From rick.zijlker at sidn.nl Tue Jun 1 09:57:33 2010
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Tue, 1 Jun 2010 09:57:33 +0000
Subject: [Opendnssec-develop] Serial too large
Message-ID:

Hey,

When resigning a zone which has a serial of 1000 and policy for the serial is "keep", and the zone still has that same serial, I get the following message:

Jun 1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000, output serial 1000 is too large. Aborting operation

How can an output serial be too large? On a sidenote, the zone was about to get a KSK rollover.

At earlier signing I got this message which is correct and expected:

Jun 1 11:12:11 signer1 ods-signerd: Error: serial setting is set to 'keep', but input serial has not increased. Aborting sign operation for ods

Full log:

Jun 1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at 1275384134.71 with resign time 180
Jun 1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at 1275384134.71 with resign time 180
Jun 1 11:22:14 signer1 ods-signerd: Zone ods added
Jun 1 11:22:14 signer1 ods-signerd: opening socket: /var/run/opendnssec/engine.sock
Jun 1 11:22:14 signer1 ods-signerd: Engine running
Jun 1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer starting...
Jun 1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer Parent exiting...
Jun 1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer forked OK...
Jun 1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer started (version 1.1.0rc3), pid 13521
Jun 1 11:22:14 signer1 ods-enforcerd: HSM opened successfully.
Jun 1 11:22:14 signer1 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Jun 1 11:22:14 signer1 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Jun 1 11:22:14 signer1 ods-enforcerd: Communication Interval: 1800
Jun 1 11:22:14 signer1 ods-enforcerd: No DS Submit command supplied
Jun 1 11:22:14 signer1 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Jun 1 11:22:14 signer1 ods-enforcerd: Log User set to: local0
Jun 1 11:22:14 signer1 ods-enforcerd: Switched log facility to: local0
Jun 1 11:22:14 signer1 ods-enforcerd: Connecting to Database...
Jun 1 11:22:14 signer1 ods-enforcerd: Policy default found.
Jun 1 11:22:14 signer1 ods-enforcerd: Key sharing is Off.
Jun 1 11:22:14 signer1 ods-enforcerd: Policy gradual1 found.
Jun 1 11:22:14 signer1 ods-enforcerd: Key sharing is Off.
Jun 1 11:22:14 signer1 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Jun 1 11:22:14 signer1 ods-enforcerd: Zone ods found.
Jun 1 11:22:14 signer1 ods-enforcerd: Policy for ods set to gradual1.
Jun 1 11:22:14 signer1 ods-enforcerd: Config will be output to /var/opendnssec/signconf/ods.xml.
Jun 1 11:22:15 signer1 ods-enforcerd: INFO: New DS records needed for the zone ods; details will follow
Jun 1 11:22:15 signer1 ods-enforcerd: WARNING: KSK Retirement reached; please submit the new DS for ods and use ods-ksmutil key ksk-roll to roll the key.
Jun 1 11:22:15 signer1 ods-enforcerd: No change to: /var/opendnssec/signconf/ods.xml
Jun 1 11:22:15 signer1 ods-enforcerd: DSChanged
Jun 1 11:22:15 signer1 ods-enforcerd: DS Record set has changed, the current set looks like:
Jun 1 11:22:15 signer1 ods-enforcerd: ods. 3600 IN DNSKEY 257 3 7 AwEAAdipHfA+phxY3scDd7Go/ncAJm1WDfarQAz2jjmCFgSlG9SHvDzxpXIlO/ThDMU+IXC/LRyW9tMhedDA/ZKJ9fHjd+0MCa66o7SMSS4/ATozbzLwy/ENaFjtb6jAho3w/R9MPwajiKZQ2XtXO8DwjdglFklDHJKSbXeleaMRfDLzPRpx4DZxnE1sMgTSh2j707MrCm8vjZcrZDbR53vQfHztu/VHD9vv29ji426NYg5wqC1toUUHMMBCR70jZ1KO15Ubkpwf/FXRySxCuiZuO5KUpUWYWxh342l4ZGUwsLQ+fWZ04rhwAplXrvxRrq5NEMif9csFdZJyxxibOOGWlCE= ;{id = 45856 (ksk), size = 2048b}
Jun 1 11:22:15 signer1 ods-enforcerd: ods. 3600 IN DNSKEY 257 3 7 AwEAAcNcbkEd+NhwfWk0WgVuUWJyfgBWLMwSF5ZRHD+9Sru5kRkKNXDl7IMpdiSjp/wSCFWjr2IR5/KMZe0Cf4laV63I8sJy6OWRpCF/Kk8EuDaE1T0MOP6GQkif9Fn+JUzwz/SESAMv/knY5+xwwGm4cMNuS8egmlsmUuNqnw3PqChJbLKKpDbzzBI5P98KY51kbVIdfLqMkf8X8B3y/5rc8xmBc0xhTY4ZbpP2dgm65dFeK8lCOF1FSSWwItc2qRT2jdG/60226CufjXnEeS7oChFKF0cP46ZXFRql6/3qOkfACwdVxAizWoraMU4JHp2rVvla2WmMBvhXJyDEl+xP/Qc= ;{id = 16581 (ksk), size = 2048b}
Jun 1 11:22:15 signer1 ods-enforcerd: Once the new DS records are seen in DNS please issue the ds-seen command for zone ods with the following cka_ids, b48cfc3c80e11ed41eb21ab49d7666df, 12306205b8e5aa46abb276d57544680c
Jun 1 11:22:15 signer1 ods-enforcerd: Disconnecting from Database...
Jun 1 11:22:15 signer1 ods-enforcerd: Sleeping for 1800 seconds.
Jun 1 11:22:15 signer1 ods-signerd: Zone action to perform: 3
Jun 1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000, output serial 1000 is too large. Aborting operation
Jun 1 11:22:25 signer1 ods-enforcerd: Received SIGTERM, exiting...
Jun 1 11:22:25 signer1 ods-enforcerd: all done! hsm_close result: 0
Jun 1 11:22:25 signer1 ods-signerd: Received command: 'stop'
Jun 1 11:22:25 signer1 ods-signerd: close syslog
Jun 1 11:22:25 signer1 python: Connection closed by peer

Cheers,
Rick

From owner-dnssec-trac at kirei.se Tue Jun 1 10:01:04 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 01 Jun 2010 10:01:04 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #136: signer silently drops weird SOA refresh/retry values
In-Reply-To: <070.f879292d01a84bba9522e991cc2f26d5@kirei.se>
References: <070.f879292d01a84bba9522e991cc2f26d5@kirei.se>
Message-ID: <079.8efec3db5fba55846316cad31c235095@kirei.se>

#136: signer silently drops weird SOA refresh/retry values
---------------------------------------------+------------------------------
 Reporter: Tom Hendrikx | Owner: matthijs
 Type: defect | Status: new
 Priority: major | Component: Signer
 Version: trunk | Keywords:
---------------------------------------------+------------------------------
Comment(by matthijs):

 The problem seems to be that the quicksorter does not handle these bindish values correctly. I'll look into it.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jun 1 10:01:10 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 01 Jun 2010 10:01:10 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #136: signer silently drops weird SOA refresh/retry values
In-Reply-To: <070.f879292d01a84bba9522e991cc2f26d5@kirei.se>
References: <070.f879292d01a84bba9522e991cc2f26d5@kirei.se>
Message-ID: <079.8428cd61e39014000895458c92b7b31e@kirei.se>

#136: signer silently drops weird SOA refresh/retry values
---------------------------------------------+------------------------------
 Reporter: Tom Hendrikx | Owner: matthijs
 Type: defect | Status: accepted
 Priority: major | Component: Signer
 Version: trunk | Keywords:
---------------------------------------------+------------------------------
Changes (by matthijs):

 * status: new => accepted

From owner-dnssec-trac at kirei.se Tue Jun 1 12:16:05 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 01 Jun 2010 12:16:05 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #136: signer silently drops weird SOA refresh/retry values
In-Reply-To: <070.f879292d01a84bba9522e991cc2f26d5@kirei.se>
References: <070.f879292d01a84bba9522e991cc2f26d5@kirei.se>
Message-ID: <079.4d3d60d1c72d65729b2cd706b8a68be3@kirei.se>

#136: signer silently drops weird SOA refresh/retry values
---------------------------------------------+------------------------------
 Reporter: Tom Hendrikx | Owner: matthijs
 Type: defect | Status: closed
 Priority: major | Component: Signer
 Version: trunk | Resolution: fixed
 Keywords: |
---------------------------------------------+------------------------------
Changes (by matthijs):

 * status: accepted => closed
 * resolution: => fixed

Comment:

 Hi Tom, I believe the 1.1 branch (branches/OpenDNSSEC-1.1/) r3460 fixes this problem.

From matthijs at NLnetLabs.nl Tue Jun 1 12:33:09 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Tue, 01 Jun 2010 14:33:09 +0200
Subject: [Opendnssec-develop] Serial too large
In-Reply-To:
References:
Message-ID: <4C04FE05.3010203@nlnetlabs.nl>

Hi Rick,

I wrote my comments in between lines....

Rick Zijlker wrote:
> Hey,
>
> When resigning a zone which has a serial of 1000 and policy for the
> serial is "keep", and the zone still has that same serial, I get the
> following message:
>
> Jun 1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000,
> output serial 1000 is too large. Aborting operation
>
> How can an output serial be too large? On a sidenote, the zone was about
> to get a KSK rollover.

The output serial is too large if it is equal or larger than the input serial.

However, if you are in a key rollover it will also look at the input serial. Thus if you do not increase the serial value in the input file, the key rollover will not be picked up by the signer (in the case of serial keep). I am not sure if this is desired behavior.

Should we increase the serial when doing a rollover, even if the serial is set to keep?

> At earlier signing I got this message which is correct and expected:
>
> Jun 1 11:12:11 signer1 ods-signerd: Error: serial setting is set to
> 'keep', but input serial has not increased. Aborting sign operation for ods

This message can appear when the actual signing is going on (adding/updating RRSIG records). If you for example re-sign every hour, but don't update the serial in the input file in the mean time, you'll see this error.

The other, previous message you'll see when you need to sort the zone, because of a change in the signer configuration or a change in the input file.

Best regards,

Matthijs

From rickard.bellgrim at iis.se Tue Jun 1 12:41:37 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Tue, 1 Jun 2010 14:41:37 +0200
Subject: [Opendnssec-develop] Serial too large
In-Reply-To: <4C04FE05.3010203@nlnetlabs.nl>
References: <4C04FE05.3010203@nlnetlabs.nl>
Message-ID:

On 1 jun 2010, at 14.33, Matthijs Mekking wrote:

> Should we increase the serial when doing a rollover, even if the serial
> is set to keep?

No

Updates of the signatures and the zone should only be possible when the serial has increased in the incoming zone when the serial is set to keep. Any changes are thus only done each time you release an updated zone from your provisioning system.

You will thereby also get these warnings when the KASP Enforcer tells the Signer Engine that it should use new keys. Because the Engine tries to fulfill this request, but cannot do that until a new serial arrives.

// Rickard

From rick.zijlker at sidn.nl Wed Jun 2 11:45:22 2010
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Wed, 2 Jun 2010 11:45:22 +0000
Subject: [Opendnssec-develop] Serial too large
In-Reply-To: <4C04FE05.3010203@nlnetlabs.nl>
References: <4C04FE05.3010203@nlnetlabs.nl>
Message-ID:

> The output serial is too large if it is equal or larger than the input
> serial.

This has never happened before when resigning with equal serial. Many tests exist of resigning the exact same zonefile. I expected the first message (serial not increased) but not the second message (serial too long). In between these 2 resigns nothing was changed in the zone or config. I would expect the first message (serial not increased) to continue showing every resign.

In my opinion at key rollover when serial set to 'keep', the zone should actually still sign the zone since the keys change, which means you need to resign the same zone. Even when it's the same zone serial. Some zones don't change for years but they do get rollovers.

Cheers,
Rick

From matthijs at NLnetLabs.nl Wed Jun 2 12:21:10 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Wed, 02 Jun 2010 14:21:10 +0200
Subject: [Opendnssec-develop] Serial too large
In-Reply-To:
References: <4C04FE05.3010203@nlnetlabs.nl>
Message-ID: <4C064CB6.6060708@nlnetlabs.nl>

Hi Rick,

Rick Zijlker wrote:
>> The output serial is too large if it is equal or larger than the input
>> serial.
>
> This has never happened before when resigning with equal serial. Many tests exist of resigning the exact same zonefile. I expected the first message (serial not increased) but not the second message (serial too long). In between these 2 resigns nothing was changed in the zone or config. I would expect the first message (serial not increased) to continue showing every resign.

This message should not appear in the case of regular resigning.
But you mentioned a key rollover was in process. So now the message 'output serial too large' does appear.

>
> In my opinion at key rollover when serial set to 'keep', the zone should actually still sign the zone since the keys change, which means you need to resign the same zone. Even when it's the same zone serial. Some zones don't change for years but they do get rollovers.

I agree with Rickard's previous e-mail. Perhaps a different serial setting (unixtime of counter for example) is more fitting when you have a very static zone.

Best regards,

Matthijs

From rick.zijlker at sidn.nl Wed Jun 2 13:27:13 2010
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Wed, 2 Jun 2010 13:27:13 +0000
Subject: [Opendnssec-develop] Serial too large
In-Reply-To: <4C064CB6.6060708@nlnetlabs.nl>
References: <4C04FE05.3010203@nlnetlabs.nl> <4C064CB6.6060708@nlnetlabs.nl>
Message-ID:

> I agree with Rickard's previous e-mail. Perhaps a different serial
> setting (unixtime of counter for example) is more fitting when you have
> a very static zone.

I understand

> This message should not appear in the case of regular resigning. But you
> mentioned a key rollover was in process. So now the message
> 'output serial too large' does appear.

I still don't understand how the output serial can be 'too large'? It was 1000 and still is 1000.

Cheers,
Rick

-----Original Message-----
From: Matthijs Mekking [mailto:matthijs at NLnetLabs.nl]
Sent: Wednesday, June 02, 2010 2:21 PM
To: Rick Zijlker
Cc: Opendnssec-develop at lists.opendnssec.org
Subject: Re: [Opendnssec-develop] Serial too large

Hi Rick,

Rick Zijlker wrote:
>> The output serial is too large if it is equal or larger than the input
>> serial.
>
> This has never happened before when resigning with equal serial. Many tests exist of resigning the exact same zonefile. I expected the first message (serial not increased) but not the second message (serial too long) in between these 2 resigns nothing was changed in the zone or config. I would expect the first message (serial not increased) to continue showing every resign.

This message should not appear in the case of regular resigning. But you
mentioned a key rollover was in process. So now the message is 'output
serial too large' does appear.

>
> In my opinion at key rollover when serial set to 'keep', the zone should actually still sign the zone since the keys change, which means you need to resign the same zone. Even when it's the same zone serial. Some zones don't change for years but they do get rollovers.

I agree with Rickard's previous e-mail. Perhaps a different serial
setting (unixtime of counter for example) is more fitting when you have
a very static zone.

Best regards,

Matthijs

>
> Cheers,
> Rick
>
>
> -----Original Message-----
> From: Matthijs Mekking [mailto:matthijs at NLnetLabs.nl]
> Sent: Tuesday, June 01, 2010 2:33 PM
> To: Rick Zijlker
> Cc: Opendnssec-develop at lists.opendnssec.org
> Subject: Re: [Opendnssec-develop] Serial too large
>
> Hi Rick,
>
> I wrote my comments in between lines....
>
> Rick Zijlker wrote:
>> Hey,
>
>> When resigning a zone which has a serial of 1000 and policy for the
>> serial is "keep", and the zone still has that same serial, I get the
>> following message:
>
>> Jun 1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000,
>> output serial 1000 is too large. Aborting operation
>
>> How can an output serial be too large? On a sidenote, the zone was about
>> to get a KSK rollover.
>
> The output serial is too large if it is equal or larger than the input
> serial.
>
> However, if you are in a key rollover it will also look at the input
> serial. Thus if you do not increase the serial value in the input file,
> the key rollover will not be picked up by the signer (in the case of
> serial keep). I am not sure if this is desired behavior.
>
> Should we increase the serial when doing a rollover, even if the serial
> is set to keep?
>
>> At earlier signing I got this message which is correct and expected:
>
>> Jun 1 11:12:11 signer1 ods-signerd: Error: serial setting is set to
>> 'keep', but input serial has not increased. Aborting sign operation for ods
>
> This message can appear when the actual signing is going on
> (adding/updating RRSIG records). If you for example re-sign every hour,
> but don't update the serial in the input file in the mean time, you'll
> see this error.
>
> The other, previous message you'll see when you need to sort the zone,
> because of a change in the signer configuration or a change in the input
> file.
> > Best regards, > > Matthijs > >> Full log: > >> Jun 1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at >> 1275384134.71 with resign time 180 > >> Jun 1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at >> 1275384134.71 with resign time 180 > >> Jun 1 11:22:14 signer1 ods-signerd: Zone ods added > >> Jun 1 11:22:14 signer1 ods-signerd: opening socket: >> /var/run/opendnssec/engine.sock > >> Jun 1 11:22:14 signer1 ods-signerd: Engine running > >> Jun 1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer starting... > >> Jun 1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer Parent exiting... > >> Jun 1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer forked OK... > >> Jun 1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer started >> (version 1.1.0rc3), pid 13521 > >> Jun 1 11:22:14 signer1 ods-enforcerd: HSM opened successfully. > >> Jun 1 11:22:14 signer1 ods-enforcerd: Reading config >> "/etc/opendnssec/conf.xml" > >> Jun 1 11:22:14 signer1 ods-enforcerd: Reading config schema >> "/usr/local/share/opendnssec/conf.rng" > >> Jun 1 11:22:14 signer1 ods-enforcerd: Communication Interval: 1800 > >> Jun 1 11:22:14 signer1 ods-enforcerd: No DS Submit command supplied > >> Jun 1 11:22:14 signer1 ods-enforcerd: SQLite database set to: >> /var/opendnssec/kasp.db > >> Jun 1 11:22:14 signer1 ods-enforcerd: Log User set to: local0 > >> Jun 1 11:22:14 signer1 ods-enforcerd: Switched log facility to: local0 > >> Jun 1 11:22:14 signer1 ods-enforcerd: Connecting to Database... > >> Jun 1 11:22:14 signer1 ods-enforcerd: Policy default found. > >> Jun 1 11:22:14 signer1 ods-enforcerd: Key sharing is Off. > >> Jun 1 11:22:14 signer1 ods-enforcerd: Policy gradual1 found. > >> Jun 1 11:22:14 signer1 ods-enforcerd: Key sharing is Off. > >> Jun 1 11:22:14 signer1 ods-enforcerd: zonelist filename set to >> /etc/opendnssec/zonelist.xml. > >> Jun 1 11:22:14 signer1 ods-enforcerd: Zone ods found. 
> >> Jun 1 11:22:14 signer1 ods-enforcerd: Policy for ods set to gradual1. > >> Jun 1 11:22:14 signer1 ods-enforcerd: Config will be output to >> /var/opendnssec/signconf/ods.xml. > >> Jun 1 11:22:15 signer1 ods-enforcerd: INFO: New DS records needed for >> the zone ods; details will follow > >> Jun 1 11:22:15 signer1 ods-enforcerd: WARNING: KSK Retirement reached; >> please submit the new DS for ods and use ods-ksmutil key ksk-roll to >> roll the key. > >> Jun 1 11:22:15 signer1 ods-enforcerd: No change to: >> /var/opendnssec/signconf/ods.xml > >> Jun 1 11:22:15 signer1 ods-enforcerd: DSChanged > >> Jun 1 11:22:15 signer1 ods-enforcerd: DS Record set has changed, the >> current set looks like: > >> Jun 1 11:22:15 signer1 ods-enforcerd: ods. 3600 IN DNSKEY >> 257 3 7 >> AwEAAdipHfA+phxY3scDd7Go/ncAJm1WDfarQAz2jjmCFgSlG9SHvDzxpXIlO/ThDMU+IXC/LRyW9tMhedDA/ZKJ9fHjd+0MCa66o7SMSS4/ATozbzLwy/ENaFjtb6jAho3w/R9MPwajiKZQ2XtXO8DwjdglFklDHJKSbXeleaMRfDLzPRpx4DZxnE1sMgTSh2j707MrCm8vjZcrZDbR53vQfHztu/VHD9vv29ji426NYg5wqC1toUUHMMBCR70jZ1KO15Ubkpwf/FXRySxCuiZuO5KUpUWYWxh342l4ZGUwsLQ+fWZ04rhwAplXrvxRrq5NEMif9csFdZJyxxibOOGWlCE= >> ;{id = 45856 (ksk), size = 2048b} > >> Jun 1 11:22:15 signer1 ods-enforcerd: ods. 3600 IN DNSKEY >> 257 3 7 >> AwEAAcNcbkEd+NhwfWk0WgVuUWJyfgBWLMwSF5ZRHD+9Sru5kRkKNXDl7IMpdiSjp/wSCFWjr2IR5/KMZe0Cf4laV63I8sJy6OWRpCF/Kk8EuDaE1T0MOP6GQkif9Fn+JUzwz/SESAMv/knY5+xwwGm4cMNuS8egmlsmUuNqnw3PqChJbLKKpDbzzBI5P98KY51kbVIdfLqMkf8X8B3y/5rc8xmBc0xhTY4ZbpP2dgm65dFeK8lCOF1FSSWwItc2qRT2jdG/60226CufjXnEeS7oChFKF0cP46ZXFRql6/3qOkfACwdVxAizWoraMU4JHp2rVvla2WmMBvhXJyDEl+xP/Qc= >> ;{id = 16581 (ksk), size = 2048b} > >> Jun 1 11:22:15 signer1 ods-enforcerd: Once the new DS records are seen >> in DNS please issue the ds-seen command for zone ods with the following >> cka_ids, b48cfc3c80e11ed41eb21ab49d7666df, 12306205b8e5aa46abb276d57544680c > >> Jun 1 11:22:15 signer1 ods-enforcerd: Disconnecting from Database... 
>
>> Jun 1 11:22:15 signer1 ods-enforcerd: Sleeping for 1800 seconds.
>
>> Jun 1 11:22:15 signer1 ods-signerd: Zone action to perform: 3
>
>> Jun 1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000,
>> output serial 1000 is too large. Aborting operation
>
>> Jun 1 11:22:25 signer1 ods-enforcerd: Received SIGTERM, exiting...
>
>> Jun 1 11:22:25 signer1 ods-enforcerd: all done! hsm_close result: 0
>
>> Jun 1 11:22:25 signer1 ods-signerd: Received command: 'stop'
>
>> Jun 1 11:22:25 signer1 ods-signerd: close syslog
>
>> Jun 1 11:22:25 signer1 python: Connection closed by peer
>
>> Cheers,
>
>> Rick

From rickard.bellgrim at iis.se Wed Jun 2 13:43:21 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 2 Jun 2010 15:43:21 +0200
Subject: [Opendnssec-develop] Serial too large
In-Reply-To:
References: <4C04FE05.3010203@nlnetlabs.nl> <4C064CB6.6060708@nlnetlabs.nl>
Message-ID:

On 2 jun 2010, at 15.27, Rick Zijlker wrote:

> I still don't understand how the output serial can be 'too large'? It was 1000 and still is 1000.
The update command from the Enforcer triggers the Signer Engine to re-read the configuration but also to resort the unsigned zone. You get different code paths for the regular resign and the update command:

RESORT (update command will set this action):

    if self.zone_config.soa_serial == "keep" and \
       self.compare_serial(ser_out, ser_in) <= 0:
        syslog.syslog(syslog.LOG_ERR, "Cannot keep input serial " + str(ser_in) +\
                      ", output serial " + str(ser_out) +\
                      " is too large. Aborting operation")

RESIGN:

    if self.compare_serial(prev_serial, soa_serial) <= 0:
        syslog.syslog(syslog.LOG_ERR,
                      "Error: serial setting is set to 'keep', but input "
                      "serial has not increased. Aborting sign operation "
                      "for " + self.zone_name)

From rick.zijlker at sidn.nl Wed Jun 2 13:43:29 2010
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Wed, 2 Jun 2010 13:43:29 +0000
Subject: [Opendnssec-develop] Auditor reaction on changed policy
Message-ID:

Hey,

An interesting scenario to think about:

- Sign zone with signature lifetime of 1200s and jitter of 10s. So lifetime varies between 1190 and 1210.
- Change policy and set jitter to 0 so signature lifetime becomes a solid 1200s.
- Stop engines, update database, start engines
- At next resign, auditor fails signing the zone because some signature lifetimes are below 1200s.

Basically the auditor audits the zone with the updated policy, while the signer hasn't touched those signatures yet because they are still valid.

I'm not sure what or if anything is wrong here, but I think it's not appropriate that the process fails because of a changed jitter. After a while the signing will correct itself since signatures will be made by new policy, but it could mean you won't get an updated zone for some time. Depending on your key validity.

Auditor returned: 3 on this scenario. Does that mean no signed zone output? Or just warnings?

Cheers,
Rick
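Returning to the "Serial too large" thread: the RESORT and RESIGN checks quoted in Rickard Bellgrim's message, rebuilt as a runnable sketch (an added example, not OpenDNSSEC code). It assumes that compare_serial returns a positive value when its second argument is the newer serial under RFC 1982 arithmetic, which is what the quoted conditions imply, and that a missing output serial lets any input serial through; the function names and arguments are hypothetical.

```python
# Added illustration, not OpenDNSSEC source: function names, argument order
# and return conventions are assumptions inferred from the quoted conditions.

SERIAL_MOD = 1 << 32    # SOA serials are unsigned 32-bit values
SERIAL_HALF = 1 << 31   # RFC 1982: "newer" means less than 2**31 ahead


def compare_serial(old, new):
    """Return 1 if `new` is newer than `old`, 0 if equal, -1 otherwise.

    Uses RFC 1982 serial arithmetic, so a wrap from 4294967295 to a small
    number still counts as an increase. A distance of exactly 2**31 is
    undefined in RFC 1982 and is reported as -1 so callers fail closed.
    """
    for serial in (old, new):
        if not 0 <= serial < SERIAL_MOD:
            raise ValueError("serial %r is not a 32-bit value" % (serial,))
    distance = (new - old) % SERIAL_MOD
    if distance == 0:
        return 0
    return 1 if distance < SERIAL_HALF else -1


def check_resort(serial_policy, ser_in, ser_out):
    """RESORT path, run after the Enforcer's update command.

    `ser_out` is the serial of the last signed zone, or None when none has
    been written yet (assumed to mean "any input serial is larger").
    Returns the error text, or None when the zone may be processed.
    """
    if serial_policy != "keep" or ser_out is None:
        return None
    if compare_serial(ser_out, ser_in) <= 0:
        return ("Cannot keep input serial %d, output serial %d is too "
                "large. Aborting operation" % (ser_in, ser_out))
    return None


def check_resign(serial_policy, prev_serial, input_serial, zone_name):
    """RESIGN path, run on every scheduled re-sign."""
    if serial_policy != "keep" or prev_serial is None:
        return None
    if compare_serial(prev_serial, input_serial) <= 0:
        return ("Error: serial setting is set to 'keep', but input serial "
                "has not increased. Aborting sign operation for " + zone_name)
    return None


def explain(zone_name, serial_policy, ser_in, ser_out, action):
    """Return 'ok' or the error for one signer run (action: resort/resign)."""
    if action == "resort":
        error = check_resort(serial_policy, ser_in, ser_out)
    else:
        error = check_resign(serial_policy, ser_out, ser_in, zone_name)
    return error or "ok"


if __name__ == "__main__":
    # Constructed cases; the first two reproduce the situation in the thread.
    cases = [
        ("resign", "keep", 1000, 1000),       # plain re-sign, serial unchanged
        ("resort", "keep", 1000, 1000),       # update during the KSK rollover
        ("resort", "keep", 1001, 1000),       # operator raised the serial
        ("resort", "keep", 3, 4294967295),    # 32-bit wrap still increases
        ("resort", "keep", 1000, None),       # nothing signed yet
        ("resort", "counter", 1000, 1000),    # check only applies to "keep"
    ]
    for action, policy, ser_in, ser_out in cases:
        print(action, policy, ser_in, ser_out, "->",
              explain("ods", policy, ser_in, ser_out, action))
```

With "keep" and an unchanged serial both paths refuse to sign, so new keys from a rollover are not published until the input serial is raised.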
From AlexD at nominet.org.uk Wed Jun 2 14:51:44 2010
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Wed, 2 Jun 2010 14:51:44 +0000
Subject: [Opendnssec-develop] Auditor reaction on changed policy
In-Reply-To:
Message-ID:

Hi Rick -

This has to do with the more general problem of how the auditor should behave after policy changes. ISTM the only straightforward option is for the auditor to store some policy state (it already stores the current states of keys seen in the zone). It could then either work out that the observed situation is OK due to the change of policy, or, at the least, downgrade associated errors to warnings, and let the signed zone be published.

Thanks,

Alex.

On 02/06/2010 14:43, "Rick Zijlker" wrote:

Hey,

An interesting scenario to think about:

- Sign zone with signature lifetime of 1200s and jitter of 10s. So lifetime varies between 1190 and 1210.
- Change policy and set jitter to 0 so signature lifetime becomes a solid 1200s.
- Stop engines, update database, start engines
- At next resign, auditor fails signing the zone because some signature lifetimes are below 1200s.

Basically the auditor audits the zone with the updated policy, while the signer hasn't touched those signatures yet because they are still valid.

I'm not sure what or if anything is wrong here, but I think it's not appropriate that the process fails because of a changed jitter. After a while the signing will correct itself since signatures will be made by new policy, but it could mean you won't get an updated zone for some time. Depending on your key validity.

Auditor returned: 3 on this scenario. Does that mean no signed zone output? Or just warnings?

Cheers,
Rick
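The approach suggested in the reply above, sketched as an added example (not the OpenDNSSEC auditor's code): the auditor keeps the previous policy and the time it changed, and only signatures that predate the change and satisfied the previous policy are downgraded from errors to warnings. The Policy, Signature and PolicyState types, the use of the inception time as the signing time and the sample signatures are assumptions constructed for illustration.

```python
# Added illustration of the stored-policy-state idea; this is not the
# OpenDNSSEC auditor. Types, field names and sample data are assumptions.
from collections import namedtuple

Policy = namedtuple("Policy", "validity jitter")               # seconds
Signature = namedtuple("Signature", "owner inception expiration")
PolicyState = namedtuple("PolicyState", "previous changed_at")


def lifetime_in_policy(sig, policy):
    """True when the signature lifetime lies within validity +/- jitter."""
    lifetime = sig.expiration - sig.inception
    return (policy.validity - policy.jitter
            <= lifetime <= policy.validity + policy.jitter)


def audit_lifetimes(signatures, current, state=None):
    """Check signature lifetimes; return (errors, warnings).

    Without stored state every deviation from `current` is an error, which
    is the behaviour described in the thread. With state, a signature that
    was created before the policy change and was valid under the previous
    policy is downgraded to a warning; anything else stays an error.
    """
    errors, warnings = [], []
    for sig in signatures:
        if lifetime_in_policy(sig, current):
            continue
        lifetime = sig.expiration - sig.inception
        text = "%s: lifetime %ds outside %d+/-%ds" % (
            sig.owner, lifetime, current.validity, current.jitter)
        predates_change = (state is not None
                           and sig.inception < state.changed_at)
        if predates_change and lifetime_in_policy(sig, state.previous):
            warnings.append(text + " (signed under previous policy)")
        else:
            errors.append(text)
    return errors, warnings


def zone_may_be_published(errors):
    """The signed zone is held back only on errors, never on warnings."""
    return not errors


# Constructed data for the scenario in the thread: lifetime 1200s, jitter 10s,
# then jitter set to 0 at t=5000 while older signatures are still valid.
OLD = Policy(validity=1200, jitter=10)
NEW = Policy(validity=1200, jitter=0)
CHANGE_TIME = 5000
SIGS = [
    Signature("ods. SOA", 4000, 4000 + 1193),      # old policy, jittered down
    Signature("www.ods. A", 4500, 4500 + 1207),    # old policy, jittered up
    Signature("mail.ods. A", 5100, 5100 + 1200),   # re-signed under new policy
]
# A signature made after the change with a wrong lifetime must stay an error.
BAD = Signature("ftp.ods. A", 5200, 5200 + 1195)

if __name__ == "__main__":
    state = PolicyState(OLD, CHANGE_TIME)
    print(audit_lifetimes(SIGS, NEW))
    print(audit_lifetimes(SIGS, NEW, state))
    print(audit_lifetimes(SIGS + [BAD], NEW, state))
```

The downgrade is bounded on purpose: a signature created after the recorded change, or one that never matched the previous policy, still blocks publication.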
From rick at openfortress.nl Fri Jun 4 09:56:46 2010
From: rick at openfortress.nl (Rick van Rein)
Date: Fri, 4 Jun 2010 09:56:46 +0000
Subject: [Opendnssec-develop] Meeting notes 2010-05-25
Message-ID: <20100604095646.GB27648@phantom.vanrein.org>

Hello,

I finally found the time to write up the notes of the last phone meeting. Sorry for the delay, but it is now online!

Best,
 -Rick

From rickard.bellgrim at iis.se Fri Jun 4 12:33:58 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Fri, 4 Jun 2010 14:33:58 +0200
Subject: [Opendnssec-develop] Meeting topics
Message-ID: <7977C0A6-C179-49EE-A0B3-64E4ECACD3FA@iis.se>

Hi

Is there any special topic that you want us to discuss during the next meeting on Wednesday?
// Rickard

From sion at nominet.org.uk Fri Jun 4 12:41:07 2010
From: sion at nominet.org.uk (Sion Lloyd)
Date: Fri, 4 Jun 2010 13:41:07 +0100
Subject: [Opendnssec-develop] Meeting topics
In-Reply-To: <7977C0A6-C179-49EE-A0B3-64E4ECACD3FA@iis.se>
References: <7977C0A6-C179-49EE-A0B3-64E4ECACD3FA@iis.se>
Message-ID: <201006041341.07962.sion@nominet.org.uk>

> Is there any special topic that you want us to discuss during the next
> meeting on Wednesday?

Do we need a 1.1.1 release?

I have one fix that I am testing and am tracking down another.

Sion

From AlexD at nominet.org.uk Fri Jun 4 14:39:21 2010
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Fri, 4 Jun 2010 14:39:21 +0000
Subject: [Opendnssec-develop] Enforcer tests
Message-ID:

Hi -

I've been spending some time developing a test engine for the enforcer. Currently, it does the ZSK checks outlined in :

http://trac.opendnssec.org/wiki/ProjectPlan/SystemTest/BasicTest

(translated to an enforcer-only point-of-view)

I'm looking at getting the KSK checks added as well. I then hope to produce a general purpose engine, which will generate automated tests for a given set of zones and policies. Emergency rollovers and other odd cases should also be added in time.

I've implemented these tests in Cucumber (a Ruby testing library). You have to have Ruby installed (which most people do), and do a

    gem install cucumber

in order to run the tests.

Here's the question : Are people happy for me to add these tests to the OpenDNSSEC/enforcer/test/cucumber folder? Or would you rather keep them somewhere like OpenDNSSEC/test/cucumber/enforcer?

Thanks,

Alex.
From owner-dnssec-trac at kirei.se Fri Jun 4 15:11:54 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 04 Jun 2010 15:11:54 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #137: text is not adequatly quoted for insertion in the database
Message-ID: <053.670cfe1e78d519363e2d580bab9f19a1@kirei.se>

#137: text is not adequatly quoted for insertion in the database
----------------------------+-----------------------------------------------
 Reporter:  Kim Minh Kaplan |       Owner:  sion
     Type:  defect          |      Status:  new
 Priority:  minor           |   Component:  Enforcer
  Version:  trunk           |    Keywords:
----------------------------+-----------------------------------------------
 A ' (quote) character in the of the kasp.xml file does not work:

 $ ods-ksmutil update kasp
 SQLite database set to: /var/kasp.db
 zonelist filename set to /etc/zonelist.xml.
 kasp filename set to /etc/kasp.xml.
 Policy errtest found
 ERROR: error executing SQL - near "erreur": syntax error
 Error: unable to insert policy errtest; skipping

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From jakob at kirei.se Fri Jun 4 15:38:41 2010
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 4 Jun 2010 17:38:41 +0200
Subject: [Opendnssec-develop] Enforcer tests
In-Reply-To:
References:
Message-ID: <5A226448-2D34-40FD-B19A-408C3CC85525@kirei.se>

On 4 jun 2010, at 16.39, Alex Dalitz wrote:

> I've been spending some time developing a test engine for the enforcer.

nice!

> Here's the question : Are people happy for me to add these tests to the
> OpenDNSSEC/enforcer/test/cucumber folder? Or would you rather keep them
> somewhere like OpenDNSSEC/test/cucumber/enforcer?

as the other regression tests are kept together with "their" module, I suggest enforcer/test/cucumber.
jakob

From owner-dnssec-trac at kirei.se Mon Jun 7 08:24:51 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 07 Jun 2010 08:24:51 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #138: ods-hsmutil segfaults with AEP Keyper
Message-ID: <053.cec61dc1b538fc3316fcd1a4e1898d0a@kirei.se>

#138: ods-hsmutil segfaults with AEP Keyper
----------------------------+-----------------------------------------------
 Reporter:  Kim Minh Kaplan |       Owner:  jakob
     Type:  defect          |      Status:  new
 Priority:  major           |   Component:  libhsm
  Version:  trunk           |    Keywords:
----------------------------+-----------------------------------------------
 After listing the keys of the AEP Keyper it segfaults:

 {{{
 $ ods-hsmutil list
 Listing keys in all repositories.
 10 keys found.

 Repository  ID                                Type
 ----------  --                                ----
 AEPKeyper   b4c966b81ddd3a80cb072b7504d9e7a9  RSA/1024
 Segmentation fault
 }}}

 With the attached patch it gives:

 {{{
 $ ods-hsmutil list
 Listing keys in all repositories.
 10 keys found.

 Repository  ID                                Type
 ----------  --                                ----
 AEPKeyper   b4c966b81ddd3a80cb072b7504d9e7a9  RSA/1024 (INVALID)
 softHSM     43e2b2c548e35a9d9c0bbc8e89a2dbf2  RSA/1024
 softHSM     dc4bfbaa6c99533759bc579d22622263  RSA/1024
 softHSM     0f7de531d34eb38d24cfa98c6b4a810f  RSA/1024
 softHSM     c2d5144ab101c44050dfb2de6696fe2d  RSA/1024
 softHSM     491869d604edad2c00794d8a997bf4e9  RSA/1024
 softHSM     6098505396c1cd10116fb269496e07db  RSA/1024
 softHSM     9f29246596593bec7471b9cd026802a7  RSA/1024
 softHSM     3c3a77b81a2f1986af2e4613437a7f39  RSA/1024
 }}}

From owner-dnssec-trac at kirei.se Mon Jun 7 20:05:05 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 07 Jun 2010 20:05:05 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #138: ods-hsmutil segfaults with AEP Keyper
In-Reply-To: <053.cec61dc1b538fc3316fcd1a4e1898d0a@kirei.se>
References: <053.cec61dc1b538fc3316fcd1a4e1898d0a@kirei.se>
Message-ID: <062.1b47f3de51775adbf8f5c65f81861c9a@kirei.se>

#138: ods-hsmutil segfaults with AEP Keyper
----------------------------+-----------------------------------------------
 Reporter:  Kim Minh Kaplan |       Owner:  jakob
     Type:  defect          |      Status:  accepted
 Priority:  major           |   Component:  libhsm
  Version:  trunk           |    Keywords:
----------------------------+-----------------------------------------------
Changes (by jakob):

  * status:  new => accepted

Comment:

 What revision of trunk did you try? I independently committed code to skip NULL keys last week and I believe that change should handle your problem as well. Could you try current trunk (rev 3467 or later) and report back your findings?

From rickard.bellgrim at iis.se Wed Jun 9 07:49:16 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 9 Jun 2010 09:49:16 +0200
Subject: [Opendnssec-develop] Meeting topics
In-Reply-To: <201006041341.07962.sion@nominet.org.uk>
References: <7977C0A6-C179-49EE-A0B3-64E4ECACD3FA@iis.se> <201006041341.07962.sion@nominet.org.uk>
Message-ID: <05C6C5F0-E14B-4830-83D3-D2AC5C7434F1@iis.se>

On 4 jun 2010, at 14.41, Sion Lloyd wrote:

>> Is there any special topic that you want us to discuss during the next
>> meeting on Wednesday?
>
> Do we need a 1.1.1 release?
>
> I have one fix that I am testing and am tracking down another.
And here is the agenda for today:

http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-06-09

// Rickard

From matthijs at NLnetLabs.nl Wed Jun 9 12:35:50 2010
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Wed, 09 Jun 2010 14:35:50 +0200
Subject: [Opendnssec-develop] Meeting topics
In-Reply-To: <05C6C5F0-E14B-4830-83D3-D2AC5C7434F1@iis.se>
References: <7977C0A6-C179-49EE-A0B3-64E4ECACD3FA@iis.se> <201006041341.07962.sion@nominet.org.uk> <05C6C5F0-E14B-4830-83D3-D2AC5C7434F1@iis.se>
Message-ID: <4C0F8AA6.3080003@nlnetlabs.nl>

The minutes are online.

http://trac.opendnssec.org/wiki/Meetings/Minutes/2010-06-09

Matthijs

On 06/09/2010 09:49 AM, Rickard Bellgrim wrote:
>
> On 4 jun 2010, at 14.41, Sion Lloyd wrote:
>
>>> Is there any special topic that you want us to discuss during the next
>>> meeting on Wednesday?
>>
>> Do we need a 1.1.1 release?
>>
>> I have one fix that I am testing and am tracking down another.
>
> And here is the agenda for today:
>
> http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-06-09
>
> // Rickard

From owner-dnssec-trac at kirei.se Wed Jun 9 19:00:16 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 09 Jun 2010 19:00:16 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #139: ods-auditor fails on root zone
Message-ID: <059.08d771def356f88883519f24053db8c9@kirei.se>

#139: ods-auditor fails on root zone
----------------------------------+-----------------------------------------
 Reporter:  dwessels@?            |       Owner:  alex
     Type:  defect                |      Status:  new
 Priority:  minor                 |   Component:  Auditor
  Version:  trunk                 |    Keywords:
----------------------------------+-----------------------------------------
 I assume a root zone should be specified as in zonelist.xml. But the auditor compares this to the empty string:

 ods-auditor[98240]: SOA name () is different to the configured zone name (.)
 - aborting

From owner-dnssec-trac at kirei.se Thu Jun 10 07:14:00 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 10 Jun 2010 07:14:00 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #135: many links broken (points to file:/)
In-Reply-To: <054.51d441acca413ff67ba6d7f914a76aaa@kirei.se>
References: <054.51d441acca413ff67ba6d7f914a76aaa@kirei.se>
Message-ID: <063.1c1a36b28ff5bc8743c381676cfbe9f4@kirei.se>

#135: many links broken (points to file:/)
-----------------------------+----------------------------------------------
 Reporter:  fredrik@?        |        Owner:  rb
     Type:  defect           |       Status:  closed
 Priority:  major            |    Component:  Unknown
  Version:  trunk            |   Resolution:  fixed
 Keywords:                   |
-----------------------------+----------------------------------------------
Changes (by rb):

  * status:  new => closed
  * resolution:  => fixed

Comment:

 Fixed in the documentation

From owner-dnssec-trac at kirei.se Thu Jun 10 07:17:52 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 10 Jun 2010 07:17:52 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #111: Missing sanity check in hsm_get_dnskey()
In-Reply-To: <063.736ed46d6fc3275c8d248b3afb6e5f47@kirei.se>
References: <063.736ed46d6fc3275c8d248b3afb6e5f47@kirei.se>
Message-ID: <072.4c8436aeb3c954050d51df2c8cc0980e@kirei.se>

#111: Missing sanity check in hsm_get_dnskey()
--------------------------------------+-------------------------------------
 Reporter:  jaroslav.benkovsky@?      |       Owner:  jakob
     Type:  defect                    |      Status:  assigned
 Priority:  minor                     |   Component:  Unknown
  Version:  1.0.0                     |    Keywords:
--------------------------------------+-------------------------------------
Changes (by rb):

  * owner:  rb => jakob
  * status:  new => assigned

Comment:

 Jakob, is this one fixed?
From owner-dnssec-trac at kirei.se Thu Jun 10 07:19:18 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 10 Jun 2010 07:19:18 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #125: Can't setuid in ods-auditor
In-Reply-To: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
References: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
Message-ID: <072.129038a94de2f87de337946e2d24517e@kirei.se>

#125: Can't setuid in ods-auditor
--------------------------------------+-------------------------------------
 Reporter:  jaroslav.benkovsky@?      |       Owner:  alex
     Type:  defect                    |      Status:  new
 Priority:  minor                     |   Component:  Auditor
  Version:  1.0.0                     |    Keywords:
--------------------------------------+-------------------------------------
Comment(by rb):

 Is this still a problem?

From owner-dnssec-trac at kirei.se Thu Jun 10 07:23:05 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 10 Jun 2010 07:23:05 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #139: ods-auditor fails on root zone
In-Reply-To: <059.08d771def356f88883519f24053db8c9@kirei.se>
References: <059.08d771def356f88883519f24053db8c9@kirei.se>
Message-ID: <068.ede27b4db5575ca8e4ebdd2e62cd7668@kirei.se>

#139: ods-auditor fails on root zone
----------------------------------+-----------------------------------------
 Reporter:  dwessels@?            |       Owner:  alex
     Type:  defect                |      Status:  new
 Priority:  minor                 |   Component:  Auditor
  Version:  trunk                 |    Keywords:
----------------------------------+-----------------------------------------
Comment(by rb):

 Yes, this is a problem. The Auditor wants the zone to be named "", and the Signer wants it to be named "." We will have a meeting within two weeks where we discuss this issue. So that we handle the zone names in the same way. Because you probably want to sign the root zone in a test setup.
From owner-dnssec-trac at kirei.se Thu Jun 10 07:24:04 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 10 Jun 2010 07:24:04 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #94: IWBN to be notified when a key rolls over
In-Reply-To: <087.a1ed4cda6b56b83f7f4d3bd7223d4f06@kirei.se>
References: <087.a1ed4cda6b56b83f7f4d3bd7223d4f06@kirei.se>
Message-ID: <096.9babd0dcc2c019b5a73d0c29c5d78d99@kirei.se>

#94: IWBN to be notified when a key rolls over
---------------------------------------------------------------+------------
 Reporter:  Stéphane Bortzmeyer                                |        Owner:  sion
     Type:  enhancement                                        |       Status:  closed
 Priority:  minor                                              |    Component:  Enforcer
  Version:  trunk                                              |   Resolution:  fixed
 Keywords:                                                     |
---------------------------------------------------------------+------------
Changes (by rb):

  * status:  accepted => closed
  * resolution:  => fixed

From rickard.bellgrim at iis.se Thu Jun 10 07:48:51 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Thu, 10 Jun 2010 09:48:51 +0200
Subject: [Opendnssec-develop] Agenda for the code sprint
Message-ID:

Hi

We wanted to discuss some topics during the code sprint.
Write down anything you have on your mind here:

http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-06-22-23

// Rickard

From owner-dnssec-trac at kirei.se Thu Jun 10 08:01:03 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 10 Jun 2010 08:01:03 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #137: text is not adequatly quoted for insertion in the database
In-Reply-To: <053.670cfe1e78d519363e2d580bab9f19a1@kirei.se>
References: <053.670cfe1e78d519363e2d580bab9f19a1@kirei.se>
Message-ID: <062.1a2d177ffe74d89157336e58fd706301@kirei.se>

#137: text is not adequatly quoted for insertion in the database
----------------------------+-----------------------------------------------
 Reporter:  Kim Minh Kaplan |       Owner:  sion
     Type:  defect          |      Status:  accepted
 Priority:  minor           |   Component:  Enforcer
  Version:  trunk           |    Keywords:
----------------------------+-----------------------------------------------
Changes (by sion):

  * status:  new => accepted

From owner-dnssec-trac at kirei.se Thu Jun 10 09:54:33 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 10 Jun 2010 09:54:33 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #127: Large SOA serial numbers are not handled properly by "signer"
In-Reply-To: <076.a19d373382cd63fa43f3c906215ddd4a@kirei.se>
References: <076.a19d373382cd63fa43f3c906215ddd4a@kirei.se>
Message-ID: <085.a4278a27b477ead4f00c204fdec8038a@kirei.se>

#127: Large SOA serial numbers are not handled properly by "signer"
---------------------------------------------------+------------------------
 Reporter:  Anirban Mukherjee                      |        Owner:  matthijs
     Type:  defect                                 |       Status:  closed
 Priority:  major                                  |    Component:  Signer
  Version:  1.0.0                                  |   Resolution:  fixed
 Keywords:                                         |
---------------------------------------------------+------------------------
Changes (by matthijs):

  * status:  new => closed
  * resolution:  => fixed

Comment:

 Fixed by indeed using strtoul for uint32_t parameters, instead of atol. Thanks for the report!
--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Thu Jun 10 10:33:19 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 10 Jun 2010 10:33:19 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #133: Issues with SOA serial "keep" mode
In-Reply-To: <076.1c853891ecc1bd90390515123a98f990@kirei.se>
References: <076.1c853891ecc1bd90390515123a98f990@kirei.se>
Message-ID: <085.d476dcdbd9d216dc2ed313dd96f71755@kirei.se>

#133: Issues with SOA serial "keep" mode
---------------------------------------------------+------------------------
Reporter: Anirban Mukherjee | Owner: matthijs
Type: defect | Status: closed
Priority: major | Component: Signer
Version: trunk | Resolution: fixed
Keywords: |
---------------------------------------------------+------------------------
Changes (by matthijs):

  * status: new => closed
  * resolution: => fixed

Comment:

1) I agree that the error message might be a bit unclear. I changed it in the branch 1.1

2) I changed the code, in the sense that if there is no .serial file, all input serials are always larger than the (non-existent) output serial

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Thu Jun 10 12:58:37 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 10 Jun 2010 12:58:37 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #111: Missing sanity check in hsm_get_dnskey()
In-Reply-To: <063.736ed46d6fc3275c8d248b3afb6e5f47@kirei.se>
References: <063.736ed46d6fc3275c8d248b3afb6e5f47@kirei.se>
Message-ID: <072.51067022777f039d5f72ac3eee32701d@kirei.se>

#111: Missing sanity check in hsm_get_dnskey()
--------------------------------------+-------------------------------------
Reporter: jaroslav.benkovsky@?
| Owner: jakob
Type: defect | Status: closed
Priority: minor | Component: Unknown
Version: 1.0.0 | Resolution: fixed
Keywords: |
--------------------------------------+-------------------------------------
Changes (by jakob):

  * status: assigned => closed
  * resolution: => fixed

Comment:

Fixed in r3482.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Sat Jun 12 09:15:02 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sat, 12 Jun 2010 09:15:02 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #30: Compile links to wrong libhsm
In-Reply-To: <065.585083d175d6ccb72217a26c902ec560@kirei.se>
References: <065.585083d175d6ccb72217a26c902ec560@kirei.se>
Message-ID: <074.76ef346e76e1382e27bf1ec8f118a7d6@kirei.se>

#30: Compile links to wrong libhsm
----------------------------------------+-----------------------------------
Reporter: opendnssec.simon@? | Owner: jakob
Type: defect | Status: closed
Priority: major | Component: Unknown
Version: trunk | Resolution: fixed
Keywords: |
----------------------------------------+-----------------------------------
Comment(by opendnssec.simon@?):

This still isn't fixed properly. I have an old libhsm installed as /usr/local/lib/libhsm.la which it attempts to use when linking:

{{{
make[2]: Entering directory `/home/dnssec/src/opendnssec-1.1.0/enforcer/utils'
/bin/sh ../libtool --tag=CC --mode=link gcc -std=c99 -g -O2 -pedantic -Wall -Wextra -o ods-ksmutil ksmutil.o ../ksm/libksm.a -lxml2 -lz -lm -L/usr/local/lib -lsqlite3 -L../../libhsm/src/.libs -lhsm -Wl,--as-needed -L/usr/lib -lnsl -lcrypto -lcrypto -lldns
libtool: link: `/usr/local/lib/libhsm.la' is not a valid libtool archive
}}}

As the opendnssec package is itself building libhsm it needs to ensure that the local copy in libhsm/src/.libs is always used.
--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Fri Jun 18 06:42:29 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 18 Jun 2010 06:42:29 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #64: .signed does not exist
In-Reply-To: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
References: <087.e18ca9b866c7d5cf0c024f3b53203684@kirei.se>
Message-ID: <096.ec80c4d67abefa53094cb0cbeb8282e1@kirei.se>

#64: .signed does not exist
--------------------------------------------------------------+-------------
Reporter: archi.laurent@?> | Owner: alex
Type: defect | Status: closed
Priority: blocker | Component: Signer
Version: trunk | Resolution: invalid
Keywords: .signed does not exist |
--------------------------------------------------------------+-------------

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From rickard.bellgrim at iis.se Fri Jun 18 13:29:39 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Fri, 18 Jun 2010 15:29:39 +0200
Subject: [Opendnssec-develop] Agenda for the code sprint
In-Reply-To:
References:
Message-ID:

On 10 jun 2010, at 09.48, Rickard Bellgrim wrote:

> We wanted to discuss some topics during the code sprint.
>
> Write down anything you have on your mind here:
> http://trac.opendnssec.org/wiki/Meetings/Agenda/2010-06-22-23

We now have a set of topics on the wiki. We can start the meeting by discussing the different topics and arranging them in a good order.
See you next week

// Rickard

From owner-dnssec-trac at kirei.se Tue Jun 22 13:26:16 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 22 Jun 2010 13:26:16 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #138: ods-hsmutil segfaults with AEP Keyper
In-Reply-To: <053.cec61dc1b538fc3316fcd1a4e1898d0a@kirei.se>
References: <053.cec61dc1b538fc3316fcd1a4e1898d0a@kirei.se>
Message-ID: <062.6aa6c838e6a042535b8efdc0377a0724@kirei.se>

#138: ods-hsmutil segfaults with AEP Keyper
----------------------------+-----------------------------------------------
Reporter: Kim Minh Kaplan | Owner: jakob
Type: defect | Status: closed
Priority: major | Component: libhsm
Version: trunk | Resolution: fixed
Keywords: |
----------------------------+-----------------------------------------------
Changes (by jakob):

  * status: accepted => closed
  * resolution: => fixed

Comment:

No response from user.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jun 22 13:42:35 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 22 Jun 2010 13:42:35 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #99: IWBN to have a structured output format
In-Reply-To: <087.00ca85b1cce0f69168a5e07b2450a157@kirei.se>
References: <087.00ca85b1cce0f69168a5e07b2450a157@kirei.se>
Message-ID: <096.bff6321573e2e8f2e4e59fb650ae3b37@kirei.se>

#99: IWBN to have a structured output format
---------------------------------------------------------------+------------
Reporter: Stéphane Bortzmeyer | Owner: jakob
Type: enhancement | Status: accepted
Priority: major | Component: Enforcer
Version: trunk | Keywords:
---------------------------------------------------------------+------------
Changes (by jakob):

  * owner: sion => jakob
  * status: new => accepted

Comment:

Yes, it would be nice to have and we will keep it in mind for a future version (including a GUI)

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jun 22 13:47:42 2010
From:
owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 22 Jun 2010 13:47:42 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #125: Can't setuid in ods-auditor
In-Reply-To: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
References: <063.6198b94bdc4e75a0cf14f9b2b61e44be@kirei.se>
Message-ID: <072.3eb49541f9e730003c58f003a90d0d04@kirei.se>

#125: Can't setuid in ods-auditor
--------------------------------------+-------------------------------------
Reporter: jaroslav.benkovsky@? | Owner: alex
Type: defect | Status: closed
Priority: minor | Component: Auditor
Version: 1.0.0 | Resolution: worksforme
Keywords: |
--------------------------------------+-------------------------------------
Changes (by alex):

  * status: new => closed
  * resolution: => worksforme

Comment:

No response so closing this ticket. Please re-open if this is still a problem.

Thanks,

Alex.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From Freddy.Keurntjes at sidn.nl Wed Jun 23 14:44:23 2010
From: Freddy.Keurntjes at sidn.nl (Freddy Keurntjes)
Date: Wed, 23 Jun 2010 14:44:23 +0000
Subject: [Opendnssec-develop] automated testing
Message-ID:

Hello,

The test engine we are using to run our automated tests has been approved for distribution. Enclosed in this mail you can find the test engine and example file.

If you have any questions, I'll be out of office until 30 June 2010 but you can contact Rick Zijlker in that period.

Best regards,
Freddy Keurntjes

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: opendnssec.tgz
Type: application/x-compressed
Size: 13783 bytes
Desc: opendnssec.tgz
URL:

From AlexD at nominet.org.uk Thu Jun 24 13:04:48 2010
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Thu, 24 Jun 2010 13:04:48 +0000
Subject: [Opendnssec-develop] automated testing
In-Reply-To:
References:
Message-ID: <04F40630-479E-430F-894D-068ADF7D80F5@nominet.org.uk>

Hi Freddy -

Thanks very much for open sourcing this engine!

I notice that there is an example test template included - do you have some actual test cases which we could use to test the OpenDNSSEC distribution, please?

Thanks!

Alex.

On 23 Jun 2010, at 15:44, Freddy Keurntjes wrote:

Hello,

The test engine we are using to run our automated tests has been approved for distribution. Enclosed in this mail you can find the test engine and example file.

If you have any questions, I'll be out of office until 30 June 2010 but you can contact Rick Zijlker in that period.

Best regards,
Freddy Keurntjes
_______________________________________________
Opendnssec-develop mailing list
Opendnssec-develop at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From rick.zijlker at sidn.nl Thu Jun 24 13:57:14 2010
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Thu, 24 Jun 2010 13:57:14 +0000
Subject: [Opendnssec-develop] automated testing
In-Reply-To: <04F40630-479E-430F-894D-068ADF7D80F5@nominet.org.uk>
References: <04F40630-479E-430F-894D-068ADF7D80F5@nominet.org.uk>
Message-ID:

Hey Alex,

The test template was based on the workbook I enclosed in this mail. Only C1T2 has content since that's executed with a small zone. Other 3 test cases are executed with the .nl zone which doesn't fit in this mail ;) .

I must say this test script is full under construction, but it should give an idea. Since I'm lacking a test environment here (should have it next Monday) I haven't been able to test the script yet.
You will need to check the paths for config files and zone file used in the test case and adjust them to your situation.

Cheers,
Rick

From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of Alex Dalitz
Sent: Thursday, June 24, 2010 3:05 PM
To: Freddy Keurntjes
Cc: opendnssec-develop at lists.opendnssec.org
Subject: Re: [Opendnssec-develop] automated testing

Hi Freddy -

Thanks very much for open sourcing this engine!

I notice that there is an example test template included - do you have some actual test cases which we could use to test the OpenDNSSEC distribution, please?

Thanks!

Alex.

On 23 Jun 2010, at 15:44, Freddy Keurntjes wrote:

Hello,

The test engine we are using to run our automated tests has been approved for distribution. Enclosed in this mail you can find the test engine and example file.

If you have any questions, I'll be out of office until 30 June 2010 but you can contact Rick Zijlker in that period.

Best regards,
Freddy Keurntjes
_______________________________________________
Opendnssec-develop mailing list
Opendnssec-develop at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

-------------- next part --------------
An HTML attachment was scrubbed...
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ods
Type: application/octet-stream
Size: 10294 bytes
Desc: ods
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: conf_key_rollovers.xml
Type: text/xml
Size: 1760 bytes
Desc: conf_key_rollovers.xml
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: kasp_key_rollovers.xml
Type: text/xml
Size: 9390 bytes
Desc: kasp_key_rollovers.xml
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: softhsm_key_rollovers.conf
Type: application/octet-stream
Size: 72 bytes
Desc: softhsm_key_rollovers.conf
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: key_rollovers_alex.xls
Type: application/vnd.ms-excel
Size: 45568 bytes
Desc: key_rollovers_alex.xls
URL:

From rick.zijlker at sidn.nl Fri Jun 25 10:47:24 2010
From: rick.zijlker at sidn.nl (Rick Zijlker)
Date: Fri, 25 Jun 2010 10:47:24 +0000
Subject: [Opendnssec-develop] Enforcer refers to old command
Message-ID:

Hey,

In ODS1.1.0 the enforcer refers to "ods-ksmutil key ksk-roll", but I think that should be "key ds-seen" right?

Log:
Jun 25 12:13:14 DEVELOPER15 ods-enforcerd: WARNING: KSK Retirement reached; please submit the new DS for ods and use ods-ksmutil key ksk-roll to roll the key.

Cheers,
Rick

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From owner-dnssec-trac at kirei.se Sun Jun 27 20:14:17 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Sun, 27 Jun 2010 20:14:17 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #140: ?????? ?????????? ?????????? ????????????
Message-ID: <047.24efa9919d80ee140aa7937ae50c5ca1@kirei.se>

#140: ?????? ?????????? ?????????? ????????????
----------------------+-----------------------------------------------------
Reporter: anonymous | Owner: alex
Type: defect | Status: new
Priority: blocker | Component: Auditor
Version: | Keywords:
----------------------+-----------------------------------------------------
--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jun 29 11:39:25 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 29 Jun 2010 11:39:25 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #141: Signer discarding the remaining zones if it has an issue with one zone
Message-ID: <060.bb4ad74136ff80b504801c3a8ad887ab@kirei.se>

#141: Signer discarding the remaining zones if it has an issue with one zone
-----------------------------------+----------------------------------------
Reporter: sunil.kakita@? | Owner: rb
Type: defect | Status: new
Priority: major | Component: Unknown
Version: trunk | Keywords:
-----------------------------------+----------------------------------------
Reproduction steps.

1. I have 10 zones for signing & the fourth zone file I have DS record in invalid format.
2. The signer failed @ the 4th zone.
3. No other zones are signed (only 3 zones are signed, till I corrected the DS Record of 4th zone)

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jun 29 11:47:42 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 29 Jun 2010 11:47:42 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #142: Need A Notifier After Enforcer Runs
Message-ID: <056.1411376a887a8188a643f26f526b9740@kirei.se>

#142: Need A Notifier After Enforcer Runs
-------------------------------+--------------------------------------------
Reporter: sunil.kakita@? | Owner: rb
Type: enhancement | Status: new
Priority: major | Component: Unknown
Version: trunk | Keywords:
-------------------------------+--------------------------------------------
1. After enforcer runs (periodically) I am getting my zones signed.
2. I want to reload the config file at that time, not everytime the zone signed. Only once after the enforcer runs.
3. For dynamic zones signing this is required.
--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jun 29 15:41:47 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 29 Jun 2010 15:41:47 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #143: ods-signer flush moves queue further away
Message-ID: <056.51661cc4481924e8e4b59b58961cef26@kirei.se>

#143: ods-signer flush moves queue further away
-------------------------------+--------------------------------------------
Reporter: dnssec@? | Owner: rb
Type: defect | Status: new
Priority: major | Component: Unknown
Version: trunk | Keywords:
-------------------------------+--------------------------------------------
This happens when I try to sign a zone. The time for the new signature is always 2 hours away. Even if I wait for two hours, it moves again 2 hours forward (without flush) so the zone never gets signed:

cmd> sign v6.inline-services.com
Zone scheduled for immediate resign
cmd> queue
It is now: 2010-06-29 15:39:11
I have 1 tasks scheduled
At 2010-06-29 17:39:08 I will sign zone v6.inline-services.com
cmd> flush
All tasks scheduled immediately
cmd> queue
It is now: 2010-06-29 15:39:20
I have 1 tasks scheduled
At 2010-06-29 17:39:17 I will sign zone v6.inline-services.com

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jun 30 08:49:13 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 30 Jun 2010 08:49:13 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #140: ?????? ?????????? ?????????? ????????????
In-Reply-To: <047.24efa9919d80ee140aa7937ae50c5ca1@kirei.se>
References: <047.24efa9919d80ee140aa7937ae50c5ca1@kirei.se>
Message-ID: <056.71bd77f74d6405dbe7918ea2e0f0e0ae@kirei.se>

#140: ?????? ?????????? ?????????? ????????????
----------------------+-----------------------------------------------------
Reporter: anonymous | Owner: alex
Type: defect | Status: closed
Priority: blocker | Component: Auditor
Version: | Resolution: invalid
Keywords: |
----------------------+-----------------------------------------------------
Changes (by rb):

  * status: new => closed
  * resolution: => invalid

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jun 30 08:55:13 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 30 Jun 2010 08:55:13 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #143: ods-signer flush moves queue further away
In-Reply-To: <056.51661cc4481924e8e4b59b58961cef26@kirei.se>
References: <056.51661cc4481924e8e4b59b58961cef26@kirei.se>
Message-ID: <065.87d61ed63fe05bab6a191e5ac10846ad@kirei.se>

#143: ods-signer flush moves queue further away
-------------------------------+--------------------------------------------
Reporter: dnssec@? | Owner: rb
Type: defect | Status: accepted
Priority: major | Component: Unknown
Version: trunk | Keywords:
-------------------------------+--------------------------------------------
Changes (by rb):

  * status: new => accepted

Comment:

Your zone is probably signed between the time you flush the queue until you view the content of the queue. It takes less than a second to sign a small zone.

The zone will be removed from the queue when it is in the process of being signed. It is then added to the queue again so that it will be re-signed, in your case, two hours later. We will only update the signatures if they are about to expire according to the refresh period.
--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jun 30 08:57:22 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 30 Jun 2010 08:57:22 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #141: Signer discarding the remaining zones if it has an issue with one zone
In-Reply-To: <060.bb4ad74136ff80b504801c3a8ad887ab@kirei.se>
References: <060.bb4ad74136ff80b504801c3a8ad887ab@kirei.se>
Message-ID: <069.043a5d712edecc8af7487537e885eceb@kirei.se>

#141: Signer discarding the remaining zones if it has an issue with one zone
-----------------------------------+----------------------------------------
Reporter: sunil.kakita@? | Owner: matthijs
Type: defect | Status: assigned
Priority: major | Component: Unknown
Version: trunk | Keywords:
-----------------------------------+----------------------------------------
Changes (by rb):

  * owner: rb => matthijs
  * status: new => assigned

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jun 30 09:01:10 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 30 Jun 2010 09:01:10 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #142: Need A Notifier After Enforcer Runs
In-Reply-To: <056.1411376a887a8188a643f26f526b9740@kirei.se>
References: <056.1411376a887a8188a643f26f526b9740@kirei.se>
Message-ID: <065.e738fc9d4cfa7f412f8305983b4f5be6@kirei.se>

#142: Need A Notifier After Enforcer Runs
-------------------------------+--------------------------------------------
Reporter: sunil.kakita@? | Owner: rb
Type: enhancement | Status: accepted
Priority: major | Component: Unknown
Version: trunk | Keywords:
-------------------------------+--------------------------------------------
Changes (by rb):

  * status: new => accepted

Comment:

Are you using your own signer? Or why do you want to read the updated signer configuration?

If you have your own signer, then try to hijack the '''ods-signer''' command.
The enforcer will call '''ods-signer update ''' when the signer configuration has been updated.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jun 30 09:05:13 2010
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 30 Jun 2010 09:05:13 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #139: ods-auditor fails on root zone
In-Reply-To: <059.08d771def356f88883519f24053db8c9@kirei.se>
References: <059.08d771def356f88883519f24053db8c9@kirei.se>
Message-ID: <068.f3072f7bd4bcabdc886ff2875f387c84@kirei.se>

#139: ods-auditor fails on root zone
----------------------------------+-----------------------------------------
Reporter: dwessels@? | Owner: rb
Type: defect | Status: accepted
Priority: minor | Component: Auditor
Version: trunk | Keywords:
----------------------------------+-----------------------------------------
Changes (by rb):

  * owner: alex => rb
  * status: new => accepted

Comment:

The fix is scheduled for 1.3, but may be included in 1.2

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From rickard.bellgrim at iis.se Wed Jun 30 13:33:37 2010
From: rickard.bellgrim at iis.se (Rickard Bellgrim)
Date: Wed, 30 Jun 2010 15:33:37 +0200
Subject: [Opendnssec-develop] Upcoming meetings
Message-ID: <47D414F3-A252-4E1B-B7CD-8F9FBAE11F0A@iis.se>

Hi

Should we have the next meeting on 7th July, 14-15 CEST, 13-14 BST? If we have any topics (besides v1.1.1)?

We should also schedule a face-to-face meeting during IETF78. Please fill in the Doodle.
http://www.doodle.com/rcxpnyit4ut88c22

// Rickard

From patrik.wallstrom at iis.se Wed Jun 30 15:10:53 2010
From: patrik.wallstrom at iis.se (Patrik Wallström)
Date: Wed, 30 Jun 2010 17:10:53 +0200
Subject: [Opendnssec-develop] Upcoming meetings
In-Reply-To: <47D414F3-A252-4E1B-B7CD-8F9FBAE11F0A@iis.se>
References: <47D414F3-A252-4E1B-B7CD-8F9FBAE11F0A@iis.se>
Message-ID: <2E82E333-7DEF-4B0D-B126-AFEE1F9DF790@iis.se>

About meeting during the IETF, the schedule has not yet been finalized.

On 30 jun 2010, at 15:34, Rickard Bellgrim wrote:

> Hi
>
> Should we have the next meeting on 7th July, 14-15 CEST, 13-14 BST? If we have any topics (besides v1.1.1)?
>
> We should also schedule a face-to-face meeting during IETF78. Please fill in the Doodle.
> http://www.doodle.com/rcxpnyit4ut88c22
>
> // Rickard_______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
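
Tickets #127 and #133 in this archive were closed with two changes: uint32_t parameters are parsed with strtoul instead of atol, and with no .serial file any input serial counts as larger than the output serial. The C sketch below is an added example, not OpenDNSSEC's code and not part of any message above; the names legacy_serial, parse_serial, serial_gt and check_keep are hypothetical, and comparing serials with RFC 1982 arithmetic is an assumption of the sketch.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Pre-fix pattern named in #127: atol() reports no errors and returns a
 * signed long, so the cast hides signs, trailing junk and overflow. */
uint32_t legacy_serial(const char *text)
{
    return (uint32_t)atol(text);
}

/* Hardened parse (hypothetical helper): 0 on success, -1 on bad input. */
int parse_serial(const char *text, uint32_t *out)
{
    char *end = NULL;
    unsigned long value;

    /* strtoul() skips whitespace and accepts a sign ("-1" becomes
     * ULONG_MAX), so require the text to start with a digit. */
    if (text == NULL || !isdigit((unsigned char)text[0]))
        return -1;
    errno = 0;
    value = strtoul(text, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    /* unsigned long is 64 bits on LP64 systems, so range-check as well. */
    if (value > UINT32_MAX)
        return -1;
    *out = (uint32_t)value;
    return 0;
}

/* RFC 1982 serial arithmetic: true when a is newer than b, including
 * across the 2^32 wrap. Using it here is an assumption of this sketch. */
bool serial_gt(uint32_t a, uint32_t b)
{
    return a != b && (uint32_t)(a - b) < 0x80000000U;
}

typedef enum { KEEP_OK, KEEP_BAD_INPUT, KEEP_NOT_INCREASED } keep_result;

/* "keep" policy check. prev_output is NULL when no earlier output serial
 * was stored; as described in #133, any valid input then passes. */
keep_result check_keep(const char *input_text, const uint32_t *prev_output,
                       uint32_t *serial)
{
    if (parse_serial(input_text, serial) != 0)
        return KEEP_BAD_INPUT;
    if (prev_output != NULL && !serial_gt(*serial, *prev_output))
        return KEEP_NOT_INCREASED;
    return KEEP_OK;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real zone. */
    const char *samples[] = { "1000", "3000000000", "4294967296", "-1", "1000abc" };
    const uint32_t prev = 1000;   /* constructed earlier output serial */
    static const char *names[] = { "ok", "bad input", "not increased" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t serial = 0;
        keep_result r = check_keep(samples[i], &prev, &serial);
        printf("%-12s legacy=%-10lu keep: %s\n", samples[i],
               (unsigned long)legacy_serial(samples[i]), names[r]);
    }
    return 0;
}
```

The input 1000 against a stored output serial of 1000 is the case from the "Serial too large" report at the top of this archive: it is rejected as not increased, while the same input with no stored serial is accepted.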