From Roland.vanRijswijk at surfnet.nl Thu Aug 2 11:37:35 2012 From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij) Date: Thu, 2 Aug 2012 13:37:35 +0200 Subject: [Opendnssec-develop] HSM initialised and access documented on the wiki Message-ID: Hi guys, As promised in the last teleconference, I have initialised the HSM that was donated by SafeNet for use by the OpenDNSSEC team. If you want to use the HSM, please read the information I put up on the wiki first: https://wiki.opendnssec.org/display/OpenDNSSEC/HSM+for+testing Then, using the instructions supplied on the wiki page send me a signed e-mail with your host certificate and I will configure the HSM for your use. Cheers, Roland -- Roland M. van Rijswijk - Deij -- SURFnet bv -- w: http://www.surfnet.nl/en/ -- t: +31-30-2305388 -- e: roland.vanrijswijk at surfnet.nl From sara at sinodun.com Fri Aug 3 21:48:29 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 3 Aug 2012 14:48:29 -0700 Subject: [Opendnssec-develop] RE: Meeting 2012-08-07 Message-ID: Hi All, We have a scheduled team meeting: Date: Tuesday 7 August 2012 Time: 14:00-15:00 CEST, 13:00-14:00 BST The agenda and outstanding actions can be found here: http://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-07+Meeting I have set up a trial of Cisco Webex for this meeting. - If you want to join via a PC then sign up for a Webex account and join using the meeting number (231195625) - If you want to dial in from a phone then there are local numbers available for each country (the trial doesn't provide toll-free dial in): http://www.cisco.com/web/about/doing_business/conferencing/index.html Sara. -------------- next part -------------- An HTML attachment was scrubbed... URL: From sara at sinodun.com Tue Aug 7 11:27:40 2012 From: sara at sinodun.com (Sara Dickinson) Date: Tue, 7 Aug 2012 12:27:40 +0100 Subject: [Opendnssec-develop] RE: Meeting 2012-08-07 In-Reply-To: References: Message-ID: Hi All, I plan to open the Webex meeting 10 minutes early just so anyone who wants to can check that they can connect/dial in case we have any issues.... The actual meeting will still start at 14:00 CEST. Sara. On 3 Aug 2012, at 22:48, Sara Dickinson wrote: > Hi All, > > We have a scheduled team meeting: > > Date: Tuesday 7 August 2012 > Time: 14:00-15:00 CEST, 13:00-14:00 BST > > The agenda and outstanding actions can be found here: > > http://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-07+Meeting > > > I have set up a trial of Cisco Webex for this meeting. > - If you want to join via a PC then sign up for a Webex account and join using the meeting number (231195625) > - If you want to dial in from a phone then there are local numbers available for each country (the trial doesn't provide toll-free dial in): > http://www.cisco.com/web/about/doing_business/conferencing/index.html > > > Sara. > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop -------------- next part -------------- An HTML attachment was scrubbed... URL: From sara at sinodun.com Tue Aug 7 12:02:12 2012 From: sara at sinodun.com (Sara Dickinson) Date: Tue, 7 Aug 2012 13:02:12 +0100 Subject: [Opendnssec-develop] RE: Meeting 2012-08-07 In-Reply-To: References: Message-ID: <13D123A5-CD5A-495C-8C36-399E2FFA2909@sinodun.com> The best laid plans...... No audio on the client and meeting number not recognised on the toll numbers........... I suggest we fall back to the nominet system for the meeting. Sorry. Sara. On 3 Aug 2012, at 22:48, Sara Dickinson wrote: > Hi All, > > We have a scheduled team meeting: > > Date: Tuesday 7 August 2012 > Time: 14:00-15:00 CEST, 13:00-14:00 BST > > The agenda and outstanding actions can be found here: > > http://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-07+Meeting > > > I have set up a trial of Cisco Webex for this meeting. > - If you want to join via a PC then sign up for a Webex account and join using the meeting number (231195625) > - If you want to dial in from a phone then there are local numbers available for each country (the trial doesn't provide toll-free dial in): > http://www.cisco.com/web/about/doing_business/conferencing/index.html > > > Sara. > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop From sara at sinodun.com Tue Aug 7 15:03:31 2012 From: sara at sinodun.com (Sara (Sinodun)) Date: Tue, 7 Aug 2012 16:03:31 +0100 Subject: [Opendnssec-develop] Re: Meeting 2012-08-07 - sorry! In-Reply-To: References: Message-ID: <5E6EC4BF-B87A-4908-A2BD-84F96B6DB60F@sinodun.com> All, Many apologies for the Webex 'incident' today. It all worked perfectly when I tested yesterday..... and so I am looking into what went wrong. Sara. On 3 Aug 2012, at 22:48, Sara Dickinson