From owner-dnssec-trac at kirei.se Fri Jul 1 08:47:03 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 01 Jul 2011 08:47:03 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #245: Signer daemon keeps running after signing large zone
In-Reply-To: <057.244b9729c92229f8efa63e7da9e5ba6b@kirei.se>
References: <057.244b9729c92229f8efa63e7da9e5ba6b@kirei.se>
Message-ID: <072.a07d57bfc142546904b701b60c83edc6@kirei.se>

#245: Signer daemon keeps running after signing large zone
--------------------------------+-------------------------------------------
Reporter: Nick van den Heuvel   | Owner: rb
Type: defect                    | Status: new
Priority: major                 | Component: Unknown
Version: 1.3.0                  | Resolution:
Keywords: 1.3.0rc2              |
--------------------------------+-------------------------------------------

Comment (by rb):

r5276 will prevent the infinite loop if the Enforcer does not stop. Could you test again? If it fails, then we have to investigate why the Enforcer does not want to close down.

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Fri Jul 1 09:12:12 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 01 Jul 2011 09:12:12 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #247: Hang signer processes after receiving several notifies in succession
In-Reply-To: <056.168398051f6878f3b30e025dabd6d8c8@kirei.se>
References: <056.168398051f6878f3b30e025dabd6d8c8@kirei.se>
Message-ID: <071.325be7a3618917f178fc62dab35c1c0a@kirei.se>

#247: Hang signer processes after receiving several notifies in succession
-----------------------------------+----------------------------------------
Reporter: goeran@?                 | Owner: matthijs
Type: defect                       | Status: accepted
Priority: major                    | Component: Signer
Version: 1.3.0                     | Resolution:
Keywords: signer, hang, notifies   |
-----------------------------------+----------------------------------------

Comment (by matthijs):

Can I conclude that the problem does not exist in 1.2.1 (since you downgraded)?

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From rickard at opendnssec.org Fri Jul 1 12:04:58 2011
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Fri, 1 Jul 2011 14:04:58 +0200
Subject: [Opendnssec-develop] Botan version
Message-ID:

Hi

Before I committed the code today, SoftHSM did not reuse the PK_Signer object. It worked ok in Botan 1.8.X, but it would get some performance issues in Botan 1.9 and Botan 1.10.

I realized however that there is a bug in Botan prior to the latest releases that caused a problem when you reuse the object and were running EMSA3(RAW) (== CKM_RSA_PKCS).

Should I increase the required Botan version or try to detect which version is used and then apply the optimization?

// Rickard

From Roland.vanRijswijk at surfnet.nl Fri Jul 1 12:07:23 2011
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Fri, 1 Jul 2011 14:07:23 +0200
Subject: [Opendnssec-develop] Botan version
In-Reply-To:
References:
Message-ID: <2EC2A24C-2819-4F06-AC69-4D7E9377601C@surfnet.nl>

Hi Rickard,

On 1 jul 2011, at 14:04, Rickard Bellgrim wrote:

> Before I committed the code today, SoftHSM did not reuse the PK_Signer
> object. It worked ok in Botan 1.8.X, but it would get some performance
> issues in Botan 1.9 and Botan 1.10.
>
> I realized however that there is a bug in Botan prior to the latest
> releases that caused a problem when you reuse the object and were
> running EMSA3(RAW) (== CKM_RSA_PKCS).
>
> Should I increase the required Botan version or try to detect which
> version is used and then apply the optimization?

I would say try to detect the version; pre-built packages for distributions tend to lag behind the release cycle of products so it would be prudent to make this optional for the time being.

Cheers,

Roland

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From rickard at opendnssec.org Fri Jul 1 12:58:34 2011
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Fri, 1 Jul 2011 14:58:34 +0200
Subject: [Opendnssec-develop] Botan version
In-Reply-To: <2EC2A24C-2819-4F06-AC69-4D7E9377601C@surfnet.nl>
References: <2EC2A24C-2819-4F06-AC69-4D7E9377601C@surfnet.nl>
Message-ID:

On Fri, Jul 1, 2011 at 2:07 PM, Roland van Rijswijk wrote:
> Hi Rickard,
>
> On 1 jul 2011, at 14:04, Rickard Bellgrim wrote:
>
>> Before I committed the code today, SoftHSM did not reuse the PK_Signer
>> object. It worked ok in Botan 1.8.X, but it would get some performance
>> issues in Botan 1.9 and Botan 1.10.
>>
>> I realized however that there is a bug in Botan prior to the latest
>> releases that caused a problem when you reuse the object and were
>> running EMSA3(RAW) (== CKM_RSA_PKCS).
>>
>> Should I increase the required Botan version or try to detect which
>> version is used and then apply the optimization?
>
>
> I would say try to detect the version; pre-built packages for distributions tend to lag behind the release cycle of products so it would be prudent to make this optional for the time being.

Fixed in r5277

From yuri at nlnetlabs.nl Fri Jul 1 15:34:47 2011
From: yuri at nlnetlabs.nl (Yuri Schaeffer)
Date: Fri, 01 Jul 2011 17:34:47 +0200
Subject: [Opendnssec-develop] Enforcer engine
In-Reply-To: <4DECECA9.9010101@nlnetlabs.nl>
References: <4DECECA9.9010101@nlnetlabs.nl>
Message-ID: <1309534487.6011.17.camel@thorin>

Hi,

Attached 2 files.

1) updated document. Most noticeably a refinement of the rules which now reflect the prototype implementation. It is now (for me) much more clear why and how it works. I've tried to write that down in section 7. Also I added some set symbols to make the notation more natural and changed the letters of the records to something easy to remember.
D = ds record
K = dnskey record
k = rrsig dnskey record
S = rrsig record.

2) Direct output from my prototype for some rollovers. Each table row is a timestep. Each column a record and each group of columns a key. From left to right D,K,k,S. '---' denotes the key has no such record. In brackets whether the key wants to (in) or (out)roduce.

TTL(D) = 11
TTL(K,k) = 1
TTL(S) = 3

You are welcome to review the correctness of the rollovers.

//yuri

-------------- next part --------------
A non-text attachment was scrubbed...
Name: enforcer_rules.pdf
Type: application/pdf
Size: 224405 bytes
Desc: not available
URL:
-------------- next part --------------

zsk roll
 key 0 (out)     | key 1 (out)     | key 2 (in)      | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,HID,---,HID | None
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,RUM,---,RUM | 0
 OMN,OMN,OMN,--- | ---,OMN,---,UNR | ---,OMN,---,RUM | 1
 OMN,OMN,OMN,--- | ---,UNR,---,UNR | ---,OMN,---,OMN | 3
 OMN,OMN,OMN,--- | ---,HID,---,HID | ---,OMN,---,OMN | 4

zsk roll minkey
 key 3 (out)     | key 4 (out)     | key 5 (in)      | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,HID,---,HID | None
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,HID,---,RUM | 0
 OMN,OMN,OMN,--- | ---,UNR,---,OMN | ---,RUM,---,OMN | 3
 OMN,OMN,OMN,--- | ---,HID,---,UNR | ---,OMN,---,OMN | 4
 OMN,OMN,OMN,--- | ---,HID,---,HID | ---,OMN,---,OMN | 7

zsk roll minsig
 key 6 (out)     | key 7 (out)     | key 8 (in)      | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,HID,---,HID | None
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,RUM,---,HID | 0
 OMN,OMN,OMN,--- | ---,OMN,---,UNR | ---,OMN,---,RUM | 1
 OMN,OMN,OMN,--- | ---,UNR,---,HID | ---,OMN,---,OMN | 4
 OMN,OMN,OMN,--- | ---,HID,---,HID | ---,OMN,---,OMN | 5

Ksk roll
 key 9 (out)     | key 10 (in)     | key 11 (in)     | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | HID,HID,HID,--- | ---,OMN,---,OMN | None
 OMN,OMN,OMN,--- | RUM,RUM,RUM,--- | ---,OMN,---,OMN | 0
 UNR,OMN,OMN,--- | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 1
 UNR,UNR,UNR,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 11
 HID,HID,HID,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12

Ksk roll minkey
 key 12 (out)    | key 13 (in)     | key 14 (in)     | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | HID,HID,HID,--- | ---,OMN,---,OMN | None
 OMN,OMN,OMN,--- | RUM,HID,HID,--- | ---,OMN,---,OMN | 0
 OMN,UNR,UNR,--- | OMN,RUM,RUM,--- | ---,OMN,---,OMN | 11
 UNR,HID,HID,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12
 HID,HID,HID,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 23

Ksk roll minds
 key 15 (out)    | key 16 (in)     | key 17 (in)     | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | HID,HID,HID,--- | ---,OMN,---,OMN | None
 OMN,OMN,OMN,--- | HID,RUM,RUM,--- | ---,OMN,---,OMN | 0
 UNR,OMN,OMN,--- | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 1
 HID,UNR,UNR,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12
 HID,HID,HID,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 13

split roll
 key 18 (out)    | key 19 (out)    | key 20 (in)     | key 21 (in)     | T
-----------------+-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,--- | ---,HID,---,HID | None
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | RUM,RUM,RUM,--- | ---,RUM,---,RUM | 0
 UNR,OMN,OMN,--- | ---,OMN,---,UNR | RUM,OMN,OMN,--- | ---,OMN,---,RUM | 1
 UNR,OMN,OMN,--- | ---,UNR,---,UNR | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 3
 UNR,OMN,OMN,--- | ---,HID,---,HID | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
 UNR,UNR,UNR,--- | ---,HID,---,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 11
 HID,HID,HID,--- | ---,HID,---,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12

split roll diff alg
 key 22 (out)    | key 23 (out)    | key 24 (in)     | key 25 (in)     | T
-----------------+-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,--- | ---,HID,---,HID | None
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,--- | ---,HID,---,RUM | 0
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,RUM,RUM,--- | ---,RUM,---,OMN | 3
 UNR,OMN,OMN,--- | ---,OMN,---,OMN | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
 HID,UNR,UNR,--- | ---,UNR,---,OMN | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 15
 HID,HID,HID,--- | ---,HID,---,UNR | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 16
 HID,HID,HID,--- | ---,HID,---,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 19

csk roll
 key 26 (out)    | key 27 (in)     | T
-----------------+-----------------+------
 OMN,OMN,OMN,OMN | HID,HID,HID,HID | None
 OMN,OMN,OMN,OMN | RUM,RUM,RUM,RUM | 0
 UNR,OMN,OMN,UNR | RUM,OMN,OMN,RUM | 1
 UNR,OMN,OMN,UNR | RUM,OMN,OMN,OMN | 3
 UNR,OMN,OMN,HID | RUM,OMN,OMN,OMN | 4
 UNR,UNR,UNR,HID | OMN,OMN,OMN,OMN | 11
 HID,HID,HID,HID | OMN,OMN,OMN,OMN | 12

csk roll diff alg
 key 28 (out)    | key 29 (in)     | T
-----------------+-----------------+------
 OMN,OMN,OMN,OMN | HID,HID,HID,HID | None
 OMN,OMN,OMN,OMN | HID,HID,HID,RUM | 0
 OMN,OMN,OMN,OMN | HID,RUM,RUM,OMN | 3
 UNR,OMN,OMN,OMN | RUM,OMN,OMN,OMN | 4
 HID,UNR,UNR,OMN | OMN,OMN,OMN,OMN | 15
 HID,HID,HID,UNR | OMN,OMN,OMN,OMN | 16
 HID,HID,HID,HID | OMN,OMN,OMN,OMN | 19

csk roll to split
 key 30 (out)    | key 31 (in)     | key 32 (in)     | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,OMN | HID,HID,HID,--- | ---,HID,---,HID | None
 OMN,OMN,OMN,OMN | RUM,RUM,RUM,--- | ---,RUM,---,RUM | 0
 UNR,OMN,OMN,UNR | RUM,OMN,OMN,--- | ---,OMN,---,RUM | 1
 UNR,OMN,OMN,UNR | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 3
 UNR,OMN,OMN,HID | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
 UNR,UNR,UNR,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 11
 HID,HID,HID,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12

csk roll to split diff alg
 key 33 (out)    | key 34 (in)     | key 35 (in)     | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,OMN | HID,HID,HID,--- | ---,HID,---,HID | None
 OMN,OMN,OMN,OMN | HID,HID,HID,--- | ---,HID,---,RUM | 0
 OMN,OMN,OMN,OMN | HID,RUM,RUM,--- | ---,RUM,---,OMN | 3
 UNR,OMN,OMN,OMN | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
 HID,UNR,UNR,OMN | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 15
 HID,HID,HID,UNR | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 16
 HID,HID,HID,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 19

split roll to csk
 key 36 (out)    | key 37 (out)    | key 38 (in)     | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,HID | None
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | RUM,RUM,RUM,RUM | 0
 UNR,OMN,OMN,--- | ---,OMN,---,UNR | RUM,OMN,OMN,RUM | 1
 UNR,OMN,OMN,--- | ---,UNR,---,UNR | RUM,OMN,OMN,OMN | 3
 UNR,OMN,OMN,--- | ---,HID,---,HID | RUM,OMN,OMN,OMN | 4
 UNR,UNR,UNR,--- | ---,HID,---,HID | OMN,OMN,OMN,OMN | 11
 HID,HID,HID,--- | ---,HID,---,HID | OMN,OMN,OMN,OMN | 12

split roll to csk diff alg
 key 39 (out)    | key 40 (out)    | key 41 (in)     | T
-----------------+-----------------+-----------------+------
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,HID | None
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,RUM | 0
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,RUM,RUM,OMN | 3
 UNR,OMN,OMN,--- | ---,OMN,---,OMN | RUM,OMN,OMN,OMN | 4
 HID,UNR,UNR,--- | ---,UNR,---,OMN | OMN,OMN,OMN,OMN | 15
 HID,HID,HID,--- | ---,HID,---,UNR | OMN,OMN,OMN,OMN | 16
 HID,HID,HID,--- | ---,HID,---,HID | OMN,OMN,OMN,OMN | 19

unsigned to signed split
 key 42 (in)     | key 43 (in)     | T
-----------------+-----------------+------
 HID,HID,HID,--- | ---,HID,---,HID | None
 HID,HID,HID,--- | ---,HID,---,RUM | 0
 HID,RUM,RUM,--- | ---,RUM,---,OMN | 3
 RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | 15

unsigned to signed csk
 key 44 (in)     | T
-----------------+------
 HID,HID,HID,HID | None
 HID,HID,HID,RUM | 0
 HID,RUM,RUM,OMN | 3
 RUM,OMN,OMN,OMN | 4
 OMN,OMN,OMN,OMN | 15

signed csk to unsigned
 key 45 (out)    | T
-----------------+------
 OMN,OMN,OMN,OMN | None
 UNR,OMN,OMN,OMN | 0
 HID,UNR,UNR,OMN | 11
 HID,HID,HID,UNR | 12
 HID,HID,HID,HID | 15

From owner-dnssec-trac at kirei.se Mon Jul 4 10:27:16 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 04 Jul 2011 10:27:16 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #247: Hang signer processes after receiving several notifies in succession
In-Reply-To: <056.168398051f6878f3b30e025dabd6d8c8@kirei.se>
References: <056.168398051f6878f3b30e025dabd6d8c8@kirei.se>
Message-ID: <071.48d5357b0629e773486b5ea4db939348@kirei.se>

#247: Hang signer processes after receiving several notifies in succession
-----------------------------------+----------------------------------------
Reporter: goeran@?                 | Owner: matthijs
Type: defect                       | Status: accepted
Priority: major                    | Component: Signer
Version: 1.3.0                     | Resolution:
Keywords: signer, hang, notifies   |
-----------------------------------+----------------------------------------

Comment (by matthijs):

The fix has been acknowledged.

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Mon Jul 4 10:27:25 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 04 Jul 2011 10:27:25 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #247: Hang signer processes after receiving several notifies in succession
In-Reply-To: <056.168398051f6878f3b30e025dabd6d8c8@kirei.se>
References: <056.168398051f6878f3b30e025dabd6d8c8@kirei.se>
Message-ID: <071.8934ee017f78cc60cc783dbf0a0627eb@kirei.se>

#247: Hang signer processes after receiving several notifies in succession
-----------------------------------+----------------------------------------
Reporter: goeran@?                 | Owner: matthijs
Type: defect                       | Status: closed
Priority: major                    | Component: Signer
Version: 1.3.0                     | Resolution: fixed
Keywords: signer, hang, notifies   |
-----------------------------------+----------------------------------------

Changes (by matthijs):

* status: accepted => closed
* resolution: => fixed

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From goeran at chalmers.se Mon Jul 4 06:45:33 2011
From: goeran at chalmers.se (Göran Bengtson)
Date: Mon, 4 Jul 2011 08:45:33 +0200 (CEST)
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #247: Hang signer processes after receiving several notifies in succession
In-Reply-To: <071.325be7a3618917f178fc62dab35c1c0a@kirei.se>
References: <056.168398051f6878f3b30e025dabd6d8c8@kirei.se> <071.325be7a3618917f178fc62dab35c1c0a@kirei.se>
Message-ID:

On Fri, 1 Jul 2011, OpenDNSSEC wrote:

> From: OpenDNSSEC
> Cc: "opendnssec-develop at lists.opendnssec.org"
>
> Message-ID: <071.325be7a3618917f178fc62dab35c1c0a at kirei.se>
> Date: Fri, 1 Jul 2011 11:12:12 +0200
> Subject: Re: [OpenDNSSEC] #247: Hang signer processes after receiving several
> notifies in succession
>
> #247: Hang signer processes after receiving several notifies in succession
> -----------------------------------+----------------------------------------
> Reporter: goeran@?                 | Owner: matthijs
> Type: defect                       | Status: accepted
> Priority: major                    | Component: Signer
> Version: 1.3.0                     | Resolution:
> Keywords: signer, hang, notifies   |
> -----------------------------------+----------------------------------------
>
> Comment (by matthijs):
>
> Can I conclude that the problem does not exist in 1.2.1 (since you
> downgraded)?

I've never seen it in 1.2.1. The handling of repeated sign requests is different (notify and explicit ods-signer sign commands). If the signer already is working with a zone the sign request returns "cmdhandler: already performing task for zone itsnat.se".

Jul 4 08:40:51 ns-test ods-signerd: zone fetcher received NOTIFY for zone itsnat.se
Jul 4 08:40:52 ns-test ods-signerd: zone fetcher transferred zone itsnat.se serial 2011070402 successfully
Jul 4 08:40:54 ns-test ods-signerd: cmdhandler: zone itsnat.se scheduled for immediate re-sign
Jul 4 08:40:59 ns-test ods-signerd: zone fetcher received NOTIFY for zone itsnat.se
Jul 4 08:40:59 ns-test ods-signerd: zone fetcher transferred zone itsnat.se serial 2011070403 successfully
Jul 4 08:41:00 ns-test ods-signerd: cmdhandler: already performing task for zone itsnat.se
Jul 4 08:41:07 ns-test ods-auditor[26071]: Auditor started
Jul 4 08:41:07 ns-test ods-auditor[26071]: Auditor starting on itsnat.se
Jul 4 08:41:07 ns-test ods-auditor[26071]: Auditing itsnat.se zone : NSEC3 SIGNED
Jul 4 08:41:18 ns-test ods-signerd: zone fetcher received NOTIFY for zone itsnat.se
Jul 4 08:41:18 ns-test ods-signerd: zone fetcher transferred zone itsnat.se serial 2011070404 successfully
Jul 4 08:41:18 ns-test ods-signerd: cmdhandler: already performing task for zone itsnat.se
Jul 4 08:41:23 ns-test ods-signerd: zone fetcher received NOTIFY for zone itsnat.se
Jul 4 08:41:23 ns-test ods-signerd: zone fetcher transferred zone itsnat.se serial 2011070405 successfully
Jul 4 08:41:23 ns-test ods-signerd: cmdhandler: already performing task for zone itsnat.se
Jul 4 08:41:28 ns-test ods-signerd: zone fetcher received NOTIFY for zone itsnat.se
Jul 4 08:41:29 ns-test ods-signerd: zone fetcher transferred zone itsnat.se serial 2011070406 successfully
Jul 4 08:41:29 ns-test ods-signerd: cmdhandler: already performing task for zone itsnat.se
Jul 4 08:42:02 ns-test trigger-resign[26443]: Try to schedule a resign for itsnat.se (based on new unsigned file)
Jul 4 08:42:02 ns-test ods-signerd: cmdhandler: already performing task for zone itsnat.se
Jul 4 08:42:37 ns-test ods-auditor[26071]: SOA differs : from 2011070402 to 2011070407
Jul 4 08:42:38 ns-test ods-auditor[26071]: Finished auditing itsnat.se zone
Jul 4 08:42:41 ns-test my-reload[26561]: Start processing itsnat.se
Jul 4 08:42:42 ns-test my-reload[26561]: End processing itsnat.se
Jul 4 08:42:42 ns-test ods-signerd: [STATS] itsnat.se RR[count=37644 time=1(sec)] NSEC3[count=0 time=1(sec)] RRSIG[new=10 reused=73493 time=6(sec) avg=1(sig/sec)] AUDIT[time=92(sec)] TOTAL[time=108(sec)]

However, that fact also implies that it may not sign a zone that was transferred while a signing was in progress. That is a problem that I handle with a cron-job, and that has worked well for some time now.

>
> --
> Ticket URL:
> OpenDNSSEC
> OpenDNSSEC

/ Göran

From owner-dnssec-trac at kirei.se Tue Jul 5 13:12:07 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 05 Jul 2011 13:12:07 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #248: Incorrect check for availability of LoadLibrary function
Message-ID: <063.65a97b964467167cbf3ab2abef2a1626@kirei.se>

#248: Incorrect check for availability of LoadLibrary function
--------------------------------------+-------------------------------------
Reporter: jaroslav.imrich@?           | Owner: rb
Type: defect                          | Status: new
Priority: major                       | Component: SoftHSM
Version: trunk                        | Keywords: windows mingw autoconf loadlibrary
--------------------------------------+-------------------------------------

I am trying to build softHSM (svn rev. 5288) on Windows XP with MinGW and I am facing a little problem with autoconfiguration and acx_dlopen.m4 macro.

When I run..
{{{
./configure --with-botan=c:/botan --with-sqlite3=c:/sqlite3
}}}

..it always ends with message:
{{{
checking for dlopen... no
checking for dlopen in -ldl... no
checking for LoadLibrary... no
configure: error: No dynamic library loading support
}}}

I am pretty sure that LoadLibrary is available on this system because I use it in other projects. I am no m4 expert so I've used only a simple workaround to pass this test (attached as a patch). If you can come up with a better solution I will gladly test it.

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jul 6 09:00:07 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 06 Jul 2011 09:00:07 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #248: Incorrect check for availability of LoadLibrary function
In-Reply-To: <063.65a97b964467167cbf3ab2abef2a1626@kirei.se>
References: <063.65a97b964467167cbf3ab2abef2a1626@kirei.se>
Message-ID: <078.9a3bc3528357cd511cf30740158eb950@kirei.se>

#248: Incorrect check for availability of LoadLibrary function
-----------------------------------------------+----------------------------
Reporter: jaroslav.imrich@?                    | Owner: rb
Type: defect                                   | Status: new
Priority: major                                | Component: SoftHSM
Version: trunk                                 | Resolution:
Keywords: windows mingw autoconf loadlibrary   |
-----------------------------------------------+----------------------------

Comment (by rb):

Does this patch work for you?
http://trac.opendnssec.org/attachment/ticket/248/acx_dlopen.m4.patch

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jul 6 09:57:08 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 06 Jul 2011 09:57:08 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #248: Incorrect check for availability of LoadLibrary function
In-Reply-To: <063.65a97b964467167cbf3ab2abef2a1626@kirei.se>
References: <063.65a97b964467167cbf3ab2abef2a1626@kirei.se>
Message-ID: <078.10842894f8c5646ea016815b162f7289@kirei.se>

#248: Incorrect check for availability of LoadLibrary function
-----------------------------------------------+----------------------------
Reporter: jaroslav.imrich@?                    | Owner: rb
Type: defect                                   | Status: new
Priority: major                                | Component: SoftHSM
Version: trunk                                 | Resolution:
Keywords: windows mingw autoconf loadlibrary   |
-----------------------------------------------+----------------------------

Comment (by rb):

Also committed to r5294

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From yuri at NLnetLabs.nl Wed Jul 6 12:40:56 2011
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Wed, 06 Jul 2011 14:40:56 +0200
Subject: [Opendnssec-develop] PublishSafety and RetireSafety
Message-ID: <4E1457D8.1050304@nlnetlabs.nl>

Hi,

I'm unsure how PublishSafety and RetireSafety should be used. The Wiki says the following, but it confuses me.

""" and are the publish and retire safety
margins for the keys. These intervals are safety margins added to
calculated timing values to ensure that keys are published and retired
without there being a chance of signatures created with the keys being
considered invalid."""

I attached two possibilities. Drawn in the well-known state diagram with Hidden/Rumoured/Omnipresent/Unretentive.

1) We wait extra long after introducing/outroducing a resource record
2) We wait extra long before introducing/outroducing a resource record

T = TTL
D = PropagationDelay
P = PublishSafety
R = RetireSafety

There might be a third option?

I should think it is option 2 since in option 1 it does the same as PropagationDelay.

//yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20110706_002.jpg
Type: image/jpeg
Size: 27869 bytes
Desc: not available
URL:

From rickard at opendnssec.org Wed Jul 6 13:01:23 2011
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Wed, 6 Jul 2011 15:01:23 +0200
Subject: [Opendnssec-develop] PublishSafety and RetireSafety
In-Reply-To: <4E1457D8.1050304@nlnetlabs.nl>
References: <4E1457D8.1050304@nlnetlabs.nl>
Message-ID:

> I'm unsure how PublishSafety and RetireSafety should be used. The Wiki
> says the following, but it confuses me.
>
> """ and are the publish and retire safety
> margins for the keys. These intervals are safety margins added to
> calculated timing values to ensure that keys are published and retired
> without there being a chance of signatures created with the keys being
> considered invalid."""
>
> I attached two possibilities. Drawn in the well-known state diagram with
> Hidden/Rumoured/Omnipresent/Unretentive.
>
> 1) We wait extra long after introducing/outroducing a resource record
> 2) We wait extra long before introducing/outroducing a resource record
>
> T = TTL
> D = PropagationDelay
> P = PublishSafety
> R = RetireSafety
>
> There might be a third option?
>
> I should think it is option 2 since in option 1 it does the same as
> PropagationDelay.

The code in Enforcer uses them this way:

Time between publish and ready:
deltat = collection->zskttl + collection->propdelay + collection->pub_safety; (ZSK)
deltat = collection->kskttl + collection->kskpropdelay + collection->pub_safety; (KSK)

Time between retire to dead:
deltat = collection->zsksiglife + collection->propdelay + collection->ret_safety; (ZSK)
deltat = collection->dsttl + collection->kskpropdelay + collection->ret_safety; (KSK)

So this is option 1 and is almost like adding extra time to the PropagationDelay. The thing that the safety margins want to protect you from is to enter the omnipresent and the hidden state too early. Not that we enter the rumoured or unretentive too early (nothing bad can happen to us in this state).

Question: Do you need time between rumoured and unretentive?

// Rickard

From owner-dnssec-trac at kirei.se Wed Jul 6 13:07:12 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 06 Jul 2011 13:07:12 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #248: Incorrect check for availability of LoadLibrary function
In-Reply-To: <063.65a97b964467167cbf3ab2abef2a1626@kirei.se>
References: <063.65a97b964467167cbf3ab2abef2a1626@kirei.se>
Message-ID: <078.e669aafae3685d8785b6c0608a320a9a@kirei.se>

#248: Incorrect check for availability of LoadLibrary function
-----------------------------------------------+----------------------------
Reporter: jaroslav.imrich@?                    | Owner: rb
Type: defect                                   | Status: new
Priority: major                                | Component: SoftHSM
Version: trunk                                 | Resolution:
Keywords: windows mingw autoconf loadlibrary   |
-----------------------------------------------+----------------------------

Comment (by jaroslav.imrich@?):

I confirm svn rev. 5294 works as expected and LoadLibrary is detected correctly.

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From sion at nominet.org.uk Wed Jul 6 13:12:01 2011
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Wed, 6 Jul 2011 14:12:01 +0100
Subject: [Opendnssec-develop] PublishSafety and RetireSafety
In-Reply-To:
References: <4E1457D8.1050304@nlnetlabs.nl>
Message-ID: <4E145F21.5000100@nominet.org.uk>

> The code in Enforcer uses them this way:
>
> Time between publish and ready:
> deltat = collection->zskttl + collection->propdelay +
> collection->pub_safety; (ZSK)
> deltat = collection->kskttl + collection->kskpropdelay +
> collection->pub_safety; (KSK)
>
> Time between retire to dead:
> deltat = collection->zsksiglife + collection->propdelay +
> collection->ret_safety; (ZSK)
> deltat = collection->dsttl + collection->kskpropdelay +
> collection->ret_safety; (KSK)
>
> So this is option 1 and is almost like adding extra time to the
> PropagationDelay.

Yes. You can think of it like this...
The propagation delay is a guess, and may be longer than the value given, so this term is included to add some extra safety.

You have to look at the original version of the timing draft for a full explanation:
http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-00

Sion

From yuri at NLnetLabs.nl Wed Jul 6 13:46:25 2011
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Wed, 06 Jul 2011 15:46:25 +0200
Subject: [Opendnssec-develop] PublishSafety and RetireSafety
In-Reply-To:
References: <4E1457D8.1050304@nlnetlabs.nl>
Message-ID: <4E146731.7020007@nlnetlabs.nl>

> So this is option 1 and is almost like adding extra time to the
> PropagationDelay.

Thank you. You say 'almost like', why isn't it 'entirely like'? I do not see the nuance.

> Question: Do you need time between rumoured and unretentive?

No you are right. That is an error of mine. There should be no time in those transitions.

//yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl

From yuri at NLnetLabs.nl Wed Jul 6 13:55:54 2011
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Wed, 06 Jul 2011 15:55:54 +0200
Subject: [Opendnssec-develop] PublishSafety and RetireSafety
In-Reply-To: <4E145F21.5000100@nominet.org.uk>
References: <4E1457D8.1050304@nlnetlabs.nl> <4E145F21.5000100@nominet.org.uk>
Message-ID: <4E14696A.40902@nlnetlabs.nl>

> Yes. You can think of it like this... The propagation delay is a guess,
> and may be longer than the value given, so this term is included to add
> some extra safety.

Okay, so propagationdelay is entirely like publishsafety. Do you agree it does not actually add safety over propdelay and it is only cosmetic? (No offense intended, I only want to make sure I understand fully and correctly).

> You have to look at the original version of the timing draft for a full
> explanation:
> http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-00

Will do.

//yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl

From yuri at NLnetLabs.nl Wed Jul 6 14:12:37 2011
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Wed, 06 Jul 2011 16:12:37 +0200
Subject: [Opendnssec-develop] PublishSafety and RetireSafety
In-Reply-To: <4E14696A.40902@nlnetlabs.nl>
References: <4E1457D8.1050304@nlnetlabs.nl> <4E145F21.5000100@nominet.org.uk> <4E14696A.40902@nlnetlabs.nl>
Message-ID: <4E146D55.4000309@nlnetlabs.nl>

On 07/06/2011 03:55 PM, Yuri Schaeffer wrote:
>> Yes. You can think of it like this... The propagation delay is a guess,
>> and may be longer than the value given, so this term is included to add
>> some extra safety.

Ah yes. I see now it is the difference between internal and external factors. So safety might take clockskew of validators into account. While propagation delay might have the signing time and xfrs to slaves.

//yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl

From owner-dnssec-trac at kirei.se Wed Jul 6 14:30:03 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 06 Jul 2011 14:30:03 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #248: Incorrect check for availability of LoadLibrary function
In-Reply-To: <063.65a97b964467167cbf3ab2abef2a1626@kirei.se>
References: <063.65a97b964467167cbf3ab2abef2a1626@kirei.se>
Message-ID: <078.85817a742168ca306f5c44b0db3f6755@kirei.se>

#248: Incorrect check for availability of LoadLibrary function
-----------------------------------------------+----------------------------
Reporter: jaroslav.imrich@?                    | Owner: rb
Type: defect                                   | Status: closed
Priority: major                                | Component: SoftHSM
Version: trunk                                 | Resolution: fixed
Keywords: windows mingw autoconf loadlibrary   |
-----------------------------------------------+----------------------------

Changes (by rb):

* status: new => closed
* resolution: => fixed

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jul 6 16:36:01 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 06 Jul 2011 16:36:01 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #249: New document about building SoftHSM on Windows with MinGW
Message-ID: <063.10d40b057353c82c4cac55dd94a23a7b@kirei.se>

#249: New document about building SoftHSM on Windows with MinGW
--------------------------------------+-------------------------------------
Reporter: jaroslav.imrich@?           | Owner: rb
Type: enhancement                     | Status: new
Priority: trivial                     | Component: SoftHSM
Version: trunk                        | Keywords: softhsm windows
--------------------------------------+-------------------------------------

I've created a new document about building SoftHSM on Windows with MinGW. Perhaps it could be added to SVN trunk as README.MinGW

--
Ticket URL:
OpenDNSSEC
OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jul 6 19:56:41 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 06 Jul 2011 19:56:41 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #250: Missing include of time.h
Message-ID: <063.96d9ee20564a8b05a699d6479129477f@kirei.se>

#250: Missing include of time.h
--------------------------------------+-------------------------------------
Reporter: jaroslav.imrich@?           | Owner: rb
Type: defect                          | Status: new
Priority: trivial                     | Component: SoftHSM
Version: trunk                        | Keywords:
--------------------------------------+-------------------------------------

Functions time() and strftime() are used in file src/lib/SoftHSMInternal.cpp but header file time.h is not included. Library cannot be built without this header on Windows with MinGW.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jul 6 22:18:30 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 06 Jul 2011 22:18:30 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #251: Header sys/socket.h is not available on Windows
Message-ID: <063.c718eae02ddc8cac8791256de1cce7d5@kirei.se>

#251: Header sys/socket.h is not available on Windows
--------------------------------------+-------------------------------------
 Reporter: jaroslav.imrich@? | Owner: rb
 Type: defect | Status: new
 Priority: trivial | Component: SoftHSM
 Version: trunk | Keywords:
--------------------------------------+-------------------------------------
 I am attaching patch that removes inclusion of header sys/socket.h in file
 src/bin/base64.c for Windows builds. Support tools cannot be built with
 this header on Windows with MinGW.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Wed Jul 6 22:28:16 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 06 Jul 2011 22:28:16 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #252: Missing implementation of getpass() and dynamic library loading part on Windows
Message-ID: <063.a56e024e21e98fb0b12682a80271e12a@kirei.se>

#252: Missing implementation of getpass() and dynamic library loading part on
Windows
--------------------------------------+-------------------------------------
 Reporter: jaroslav.imrich@? | Owner: rb
 Type: defect | Status: new
 Priority: major | Component: SoftHSM
 Version: trunk | Keywords:
--------------------------------------+-------------------------------------
 Implementation of function getpass() is missing in file
 src/bin/softhsm.cpp. This function is GNU extension that does not exist on
 Windows. Also dynamic library loading part is not implemented when
 LoadLibrary is used. I am attaching patch that fixes these issues.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Thu Jul 7 07:58:54 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 07 Jul 2011 07:58:54 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #249: New document about building SoftHSM on Windows with MinGW
In-Reply-To: <063.10d40b057353c82c4cac55dd94a23a7b@kirei.se>
References: <063.10d40b057353c82c4cac55dd94a23a7b@kirei.se>
Message-ID: <078.ebca95e8dc3879d9df07cc98af9de62c@kirei.se>

#249: New document about building SoftHSM on Windows with MinGW
--------------------------------------+-------------------------------------
 Reporter: jaroslav.imrich@? | Owner: rb
 Type: enhancement | Status: closed
 Priority: trivial | Component: SoftHSM
 Version: trunk | Resolution: fixed
 Keywords: softhsm windows |
--------------------------------------+-------------------------------------
Changes (by rb):

  * status: new => closed
  * resolution: => fixed

Comment:

 Thanks. Added in r5296

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Fri Jul 8 10:50:05 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 08 Jul 2011 10:50:05 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #250: Missing include of time.h
In-Reply-To: <063.96d9ee20564a8b05a699d6479129477f@kirei.se>
References: <063.96d9ee20564a8b05a699d6479129477f@kirei.se>
Message-ID: <078.85bc14e45a371e45118f69a7ad2f18fb@kirei.se>

#250: Missing include of time.h
--------------------------------------+-------------------------------------
 Reporter: jaroslav.imrich@? | Owner: rb
 Type: defect | Status: closed
 Priority: trivial | Component: SoftHSM
 Version: trunk | Resolution: fixed
 Keywords: |
--------------------------------------+-------------------------------------
Changes (by rb):

  * status: new => closed
  * resolution: => fixed

Comment:

 Thanks. Fixed in r5303.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Fri Jul 8 11:08:04 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 08 Jul 2011 11:08:04 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #252: Missing implementation of getpass() and dynamic library loading part on Windows
In-Reply-To: <063.a56e024e21e98fb0b12682a80271e12a@kirei.se>
References: <063.a56e024e21e98fb0b12682a80271e12a@kirei.se>
Message-ID: <078.81bc32129a712be429cc7026fcd42544@kirei.se>

#252: Missing implementation of getpass() and dynamic library loading part on
Windows
--------------------------------------+-------------------------------------
 Reporter: jaroslav.imrich@? | Owner: rb
 Type: defect | Status: closed
 Priority: major | Component: SoftHSM
 Version: trunk | Resolution: fixed
 Keywords: |
--------------------------------------+-------------------------------------
Changes (by rb):

  * status: new => closed
  * resolution: => fixed

Comment:

 Thanks. Fixed in r5304.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Fri Jul 8 13:26:55 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 08 Jul 2011 13:26:55 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #251: Header sys/socket.h is not available on Windows
In-Reply-To: <063.c718eae02ddc8cac8791256de1cce7d5@kirei.se>
References: <063.c718eae02ddc8cac8791256de1cce7d5@kirei.se>
Message-ID: <078.c0df833e907b9a2e82c3efa85ba5535b@kirei.se>

#251: Header sys/socket.h is not available on Windows
--------------------------------------+-------------------------------------
 Reporter: jaroslav.imrich@? | Owner: rb
 Type: defect | Status: closed
 Priority: trivial | Component: SoftHSM
 Version: trunk | Resolution: fixed
 Keywords: |
--------------------------------------+-------------------------------------
Changes (by rb):

  * status: new => closed
  * resolution: => fixed

Comment:

 Thanks. Fixed in r5305.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From nick.vandenheuvel at sidn.nl Mon Jul 11 13:05:05 2011
From: nick.vandenheuvel at sidn.nl (Nick van den Heuvel)
Date: Mon, 11 Jul 2011 13:05:05 +0000
Subject: [Opendnssec-develop] Testing ODS 1.2.2 branch
Message-ID: <60E0FAC48923D348BF7B1861488E606E06FE8BBA@kambx3.SIDN.local>

Hi guys,

Is it still necessary to test 1.2.2 branch? If yes, I will try to test
as much as possible this week.

Regards,
Nick

Nick van den Heuvel
Testanalist

SIDN | Utrechtseweg 310 | 6812 AR | Postbus 5022 | 6802 EA | ARNHEM
T +31 (0)26 352 55 00 | F +31 (0)26 352 55 05
nick.vandenheuvel at sidn.nl | www.sidn.nl

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From matthijs at NLnetLabs.nl Mon Jul 11 13:07:10 2011
From: matthijs at NLnetLabs.nl (Matthijs Mekking)
Date: Mon, 11 Jul 2011 15:07:10 +0200
Subject: [Opendnssec-develop] Testing ODS 1.2.2 branch
In-Reply-To: <60E0FAC48923D348BF7B1861488E606E06FE8BBA@kambx3.SIDN.local>
References: <60E0FAC48923D348BF7B1861488E606E06FE8BBA@kambx3.SIDN.local>
Message-ID: <4E1AF57E.2000206@nlnetlabs.nl>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yes, it is still necessary to test the 1.2 branch before we release 1.2.2.

The developers (including me) should check and report if there are
pending patches before you can start testing.

Best regards,

Matthijs

On 07/11/2011 03:05 PM, Nick van den Heuvel wrote:
> Hi guys,
>
> Is it still necessary to test 1.2.2 branch? If yes, I will try to test
> as much as possible this week.
>
> Regards,
>
> Nick
>
> Nick van den Heuvel
>
> Testanalist
>
> SIDN | Utrechtseweg 310 | 6812 AR | Postbus 5022 | 6802 EA | ARNHEM
> T +31 (0)26 352 55 00 | F +31 (0)26 352 55 05
> nick.vandenheuvel at sidn.nl | www.sidn.nl
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From owner-dnssec-trac at kirei.se Mon Jul 11 22:59:49 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Mon, 11 Jul 2011 22:59:49 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #253: Configuration parsing unusable on Windows
Message-ID: <063.21687b67a28bb9a27282b6aacd00d826@kirei.se>

#253: Configuration parsing unusable on Windows
--------------------------------------+-------------------------------------
 Reporter: jaroslav.imrich@? | Owner: rb
 Type: defect | Status: new
 Priority: minor | Component: SoftHSM
 Version: trunk | Keywords:
--------------------------------------+-------------------------------------
 Configuration parsing code uses colon to parse individual entries but
 colon is often used to define path on Windows. Code can successfully parse
 string "0:/var/softhsm/slot0.db" but it cannot parse
 "0:c:\SoftHSM\slot0.db" because of the second colon. Attached patch fixes
 this issue with minimum amount of changes.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jul 12 06:38:16 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 12 Jul 2011 06:38:16 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #253: Configuration parsing unusable on Windows
In-Reply-To: <063.21687b67a28bb9a27282b6aacd00d826@kirei.se>
References: <063.21687b67a28bb9a27282b6aacd00d826@kirei.se>
Message-ID: <078.a23ab5852c7511e768aac05563311ade@kirei.se>

#253: Configuration parsing unusable on Windows
--------------------------------------+-------------------------------------
 Reporter: jaroslav.imrich@? | Owner: rb
 Type: defect | Status: closed
 Priority: minor | Component: SoftHSM
 Version: trunk | Resolution: fixed
 Keywords: |
--------------------------------------+-------------------------------------
Changes (by rb):

  * status: new => closed
  * resolution: => fixed

Comment:

 Thanks. Fixed in r5316.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From rickard at opendnssec.org Tue Jul 12 11:54:35 2011
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 12 Jul 2011 13:54:35 +0200
Subject: [Opendnssec-develop] Meeting tomorrow
Message-ID:

Hi

It is time for a meeting tomorrow:

Date: Wednesday 13 July
Time: 14:00-15:00 CEST, 13:00-14:00 BST

http://trac.opendnssec.org/wiki/Meetings/Agenda/2011-07-13

// Rickard

From owner-dnssec-trac at kirei.se Tue Jul 12 11:55:53 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 12 Jul 2011 11:55:53 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #100: Certificate support + C_Encrypt and C_Decrypt support
In-Reply-To: <063.7e7e24c70d6d211c49a31709f23add49@kirei.se>
References: <063.7e7e24c70d6d211c49a31709f23add49@kirei.se>
Message-ID: <078.0d6d4c4c8c1690c3d9b7ff936ee35d8e@kirei.se>

#100: Certificate support + C_Encrypt and C_Decrypt support
----------------------------------------------+-----------------------------
 Reporter: calderon.thomas@? | Owner: rb
 Type: enhancement | Status: closed
 Priority: major | Component: SoftHSM
 Version: trunk | Resolution: fixed
 Keywords: Certificate, C_Encrypt, C_Decrypt |
----------------------------------------------+-----------------------------
Changes (by rb):

  * status: accepted => closed
  * resolution: => fixed

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jul 12 12:00:07 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 12 Jul 2011 12:00:07 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #240: Remove $Id tags from configuration files
In-Reply-To: <065.d999458c6817b10e81d4259aa2c1fbec@kirei.se>
References: <065.d999458c6817b10e81d4259aa2c1fbec@kirei.se>
Message-ID: <080.0338d804ccb0fef1ef331d2e77d81982@kirei.se>

#240: Remove $Id tags from configuration files
------------------------------------------+---------------------------------
 Reporter: Ond?ej Sur? | Owner: rb
 Type: enhancement | Status: new
 Priority: trivial | Component: Unknown
 Version: trunk | Resolution:
 Keywords: |
------------------------------------------+---------------------------------
Comment (by rb):

 Not fixed in 1.3.0...

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jul 12 12:10:22 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 12 Jul 2011 12:10:22 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #246: Kaspcheck validates kasp.xml when NSEC3 algorithm is 0
In-Reply-To: <057.ef3068d0c172b6bf23251027cbef494f@kirei.se>
References: <057.ef3068d0c172b6bf23251027cbef494f@kirei.se>
Message-ID: <072.f6aab5a25fb7ca23245403298048eba0@kirei.se>

#246: Kaspcheck validates kasp.xml when NSEC3 algorithm is 0
--------------------------------+-------------------------------------------
 Reporter: Nick van den Heuvel | Owner: alex
 Type: defect | Status: assigned
 Priority: minor | Component: Unknown
 Version: 1.3.0 | Resolution:
 Keywords: 1.3.0rc3 |
--------------------------------+-------------------------------------------
Changes (by rb):

  * owner: rb => alex
  * status: new => assigned

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From rickard at opendnssec.org Tue Jul 12 12:17:13 2011
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 12 Jul 2011 14:17:13 +0200
Subject: [Opendnssec-develop] Testing ODS 1.2.2 branch
In-Reply-To: <4E1AF57E.2000206@nlnetlabs.nl>
References: <60E0FAC48923D348BF7B1861488E606E06FE8BBA@kambx3.SIDN.local> <4E1AF57E.2000206@nlnetlabs.nl>
Message-ID:

On Mon, Jul 11, 2011 at 3:07 PM, Matthijs Mekking wrote:
> The developers (including me) should check and report if there are
> pending patches before you can start testing.

* No bug reports in Trac.
* NSEC3 problem reported by Bryton on the user list.

// Rickard

From owner-dnssec-trac at kirei.se Tue Jul 12 12:19:41 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 12 Jul 2011 12:19:41 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #185: SoftHSM under Cygwin
In-Reply-To: <055.aa769925ca759b25ca67c9324d728d03@kirei.se>
References: <055.aa769925ca759b25ca67c9324d728d03@kirei.se>
Message-ID: <070.1d3eb8dfc17cf6ac041f7b3674b890be@kirei.se>

#185: SoftHSM under Cygwin
------------------------------+---------------------------------------------
 Reporter: smokimk@? | Owner: rb
 Type: defect | Status: accepted
 Priority: major | Component: SoftHSM
 Version: trunk | Resolution:
 Keywords: |
------------------------------+---------------------------------------------
Comment (by rb):

 You should get DLL files now, if you try the version in trunk. It works
 with MinGW.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From owner-dnssec-trac at kirei.se Tue Jul 12 17:40:06 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 12 Jul 2011 17:40:06 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #240: Remove $Id tags from configuration files
In-Reply-To: <065.d999458c6817b10e81d4259aa2c1fbec@kirei.se>
References: <065.d999458c6817b10e81d4259aa2c1fbec@kirei.se>
Message-ID: <080.3c5492800222306e4d58937f4d4c0f1e@kirei.se>

#240: Remove $Id tags from configuration files
------------------------------------------+---------------------------------
 Reporter: Ond?ej Sur? | Owner: jakob
 Type: enhancement | Status: assigned
 Priority: trivial | Component: Unknown
 Version: trunk | Resolution:
 Keywords: |
------------------------------------------+---------------------------------
Changes (by jakob):

  * owner: rb => jakob
  * status: new => assigned

Comment:

 This is very strange, I get the different $Id$ tags for a clean checkout
 and my local releases branch. I'll look into this.

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From rick at openfortress.nl Wed Jul 13 13:21:15 2011
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 13 Jul 2011 13:21:15 +0000
Subject: [Opendnssec-develop] Meeting notes 2011-07-13
Message-ID: <20110713132115.GA1656@phantom.vanrein.org>

Hello,

The notes of today's meeting are available on
http://trac.opendnssec.org/wiki/Meetings/Minutes/2011-07-13

Any comments, please let me know.

-Rick

From nick.vandenheuvel at sidn.nl Thu Jul 14 08:42:39 2011
From: nick.vandenheuvel at sidn.nl (Nick van den Heuvel)
Date: Thu, 14 Jul 2011 08:42:39 +0000
Subject: [Opendnssec-develop] Meeting notes 2011-07-13
In-Reply-To: <20110713132115.GA1656@phantom.vanrein.org>
References: <20110713132115.GA1656@phantom.vanrein.org>
Message-ID: <60E0FAC48923D348BF7B1861488E606E06FFC811@kambx3.SIDN.local>

Hi Rick,

Thanks for the minutes! Regarding my action point. I did send some
performance values in June to the development list. See attachment.

Regards,
Nick

-----Original Message-----
From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-develop-bounces at lists.opendnssec.org] On Behalf Of Rick van Rein
Sent: woensdag 13 juli 2011 15:21
To: opendnssec-develop at lists.opendnssec.org
Subject: [Opendnssec-develop] Meeting notes 2011-07-13

Hello,

The notes of today's meeting are available on
http://trac.opendnssec.org/wiki/Meetings/Minutes/2011-07-13

Any comments, please let me know.

-Rick
_______________________________________________
Opendnssec-develop mailing list
Opendnssec-develop at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

-------------- next part --------------
An embedded message was scrubbed...
From: =?iso-8859-1?Q?Si=F4n_Lloyd?=
Subject: [Opendnssec-develop] Performance values
Date: Wed, 29 Jun 2011 13:35:37 +0000
Size: 12200
URL:

From nick.vandenheuvel at sidn.nl Thu Jul 14 09:38:28 2011
From: nick.vandenheuvel at sidn.nl (Nick van den Heuvel)
Date: Thu, 14 Jul 2011 09:38:28 +0000
Subject: [Opendnssec-develop] Testing OpenDNSSEC 1.2.2
Message-ID: <60E0FAC48923D348BF7B1861488E606E06FFC86A@kambx3.SIDN.local>

Hi guys,

Today I will start with testing 1.2.2. I expect to have the complete
results next week.

Regards,
Nick

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From yuri at nlnetlabs.nl Thu Jul 14 15:48:55 2011
From: yuri at nlnetlabs.nl (Yuri Schaeffer)
Date: Thu, 14 Jul 2011 17:48:55 +0200
Subject: [Opendnssec-develop] Enforcer: Multiple keys in same role
Message-ID: <1310658535.2159.35.camel@thorin>

Hi,

I have finally heard of use cases for multiple keys in the same role
(politics, geeks and paranoids). So I have been thinking about an
algorithm to decide which keys to keep and which to decommission.

I propose to link keys to their policy by
role|algorithm|lifetime|repository. This information is already present
at the key, but no link to the policy is defined.

A policy may look like this (collection of KeyConfigurations):
zsk1 (alg a1, lifetime l1, repository r)
zsk2 (alg a2, lifetime l1, repository r)
ksk1 (alg a1, lifetime l2, repository r)
ksk2 (alg a2, lifetime l2, repository r)
no csks

The algorithm looks like this:
------
1)
Decommission all keys with KeyConfiguration not in Policy.
/* We toggle goal, no immediate consequences */

2)
for each KeyConfiguration Kc:
  (not Exists key in Kc) OR (newest key in Kc is EOL)?
    decommission each key in Kc
    introduce new key
-----

cons:
- two exact same keys are not possible. Enforcer will still work, but
  outcome might be unsuspected for users (one key will be thrown away
  immediately after generation).

pros:
- keys from some old KeyConfiguration will automatically outroduce.
  Even if they are not end of life. This is probably what the user wants.
- Switching to an unsigned zone works as intended.

What do you think?

//Yuri

From rickard at opendnssec.org Fri Jul 15 08:06:51 2011
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Fri, 15 Jul 2011 10:06:51 +0200
Subject: [Opendnssec-develop] Enforcer: Multiple keys in same role
In-Reply-To: <1310658535.2159.35.camel@thorin>
References: <1310658535.2159.35.camel@thorin>
Message-ID:

> role|algorithm|lifetime|repository.

Is the lifetime defined as an interval (from x to y) or a duration (z
months)? If it is a duration, then e.g. ZSKs during rollover would
look the same within one policy.

> The algorithm looks like this:
> ------
> 1)
> Decommission all keys with KeyConfiguration not in Policy.
> /* We toggle goal, no immediate consequences */
>
> 2)
> for each KeyConfiguration Kc:
>  (not Exists key in Kc) OR (newest key in Kc is EOL)?
>    decommission each key in Kc
>    introduce new key

Isn't it more you need to think of? E.g. algorithm rollover?

// Rickard

From yuri at NLnetLabs.nl Fri Jul 15 12:46:05 2011
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Fri, 15 Jul 2011 14:46:05 +0200
Subject: [Opendnssec-develop] Enforcer: Multiple keys in same role
In-Reply-To:
References: <1310658535.2159.35.camel@thorin>
Message-ID: <4E20368D.5000701@nlnetlabs.nl>

> Is the lifetime defined as an interval (from x to y) or a duration (z
> months)? If it is a duration, then e.g. ZSKs during rollover would
> look the same within one policy.

Lifetime is a duration, but I'm not sure where you are heading at.
If two ZSKs are introduced at the same time and have the same lifetime,
they will roll simultaneously.

>> The algorithm looks like this:
>> ------
>> 1)
>> Decommission all keys with KeyConfiguration not in Policy.
>> /* We toggle goal, no immediate consequences */
>>
>> 2)
>> for each KeyConfiguration Kc:
>> (not Exists key in Kc) OR (newest key in Kc is EOL)?
>> decommission each key in Kc
>> introduce new key
>
> Isn't it more you need to think of? E.g. algorithm rollover?

I *think* this covers it. An algorithm rollover would work:

step 1. the old key gets goal hidden.
        (because config no longer present)
step 2. a new key is introduced
        (because no (usable) key for new config exists)
Then, Everything rolls as usual

In case the old config isn't removed, the zone will be double signed
since step 1 is then skipped. This is what we want to support for the
paranoids et al.

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl

From sion at nominet.org.uk Fri Jul 15 13:39:07 2011
From: sion at nominet.org.uk (=?ISO-8859-1?Q?Si=F4n_Lloyd?=)
Date: Fri, 15 Jul 2011 14:39:07 +0100
Subject: [Opendnssec-develop] Hudson/Jenkins test
Message-ID: <4E2042FB.4080104@nominet.org.uk>

I just ran the simulate_test_engine.sh script (twice, to make sure) and
we see some errors:

Zone unknown.rr.org was not correctly signed
Zone example.com was not correctly signed
Zone all.rr.org failed successfully
Zone all.rr.binary.org signed successfully

There are a number of auditor entries in the logs, and I am not sure if
we expect some of them (given that one zone is expected to fail). Some
examples:

Jul 15 14:28:23 sion ods-auditor[27776]: RRSIGS should include algorithm RSASHA256 for unknown.rr.org, SOA, have :
Jul 15 14:28:23 sion ods-auditor[27776]: RRSet (unknown.rr.org, SOA) failed verification : No signatures in the RRSet : unknown.rr.org, SOA, tag = none
Jul 15 14:28:23 sion ods-auditor[27776]: non-DNSSEC RRSet TYPE731 included in Output that was not present in Input : a.unknown.rr.org. 3600 IN TYPE731 \# 6 abcdef012345
Jul 15 14:28:23 sion ods-auditor[27776]: Output zone does not contain non-DNSSEC RRSet : TYPE731, a.unknown.rr.org. 3600 CLASS32 TYPE731 \# 6 abcdef012345
Jul 15 14:28:23 sion ods-auditor[27776]: non-DNSSEC RRSet TYPE62347 included in Output that was not present in Input : b.unknown.rr.org. 3600 IN TYPE62347 \# 0
Jul 15 14:28:23 sion ods-auditor[27776]: Output zone does not contain non-DNSSEC RRSet : TYPE62347, b.unknown.rr.org. 3600 HS TYPE62347 \# 0
Jul 15 14:28:24 sion ods-auditor[27783]: RRSet (ns1.example.com, SSHFP) failed verification : Signature failed to cryptographically verify, tag = 20170

Also; the signer segfaults as it shuts down:

Jul 15 14:28:34 sion ods-signerd: [engine] signer shutdown
Jul 15 14:28:35 sion kernel: [21587.173476] ods-signerd[27721]: segfault at 20 ip 00007f07c696aee7 sp 00007fff2d9338a0 error 4 in libldns.so.1.6.10[7f07c6953000+47000]

This is on a 64-bit kubuntu 11 machine.

Could someone confirm for me if they see the same behaviour? (maybe wait
until Monday now.)

Cheers.

Sion

From rickard at opendnssec.org Fri Jul 15 14:19:14 2011
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Fri, 15 Jul 2011 16:19:14 +0200
Subject: [Opendnssec-develop] Enforcer: Multiple keys in same role
In-Reply-To: <4E20368D.5000701@nlnetlabs.nl>
References: <1310658535.2159.35.camel@thorin> <4E20368D.5000701@nlnetlabs.nl>
Message-ID:

On Fri, Jul 15, 2011 at 2:46 PM, Yuri Schaeffer wrote:
>> Is the lifetime defined as an interval (from x to y) or a duration (z
>> months)? If it is a duration, then e.g. ZSKs during rollover would
>> look the same within one policy.
>
> Lifetime is a duration, but I'm not sure where you are heading at.
> If two ZSKs are introduced at the same time and have the same lifetime,
> they will roll simultaneously.

How would you know which one is the oldest if you only have the
duration and not the interval? And how would the lifetime help you to
decide which one to roll?

I was also wondering what you need the repository for? Once the key
has been created, then libhsm will find it for you. Well, we do have
the operation to mark a key as backed up.

Or maybe I am just not clear with the concept...

// Rickard

From yuri at NLnetLabs.nl Fri Jul 15 15:12:23 2011
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Fri, 15 Jul 2011 17:12:23 +0200
Subject: [Opendnssec-develop] Enforcer: Multiple keys in same role
In-Reply-To:
References: <1310658535.2159.35.camel@thorin> <4E20368D.5000701@nlnetlabs.nl>
Message-ID: <4E2058D7.70203@nlnetlabs.nl>

> How would you know which one is the oldest if you only have the
> duration and not the interval? And how would the lifetime help you to
> decide which one to roll?

Ah yes, well a key has an inception date as well. A policy obviously
does not, so inception date has no influence on the policy-key relation.

What I was trying to explain was that we need this (implicit)
relationship between key and policy to decide which keys to keep. It has
no influence on the actual rollover mechanism.

> I was also wondering what you need the repository for? Once the key
> has been created, then libhsm will find it for you.

The policy tells me which repository to create the keymaterial in. The
keys tell in which it was created. These two can drift apart. After a
while a zone might have a new policy using another HSM but my old keys
must still point to the old HSM. Having no explicit relation between key
and policy makes policy rollovers trivial.

I want to use the repository for the implicit relationship so someone
could for example sign a zone with two identical keys but stored on a
different HSM.

So I propose to link keys to their policy exactly how they are specified
in the kasp.xml:

> ...
>
> 9
> PT2400S
> SoftHSM
>
> ...

//yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl

From owner-dnssec-trac at kirei.se Wed Jul 20 08:40:08 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 20 Jul 2011 08:40:08 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #254: Configure fails on RHEL6
Message-ID: <045.8d44cd6f4983171c76ec3e68339efcde@kirei.se>

#254: Configure fails on RHEL6
--------------------+-------------------------------------------------------
 Reporter: vanrein | Owner: rb
 Type: defect | Status: new
 Priority: major | Component: Unknown
 Version: 1.3.0 | Keywords: configure libldns rhel6
--------------------+-------------------------------------------------------
 Hello,

 I'm building OpenDNSSEC 1.3.0 on RHEL6. Using EPEL, I've installed
 libldns + devel 1.6.10. When configuring, I get an error:

 {{{
 | checking for ldns-config... /usr/bin/ldns-config
 | checking what are the ldns includes... -I/usr/include
 | checking what are the ldns libs... -L/usr/lib64/python2.6 -L/usr/lib64
 | -lpython2.6 -L/usr/lib64 -lcrypto -lldns
 | checking for ldns_rr_new in -lldns... no
 | configure: error: Can't find ldns library
 }}}

 Interestingly, libldns.so (.so.1 .so.1.6.10) are available in /usr/lib64,
 which is -L'ed above. The library is included in the ld.so.cache. The
 library offers the required symbol:

 {{{
 | shellfish# nm -D /usr/lib64/libldns.so | grep ldns_rr_new
 | 0000000000018750 T ldns_rr_new
 | 000000000001ad60 T ldns_rr_new_frm_fp
 | 000000000001aaa0 T ldns_rr_new_frm_fp_l
 | 000000000001aa90 T ldns_rr_new_frm_str
 | 00000000000187e0 T ldns_rr_new_frm_type
 | 000000000001aa70 T ldns_rr_new_question_frm_str
 }}}

 I actually picked up the little C program from ./configure and compiled it
 with

 {{{
 | gcc check.c -L /usr/lib64/ -lcrypto -lldns
 }}}

 and got a clean zero exit code as well as a proper a.out output.

 Something in the ./configure logic seems to be teasing me (I find those
 very hard to read) -- any idea what problem I am running into here?

 Thanks,
 -Rick

--
Ticket URL: OpenDNSSEC OpenDNSSEC

From rick at openfortress.nl Wed Jul 20 10:32:49 2011
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 20 Jul 2011 10:32:49 +0000
Subject: [Opendnssec-develop] Re: #254: Configure fails on RHEL6
In-Reply-To: <4E269AAA.7000300@nominet.org.uk>
References: <4E269AAA.7000300@nominet.org.uk>
Message-ID: <20110720103249.GA13203@phantom.vanrein.org>

Hello Sion,

> Might there be an old install of ldns that is picked up first by
> configure but not when you compile the code from the command line?

Nope:

1. The message for an old version would be another;
2. This is a freshly installed machine to which I added ldns through EPEL only.
3. Find / -name libldns\* locates no reachable library beyond the EPEL package.

> We do not have any RHEL machines; but I could try on CentOS if you think
> that will help?

My guess would be that this is a 64-bit problem, rather than a RHEL problem.
I find it hard to decipher what ./configure does, but it appears that it
does not get all the -L arguments, specifically -L/usr/lib64

Is there a way for me to see in more detail what ./configure does? I did
not find anything useful in config.log, it ends just before this problem:

| #define HAVE_SETRESUID 1
| #define HAVE_SETRESGID 1
| #define STRPTIME_NEEDS_DEFINES 1
| #define RESTART_ENFORCERD_CMD "/usr/bin/pkill -HUP ods-enforcerd"
| #define HAVE_LIBXML2 1
|
| configure: exit 1

Thanks!
 -Rick

From rick at openfortress.nl Wed Jul 20 14:38:45 2011
From: rick at openfortress.nl (Rick van Rein)
Date: Wed, 20 Jul 2011 14:38:45 +0000
Subject: [Opendnssec-develop] Re: #254: Configure fails on RHEL6
In-Reply-To: <4E26DE43.2040603@nominet.org.uk>
References: <4E269AAA.7000300@nominet.org.uk> <20110720103249.GA13203@phantom.vanrein.org> <4E26DE43.2040603@nominet.org.uk>
Message-ID: <20110720143845.GA24067@phantom.vanrein.org>

Hi all,

> >Is there a way for me to see in more detail what ./configure does? I did
> >not find anything useful in config.log, it ends just before this problem:
>
> Short of adding more echo statements I don't know; the autotools stuff
> is a bit of a mystery to me.

Who has made these scripts?

> If you think that it just doesn't find libldns you could try adding the
> --with-ldns=PATH flag?

I tried that before filing the issue (of course). No difference.

Thanks,
 -Rick

From sion at nominet.org.uk Wed Jul 20 13:55:15 2011
From: sion at nominet.org.uk (=?ISO-8859-1?Q?Si=F4n_Lloyd?=)
Date: Wed, 20 Jul 2011 14:55:15 +0100
Subject: [Opendnssec-develop] Re: #254: Configure fails on RHEL6
In-Reply-To: <20110720103249.GA13203@phantom.vanrein.org>
References: <4E269AAA.7000300@nominet.org.uk> <20110720103249.GA13203@phantom.vanrein.org>
Message-ID: <4E26DE43.2040603@nominet.org.uk>

On 20/07/11 11:32, Rick van Rein wrote:
> Hello Sion,
>
>> Might there be an old install of ldns that is picked up first by
>> configure but not when you compile the code from the command line?
> Nope:
>
> 1. The message for an old version would be another;
> 2. This is a freshly installed machine to which I added ldns through EPEL only.
> 3. Find / -name libldns\* locates no reachable library beyond the EPEL package.
>

Good. At least that can be ruled out.

>> We do not have any RHEL machines; but I could try on CentOS if you think
>> that will help?
> My guess would be that this is a 64-bit problem, rather than a RHEL problem.
> I find it hard to decipher what ./configure does, but it appears that it
> does not get all the -L arguments, specifically -L/usr/lib64
>
> Is there a way for me to see in more detail what ./configure does? I did
> not find anything useful in config.log, it ends just before this problem:

Short of adding more echo statements I don't know; the autotools stuff
is a bit of a mystery to me.

We run 64bit CentOS; but not version 6 and with home built ldns rpms.

If you think that it just doesn't find libldns you could try adding the
--with-ldns=PATH flag?
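
The two-step key selection proposed in the "Enforcer: Multiple keys in same role" thread above, as an added Python example that is not part of any post and is not OpenDNSSEC code. The names `KeyConfig`, `Key` and `enforce`, the goal values, the algorithm numbers, lifetimes and repository names are constructed assumptions; treating a decommissioned key as not usable follows the "(usable)" remark in the reply.

```python
from dataclasses import dataclass
from typing import NamedTuple

DAY = 86400


class KeyConfig(NamedTuple):
    """The implicit key-to-policy link: role|algorithm|lifetime|repository."""
    role: str
    algorithm: int
    lifetime: int      # a duration in seconds, not an interval
    repository: str


@dataclass
class Key:
    config: KeyConfig
    inception: int               # keys carry an inception date, policies do not
    goal: str = "omnipresent"    # decommissioning only toggles this to "hidden"

    def is_eol(self, now):
        return now >= self.inception + self.config.lifetime


def enforce(policy, keys, now):
    """Run both steps once; mutates `keys` and returns the keys introduced."""
    # Step 1: decommission every key whose configuration left the policy.
    for key in keys:
        if key.config not in policy:
            key.goal = "hidden"

    # Step 2: per configuration, roll when there is no usable key or the
    # newest usable key is end-of-life.
    introduced = []
    for kc in policy:
        usable = [k for k in keys if k.config == kc and k.goal != "hidden"]
        newest = max(usable, key=lambda k: k.inception, default=None)
        if newest is None or newest.is_eol(now):
            for k in usable:
                k.goal = "hidden"
            new_key = Key(kc, inception=now)
            keys.append(new_key)
            introduced.append(new_key)
    return introduced


def active(keys):
    """(role, algorithm, repository, inception day) of keys not decommissioned."""
    return sorted((k.config.role, k.config.algorithm, k.config.repository,
                   k.inception // DAY) for k in keys if k.goal != "hidden")


def scenario():
    """Constructed walk-through: rollout, ZSK roll, then algorithm rollover."""
    zsk8 = KeyConfig("zsk", 8, 30 * DAY, "hsm1")
    ksk8 = KeyConfig("ksk", 8, 365 * DAY, "hsm1")
    zsk10, ksk10 = zsk8._replace(algorithm=10), ksk8._replace(algorithm=10)
    keys, log = [], {}

    enforce([zsk8, ksk8], keys, now=0)
    log["rollout"] = active(keys)
    enforce([zsk8, ksk8], keys, now=30 * DAY)        # ZSK lifetime reached
    log["zsk_roll"] = active(keys)

    # Copy the key set so both rollover variants start from the same state.
    double = [Key(k.config, k.inception, k.goal) for k in keys]
    enforce([zsk10, ksk10], keys, now=40 * DAY)      # old configs removed
    log["alg_roll"] = active(keys)
    enforce([zsk8, ksk8, zsk10, ksk10], double, now=40 * DAY)  # old configs kept
    log["double_signed"] = active(double)

    # Listing one configuration twice still yields a single key, while the
    # same parameters in a different repository yield a second key.
    same, other_hsm = [], []
    enforce([zsk8, zsk8], same, now=0)
    enforce([zsk8, zsk8._replace(repository="hsm2")], other_hsm, now=0)
    log["duplicate"] = active(same)
    log["two_hsms"] = active(other_hsm)
    return log


if __name__ == "__main__":
    for step, state in scenario().items():
        print(step, state)
```
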
From owner-dnssec-trac at kirei.se Thu Jul 21 12:28:31 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Thu, 21 Jul 2011 12:28:31 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #254: Configure fails on RHEL6
In-Reply-To: <045.8d44cd6f4983171c76ec3e68339efcde@kirei.se>
References: <045.8d44cd6f4983171c76ec3e68339efcde@kirei.se>
Message-ID: <060.6ca3ab8273b25f19eaa253316cfb30da@kirei.se>

#254: Configure fails on RHEL6
------------------------------------+---------------------------------------
 Reporter: vanrein                  | Owner: rb
 Type: defect                       | Status: new
 Priority: major                    | Component: Unknown
 Version: 1.3.0                     | Resolution:
 Keywords: configure libldns rhel6  |
------------------------------------+---------------------------------------

Comment (by vanrein):

Trying again showed that this *did* work with --with-ldns=/usr/lib64 so my
memory must have been clouded.

The only remaining _minor_ issue is that LDNS reports the library paths,
and these are ignored in the ./configure script. The variable $LDNS_LIBS
is not included in the line
{{{
LIBS="-ldns $LIBS"
}}}

From wouter at NLnetLabs.nl Thu Jul 21 12:34:08 2011
From: wouter at NLnetLabs.nl (W.C.A. Wijngaards)
Date: Thu, 21 Jul 2011 14:34:08 +0200
Subject: [Opendnssec-develop] Re: #254: Configure fails on RHEL6
In-Reply-To: <20110720103249.GA13203@phantom.vanrein.org>
References: <4E269AAA.7000300@nominet.org.uk> <20110720103249.GA13203@phantom.vanrein.org>
Message-ID: <4E281CC0.3080504@nlnetlabs.nl>

On 07/20/2011 12:32 PM, Rick van Rein wrote:
> My guess would be that this is a 64-bit problem, rather than a RHEL problem.
> I find it hard to decipher what ./configure does, but it appears that it
> does not get all the -L arguments, specifically -L/usr/lib64

It sounds like a typical /usr/lib and /usr/lib64 problem; more people
have that with libraries mixed and trouble. (I recall lots of libcrypto
trouble).

> Is there a way for me to see in more detail what ./configure does? I did
> not find anything useful in config.log, it ends just before this problem:
>
> | #define HAVE_SETRESUID 1
> | #define HAVE_SETRESGID 1
> | #define STRPTIME_NEEDS_DEFINES 1
> | #define RESTART_ENFORCERD_CMD "/usr/bin/pkill -HUP ods-enforcerd"
> | #define HAVE_LIBXML2 1
> |
> | configure: exit 1

You need to scroll back, and more back. And then more, past the lists of
things, until it shows you exactly the gcc command it did and what that
gcc said why it failed.

Best regards,
   Wouter

From nick.vandenheuvel at sidn.nl Thu Jul 21 14:35:38 2011
From: nick.vandenheuvel at sidn.nl (Nick van den Heuvel)
Date: Thu, 21 Jul 2011 14:35:38 +0000
Subject: [Opendnssec-develop] Test results Open DNSSEC 1.2.2 - SIDN
Message-ID: <60E0FAC48923D348BF7B1861488E606E06FFD42D@kambx3.SIDN.local>

Hi Guys,

I hereby send the test results of the regression test for OpenDNSSEC 1.2.2
which I downloaded last week from the repository (branch (version 1.2).

Regards,

Nick
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Report OpenDNSSEC 1.2.2.pdf
Type: application/pdf
Size: 287900 bytes
Desc: Report OpenDNSSEC 1.2.2.pdf

From owner-dnssec-trac at kirei.se Fri Jul 22 12:55:45 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 22 Jul 2011 12:55:45 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #255: Patch to contrib/opendnssec.spec
Message-ID: <045.68dfad79e267652e97eb413eccae295e@kirei.se>

#255: Patch to contrib/opendnssec.spec
------------------------+---------------------------------------------------
 Reporter: vanrein      | Owner: rb
 Type: enhancement      | Status: new
 Priority: minor        | Component: Unknown
 Version: 1.3.0         | Keywords:
------------------------+---------------------------------------------------

Hello,

Here are a few patches that improve opendnssec.spec, which has shown to be
needed/useful for OpenDNSSEC 1.3.0 on RHEL6:

 * removal of deprecated BuildPreReq: declaration
 * ensuring that all %file declarations are actually found
 * create username before first install (skip on later)
 * adapting ods-control to support chkconfig (one comment line)
 * stop running OpenDNSSEC prior to uninstall
 * inclusion of man-pages in %files

Enjoy,
 -Rick

From owner-dnssec-trac at kirei.se Tue Jul 26 15:02:57 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 26 Jul 2011 15:02:57 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #256: Lost argument in "ods-control signer"
Message-ID: <045.d8a04dcb92df323797c31669f7b86da7@kirei.se>

#256: Lost argument in "ods-control signer"
--------------------+-------------------------------------------------------
 Reporter: vanrein  | Owner: rb
 Type: defect       | Status: new
 Priority: minor    | Component: Unknown
 Version: 1.3.0     | Keywords: ods-control script
--------------------+-------------------------------------------------------

Hi,

We tend to invoke "ods-control signer sign tralala.org" which is not working
in 1.3.0. The modification to make it work again follows.

Cheers,
 -Rick

From owner-dnssec-trac at kirei.se Tue Jul 26 15:25:16 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 26 Jul 2011 15:25:16 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #256: Lost argument in "ods-control signer"
In-Reply-To: <045.d8a04dcb92df323797c31669f7b86da7@kirei.se>
References: <045.d8a04dcb92df323797c31669f7b86da7@kirei.se>
Message-ID: <060.0754f40937b7cb7b7d06f2420d767461@kirei.se>

#256: Lost argument in "ods-control signer"
-------------------------------+--------------------------------------------
 Reporter: vanrein             | Owner: matthijs
 Type: defect                  | Status: accepted
 Priority: minor               | Component: Unknown
 Version: 1.3.0                | Resolution:
 Keywords: ods-control script  |
-------------------------------+--------------------------------------------

Changes (by matthijs):

 * owner: rb => matthijs
 * status: new => accepted

From owner-dnssec-trac at kirei.se Tue Jul 26 15:33:01 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Tue, 26 Jul 2011 15:33:01 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #256: Lost argument in "ods-control signer"
In-Reply-To: <045.d8a04dcb92df323797c31669f7b86da7@kirei.se>
References: <045.d8a04dcb92df323797c31669f7b86da7@kirei.se>
Message-ID: <060.9854ee42e0acb63791ddbdb9686d5ad8@kirei.se>

#256: Lost argument in "ods-control signer"
-------------------------------+--------------------------------------------
 Reporter: vanrein             | Owner: matthijs
 Type: defect                  | Status: accepted
 Priority: minor               | Component: Unknown
 Version: 1.3.0                | Resolution:
 Keywords: ods-control script  |
-------------------------------+--------------------------------------------

Comment (by matthijs):

Thanks for reporting and providing a patch.
fixed in trunk and 1.3 branch

From owner-dnssec-trac at kirei.se Wed Jul 27 03:02:16 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Wed, 27 Jul 2011 03:02:16 -0000
Subject: [Opendnssec-develop] Re: [OpenDNSSEC] #256: Lost argument in "ods-control signer"
In-Reply-To: <045.d8a04dcb92df323797c31669f7b86da7@kirei.se>
References: <045.d8a04dcb92df323797c31669f7b86da7@kirei.se>
Message-ID: <060.5cde202c1dae846e532bb4f16d3a1056@kirei.se>

#256: Lost argument in "ods-control signer"
-------------------------------+--------------------------------------------
 Reporter: vanrein             | Owner: matthijs
 Type: defect                  | Status: closed
 Priority: minor               | Component: Unknown
 Version: 1.3.0                | Resolution: fixed
 Keywords: ods-control script  |
-------------------------------+--------------------------------------------

Changes (by matthijs):

 * status: accepted => closed
 * resolution: => fixed

From owner-dnssec-trac at kirei.se Fri Jul 29 17:52:12 2011
From: owner-dnssec-trac at kirei.se (OpenDNSSEC)
Date: Fri, 29 Jul 2011 17:52:12 -0000
Subject: [Opendnssec-develop] [OpenDNSSEC] #257: Error in ods-signerd
Message-ID: <057.4059ff51c872b25ae5022961c80d96b4@kirei.se>

#257: Error in ods-signerd
--------------------------------+-------------------------------------------
 Reporter: staffordp1@?         | Owner: matthijs
 Type: defect                   | Status: new
 Priority: minor                | Component: Signer
 Version: 1.3.0                 | Keywords: nsec3params zone.c nsec3params_rr
--------------------------------+-------------------------------------------

Just an FYI: found bug
/usr/local/src/opendnssec-1.3.0rc3/signer/src/signer/zone.c

details:
Imported keys, using your softHSM, but I mistakenly left the version as
"Algorithm: 7 (?)". The ods-signerd didn't like it and dumped (no core)
memory without exiting.... After that ods-signer didn't respond, neither
did ods-signerd.

I found an issue within zone.c:
This function was not getting executed within the long if statement:
ldns_rr_new_frm_fp(&nsec3params_rr, fd, NULL, NULL, NULL)
... hence nsec3params_rr doesn't get initialized, so I moved it out of the
if statement and it didn't error out. But now I wonder how the code
handled the version "?" since it didn't give me any errors after I changed
the code without fixing the keys.

(after my change)
{{{
/* nsec3params part */
if (zone->signconf->nsec_type == LDNS_RR_TYPE_NSEC3) {

    if (!backup_read_check_str(fd, ";;Nsec3parameters:") ||
        !backup_read_check_str(fd, "salt") ||
        !backup_read_str(fd, &salt) ||
        !backup_read_check_str(fd, "algorithm") ||
        !backup_read_uint32_t(fd, &zone->signconf->nsec3_algo) ||
        !backup_read_check_str(fd, "optout") ||
        !backup_read_int(fd, &zone->signconf->nsec3_optout) ||
        !backup_read_check_str(fd, "iterations") ||
        !backup_read_uint32_t(fd, &zone->signconf->nsec3_iterations) ||
        !backup_read_check_str(fd, ";;Nsec3done") ||
        !backup_read_check_str(fd, ";;"))
    {
        goto recover_error;
    }

    if (ldns_rr_new_frm_fp(&nsec3params_rr, fd, NULL, NULL, NULL) != LDNS_STATUS_OK) {
        fprintf(stdout, "Failed to define nsec3params_rr\n");
        fflush(stdout);
        goto recover_error;
    }
}
}}}
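
Added example, not part of the ticket and not OpenDNSSEC or ldns code: a C illustration of the pattern discussed above for zone.c, where reads chained with `||` stop at the first failure, so the record pointer starts as NULL and the record parse gets its own statement and status check. `record_t`, `reader_t`, the reader functions and the sample backup strings are constructed stand-ins.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the backup readers; not OpenDNSSEC or ldns code. */
typedef struct { char text[64]; } record_t;
typedef struct { const char *p; } reader_t;    /* cursor over the backup text */
static int parse_calls = 0;    /* how often the record parser actually ran */

/* Copies the next whitespace-delimited token into tok[64]; 1 on success. */
static int read_token(reader_t *in, char *tok) {
    int n = 0;
    if (sscanf(in->p, "%63s%n", tok, &n) != 1) return 0;
    in->p += n;
    return 1;
}

/* Returns 1 only if the next token equals `want`. */
static int read_check_str(reader_t *in, const char *want) {
    char tok[64];
    return read_token(in, tok) && strcmp(tok, want) == 0;
}

/* Allocates *out from the next token; 0 on success, -1 on failure. */
static int record_new_from(record_t **out, reader_t *in) {
    record_t *r = calloc(1, sizeof *r);
    parse_calls++;
    if (r == NULL || !read_token(in, r->text)) { free(r); return -1; }
    *out = r;
    return 0;
}

/* Returns 1 and sets *out on success; returns 0 with *out == NULL otherwise. */
int restore_section(const char *backup, record_t **out) {
    reader_t in = { backup };
    record_t *rr = NULL;          /* initialized, so every error path is safe */
    *out = NULL;
    /* `||` short-circuits: after the first failed read nothing else runs. */
    if (!read_check_str(&in, ";;Nsec3parameters:") ||
        !read_check_str(&in, ";;Nsec3done"))
        goto recover_error;
    /* The record is parsed in its own statement with its own status check. */
    if (record_new_from(&rr, &in) != 0)
        goto recover_error;
    *out = rr;
    return 1;
recover_error:
    free(rr);                     /* free(NULL) is a no-op */
    return 0;
}
```

A caller can test the returned pointer directly, because it is NULL whenever the function reports failure, including when a marker mismatch means the record parser never ran.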