From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 1 Dec 2011 08:58:58 +0100
Subject: [Opendnssec-develop] Re: OpenDNSSEC teleconf

> Please select your preferred dates and times.
> http://www.doodle.com/cpse68y7cte84ay2

Thank you for the input. We will have the meeting on Friday.

Date: Friday 2 December
Time: 15:00-16:00 CET, 14:00-15:00 GMT

https://wiki.opendnssec.org/display/OpenDNSSEC/2011-12-02+Agenda

// Rickard


From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 02 Dec 2011 11:36:04 +0100
Subject: [Opendnssec-develop] JIRA setup documentation, can someone look at it please?

Hi,

So I have made some documentation about the JIRA setup and I would like someone else to look at it, spelling and such.

I've started a small FAQ, if anyone comes up with more questions feel free to add them.

https://wiki.opendnssec.org/display/OpenDNSSEC/JIRA

/Jerry


From: sion at nominet.org.uk (Siôn Lloyd)
Date: Fri, 2 Dec 2011 14:56:25 +0000
Subject: [Opendnssec-develop] ods-kaspcheck requirements
Message-ID: <4ED8E719.8050900@nominet.org.uk>

Hi.

During the conference call I said that I would port the kaspcheck code to C, to remove our Ruby dependency.

The requirements used to be at this page:

trac.opendnssec.org/wiki/Signer/ConfigurationChecker

Which does not seem to have been ported to Confluence. Is there a way to recover the text? (I tried the wayback machine, no joy there :( )

If not I'll recreate them from the code and ask someone to review them.

Cheers,

Sion
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 02 Dec 2011 16:05:00 +0100
Subject: [Opendnssec-develop] ods-kaspcheck requirements
In-Reply-To: <4ED8E719.8050900@nominet.org.uk>

On 2011-12-02 15.56, Siôn Lloyd wrote:
> trac.opendnssec.org/wiki/Signer/ConfigurationChecker

https://wiki.opendnssec.org/pages/viewpage.action?pageId=1179661

/Jerry


From: rick at openfortress.nl (Rick van Rein)
Date: Fri, 2 Dec 2011 15:09:52 +0000
Subject: [Opendnssec-develop] Minutes 2011-12-02 online
Message-ID: <20111202150952.GB13724@phantom.vanrein.org>

Hello,

The latest and greatest (?!?) minutes are now online:

https://wiki.opendnssec.org/display/OpenDNSSEC/2011-12-02+(Project+meeting%2C+telephone)

-Rick


From: jad at sinodun.com (John Dickinson)
Date: Sat, 3 Dec 2011 19:36:13 +0000
Subject: [Opendnssec-develop] build is broken

Hi,

FYI: The build is broken.

John
---
jad at sinodun.com
Sinodun Internet Technologies Ltd.
Stables 4, Suite 11,
Howbery Park,
Wallingford,
Oxfordshire,
OX10 8BA,
U.K.

+44 (0)1491 834957
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Sun, 04 Dec 2011 15:22:52 +0100
Subject: [Opendnssec-develop] build is broken
Message-ID: <4EDB823C.8000206@nlnetlabs.nl>

Works for me.

On 12/03/2011 08:36 PM, John Dickinson wrote:
> Hi,
>
> FYI: The build is broken.
>
> John
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
From: jad at sinodun.com (John Dickinson)
Date: Sun, 4 Dec 2011 14:46:42 +0000
Subject: [Opendnssec-develop] build is broken
In-Reply-To: <4EDB823C.8000206@nlnetlabs.nl>
Message-ID: <3FC341F3-3A17-49B7-A21D-EC4C52ADB531@sinodun.com>

There is a clear pattern here

https://jenkins.opendnssec.org/job/Build_OpenDNSSEC/

Of course it could be the build script.

John

On 4 Dec 2011, at 14:22, Matthijs Mekking wrote:
> Works for me.
>
> On 12/03/2011 08:36 PM, John Dickinson wrote:
>> Hi,
>>
>> FYI: The build is broken.
>>
>> John

---
jad at sinodun.com
Sinodun Internet Technologies Ltd.
Stables 4, Suite 11,
Howbery Park,
Wallingford,
Oxfordshire,
OX10 8BA,
U.K.

+44 (0)1491 834957
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Sun, 04 Dec 2011 16:56:51 +0100
Subject: [Opendnssec-develop] build is broken
In-Reply-To: <3FC341F3-3A17-49B7-A21D-EC4C52ADB531@sinodun.com>
Message-ID: <4EDB9843.4000004@nlnetlabs.nl>

Ok, thanks for the link. I still have to get used to working with Jenkins.

The protocol family declarations are missing, commit r5961 might fix that.

Best regards,
Matthijs

PS: I think it is a good time to ask for a Jenkins account, or at least a password reset.

On 12/04/2011 03:46 PM, John Dickinson wrote:
> There is a clear pattern here
>
> https://jenkins.opendnssec.org/job/Build_OpenDNSSEC/
>
> Of course it could be the build script.
>
> John
>
> On 4 Dec 2011, at 14:22, Matthijs Mekking wrote:
>> Works for me.
>>
>> On 12/03/2011 08:36 PM, John Dickinson wrote:
>>> Hi,
>>>
>>> FYI: The build is broken.
>>>
>>> John
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Mon, 05 Dec 2011 13:01:09 +0100
Subject: [Opendnssec-develop] Signer Enforcer Communication
In-Reply-To: <4ED3BD64.5050007@nlnetlabs.nl>
Message-ID: <4EDCB285.7030802@nlnetlabs.nl>

While Matthijs is enjoying the sun, could you help verify I'm correct?

In order to support smooth rollovers the enforcer must wait TTL + some additional_time when transitioning an RRSIG state from rumoured to omnipresent. (Signatures only get replaced when they expire.)

What is "additional_time"? I think:

additional_time = Signatures->Validity->default + Signatures->Jitter

As the enforcer I do not know the actual jitter value, so I must wait the worst-case time (I wait at most 2*jitter too long).

I believe I can ignore the refresh and resign intervals.

//yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Mon, 5 Dec 2011 15:32:25 +0000
Subject: [Opendnssec-develop] ods-kaspcheck requirements
Message-ID: <4EDCE409.2060807@nominet.org.uk>

Thank you Jerry.

I've added that page back to the main site (no longer under signer though)...

https://wiki.opendnssec.org/display/OpenDNSSEC/Configuration+Checker+%28ods-kaspcheck%29

They seem sensible on a quick look through; if anyone would like to comment on them, or update them, now would be a good time ;) .

Sion
From: patrik.wallstrom at iis.se (Patrik Wallström)
Date: Tue, 6 Dec 2011 10:00:41 +0100
Subject: [Opendnssec-develop] ods-kaspcheck requirements
In-Reply-To: <4EDCE409.2060807@nominet.org.uk>
Message-ID: <3E86529D-AE25-45B2-921D-2FB4F98EA34A@iis.se>

On Dec 5, 2011, at 4:32 PM, Siôn Lloyd wrote:
> Thank you Jerry.
>
> I've added that page back to the main site (no longer under signer
> though)...
>
> https://wiki.opendnssec.org/display/OpenDNSSEC/Configuration+Checker+%28ods-kaspcheck%29
>
> They seem sensible on a quick look through; if anyone would like to
> comment on them, or update them, now would be a good time ;) .

The only thing I got curious about was the month duration equals 31 days. This is from the ISO 8601 document:

2.2.12
month
duration of 28, 29, 30 or 31 calendar days depending on the start and/or the end of the corresponding time interval within the specific calendar month

NOTE 1 The term "month" applies also to the duration of any time interval which starts at a certain time of day at a certain calendar day of the calendar month and ends at the same time of day at the same calendar day of the next calendar month, if it exists. In other cases the ending calendar day has to be agreed on.

NOTE 2 In certain applications a month is considered as a duration of 30 calendar days.

So our 31 days approximation seems unusual. Maybe change it to 30?

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Tue, 6 Dec 2011 09:26:58 +0000
Subject: [Opendnssec-develop] ods-kaspcheck requirements
In-Reply-To: <3E86529D-AE25-45B2-921D-2FB4F98EA34A@iis.se>
Message-ID: <4EDDDFE2.5000705@nominet.org.uk>

On 06/12/11 09:00, Patrik Wallström wrote:
> On Dec 5, 2011, at 4:32 PM, Siôn Lloyd wrote:
>
>> Thank you Jerry.
>>
>> I've added that page back to the main site (no longer under signer
>> though)...
>>
>> https://wiki.opendnssec.org/display/OpenDNSSEC/Configuration+Checker+%28ods-kaspcheck%29
>>
>> They seem sensible on a quick look through; if anyone would like to
>> comment on them, or update them, now would be a good time ;) .
>
> The only thing I got curious about was the month duration equals 31 days. This is from the ISO 8601 document:
>
> 2.2.12
> month
> duration of 28, 29, 30 or 31 calendar days depending on the start and/or the end of the corresponding time
> interval within the specific calendar month
> NOTE 1 The term "month" applies also to the duration of any time interval which starts at a certain time of day at a certain calendar day of the calendar month and ends at the same time of day at the same calendar day of the next calendar month, if it exists. In other cases the ending calendar day has to be agreed on.
> NOTE 2 In certain applications a month is considered as a duration of 30 calendar days.
>
> So our 31 days approximation seems unusual. Maybe change it to 30?
>

We had a discussion on this subject quite a while ago, I can't actually find it at the moment. I _think_ that the theory is that if we use 31 days we will never be short.

This behaviour is documented here:

https://wiki.opendnssec.org/display/DOCS/Date+Time+durations

This is the behaviour of the current enforcer, is it also true of the enforcerNG?

Sion
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Tue, 6 Dec 2011 10:52:18 +0000
Subject: [Opendnssec-develop] ods-kaspcheck requirements
In-Reply-To: <4EDDDFE2.5000705@nominet.org.uk>
Message-ID: <7229AA40-FA96-40F2-959B-4BBACB7C31B9@nominet.org.uk>

>> So our 31 days approximation seems unusual. Maybe change it to 30?
>>
>
> We had a discussion on this subject quite a while ago, I can't actually find it at the moment. I _think_ that the theory is that if we use 31 days we will never be short.

I don't think we should change the existing behaviour, for backwards compatibility reasons. Existing installations of OpenDNSSEC have been configured against these values, and changing them now would alter the behaviour of existing installations - against the Principle of Least Surprise.

Alex.


From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Wed, 7 Dec 2011 09:54:27 +0100
Subject: [Opendnssec-develop] ods-kaspcheck requirements
In-Reply-To: <4EDCE409.2060807@nominet.org.uk>

> They seem sensible on a quick look through; if anyone would like to comment
> on them, or update them, now would be a good time ;) .

I have added some more information on the key size checks:

***
The key strength should be checked for sanity - warn if less than 1024 or error if more than 4096. Only do this check for RSA.
***

We should error if the key size is larger than 4096, because that is not supported in DNSSEC. And this only applies to RSA.
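One way to implement the key-size check Rickard describes, written as an added example in Python rather than as the kaspcheck code itself (neither the Ruby original nor the C port Siôn is working on). It assumes kasp.xml places the key length in the length attribute of each KSK/ZSK Algorithm element and the DNSSEC algorithm number in its text; the RSA_ALGORITHMS set, the constructed sample policy file and the function names are mine.

```python
import xml.etree.ElementTree as ET

# IANA DNSSEC algorithm numbers whose keys are RSA keys (RSASHA1,
# RSASHA1-NSEC3-SHA1, RSASHA256, RSASHA512). This set is mine, not kaspcheck's.
RSA_ALGORITHMS = {5, 7, 8, 10}
MIN_RSA_BITS = 1024   # warn below this
MAX_RSA_BITS = 4096   # error above this: larger RSA keys are not supported in DNSSEC

# Constructed kasp.xml fragment, trimmed to the elements the check looks at.
# Assumed layout: <Algorithm length="bits">number</Algorithm> under KSK / ZSK.
# Policy "oversized" has an 8192-bit RSA KSK and a non-RSA (algorithm 13) ZSK,
# the latter to show that the size check is skipped for non-RSA algorithms.
SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Keys>
      <KSK><Algorithm length="2048">8</Algorithm></KSK>
      <ZSK><Algorithm length="512">8</Algorithm></ZSK>
    </Keys>
  </Policy>
  <Policy name="oversized">
    <Keys>
      <KSK><Algorithm length="8192">8</Algorithm></KSK>
      <ZSK><Algorithm length="256">13</Algorithm></ZSK>
    </Keys>
  </Policy>
</KASP>"""


def check_key_sizes(kasp_xml):
    """Return a list of (level, policy, keytype, message) findings.

    Mirrors the requirement in the thread: RSA keys below 1024 bits give a
    warning, RSA keys above 4096 bits give an error, other algorithms are
    left alone.
    """
    findings = []
    root = ET.fromstring(kasp_xml)
    for policy in root.findall("Policy"):
        name = policy.get("name", "?")
        for keytype in ("KSK", "ZSK"):
            for alg in policy.findall(f"Keys/{keytype}/Algorithm"):
                try:
                    number = int((alg.text or "").strip())
                    bits = int(alg.get("length"))
                except (TypeError, ValueError):
                    findings.append(("ERROR", name, keytype,
                                     "malformed Algorithm element"))
                    continue
                if number not in RSA_ALGORITHMS:
                    continue  # the size sanity check applies to RSA only
                if bits > MAX_RSA_BITS:
                    findings.append(("ERROR", name, keytype,
                                     f"key size {bits} > {MAX_RSA_BITS}, "
                                     "not supported in DNSSEC"))
                elif bits < MIN_RSA_BITS:
                    findings.append(("WARNING", name, keytype,
                                     f"key size {bits} < {MIN_RSA_BITS}"))
    return findings


if __name__ == "__main__":
    for level, policy, keytype, message in check_key_sizes(SAMPLE_KASP):
        print(f"{level}: policy {policy} {keytype}: {message}")
```

Running it on the sample file reports one warning (the 512-bit ZSK of "default") and one error (the 8192-bit KSK of "oversized"); the algorithm-13 ZSK produces nothing because only RSA lengths are checked.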
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 09 Dec 2011 11:05:53 +0100
Subject: [Opendnssec-develop] We need to push out 1.3.4 now!

Hi,

We really need to push out 1.3.4 immediately!

The drudgers notifications added in 1.3.3 really break the signing if your signing is a bit slow. When the queue is full it will spam 10,000s of messages per second about the queue being full and that in its turn slows down signing and can fill the syslog very fast.

The main issue I see is that the worker thread keeps trying to add items on the fifoq and it's very bad because it will use 100% CPU if it can. This MUST be changed to a secondary condition broadcast so that when there is space in the fifoq it will notify anyone that wants to write to it. Then you will have threads waiting to write instead of trying some million times a second!

I've added an issue about it: https://issues.opendnssec.org/browse/OPENDNSSEC-178 .

3 issues left for 1.3.4, 1 I hope to finish today, other two? Finish or push for 1.3.5?
https://issues.opendnssec.org/browse/OPENDNSSEC-21 Alex
https://issues.opendnssec.org/browse/OPENDNSSEC-175 Jerry
https://issues.opendnssec.org/browse/OPENDNSSEC-176 Sion

1.3.2:

Dec 9 10:33:43 osd ods-signerd: [engine] signer started
Dec 9 10:33:43 osd ods-signerd: [signconf] zone test.se signconf: RESIGN[PT300S] REFRESH[PT2700S] VALIDITY[PT3600S] DENIAL[PT3600S] JITTER[PT120S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT60S] SOATTL[PT60S] MINIMUM[PT60S] SERIAL[unixtime] AUDIT[0]
Dec 9 10:34:00 osd ods-signerd: [STATS] test.se RR[count=10003 time=1(sec)] NSEC3[count=10002 time=0(sec)] RRSIG[new=20008 reused=0 time=16(sec) avg=1250(sig/sec)] AUDIT[time=0(sec)] TOTAL[time=17(sec)]
Dec 9 10:34:18 osd ods-signerd: [engine] signer shutdown

1.3.3:

Dec 9 10:34:47 osd ods-signerd: [engine] signer started
Dec 9 10:34:47 osd ods-signerd: [signconf] zone test.se signconf: RESIGN[PT300S] REFRESH[PT2700S] VALIDITY[PT3600S] DENIAL[PT3600S] JITTER[PT120S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT60S] SOATTL[PT60S] MINIMUM[PT60S] SERIAL[unixtime] AUDIT[0]
Dec 9 10:34:47 osd ods-signerd: [data] unable to use unixtime 1323423287 as serial: not greater than inbound serial 2011102400
Dec 9 10:34:47 osd ods-signerd: [fifo] max cap reached, but drudgers seem to be on hold, notify drudgers again
Dec 9 10:35:04 osd ods-signerd: last message repeated 237391 times
Dec 9 10:35:04 osd ods-signerd: [worker[1]] sign zone test.se failed: 4 of 1003 signatures completed
Dec 9 10:35:04 osd ods-signerd: [worker[1]] backoff task [read] for zone test.se with 60 seconds
Dec 9 10:35:04 osd ods-signerd: [engine] signer shutdown

CPU usage was 25% opendnssec and 75% rsyslogd.

/Jerry
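The queue behaviour Jerry asks for above, as an added illustration that is not OpenDNSSEC code: a bounded FIFO in Python where a producer that finds the queue full waits on a condition variable which the consumers (the drudgers, in the signer's terms) signal when they free a slot, instead of retrying the push in a loop. The BoundedFifo class, the run_simulation helper and the push_waits counter are mine; the queue bound and the stream of items are constructed for the demo.

```python
import threading
from collections import deque


class BoundedFifo:
    """Bounded FIFO: push() blocks on a 'not full' condition instead of
    spinning, and pop() notifies that condition when it frees a slot."""

    def __init__(self, max_count):
        self._items = deque()
        self._max_count = max_count
        lock = threading.Lock()
        # Both conditions share one lock, so a pop() can notify producers
        # while it still holds the queue lock.
        self._not_full = threading.Condition(lock)   # signalled by pop()
        self._not_empty = threading.Condition(lock)  # signalled by push()
        self.push_waits = 0  # diagnostic: how often push() had to sleep

    def push(self, item):
        with self._not_full:
            # A loop, not an 'if': wait() can return without the slot still
            # being free if another producer grabbed it first.
            while len(self._items) >= self._max_count:
                self.push_waits += 1
                self._not_full.wait()
            self._items.append(item)
            self._not_empty.notify()

    def pop(self):
        with self._not_empty:
            while not self._items:
                self._not_empty.wait()
            item = self._items.popleft()
            self._not_full.notify()  # a slot is free: wake one waiting producer
            return item


_STOP = object()  # sentinel telling a consumer to exit


def run_simulation(n_items, max_count, n_consumers=2):
    """One producer pushes n_items through a queue bounded at max_count while
    n_consumers drain it. Returns (sorted items seen, number of push waits)."""
    q = BoundedFifo(max_count)
    seen = []
    seen_lock = threading.Lock()

    def consumer():
        while True:
            item = q.pop()
            if item is _STOP:
                return
            with seen_lock:
                seen.append(item)

    workers = [threading.Thread(target=consumer) for _ in range(n_consumers)]
    for w in workers:
        w.start()
    for i in range(n_items):
        q.push(i)
    for _ in workers:
        q.push(_STOP)
    for w in workers:
        w.join()
    return sorted(seen), q.push_waits


if __name__ == "__main__":
    seen, waits = run_simulation(1000, 10)
    print(f"{len(seen)} items processed, producer blocked {waits} times "
          "(a retry loop would have spun far more often)")
```

Every wait in push() is ended by a notify from a pop(), so the wait count can never exceed the number of items consumed; with a retry loop the count of failed push attempts is unbounded and grows with CPU speed, which is what the "last message repeated 237391 times" log line above shows.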
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Fri, 9 Dec 2011 10:15:09 +0000
Subject: [Opendnssec-develop] Re: We need to push out 1.3.4 now!
Message-ID: <399781DC-BEBB-44F2-9A9D-DBE18C8E480E@nominet.org.uk>

> https://issues.opendnssec.org/browse/OPENDNSSEC-21 Alex

I'm not sure that this is an issue, or whether it needs to be fixed. I'm not sure what caused Volker's problems - Rickard has noted that "this needn't be fixed in the auditor".

I would propose to ignore this issue for now.

Alex.


From: sion at nominet.org.uk (Siôn Lloyd)
Date: Fri, 9 Dec 2011 10:37:54 +0000
Subject: [Opendnssec-develop] Re: We need to push out 1.3.4 now!
Message-ID: <4EE1E502.3060609@nominet.org.uk>

On 09/12/11 10:05, Jerry Lundström wrote:
> https://issues.opendnssec.org/browse/OPENDNSSEC-176 Sion
>

I have a patch for this, as can be seen in the comments. It has a side-effect of requiring manual removal of the old pidfile after a crash or unclean shutdown.

I don't mind if this waits for a 1.3.5 as the behaviour has been like this since 1.0.

Sion
From: rick at openfortress.nl (Rick van Rein)
Date: Fri, 9 Dec 2011 11:05:54 +0000
Subject: [Opendnssec-develop] We need to push out 1.3.4 now!
Message-ID: <20111209110554.GE10274@phantom.vanrein.org>

Hi,

> We really need to push out 1.3.4 immediately!

Sounds serious.

> 3 issues left for 1.3.4, 1 I hope to finish today, other two? Finish or
> push for 1.3.5?
>
> https://issues.opendnssec.org/browse/OPENDNSSEC-21 Alex
> https://issues.opendnssec.org/browse/OPENDNSSEC-175 Jerry
> https://issues.opendnssec.org/browse/OPENDNSSEC-176 Sion

Rather than expediting unrelated plans and risking to introduce new bugs, is it an idea to _only_ fix the issue and leave the rest for 1.3.5? It does not sound like there'd be time for proper testing, and two faulty versions in a row can't be good for OpenDNSSEC's name.

Just my thoughts.

Cheers,
-Rick


From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 9 Dec 2011 13:05:16 +0100
Subject: [Opendnssec-develop] We need to push out 1.3.4 now!
Message-ID: <213EFD62-A907-468E-A551-5BA5A9850D52@kirei.se>

Just tell me the magic work and I'll do the release.

jakob
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 09 Dec 2011 13:40:59 +0100
Subject: [Opendnssec-develop] We need to push out 1.3.4 now!
In-Reply-To: <20111209110554.GE10274@phantom.vanrein.org>

On 2011-12-09 12.05, Rick van Rein wrote:
> Rather than expediting unrelated plans and risking to introduce new bugs,
> is it an idea to _only_ fix the issue and leave the rest for 1.3.5?
> It does not sound like there'd be time for proper testing, and two
> faulty versions in a row can't be good for OpenDNSSEC's name.

Yeah, thought of that. But even better would be to just push out 1.3.4 with the drudger message fix.

My suggestion is to copy release/OpenDNSSEC-1.3.3 and add these patches which are already in branches/OpenDNSSEC-1.3:

Index: signer/src/scheduler/fifoq.c
===================================================================
--- signer/src/scheduler/fifoq.c	(revision 5893)
+++ signer/src/scheduler/fifoq.c	(revision 5907)
@@ -145,7 +145,7 @@
         /* #262 if drudgers remain on hold, do additional broadcast */
         if (*tries > FIFOQ_TRIES_COUNT) {
             lock_basic_broadcast(&q->q_threshold);
-            ods_log_warning("[%s] max cap reached, but drudgers seem to be "
+            ods_log_debug("[%s] max cap reached, but drudgers seem to be "
                 "on hold, notify drudgers again", fifoq_str);
             /* reset tries */
             *tries = 0;
Index: signer/src/scheduler/fifoq.h
===================================================================
--- signer/src/scheduler/fifoq.h	(revision 5893)
+++ signer/src/scheduler/fifoq.h	(revision 5907)
@@ -53,7 +53,7 @@
 #include

 #define FIFOQ_MAX_COUNT 1000
-#define FIFOQ_TRIES_COUNT 100
+#define FIFOQ_TRIES_COUNT 10000

 /**
  * FIFO Queue.

And add this change:

Index: signer/src/signer/rrset.c
===================================================================
--- signer/src/signer/rrset.c	(revision 5966)
+++ signer/src/signer/rrset.c	(working copy)
@@ -45,6 +45,7 @@
 #include
 #include
+#include

 static const char* rrset_str = "rrset";
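Review bot: the fifoq.c hunk only lowers the "max cap reached, but drudgers seem to be on hold" message from ods_log_warning to ods_log_debug, which stops the syslog flooding shown in the 1.3.3 log but leaves the retry loop that emits it untouched, so the commit message should say this is a symptom fix. Consider keeping one rate-limited warning (for example, log once when the first backoff happens) so operators still find out that the drudgers are not keeping up; at debug level the "last message repeated N times" lines that made the problem visible disappear as well.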
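Review bot: raising FIFOQ_TRIES_COUNT from 100 to 10000 in the fifoq.h hunk makes the pusher retry a hundred times longer before fifoq_push() re-broadcasts q_threshold, and that extra broadcast is the only thing in these hunks that helps stalled drudgers recover. Jerry's follow-up in this thread reports better throughput after setting it back to 100, so this value should be reverted or justified in the commit message before it ships in 1.3.4.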
@@ -1144,10 +1145,17 @@
     ods_log_assert(q);
     while (status == ODS_STATUS_UNCHANGED && !worker->need_to_exit) {
+        tries++;
         lock_basic_lock(&q->q_lock);
         status = fifoq_push(q, (void*) rrset, worker, &tries);
         lock_basic_unlock(&q->q_lock);
-        tries++;
+        /**
+         * If tries are 0 they we have tries FIFOQ_TRIES_COUNT times,
+         * lets take a small break to not hog CPU.
+         */
+        if (status == ODS_STATUS_UNCHANGED && !tries) {
+            usleep(10000);
+        }
     }
     if (status == ODS_STATUS_OK) {
         lock_basic_lock(&worker->worker_lock);

Comments? I will test this now.

/Jerry


From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 09 Dec 2011 14:01:51 +0100
Subject: [Opendnssec-develop] We need to push out 1.3.4 now!

It works perfectly!

I also lowered the FIFOQ_TRIES_COUNT to 100 to enable it to usleep() more often and got a nice side effect. Signing with SoftHSM on a single core machine increased 2.14 times, from 1333/sec to 2858/sec.

/Jerry


From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 09 Dec 2011 14:23:41 +0100
Subject: [Opendnssec-develop] We need to push out 1.3.4 now!
In-Reply-To: <213EFD62-A907-468E-A551-5BA5A9850D52@kirei.se>

On 2011-12-09 13.05, Jakob Schlyter wrote:
> Just tell me the magic work and I'll do the release.

Magic worK, hmm okay... Work it now be-atch! :D

releases/OpenDNSSEC-1.3.4

/Jerry
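Review bot: in the rrset.c hunk at @@ -1144,10 +1145,17 @@ the worker still polls: usleep(10000) is a fixed delay, not a wait on a condition that the drudgers signal when a slot frees, which the opening mail of this thread names as the proper fix (a secondary condition broadcast). Acceptable as a stopgap for 1.3.4, but OPENDNSSEC-178 should stay open and the commit message should say so. Two smaller points: moving tries++ ahead of fifoq_push() makes the counter reach FIFOQ_TRIES_COUNT one attempt earlier than before, and the `!tries` test depends on fifoq_push() resetting the counter to 0, which deserves a comment at the call site; and the added comment has typos ("they we have tries" should read "then we have tried", "lets" should be "let's").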
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Mon, 12 Dec 2011 15:34:15 +0000
Subject: [Opendnssec-develop] Signer ToolsDirectory
Message-ID: <4EE61EF7.5050504@nominet.org.uk>

Hi there.

I am working on the kaspcheck script and am working through conf.xml working out what I need to check.

Could someone who is more familiar with the signer confirm that the ToolsDirectory is no longer used? I'll not check it if that is the case.

Cheers,

Sion


From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 15 Dec 2011 15:41:57 +0100
Subject: [Opendnssec-develop] Meeting tomorrow

Hi

We have a telephone meeting tomorrow. The draft agenda can be found here:
https://wiki.opendnssec.org/display/OpenDNSSEC/2011-12-16+Agenda

// Rickard
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 16 Dec 2011 14:21:02 +0100
Subject: [Opendnssec-develop] Redesign of Jenkins - feedback needed!
Message-ID: <625EF588-FAAB-4001-9A58-D32F1492BDDA@opendnssec.org>

Hi,

I am about to redesign the setup of Jenkins we have because I feel that in the long run it won't work the way it's set up right now.

My reasons behind this are:

- Too large version matrix makes it complex and hard to maintain
- One setup of scripts, tests and jobs
  Scripts and tests need to understand what versions are running if there are different build options / configurations etc
  Test results will be misguided if they don't apply for the version and just return success

Redesign:

- Model as branches/trunk we have today
  All files inside branches/trunk but not included in release
  Jenkins tab per branch
- Simplify Jenkins jobs for now
  One build job per branch
  One test job per branch
- Manually build external dependencies for now
  Document in wiki what distributions and dependency versions are used/tested
  Ignore cases where we have two versions of dependencies for now, just use one
- Simplify test
  Scriptish based tests as SIDN has today, they shouldn't need to know versions, paths etc

Today SIDN have made 220 tests that are based on keywords in an Excel file that is parsed by a Perl program and executed. It should be easy to support that exact layout and to export and import all 220 tests.

I will bring this up at the meeting today also.

/Jerry

--
Jerry Lundström
OpenDNSSEC Developer
http://www.opendnssec.org/
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Fri, 16 Dec 2011 15:07:26 +0000
Subject: [Opendnssec-develop] Meeting tomorrow
Message-ID: <4EEB5EAE.1020702@nominet.org.uk>

On 15/12/11 14:41, Rickard Bellgrim wrote:
> Hi
>
> We have a telephone meeting tomorrow. The draft agenda can be found here:
> https://wiki.opendnssec.org/display/OpenDNSSEC/2011-12-16+Agenda
>
> // Rickard

Here are the notes...

https://wiki.opendnssec.org/display/OpenDNSSEC/2011-12-16+Minutes

I missed some of the discussion about the zonelist master as I was finding it hard to keep up, sorry about that. If anyone wants to add to them feel free.

I also missed who was going to take that discussion on, whether it was Jerry or Yuri.

Sion
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 19 Dec 2011 08:49:39 +0100
Subject: [Opendnssec-develop] Meeting tomorrow
In-Reply-To: <4EEB5EAE.1020702@nominet.org.uk>
Message-ID: <-9033389544897142846@unknownmsgid>

It is Yuri that is going to follow up zonelist.

/Jerry

On 16 dec 2011, at 16:07, "Siôn Lloyd" wrote:
> On 15/12/11 14:41, Rickard Bellgrim wrote:
>> Hi
>>
>> We have a telephone meeting tomorrow. The draft agenda can be found here:
>> https://wiki.opendnssec.org/display/OpenDNSSEC/2011-12-16+Agenda
>>
>> // Rickard
>
> Here are the notes...
>
> https://wiki.opendnssec.org/display/OpenDNSSEC/2011-12-16+Minutes
>
> I missed some of the discussion about the zonelist master as I was finding it hard to keep up, sorry about that. If anyone wants to add to them feel free.
>
> I also missed who was going to take that discussion on, whether it was Jerry or Yuri.
>
> Sion


From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 20 Dec 2011 19:32:50 +0100
Subject: [Opendnssec-develop] Where have Jenkins gone?
Message-ID: <4047721226530302592@unknownmsgid>

Hi,

http://jenkins.opendnssec.org displays the DNSCCM site and the https site doesn't answer.

Has Jenkins taken an early Christmas?

/Jerry
From: jad at sinodun.com (John Dickinson)
Date: Tue, 20 Dec 2011 19:21:22 +0000
Subject: [Opendnssec-develop] Re: Where have Jenkins gone?
In-Reply-To: <4047721226530302592@unknownmsgid>
Message-ID: <4B564511-0C1B-46E3-92DE-2DDDB3DD8C5B@sinodun.com>

Looks like the Jenkins process was hung. Restarted now.

I will check for an upgrade tomorrow.

John

On 20 Dec 2011, at 18:32, Jerry Lundström wrote:
> Hi,
>
> http://jenkins.opendnssec.org displays the DNSCCM site and the https site doesn't answer.
>
> Has Jenkins taken an early Christmas?
>
> /Jerry

---
jad at sinodun.com
Sinodun Internet Technologies Ltd.
Stables 4, Suite 11,
Howbery Park,
Wallingford,
Oxfordshire,
OX10 8BA,
U.K.

+44 (0)1491 834957


From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Wed, 21 Dec 2011 14:16:50 +0100
Subject: [Opendnssec-develop] Signer ToolsDirectory
In-Reply-To: <4EE61EF7.5050504@nominet.org.uk>

> Could someone who is more familiar with the signer confirm that the
> ToolsDirectory is no longer used? I'll not check it if that is the case.

It was dropped in OpenDNSSEC 1.2.

// Rickard


From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Wed, 21 Dec 2011 14:45:56 +0100
Subject: [Opendnssec-develop] Redesign of Jenkins - feedback needed!
In-Reply-To: <625EF588-FAAB-4001-9A58-D32F1492BDDA@opendnssec.org>

> I will bring this up at the meeting today also.

FYI, we all agreed on this. Jerry and Nick will continue working on it.

// Rickard
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Thu, 22 Dec 2011 09:18:17 +0000
Subject: [Opendnssec-develop] -maintainers list
Message-ID: <4EF2F5D9.1040708@nominet.org.uk>

Morning.

We have finally got a maintainers list set up...

https://lists.opendnssec.org/mailman/listinfo/opendnssec-maintainers

I _think_ that I have it configured in the same way as the developers list; i.e. subscription requests need to be approved but the archives are all public, etc.

Yesterday, Rickard suggested that only active developers are added to the list, along with package maintainers. This sounds reasonable to me, and if anyone from the develop list asks to subscribe I'll accept the request.

Do we know who else needs to be added?

Today is my last day at work until the new year, so maybe we should wait until then before sending out invites?

Sion


From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 22 Dec 2011 10:27:13 +0100
Subject: [Opendnssec-develop] -maintainers list
In-Reply-To: <4EF2F5D9.1040708@nominet.org.uk>
Message-ID: <08DA04EB-D481-406D-939A-47EF493FB88A@opendnssec.org>

On Dec 22, 2011, at 10:18 , Siôn Lloyd wrote:
> We have finally got a maintainers list set up...

Weeiii!!

> Do we know who else needs to be added?

Who has been added so far?

--
Jerry Lundström
OpenDNSSEC Developer
http://www.opendnssec.org/
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Thu, 22 Dec 2011 09:35:07 +0000
Subject: [Opendnssec-develop] -maintainers list
In-Reply-To: <08DA04EB-D481-406D-939A-47EF493FB88A@opendnssec.org>
References: <4EF2F5D9.1040708@nominet.org.uk> <08DA04EB-D481-406D-939A-47EF493FB88A@opendnssec.org>
Message-ID: <4EF2F9CB.80501@nominet.org.uk>

On 22/12/11 09:27, Jerry Lundström wrote:
> Who has been added so far?

I didn't add anyone (except myself) by default.
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Thu, 22 Dec 2011 11:47:50 +0100
Subject: [Opendnssec-develop] Signer Enforcer Communication
In-Reply-To: <4EDCB285.7030802@nlnetlabs.nl>
References: <4ED3BD64.5050007@nlnetlabs.nl> <4EDCB285.7030802@nlnetlabs.nl>
Message-ID: <4EF30AD6.70000@nlnetlabs.nl>

Hi Yuri,

Because the enforcer cannot look into the signed zone, it can only be sure some additional time before all new RRSIGs are introduced. From the moment that the signer has a new signer configuration (t0), the enforcer has to wait until all signatures have been replaced (dx). The moment that a signature is replaced is at the resign interval where the signature is not fresh anymore for the first time:

    (validity + jitter) + resign - refresh

Note that jitter in the worst case is 1*jitter, because the jitter range is from [-j ... j].

Note that the maximum validity is max(Signatures->Validity->Default, Signatures->Validity->Denial).

Hope this clarification helps.

Best regards,
  Matthijs

On 12/05/2011 01:01 PM, Yuri Schaeffer wrote:
> While Matthijs is enjoying the sun, could you help verify I'm correct?
>
> In order to support smooth rollovers the enforcer must wait TTL + some
> additional_time when transitioning an RRSIG state from rumoured to
> omnipresent. (Signatures only get replaced when they expire.)
>
> What is "additional_time"? I think:
>
> additional_time = Signatures->Validity->default + Signatures->Jitter
>
> As the enforcer I do not know the actual jitter value, so I must wait
> worst case time (I wait max 2*jitter too long).
>
> I believe I can ignore the refresh and resign intervals.
>
> //yuri

From: yuri at nlnetlabs.nl (Yuri Schaeffer)
Date: Fri, 23 Dec 2011 13:29:46 +0100
Subject: [Opendnssec-develop] Signer Enforcer Communication
In-Reply-To: <4EF30AD6.70000@nlnetlabs.nl>
References: <4ED3BD64.5050007@nlnetlabs.nl> <4EDCB285.7030802@nlnetlabs.nl> <4EF30AD6.70000@nlnetlabs.nl>
Message-ID: <1324643386.3581.23.camel@thorin>

> The moment that a signature is replaced is at the resign interval
> where the signature is not fresh anymore for the first time:
>
> (validity + jitter) + resign - refresh

I think I get it; the signer does check for work at regular intervals, so I need resign and refresh times. So the period to wait for the signer to make the transition is:

    MaxZoneTTL +
    MAX(Signatures->Validity->Default, Signatures->Validity->Denial) +
    Signatures->Jitter + resign - refresh

> Note that jitter in the worst case is 1*jitter, because the jitter range
> is from [-j ... j].

Yes. Worst case 1*jitter. Which means I'm worst case 2*jitter off.

//yuri
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Fri, 23 Dec 2011 14:24:16 +0100
Subject: [Opendnssec-develop] Signer Enforcer Communication
In-Reply-To: <1324643386.3581.23.camel@thorin>
References: <4ED3BD64.5050007@nlnetlabs.nl> <4EDCB285.7030802@nlnetlabs.nl> <4EF30AD6.70000@nlnetlabs.nl> <1324643386.3581.23.camel@thorin>

> so the period to wait for the signer to make the transition is:
>
>     MaxZoneTTL +
>     MAX(Signatures->Validity->Default, Signatures->Validity->Denial) +
>     Signatures->Jitter + resign - refresh
>
>> Note that jitter in the worst case is 1*jitter, because the jitter range
>> is from [-j ... j].
>
> Yes. Worst case 1*jitter. Which means I'm worst case 2*jitter off.

The worst case should be just one jitter, because the negative jitter is subtracted from the validity.

    validity - jitter + rnd(2*jitter) => validity + jitter

// Rickard

From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Fri, 23 Dec 2011 15:10:39 +0100
Subject: [Opendnssec-develop] Off-by-one error and new year

Hi

An error, as seen on the user's list, has been uncovered. I think we should make an announcement of this.

Due to this error, you could get signatures that are valid for one year extra. What happens if you leave the signature in the zone? Will it be removed during the next key rollover?

This problem is on 32-bit platforms.

I think they should remove the tmp files and create new signatures.

// Rickard
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Tue, 27 Dec 2011 11:03:02 +0100
Subject: [Opendnssec-develop] Signer Enforcer Communication
References: <4ED3BD64.5050007@nlnetlabs.nl> <4EDCB285.7030802@nlnetlabs.nl> <4EF30AD6.70000@nlnetlabs.nl> <1324643386.3581.23.camel@thorin>
Message-ID: <4EF997D6.7050201@nlnetlabs.nl>

On 23/12/11 14:24, Rickard Bellgrim wrote:
> The worst case should be just one jitter, because the negative jitter
> is subtracted from the validity.
>
> validity - jitter + rnd(2*jitter) => validity + jitter

And thus I stand by my previous statement. The enforcer must wait till "Validity+Jitter" while the key *might* actually only be valid until "Validity-Jitter". Hence, if I'm playing safe, I'm worst-case 2*Jitter off from my earliest moment to roll.

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl

From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 27 Dec 2011 11:36:41 +0100
Subject: [Opendnssec-develop] Off-by-one error and new year

Hi

An error, as seen on the user's list, has been uncovered. I think we should make an announcement of this.

Due to this error, you could get signatures that are valid for one year extra. What happens if you leave the signature in the zone? Will it be removed during the next key rollover?

This problem is only on 32-bit platforms.

I think they should remove the tmp files and create new signatures.

// Rickard
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Tue, 27 Dec 2011 12:20:46 +0100
Subject: [Opendnssec-develop] Off-by-one error and new year
Message-ID: <4EF9AA0E.7090307@nlnetlabs.nl>

> Due to this error, you could get signatures that are valid for one
> year extra. What happens if you leave the signature in the zone? Will
> it be removed during the next key rollover?

Assuming only the signer is affected: when the enforcer rolls to a new key, then at some point it will remove the references to the old key from the signconf. The signer will then promptly drop all (still valid) signatures of that old key.

Normally the signer will gradually roll from one key to the next. In this scenario your whole zone gets signed at once, as the signer can reuse every signature till the very last moment. So I guess the CPU temperature will rise a bit for one time during that year?

//yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 27 Dec 2011 12:59:34 +0100
Subject: [Opendnssec-develop] Off-by-one error and new year
In-Reply-To: <4EF9AA0E.7090307@nlnetlabs.nl>
References: <4EF9AA0E.7090307@nlnetlabs.nl>

> Assuming only the signer is affected: when the enforcer rolls to a new
> key, then at some point it will remove the references to the old key from
> the signconf. The signer will then promptly drop all (still valid)
> signatures of that old key.
>
> Normally the signer will gradually roll from one key to the next. In
> this scenario your whole zone gets signed at once, as the signer can
> reuse every signature till the very last moment.

Ok, so you will never have a signature in the zone where there is no DNSKEY?

The Signer Engine will do a smooth transition between keys, but in this case you will have a signature that is valid for a year extra. At some point the Enforcer will remove the DNSKEY, because it thinks that all of the signatures have been replaced.

// Rickard

From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Tue, 27 Dec 2011 13:25:10 +0100
Subject: [Opendnssec-develop] Off-by-one error and new year
References: <4EF9AA0E.7090307@nlnetlabs.nl>
Message-ID: <4EF9B926.5090603@nlnetlabs.nl>

> Ok, so you will never have a signature in the zone where there is no DNSKEY?

Correct.

> The Signer Engine will do a smooth transition between keys, but in
> this case you will have a signature that is valid for a year extra. At
> some point the Enforcer will remove the DNSKEY, because it thinks that
> all of the signatures have been replaced.

Yes. At this point the signer will start to sweat, doing all the work at once instead of during the last validity period.

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 27 Dec 2011 13:31:47 +0100
Subject: [Opendnssec-develop] Off-by-one error and new year
In-Reply-To: <4EF9B926.5090603@nlnetlabs.nl>
References: <4EF9AA0E.7090307@nlnetlabs.nl> <4EF9B926.5090603@nlnetlabs.nl>

>> The Signer Engine will do a smooth transition between keys, but in
>> this case you will have a signature that is valid for a year extra. At
>> some point the Enforcer will remove the DNSKEY, because it thinks that
>> all of the signatures have been replaced.
>
> Yes. At this point the signer will start to sweat, doing all the work at
> once instead of during the last validity period.

So the conclusion is that there will be no post-publication of the DNSKEY for this signature, right?

From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Tue, 27 Dec 2011 14:29:03 +0100
Subject: [Opendnssec-develop] Off-by-one error and new year
References: <4EF9AA0E.7090307@nlnetlabs.nl> <4EF9B926.5090603@nlnetlabs.nl>
Message-ID: <4EF9C81F.2050402@nlnetlabs.nl>

> So the conclusion is that there will be no post-publication of the
> DNSKEY for this signature, right?

Ah yes, this could be bad. A resolver could end up with only the new key, and only the old signature.

1) Resolver fetches old signature.
2) Enforcer tells signer to drop old DNSKEY. Everything will get resigned with the new key. (This is normally the end of post-publication.)
3) Resolver fetches new DNSKEY-set (with only the new DNSKEY).
4) Chain of trust is broken for at most the record's TTL.

The post-publication would 'get lost' due to this error.

//yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl
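The wait-time formula agreed in the Signer Enforcer Communication thread above (MaxZoneTTL + MAX(Validity Default, Denial) + Jitter + resign - refresh), and the failure mode Yuri describes for the off-by-one report (a signature that outlives the policy's validity, so the enforcer withdraws the old DNSKEY while the old signature can still be served), worked through as an added example. This is not OpenDNSSEC code: the struct, the function names and the policy values (1-day MaxZoneTTL, 14-day validity, 12 h jitter, 2 h resign, 3-day refresh) are constructed for illustration, and the signer model is only what Matthijs states, a wake-up every resign interval that replaces any signature expiring within refresh. The one-year-extra signature is fed in as a constructed expiration; nothing here models the cause of that error.

```c
#include <stdint.h>
#include <stdio.h>

/* Durations in seconds. Field names mirror the kasp.xml elements named in
 * the thread; the values in example_policy below are constructed for this
 * example, not defaults of any OpenDNSSEC release. */
typedef struct {
    int64_t max_zone_ttl;      /* MaxZoneTTL */
    int64_t validity_default;  /* Signatures->Validity->Default */
    int64_t validity_denial;   /* Signatures->Validity->Denial */
    int64_t jitter;            /* Signatures->Jitter (j): a draw lies in [-j, +j] */
    int64_t resign;            /* signer wake-up interval */
    int64_t refresh;           /* replace a signature expiring within this window */
} sig_policy;

static int64_t max64(int64_t a, int64_t b) { return a > b ? a : b; }

/* Enforcer side: how long after t0 (new signconf handed to the signer) the
 * enforcer waits before an RRSIG state may go rumoured -> omnipresent. */
int64_t enforcer_wait(const sig_policy *p)
{
    return p->max_zone_ttl
         + max64(p->validity_default, p->validity_denial)
         + p->jitter
         + p->resign - p->refresh;
}

/* Signer side, relative to t0 = 0: the signer wakes every `resign` seconds
 * and replaces any signature that will expire within `refresh`. Returns the
 * first wake-up at which a signature expiring at `expiration` is replaced,
 * i.e. "the resign interval where the signature is not fresh anymore". */
int64_t first_replacement(int64_t expiration, int64_t resign, int64_t refresh)
{
    int64_t due = expiration - refresh;             /* from here on it counts as stale */
    if (due <= 0)
        return 0;                                   /* already stale: replaced at t0 */
    int64_t ticks = (due + resign - 1) / resign;    /* ceil(due / resign) */
    return ticks * resign;
}

/* Slack between the enforcer's wait and the moment a signature with the given
 * jitter draw (validity - j + rnd(2j), so draw in [-j, +j]) has been replaced
 * and the old one has aged out of caches (MaxZoneTTL). Negative slack would
 * mean the enforcer moves on while the old signature can still be served. */
int64_t enforcer_slack(const sig_policy *p, int64_t jitter_draw)
{
    int64_t validity   = max64(p->validity_default, p->validity_denial);
    int64_t expiration = validity + jitter_draw;
    int64_t replaced   = first_replacement(expiration, p->resign, p->refresh);
    return enforcer_wait(p) - (replaced + p->max_zone_ttl);
}

/* Same check for a signature whose real expiration is `actual_expiration`
 * rather than what the policy says. Returns 1 if the enforcer's wait still
 * covers its replacement, 0 if the DNSKEY post-publication would be lost. */
int enforcer_covers(const sig_policy *p, int64_t actual_expiration)
{
    int64_t replaced = first_replacement(actual_expiration, p->resign, p->refresh);
    return enforcer_wait(p) >= replaced + p->max_zone_ttl;
}

/* Constructed policy (not an OpenDNSSEC default). */
static const sig_policy example_policy = {
    .max_zone_ttl     = 86400,
    .validity_default = 14 * 86400,
    .validity_denial  = 14 * 86400,
    .jitter           = 12 * 3600,
    .resign           = 2 * 3600,
    .refresh          = 3 * 86400,
};

int main(void)
{
    const sig_policy *p = &example_policy;
    printf("enforcer wait:               %lld s\n", (long long)enforcer_wait(p));
    printf("slack with jitter draw +j:   %lld s\n", (long long)enforcer_slack(p, +p->jitter));
    printf("slack with jitter draw -j:   %lld s\n", (long long)enforcer_slack(p, -p->jitter));
    /* Constructed: a signature valid one year longer than the policy says. */
    int64_t one_year_extra = max64(p->validity_default, p->validity_denial) + 365 * 86400;
    printf("covers one-year-extra sig:   %s\n", enforcer_covers(p, one_year_extra) ? "yes" : "no");
    return 0;
}
```

With the draw at +j the slack is just the granularity of one resign interval, so the wait is tight on the side that matters; with the draw at -j it is 2*jitter plus that interval, which is the "worst case 2*jitter off" Yuri accepts. For the one-year-extra signature enforcer_covers returns 0: the enforcer's wait is computed from the policy's validity, the signer keeps reusing the signature until the refresh window before its real expiration, and the DNSKEY is withdrawn long before that.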
From: olaf at NLnetLabs.nl (Olaf Kolkman)
Date: Wed, 28 Dec 2011 09:19:16 +0100
Subject: [Opendnssec-develop] Off-by-one error and new year

On Dec 27, 2011, at 11:36 AM, Rickard Bellgrim wrote:

> Hi
>
> An error, as seen on the user's list, has been uncovered. I think we
> should make an announcement of this.
>
> Due to this error, you could get signatures that are valid for one
> year extra. What happens if you leave the signature in the zone? Will
> it be removed during the next key rollover?
>
> This problem is only on 32-bit platforms.
>
> I think they should remove the tmp files and create new signatures.

I read the thread, which seemed to focus on the operational aspects. What are the risks in the context of a replay attack?

--Olaf

________________________________________________________
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/