wrote: > Hi All, > > We have a scheduled team meeting: > > Date: Tuesday 7 August 2012 > Time: 14:00-15:00 CEST, 13:00-14:00 BST > > The agenda and outstanding actions can be found here: > > http://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-07+Meeting > > > I have set up a trial of Cisco Webex for this meeting. > - If you want to join via a PC then sign up for a Webex account and join using the meeting number (231195625) > - If you want to dial in from a phone then there are local numbers available for each country (the trial doesn't provide toll-free dial in): > http://www.cisco.com/web/about/doing_business/conferencing/index.html > > > Sara. > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop -------------- next part -------------- An HTML attachment was scrubbed... URL: From rick at openfortress.nl Tue Aug 7 15:05:21 2012 From: rick at openfortress.nl (Rick van Rein) Date: Tue, 7 Aug 2012 15:05:21 +0000 Subject: [Opendnssec-develop] Minutes of 2012-08-07 Message-ID: <20120807150521.GI27140@newphantom.local> Hello, The meetings of today's meeting are now available online, https://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-07+Minutes As always -- feedback is welcome, changes too. Cheers, -Rick From jerry at opendnssec.org Wed Aug 8 07:30:11 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 8 Aug 2012 09:30:11 +0200 Subject: [Opendnssec-develop] Minutes of 2012-08-07 In-Reply-To: <20120807150521.GI27140@newphantom.local> References: <20120807150521.GI27140@newphantom.local> Message-ID: Hi all, These are my comments on yesterday meeting: 2. - Sion explains that not all (older) SQLite installs supported transactional behaviour. So we've surrounded it with another lock. This may run into a race condition in some situations. Whether an install is transactional is not easily deduced by looking at it, or querying parameters. Actually looks like transactions has been around in SQLite since 2001 / v2.0 so all SQLite installations today do support transactional behavior. Just because you have transaction does not mean you can't get dead locks, its more the other way around that because of transaction you do get dead locks. This is more a matter of database design, SQL usage and the type of transaction locking the database engine does (database/table/row/column etc). - Matthijs adds thatit could help to test it if it is installation-dependent. Many of the problems we have with SQLite is very installation and OS depended. Beside the issue with locks there is the problem with the extreme slow read/write that some have reported, for example on a FreeBSD 8+ installation on very modern hardware Enforcer took 45min to do a run (cycle) on 870 zones to check if there was anything to do. I do not think we should really spend time to track these issues down since there are so many things that can affect performance but we should make MySQL the primary database engine since we know it works better. - ACTION POINT Jerry & Sion: See if this works. See if what works? Locking? - Rick finds the SQLite FAQ on http://www.sqlite.org/faq.html#q6and sees that sqlite3_threadsafe() could be called during configure to determine if the installation is suitable for OpenDNSSEC; if not, the user can be asked to install their own version and supply a path to use from OpenDNSSEC. This will enable us to remove our (problematic) locking issues. Thread safety does not have anything to do with multiple programs accessing the database. Checking thread safety is more a matter for 2.0 and the multi threaded Enforcer. (more on SQLite threads http://www.sqlite.org/threadsafe.html) The locking we have outside the database today is to hinder other programs to access the database while we work at it. That kind of access should be possible with the transactional behavior that SQLite has. - Yuri wonders if this issue will influence 2.0 releases, and so if this is going to continue being a problem. No it won't, we just add a little check for thread safety :) 5. - Sion adds some concern about duplicating code, as the broad setup of each test is often the same. This is something me and Sara has discussed also and she raised the same concern. My point for having it like this is that it may look like every test setup the same way today and making that a mandatory way of setting up will break tests in the future that can't be setup like that. But there are other way of setting simple code and that is by adding more functions where the code is the same. Me and Sara talked about adding ods_start_enforcer instead of the two lines that are there now and things like that. We could add a ods_standard_setup that mimics the setup done is more tests today without enforcing a setup routine. 