improved handling of shared keys" means: It MUST be possible to sign
> 50.000 zones with one key
> - "Performance improvements for large numbers of zones" means: It MUST be
> possible to sign 50.000 zones with less than 50 records in 30 minutes?
> - What is a "better way" to log statistics?

Improved handling of shared keys - It was a known issue for v1.1 that shared keys did not work so well when adding new zones.
Performance improvements for large numbers of zones - The requirement is 50 000 zones, but there are no requirements on the "user experience". Initial testing shows that we can handle around 10 000 zones.

Log statistics in a better way - The Signer Engine statistics were spread out over different syslog messages. They are now in one place.

I can also recommend reading the NEWS file. It presents what new features and bugfixes we have.
http://trac.opendnssec.org/browser/trunk/OpenDNSSEC/NEWS

Another problem is that we have no requirements on how well we should handle 50 000 zones. How responsive should the system be, etc.? So it is not all about how long it takes to sign 50 000 zones, but also how long it takes to add them, add one extra zone, update signconfs, get a new zone signed, etc.

// Rickard

From rick.zijlker at sidn.nl Wed Dec 22 10:52:54 2010
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Wed, 22 Dec 2010 10:52:54 +0000
Subject: [Opendnssec-develop] Missing exception handling by signerd when lacking permission
Message-ID:

Hi,

Back on OpenDNSSEC for this and next week. While preparing the test environment for Nick with 1.2rc2 I stumbled upon an installation error.

When starting by using "ods-control start" I received a "Can't connect() to engine" error. Apparently the signerd didn't start because of a lack of permission, but it took some debugging before we found out, since signerd pretends to be starting without problems, but afterwards the signer fails.

The location containing the slot0.db softhsm repo (/var/softhsm) was inaccessible by signerd. After changing the owner it worked without trouble. It would be nice to have exception handling by signerd when it fails on permission, and not continue starting, as it otherwise becomes hard to trace the cause of the failing signer. What do you think?

Cheers
-------------- next part --------------
An HTML attachment was scrubbed...
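The failure Rick describes (signerd appears to start, then dies because the account it runs as cannot reach /var/softhsm and the slot0.db inside it) is the kind of thing to catch before the daemon is started at all. The program below is an added example, not OpenDNSSEC or SoftHSM code: it resolves the account the signer drops privileges to and reports, from the mode bits alone, whether that account can read, write and (for directories) traverse each path it is given. The user name `opendnssec` in the usage comment is an assumed example; the paths are the ones from Rick's message.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Access classes, independent of the platform's R_OK/W_OK/X_OK values. */
#define WANT_READ  4
#define WANT_WRITE 2
#define WANT_EXEC  1

/*
 * Decide from the mode bits whether a process running as (uid, gid) gets the
 * wanted access to an object owned by (owner, group).  This is the POSIX
 * owner/group/other rule: exactly one class applies, and it is the owner
 * class whenever the uid matches, even if the group or other bits are more
 * generous.  Supplementary groups and ACLs are not consulted, so a "no" may
 * be stricter than the kernel, but a "yes" is what the daemon actually gets.
 * Root is granted read/write unconditionally and execute/search when any
 * execute bit is set.
 */
int mode_allows(mode_t mode, uid_t owner, gid_t group,
                uid_t uid, gid_t gid, int want)
{
    int granted;

    if (uid == 0) {
        granted = WANT_READ | WANT_WRITE;
        if (mode & (S_IXUSR | S_IXGRP | S_IXOTH))
            granted |= WANT_EXEC;
    } else if (uid == owner) {
        granted = (mode >> 6) & 7;
    } else if (gid == group) {
        granted = (mode >> 3) & 7;
    } else {
        granted = mode & 7;
    }
    return (granted & want) == want;
}

/*
 * Would `user` (the account the signer runs as after dropping privileges)
 * get access `want` to `path`?  Returns 1 = yes, 0 = no, -1 = unknown user
 * or stat() failure (errno is set).  Run it before starting the daemon
 * against the SoftHSM token directory and the slot database in it; for a
 * directory the caller adds WANT_EXEC, since search permission is needed to
 * reach anything inside.
 */
int check_path_access(const char *path, const char *user, int want)
{
    struct passwd *pw;
    struct stat st;

    pw = getpwnam(user);      /* also NULL where no passwd database exists */
    if (pw == NULL)
        return -1;
    if (stat(path, &st) != 0)
        return -1;
    return mode_allows(st.st_mode, st.st_uid, st.st_gid,
                       pw->pw_uid, pw->pw_gid, want);
}

/* Usage (user name assumed): preflight opendnssec /var/softhsm /var/softhsm/slot0.db */
int main(int argc, char **argv)
{
    int i, bad = 0;

    if (argc < 3) {
        fprintf(stderr, "usage: %s <user> <path>...\n", argv[0]);
        return 2;
    }
    for (i = 2; i < argc; i++) {
        struct stat st;
        int want = WANT_READ | WANT_WRITE;  /* the slot database is read and written */
        int ok;

        if (stat(argv[i], &st) == 0 && S_ISDIR(st.st_mode))
            want |= WANT_EXEC;              /* directories must be traversable */
        ok = check_path_access(argv[i], argv[1], want);
        if (ok == 1) {
            printf("ok      %s\n", argv[i]);
        } else if (ok == 0) {
            printf("DENIED  %s (user %s lacks %s access)\n", argv[i], argv[1],
                   (want & WANT_EXEC) ? "rwx" : "rw");
            bad = 1;
        } else {
            perror(argv[i]);
            bad = 1;
        }
    }
    return bad;
}
```

A DENIED line before `ods-control start` is far easier to act on than a "Can't connect() to engine" afterwards. Because the check ignores supplementary groups and ACLs, a reported denial deserves a second look with `id` and `getfacl`, while an "ok" can be trusted.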
URL:

From rick.zijlker at sidn.nl Wed Dec 22 12:07:36 2010
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Wed, 22 Dec 2010 12:07:36 +0000
Subject: [Opendnssec-develop] Strange characters in DNSKEY string in logging
Message-ID:

Hi,

At rollover, ODS shows the new DNSKEY RR in the logging screen as follows:

Dec 22 12:21:06 DEVELOPER15 ods-enforcerd: ods.#0113600#011IN#011DNSKEY#011257 3 7 AwEAAeTLVVpoTvptMD5vPCepKeuQHKGtF4yd2eUP+6RIkS4a76Ii+p0xT3Gc6dEemc3y5x5kRAwdS4Dth1dsLrhpRAb7rmS8FuNPLw7iM42HOPzGSibP6uLuEH6EkHohfC+t/bGOngzT7RrYPKX27WKa0l5q65QU4MznIVH2tA3eVLkebg+q2hrxG6c66rADPdQPRqY5txm64hb6KszlnonMoDX3Cu9JK6LwWQObUCkBe4h4WvlZ9be1ip7Lsz4zIyBWpYQ7wEi/X3IEfdsriIdLh19C2FKdLVg87PufS8uVKWW+oDfy9OoPWCtVJy81U1ZI+cXmako0OT9qLahV9M5M6xc= ;{id = 8149 (ksk), size = 2048b}

As you can see, spaces have been replaced by "#0". I don't think that is intended.

Cheers
-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rickard.bellgrim at iis.se Wed Dec 22 18:36:59 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 22 Dec 2010 19:36:59 +0100
Subject: [Opendnssec-develop] Missing exception handling by signerd when lacking permission
In-Reply-To:
References:
Message-ID:

On 22 dec 2010, at 11.52, Rick Zijlker wrote:

> When starting by using "ods-control start" I received a "Can't connect() to engine" error. Apparently the signerd didn't start because of a lack of permission, but it took some debugging before we found out, since signerd pretends to be starting without problems, but afterwards the signer fails.
>
> The location containing the slot0.db softhsm repo (/var/softhsm) was inaccessible by signerd. After changing the owner it worked without trouble. It would be nice to have exception handling by signerd when it fails on permission, and not continue starting, as it otherwise becomes hard to trace the cause of the failing signer. What do you think?
The Signer Engine did not start in this case because it could not initialize the HSM, in your case SoftHSM. SoftHSM could not be initialized because of the bad permission. But I think Matthijs can answer more on the error messages.

// Rickard

From rickard.bellgrim at iis.se Wed Dec 22 18:38:28 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 22 Dec 2010 19:38:28 +0100
Subject: [Opendnssec-develop] Strange characters in DNSKEY string in logging
In-Reply-To:
References:
Message-ID: <41542F5C-8381-4D81-8F30-2FC0AC9F94E5@iis.se>

On 22 dec 2010, at 13.07, Rick Zijlker wrote:

> Hi,
>
> At rollover, ODS shows the new DNSKEY RR in the logging screen as follows:
> Dec 22 12:21:06 DEVELOPER15 ods-enforcerd: ods.#0113600#011IN#011DNSKEY#011257 3 7 AwEAAeTLVVpoTvptMD5vPCepKeuQHKGtF4yd2eUP+6RIkS4a76Ii+p0xT3Gc6dEemc3y5x5kRAwdS4Dth1dsLrhpRAb7rmS8FuNPLw7iM42HOPzGSibP6uLuEH6EkHohfC+t/bGOngzT7RrYPKX27WKa0l5q65QU4MznIVH2tA3eVLkebg+q2hrxG6c66rADPdQPRqY5txm64hb6KszlnonMoDX3Cu9JK6LwWQObUCkBe4h4WvlZ9be1ip7Lsz4zIyBWpYQ7wEi/X3IEfdsriIdLh19C2FKdLVg87PufS8uVKWW+oDfy9OoPWCtVJy81U1ZI+cXmako0OT9qLahV9M5M6xc= ;{id = 8149 (ksk), size = 2048b}
>
> As you can see, spaces have been replaced by "#0". I don't think that is intended.

The tabs in the DNSKEY RR are converted into that format by syslog. Maybe the Enforcer should convert it into spaces?

// Rickard

From rickard.bellgrim at iis.se Thu Dec 23 09:19:36 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Thu, 23 Dec 2010 10:19:36 +0100
Subject: [Opendnssec-develop] Strange characters in DNSKEY string in logging
In-Reply-To: <41542F5C-8381-4D81-8F30-2FC0AC9F94E5@iis.se>
References: <41542F5C-8381-4D81-8F30-2FC0AC9F94E5@iis.se>
Message-ID: <0ED6F3E3-48B9-4F34-84A9-83944EB01C63@iis.se>

On 22 dec 2010, at 19.38, Rickard Bellgrim wrote:

> The tabs in the DNSKEY RR are converted into that format by syslog. Maybe the Enforcer should convert it into spaces?
Fixed in r4278

// Rickard

From rickard.bellgrim at iis.se Thu Dec 23 09:39:35 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Thu, 23 Dec 2010 10:39:35 +0100
Subject: [Opendnssec-develop] Missing exception handling by signerd when lacking permission
In-Reply-To:
References:
Message-ID: <7FE6FE6B-CE81-4570-82F4-2A9EC7A2D8D7@iis.se>

On 22 dec 2010, at 11.52, Rick Zijlker wrote:

> When starting by using "ods-control start" I received a "Can't connect() to engine" error. Apparently the signerd didn't start because of a lack of permission, but it took some debugging before we found out, since signerd pretends to be starting without problems, but afterwards the signer fails.
>
> The location containing the slot0.db softhsm repo (/var/softhsm) was inaccessible by signerd. After changing the owner it worked without trouble. It would be nice to have exception handling by signerd when it fails on permission, and not continue starting, as it otherwise becomes hard to trace the cause of the failing signer. What do you think?

I think there is nothing we can do about this in version 1.2. We need to change the behavior of the start-up sequence. But we do log to syslog, where the debug information can be found.

// Rickard

From owner-dnssec-trac at kirei.se Sun Dec 26 20:47:48 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 26 Dec 2010 20:47:48 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #203: potential format string bugs in enforcerd
Message-ID: <047.f491b11751384349ee6955beec602321@kirei.se>

#203: potential format string bugs in enforcerd
----------------------+-----------------------------------------------------
 Reporter: anonymous | Owner: sion
     Type: defect    | Status: new
 Priority: major     | Component: Enforcer
  Version: trunk     | Keywords:
----------------------+-----------------------------------------------------
There are some potential format string bugs in enforcerd, leading to potential crashes.
-- Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Mon Dec 27 10:29:48 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 27 Dec 2010 10:29:48 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #203: potential format string bugs in enforcerd
In-Reply-To: <047.f491b11751384349ee6955beec602321@kirei.se>
References: <047.f491b11751384349ee6955beec602321@kirei.se>
Message-ID: <056.d77d3c2a4b60a4ef6e1e9a292cf48966@kirei.se>

#203: potential format string bugs in enforcerd
----------------------+-----------------------------------------------------
 Reporter: anonymous | Owner: sion
     Type: defect    | Status: closed
 Priority: major     | Component: Enforcer
  Version: trunk     | Resolution: fixed
 Keywords:           |
----------------------+-----------------------------------------------------
Changes (by rb):

 * status: new => closed
 * resolution: => fixed

Comment:

Thanks, fixed in r4279

-- Ticket URL: OpenDNSSEC OpenDNSSEC
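Two of the threads above are about text from the enforcer on its way to syslog: the DNSKEY line whose tabs came back as "#011" (fixed in r4278, after Rickard suggested having the Enforcer emit spaces), and ticket #203's format string bugs (fixed in r4279). Neither revision is quoted here, so the following C is an added example of the general pattern rather than the project's code: strip control characters before logging, pass record text only as an argument to a literal format (with the gcc/clang format attribute so that -Wformat-security flags the unsafe call), and, for log readers, undo rsyslog-style "#ooo" escaping on lines logged before the fix. The sample log line is constructed after the one Rick quoted, with the key material shortened.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* Replace control characters (tab, newline, ...) in record text with a space
 * before it goes to syslog.  rsyslog's "#011" rendering of tabs then never
 * appears, and a zone name an attacker influences cannot carry a newline
 * that starts a forged log line.  Returns bytes written, excluding the NUL;
 * out is always NUL-terminated when outlen > 0. */
size_t sanitize_for_log(char *out, size_t outlen, const char *in)
{
    size_t n = 0;

    if (outlen == 0)
        return 0;
    for (; *in != '\0' && n + 1 < outlen; in++) {
        unsigned char c = (unsigned char)*in;
        out[n++] = (c < 0x20 || c == 0x7f) ? ' ' : (char)c;
    }
    out[n] = '\0';
    return n;
}

/* Single logging helper: fmt is always a literal written by the programmer.
 * The attribute makes gcc/clang type-check the arguments and, under
 * -Wformat-security, warn when a non-literal is passed as fmt. */
PRINTF_LIKE(3, 4)
int log_fmt(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* The bug class of ticket #203 is the call  log_fmt(buf, sizeof buf, rr_text)
 * with rr_text taken from the database or zone: each '%' in it is parsed as
 * a conversion and vsnprintf reads arguments that were never passed (a read
 * that crashes, or with %n a write).  Data is an argument to a literal
 * format, never the format itself: */
int log_rr(char *out, size_t outlen, const char *rr_text)
{
    char clean[1024];

    sanitize_for_log(clean, sizeof clean, rr_text);
    return log_fmt(out, outlen, "%s", clean);
}

/* For log readers facing lines written before the fix: undo the "#ooo"
 * escaping rsyslog applies to control characters on receive, so that
 * "ods.#0113600#011IN" becomes "ods.<TAB>3600<TAB>IN".  A '#' not followed
 * by exactly three octal digits is copied unchanged.  The encoding is
 * ambiguous (a literal "#011" decodes the same way), one more reason to
 * sanitise at the source.  Returns bytes written, excluding the NUL. */
size_t syslog_unescape(char *out, size_t outlen, const char *in)
{
    size_t n = 0;

    if (outlen == 0)
        return 0;
    while (*in != '\0' && n + 1 < outlen) {
        if (in[0] == '#' &&
            in[1] >= '0' && in[1] <= '3' &&
            in[2] >= '0' && in[2] <= '7' &&
            in[3] >= '0' && in[3] <= '7') {
            out[n++] = (char)(((in[1] - '0') << 6) |
                              ((in[2] - '0') << 3) |
                               (in[3] - '0'));
            in += 4;
        } else {
            out[n++] = *in++;
        }
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample after the line quoted in the thread, key shortened. */
    const char *logged = "ods.#0113600#011IN#011DNSKEY#011257 3 7 AwEAAeTLVVpo... "
                         ";{id = 8149 (ksk), size = 2048b}";
    const char *rr = "ods.\t3600\tIN\tDNSKEY\t257 3 7 AwEAAeTLVVpo... ;{id = 8149 (ksk), size = 2048b}";
    char buf[1024];

    syslog_unescape(buf, sizeof buf, logged);
    printf("decoded : %s\n", buf);
    log_rr(buf, sizeof buf, rr);
    printf("to log  : %s\n", buf);
    log_rr(buf, sizeof buf, "example.%s%n%x");   /* hostile data stays data */
    printf("hostile : %s\n", buf);
    return 0;
}
```

Compile with `-Wformat -Wformat-security` and the attribute turns the unsafe call into a build-time warning rather than a runtime crash; the sanitizer is what keeps the DNSKEY line readable in syslog regardless of the daemon's escaping settings.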