6. 1.4.0-alpha3 - I am ready to tag/ball/release when you say so Rick! /Jerry From sion at nominet.org.uk Wed Aug 8 08:00:24 2012 From: sion at nominet.org.uk (=?ISO-8859-1?Q?Si=F4n_Lloyd?=) Date: Wed, 8 Aug 2012 09:00:24 +0100 Subject: [Opendnssec-develop] Minutes of 2012-08-07 In-Reply-To: References: <20120807150521.GI27140@newphantom.local> Message-ID: <50221C98.90005@nominet.org.uk> On 08/08/12 08:30, Jerry Lundstr?m wrote: > Hi all, > > These are my comments on yesterday meeting: > > 2. > > - Sion explains that not all (older) SQLite installs supported > transactional behaviour. So we've surrounded it with another lock. > This may run into a race condition in some situations. Whether an > install is transactional is not easily deduced by looking at it, or > querying parameters. > > Actually looks like transactions has been around in SQLite since 2001 > / v2.0 so all SQLite installations today do support transactional > behavior. > > Just because you have transaction does not mean you can't get dead > locks, its more the other way around that because of transaction you > do get dead locks. This is more a matter of database design, SQL usage > and the type of transaction locking the database engine does > (database/table/row/column etc). Transactions guarantee that your work is "all or nothing". Locking prevents concurrent processes from updating the same row of a table at the same time. At the time it was being written it was not clear which distributions were setting the locking style compile time flag correctly. (If I recall correctly we were seeing issues on solaris, but then we are possibly taking about solaris 8?..) > 5. > > - Sion adds some concern about duplicating code, as the broad setup of > each test is often the same. To be clear I am not too worried about duplicating code. What I was saying was that the one test I wrote was largely "cut 'n' paste"; and if we are asking folk who are not so familiar with the tests to write some it would be useful to have a clip board of code snippets and some template tests that can form the starting point. That said, utility functions that can be called would make the tests more readable. Sion From jerry at opendnssec.org Wed Aug 8 08:45:54 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 8 Aug 2012 10:45:54 +0200 Subject: [Opendnssec-develop] Fwd: [Opendnssec-commits] [svn.opendnssec.org/svn/dnssec] r6500 - branches/OpenDNSSEC-1.3/signer/src/daemon In-Reply-To: <20120806064954.9015757DFF@keihatsu.kirei.se> References: <20120806064954.9015757DFF@keihatsu.kirei.se> Message-ID: Hi Matthijs, This "fix" isn't the best it seems, it now leaks file descriptors: After start: # lsof|grep ods-sign|wc -l 92 After a while: # lsof|grep ods-sign|wc -l 218 when forcing signing: # ods-signer sign example.com Zone example.com scheduled for immediate re-sign. # lsof|grep ods-sign|wc -l 281 # ods-signer sign example.com Zone example.com scheduled for immediate re-sign. # lsof|grep ods-sign|wc -l 344 ---------- Forwarded message ---------- From: Date: Mon, Aug 6, 2012 at 8:49 AM Subject: [Opendnssec-commits] [svn.opendnssec.org/svn/dnssec] r6500 - branches/OpenDNSSEC-1.3/signer/src/daemon To: Author: matthijs Date: 2012-08-06 08:49:54 +0200 (Mon, 06 Aug 2012) New Revision: 6500 Modified: branches/OpenDNSSEC-1.3/signer/src/daemon/worker.c Log: create context within while loop (will reload engine on creating libhsm context error) Modified: branches/OpenDNSSEC-1.3/signer/src/daemon/worker.c =================================================================== --- branches/OpenDNSSEC-1.3/signer/src/daemon/worker.c 2012-08-02 22:11:39 UTC (rev 6499) +++ branches/OpenDNSSEC-1.3/signer/src/daemon/worker.c 2012-08-06 06:49:54 UTC (rev 6500) @@ -591,7 +591,9 @@ static void worker_drudge(worker_type* worker) { + engine_type* engine = NULL; zone_type* zone = NULL; + task_type* task = NULL; rrset_type* rrset = NULL; ods_status status = ODS_STATUS_OK; worker_type* chief = NULL; @@ -600,19 +602,13 @@ ods_log_assert(worker); ods_log_assert(worker->type == WORKER_DRUDGER); - ods_log_debug("[%s[%i]] create hsm context", - worker2str(worker->type), worker->thread_num); - ctx = hsm_create_context(); - if (!ctx) { - ods_log_crit("[%s[%i]] error creating libhsm context", - worker2str(worker->type), worker->thread_num); - } - + engine = (engine_type*) worker->engine; while (worker->need_to_exit == 0) { ods_log_debug("[%s[%i]] report for duty", worker2str(worker->type), worker->thread_num); chief = NULL; zone = NULL; + task = NULL; lock_basic_lock(&worker->engine->signq->q_lock); /* [LOCK] schedule */ @@ -620,45 +616,43 @@ /* [UNLOCK] schedule */ lock_basic_unlock(&worker->engine->signq->q_lock); if (rrset) { - /* set up the work */ - if (chief && chief->task) { - zone = chief->task->zone; - } - if (!zone) { - ods_log_error("[%s[%i]] unable to drudge: no zone reference", + ods_log_assert(chief); + ods_log_debug("[%s[%i]] create hsm context", + worker2str(worker->type), worker->thread_num); + ctx = hsm_create_context(); + if (!ctx) { + ods_log_crit("[%s[%i]] error creating libhsm context", worker2str(worker->type), worker->thread_num); - } - if (zone && ctx) { - ods_log_assert(rrset); - ods_log_assert(zone->dname); + engine->need_to_reload = 1; + chief->jobs_failed++; + } else { + ods_log_assert(ctx); + lock_basic_lock(&chief->worker_lock); + task = chief->task; + ods_log_assert(task); + zone = task->zone; + lock_basic_unlock(&chief->worker_lock); + ods_log_assert(zone); ods_log_assert(zone->signconf); + ods_log_assert(rrset); worker->clock_in = time(NULL); status = rrset_sign(ctx, rrset, zone->dname, zone->signconf, chief->clock_in, zone->stats); - } else { - status = ODS_STATUS_ASSERT_ERR; - } - - if (chief) { lock_basic_lock(&chief->worker_lock); if (status == ODS_STATUS_OK) { chief->jobs_completed += 1; } else { chief->jobs_failed += 1; - /* destroy context? */ } lock_basic_unlock(&chief->worker_lock); - - if (worker_fulfilled(chief) && chief->sleeping) { - ods_log_debug("[%s[%i]] wake up chief[%u], work is done", - worker2str(worker->type), worker->thread_num, - chief->thread_num); - worker_wakeup(chief); - chief = NULL; - } } - rrset = NULL; + if (worker_fulfilled(chief) && chief->sleeping) { + ods_log_debug("[%s[%i]] wake up chief[%u], work is done", + worker2str(worker->type), worker->thread_num, + chief->thread_num); + worker_wakeup(chief); + } } else { ods_log_debug("[%s[%i]] nothing to do", worker2str(worker->type), worker->thread_num); _______________________________________________ Opendnssec-commits mailing list Opendnssec-commits at lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-commits From sara at sinodun.com Wed Aug 8 10:29:10 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 8 Aug 2012 11:29:10 +0100 Subject: [Opendnssec-develop] Minutes of 2012-08-07 In-Reply-To: References: <20120807150521.GI27140@newphantom.local> Message-ID: On 8 Aug 2012, at 08:30, Jerry Lundstr?m wrote: > 1.4.0-alpha3 - I am ready to tag/ball/release when you say so Rick! To summarise the plans for upcoming releases: 1.3.10: --------- - We will release 1.3.10 with fixes for issues: 303, 298, 285, 282 and 304. Only 304 is not closed yet - Jerry has already tested this today and found a small issue so once this is addressed we will go ahead with a release. - All other issues currently marked as 1.3.10 will be moved to 1.3.11 (the fixes for 306 and 258 are only in trunk right now). 1.4.0a3: ---------- Jerry please go ahead with this release asap so .ca can test the recent fixes. 1.4.0a4 ---------- Planned for next week or the week after if possible (target 15th Aug?). Waiting for - OPENDNSSEC-130: (PIN daemon) Rickard to return from holiday, give final OK and push the code into trunk - OPENDNSSEC-294: Multi-threaded enforcer code to go into trunk (Sion). - OPENDNSSEC-250: To be resolved (Sion/Rick/Matthijs). 1.4.0b1 ----------- Planned for 2 weeks after alpha if possible (target 29th Aug) - Jenkins testing on DNS adaptors, etc. - Sara to chase testing on all outstanding issues. 1.4.0rc1 - target 12th Sept. 1.4.0 - target 19th Sept. Please let me know if you think there will be any problem with this! Sara. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry at opendnssec.org Wed Aug 8 10:36:02 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 8 Aug 2012 12:36:02 +0200 Subject: [Opendnssec-develop] Minutes of 2012-08-07 In-Reply-To: References: <20120807150521.GI27140@newphantom.local> Message-ID: On Wed, Aug 8, 2012 at 12:29 PM, Sara Dickinson wrote: > 1.4.0a3: > ---------- > Jerry please go ahead with this release asap so .ca can test the recent > fixes. Will tag as soon as 304 is done since it affect trunk also. /Jerry From jerry at opendnssec.org Wed Aug 8 12:23:50 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 8 Aug 2012 14:23:50 +0200 Subject: [Opendnssec-develop] Minutes of 2012-08-07 In-Reply-To: References: <20120807150521.GI27140@newphantom.local> Message-ID: <869C46A6-15C5-4240-9583-BCD46D285FD3@opendnssec.org> On Aug 8, 2012, at 12:29 , Sara Dickinson wrote: > 1.4.0a3: > ---------- > Jerry please go ahead with this release asap so .ca can test the recent fixes. It's done and files are up http://www.opendnssec.org/files/source/testing/ . -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From sara at sinodun.com Wed Aug 8 16:12:54 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 8 Aug 2012 17:12:54 +0100 Subject: Fwd: [Opendnssec-develop] RE: Project versions in JIRA References: Message-ID: All, In line with below I have just updated the versioning in JIRA for both 1.4 and 2.0 to reflect the flow from alpha->beta->release_candidate. So 1.4.0 has been renamed to 1.4.0rc1 and 2.0.0 to 2.0.0rc1. If you have any saved queries relying on these versions then they will need updating :-) Sara. Begin forwarded message: > From: Sara Dickinson > Date: 8 June 2012 16:24:22 GMT+01:00 > To: "opendnssec-develop at lists.opendnssec.org" > Subject: [Opendnssec-develop] RE: Project versions in JIRA > > Hi All, > > Looking at JIRA today I can see there there is both a 1.4.0 and 1.4.0b1 version both with unresolved issues. (And a version 1.4.0a2 but with no issues against it.) I don't know how project (sub)versions were handled in the past with PT but I have seen the following type of approach work well in JIRA: > > - at the start of a new release create a version called e.g. 1.4.0a1 and use this throughout the development phase > - when it is time to release the first alpha, create a version for the next release (e.g. 1.4.0.a2). Move all unresolved issue from 1.4.0a1 to 1.4.0a2 and release 1.4.0a1 > - repeat through beta and release candidates. > - if needed create (sub)versions in advance for issues that are allocated to those versions > - when the full release is made then JIRA has the option of merging all the sub-versions into a 1.4.0 version to tidy things up. > > This would mean that it would be way easier to use the built in functionality of JIRA in terms of generating change logs (completed issues to compare to the NEWS file) and roadmaps (lists of outstanding issues for a particular version) as we go through 'pre-releases'. It also makes it very easy to distinguish between released and development versions. > > But... there are *many* other ways to do version management so all comments and suggestions welcome! I did read a little about using version hierarchies with greenhopper but it looks like this has some bugs and limitations and I like the simplicity of the above approach. > > Regards > > Sara._______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop From jerry at opendnssec.org Thu Aug 9 08:33:55 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Thu, 9 Aug 2012 10:33:55 +0200 Subject: [Opendnssec-develop] Enforcer NG kasp policy checks Message-ID: Hi all, This is interesting, as I'm trying to get the tests running on Enforcer NG I just got: Aug 9 10:18:36 debian64-ods01 ods-enforcerd: [enforcer] updatePolicy Key lifetime unreasonably short with respect to TTL and MaxZoneTTL. Will not insert key! This policy works on 1.3/1.4. Do we know how much more strict the NG is on the policies and if it will affect our users? Or is this maybe that MaxZoneTTL is new and does not have a default value? /Jerry From yuri at nlnetlabs.nl Thu Aug 9 10:02:53 2012 From: yuri at nlnetlabs.nl (Yuri Schaeffer) Date: Thu, 09 Aug 2012 12:02:53 +0200 Subject: [Opendnssec-develop] Enforcer NG kasp policy checks In-Reply-To: References: Message-ID: <50238ACD.40404@nlnetlabs.nl> > Aug 9 10:18:36 debian64-ods01 ods-enforcerd: [enforcer] updatePolicy > Key lifetime unreasonably short with respect to TTL and MaxZoneTTL. > Will not insert key! > Or is this maybe that MaxZoneTTL is new and does not have a default value? The MaxZoneTTL directive is new, the default value is 24 hours. This is hardcoded with the same value in 1.x. For 1.x having a key lifetime shorter then the time it takes to roll a key isn't a problem - it performs just one rollover at the time and is thus bound by the TTLs anyway, lifetime is stretched. Whereas for 2.x the enforcer would never fully complete a roll, always hopping to the next new key, so this is refused. This affects users that try to rollover MORE then possible, which in 1.x is bound to something *somewhat* sane... Among other features, 2.x supports insanity. ;) I think this is the only case where the enforcer-ng outright refuses to take action instead of delaying. //yuri From sara at sinodun.com Thu Aug 9 14:34:40 2012 From: sara at sinodun.com (Sara Dickinson) Date: Thu, 9 Aug 2012 15:34:40 +0100 Subject: [Opendnssec-develop] RE: Reminder - Enforcer NG teleconf this Friday, 10th Aug at 14:00 CEST Message-ID: <72C45A6F-51BF-483D-A3BC-CBBEFCB76307@sinodun.com> Hi All, A reminder that there is an Enforcer NG telecon this Friday Date: 10th Aug 2012 Time: 14:00 CEST Suggested agenda is here: http://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-09+Enforcer+NG+teleconf Regards Sara. From sara at sinodun.com Thu Aug 9 15:33:15 2012 From: sara at sinodun.com (Sara Dickinson) Date: Thu, 9 Aug 2012 16:33:15 +0100 Subject: [Opendnssec-develop] RE: Developer workshop Sept 2012 Message-ID: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> Hi all, The current proposal based on the doodle and various discussions is to have a 1 day developer workshop on Friday 21st September in Amsterdam (i.e the Friday before RIPE). The idea would be to just have a one day workshop and we can plan additional meetings over the following days around RIPE if needed. So: - If anyone thinks we should have 2 full days instead then please speak up now! - If anyone wants to attend but cannot make this date please let me know To my knowledge the current list of participants is: Sara Jerry Yuri Matthijs Jakob Patrik (Sion) Would it be possible for NLNet labs to host this? If not I will look for options at the RIPE conference hotel. Thanks Sara. From sara at sinodun.com Fri Aug 10 15:21:05 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 10 Aug 2012 16:21:05 +0100 Subject: [Opendnssec-develop] Enforcer NG teleconf this Friday, 10th Aug at 14:00 CEST Message-ID: <33421E82-EF86-47B5-BC48-02F8EED4B6B3@sinodun.com> Hi All, The minutes from the Enforcer NG call today are now available: https://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-10+Enforcer+NG+teleconf Comments/corrections welcome! Sara. -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry at opendnssec.org Mon Aug 13 07:55:50 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Mon, 13 Aug 2012 09:55:50 +0200 Subject: [Opendnssec-develop] test platform change: centos64-ods03 => ubuntu12-amd64-ods03 Message-ID: Hi, I am reinstalling on of the VMs now as agreed, removing Cent OS amd64 and installing Ubuntu 12.04 amd64. -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From yuri at nlnetlabs.nl Mon Aug 13 08:31:47 2012 From: yuri at nlnetlabs.nl (Yuri Schaeffer) Date: Mon, 13 Aug 2012 10:31:47 +0200 Subject: [Opendnssec-develop] RE: Developer workshop Sept 2012 In-Reply-To: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> References: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> Message-ID: <5028BB73.8060503@nlnetlabs.nl> On 08/09/2012 05:33 PM, Sara Dickinson wrote: > Would it be possible for NLNet labs to host this? If not I will look > for options at the RIPE conference hotel. Naturally. What cookies do we need to go with the tea? //yuri From jerry at opendnssec.org Tue Aug 14 11:56:05 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Tue, 14 Aug 2012 13:56:05 +0200 Subject: [Opendnssec-develop] Info about possible login problems to issues.opendnssec.org Message-ID: Hi, There might have been a problem to login to issues.opendnssec.org for some of you if you created the account on wiki.opendnssec.org. This should now have been resolved. Please contact me if you still have problems logging into issues.opendnssec.org or wiki.opendnssec.org. Cheers, Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jerry at opendnssec.org Wed Aug 15 06:11:53 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 15 Aug 2012 08:11:53 +0200 Subject: [Opendnssec-develop] An API for OpenDNSSEC and SoftHSM and more Message-ID: Hello all, Some time ago we started to talk about an API for OpenDNSSEC here in the .SE office and I came up with an idea that instead of changing the code we have today we can quite quickly implement something that sits on top of OpenDNSSEC, exposes different interfaces outwards and runs commands inwards. It would give us the possibility to have an API up and running without much code change and as time goes along we could change the interface between that software, which are now running console commands and parsing output, to a more programmable interface (example protobuf) or do enough change so that we can expose the interface directly. - Lim During the summer and my free time after work hours I've (ta-da!) just happened to have written such a framework which I call Lim [1] (swedish work for glue since it glues stuff together). Its a framework written i Perl using AnyEvent (asynchronous event engine), HTTP::*, JSON::XS, SOAP::Lite and XMLRPC::Lite that can receive requests in RESTful JSON(/XML also coming), SOAP, XML-RPC and JSON-RPC (v2) using HTTPS as transport layer. - Remote Procedure Call (RPC) It might sound funny and strange to support 4+ different RPC protocols but I've worked with all of them for a while and I do not see any problems overlaying them. RESTful, XML-RPC and JSON-RPC is not as strict as SOAP (dependent on order of variables etc) and making SOAP looser is easy and good since it makes it easier to understand and use. All SOAP calls have also been tested with SoapUI [2] (Java SOAP) and if they work and validates in that tool they will work from the enterprise Java VM applications many large companies run (IBM, Oracle and Sun). Currently the RESTful implementation is not fully up to the RESTful spec, the call URI are for example /do_something_here rather then /do/something/here but I'm working on that and it will be very easy to map and rewrite URI's [3]. - Plugins The framework itself knows nothing about OpenDNSSEC or SoftHSM, that functionality is added by plugins and I've finished a plugin for OpenDNSSEC [4] and for SoftHSM [5]. The OpenDNSSEC plugin supports all commands that can be made to ods-control, ods-ksmutil, ods-signer, ods-hsmutil (please let me know if I missed any) and to manage the different configuration files that exists. SoftHSM plugin supports all commands to softhsm and the configuration file. I am also working on a new plugin called DNS [6] that can be used to manage zone files unrelated to what software there is on the system, this plugin will be able to create, modify and delete whole zone files or individual resource records within a zone file (example getting all mx RR's in example.com; GET /dns/zone/example.com/rr/mx). - CLI Beside the API there is also a CLI (lim-cli) that you can use to manage remote Lim installations and the plugins that implemented CLI support. This CLI has support for auto completion (with the right libraries [7]) and it mimics Cisco iOS, tab twice to get a completion list if there are more then one option and press ? anywhere to get the help text of that section and available commands or what type of argument it should have (right now there is only auto completion). - Agent Daemon To use the framework you run a agent daemon (lim-agentd) on the system which you want to manage and it will load and initiate all the plugins it finds on the system. The plugins will evaluate if there exists the right software for it with the right version and if it does it will expose the API. Right now there is only one way to authenticate communication between the agent and CLI and that is by strict validation of certification used in the HTTPS communication, so both server and client will check the certification and it has to match things in the key.pem you provide. Later on there will be more ways and layers of authentication. - Web Interface As for a web interface, when I started coding Lim I was quick on creating a web interface but it is really really hard to make a good and intuitive web interface. This is still something that will be done but I want to have a lot more functionality working before I start looking into it again so it will be clearer what can and can not be done and how to build a web interface framework so that it will be easy for plugins to plug in their functionality. - Packaging To use the software I have packaged it [8] for most of the distributions from the get go, mostly because I wanted to see how hard it was to do and frankly it wasn't that hard. Please note that I have not had time to install fresh VMs to test all the repositories. Debian 6 (squeeze) / 7 (wheezy) and unstable (sid) apt repository and instructions can be found at http://jelu.github.com/lim/debian/ . Ubuntu 10.04 / 10.10 / 11.04 / 11.10 / 12.04 PPA repository and instructions can be found at https://launchpad.net/~jelu/+archive/lim . EPEL 6 (Red Hat 6+ / CentOS 6+ / Scientific Linux 6+ etc...) repository and instructions can be found at http://jelu.github.com/lim/epel/ . - TODO / What happens now? There are still a lot to do before I want to release it to the general public, mainly documentation and wiki pages (I will "soonish" create a quick&dirty guide about getting it working on a fresh Ubuntu), but please look it through and give your 2 cents. I have talked with Patrik about this and he would like me to make a presentation about this for the OAB meeting in September and maybe we could also have some time for this on the developer meeting the days before to discuss it more in detail. Many thanks for reading it all :) /Jerry [1] https://github.com/jelu/lim [2] http://www.soapui.org/ [3] https://github.com/jelu/lim/blob/master/TODO [4] https://github.com/jelu/lim-plugin-opendnssec [5] https://github.com/jelu/lim-plugin-softhsm [6] https://github.com/jelu/lim-plugin-dns [7] https://github.com/jelu/anyevent-readline-gnu http://search.cpan.org/~hayashi/Term-ReadLine-Gnu http://search.cpan.org/~mlehmann/AnyEvent-ReadLine-Gnu [8] http://jelu.github.com/lim -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From jerry at opendnssec.org Wed Aug 15 09:29:31 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 15 Aug 2012 11:29:31 +0200 Subject: [Opendnssec-develop] Developer workshop Sept 2012 In-Reply-To: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> References: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> Message-ID: Hi, On Aug 9, 2012, at 17:33 , Sara Dickinson wrote: > - If anyone thinks we should have 2 full days instead then please speak up now! As it looks now for us attending RIPE, there is a CENTR Tech meeting on Sunday with dinner on Saturday which would leave some time to have extended meeting on Saturday. Could we start getting together an agenda so we can see how much time we would need? (There is a lot of the table to discuss I think) /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From Roland.vanRijswijk at surfnet.nl Wed Aug 15 10:08:44 2012 From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk - Deij) Date: Wed, 15 Aug 2012 12:08:44 +0200 Subject: [Opendnssec-develop] An API for OpenDNSSEC and SoftHSM and more In-Reply-To: References: Message-ID: Hi Jerry, Looks like 'lim' is a great contribution to the project, I look forward to your presentation at the OAB meeting! One consideration I would like to raise is that it would be good to do a security audit when you feel the code is more or less feature complete. Thanks for the effort you've put in to this! Cheers, Roland -- Roland M. van Rijswijk - Deij -- SURFnet bv -- w: http://www.surfnet.nl/en/ -- t: +31-30-2305388 -- e: roland.vanrijswijk at surfnet.nl From jerry at opendnssec.org Thu Aug 16 10:41:52 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Thu, 16 Aug 2012 12:41:52 +0200 Subject: [Opendnssec-develop] Next tele conf 23/8 Message-ID: <5784581023448806021@unknownmsgid> Hi, Is it possible/ok for everyone if we move the meeting to 15:00 CEST otherwise I wont be able to attend. Cheers, Jerry From sion at nominet.org.uk Thu Aug 16 11:10:44 2012 From: sion at nominet.org.uk (=?ISO-8859-1?Q?Si=F4n_Lloyd?=) Date: Thu, 16 Aug 2012 12:10:44 +0100 Subject: [Opendnssec-develop] Next tele conf 23/8 In-Reply-To: <5784581023448806021@unknownmsgid> References: <5784581023448806021@unknownmsgid> Message-ID: <502CD534.3060004@nominet.org.uk> On 16/08/12 11:41, Jerry Lundstr?m wrote: > Hi, > > Is it possible/ok for everyone if we move the meeting to 15:00 CEST > otherwise I wont be able to attend. > > Fine by me. From jakob at kirei.se Thu Aug 16 11:22:32 2012 From: jakob at kirei.se (Jakob Schlyter) Date: Thu, 16 Aug 2012 13:22:32 +0200 Subject: [Opendnssec-develop] Next tele conf 23/8 In-Reply-To: <502CD534.3060004@nominet.org.uk> References: <5784581023448806021@unknownmsgid> <502CD534.3060004@nominet.org.uk> Message-ID: <9447BAF5-965A-4FAB-BE5F-27BF614ABC86@kirei.se> On 16 aug 2012, at 13:10, Si?n Lloyd wrote: > On 16/08/12 11:41, Jerry Lundstr?m wrote: >> Hi, >> >> Is it possible/ok for everyone if we move the meeting to 15:00 CEST >> otherwise I wont be able to attend. >> >> > > Fine by me. +1 j From yuri at nlnetlabs.nl Thu Aug 16 11:57:53 2012 From: yuri at nlnetlabs.nl (Yuri Schaeffer) Date: Thu, 16 Aug 2012 13:57:53 +0200 Subject: [Opendnssec-develop] Next tele conf 23/8 In-Reply-To: <5784581023448806021@unknownmsgid> References: <5784581023448806021@unknownmsgid> Message-ID: <502CE041.1070101@nlnetlabs.nl> > Is it possible/ok for everyone if we move the meeting to 15:00 CEST > otherwise I wont be able to attend. ok. From sara at sinodun.com Fri Aug 17 07:39:51 2012 From: sara at sinodun.com (Sara (Sinodun)) Date: Fri, 17 Aug 2012 08:39:51 +0100 Subject: [Opendnssec-develop] Next tele conf 23/8 In-Reply-To: <502CE041.1070101@nlnetlabs.nl> References: <5784581023448806021@unknownmsgid> <502CE041.1070101@nlnetlabs.nl> Message-ID: On 16 Aug 2012, at 12:57, Yuri Schaeffer wrote: >> Is it possible/ok for everyone if we move the meeting to 15:00 CEST >> otherwise I wont be able to attend. > fine by me From sara at sinodun.com Fri Aug 17 10:56:34 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 17 Aug 2012 11:56:34 +0100 Subject: [Opendnssec-develop] Developer workshop Sept 2012 In-Reply-To: References: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> Message-ID: <96B9686D-ED53-4250-A578-CA4ABF9673A8@sinodun.com> Hi All, I have put together an initial agenda for the workshop for review: http://wiki.opendnssec.org/display/OpenDNSSEC/Developer+workshop+Sept+2012 The timings are very rough - feedback, comments and suggestions please! Sara. P.S. Yuri - thank you NLNet Labs for hosting.... I vote for chocolate chip :-) On 15 Aug 2012, at 10:29, Jerry Lundstr?m wrote: > Hi, > > On Aug 9, 2012, at 17:33 , Sara Dickinson wrote: >> - If anyone thinks we should have 2 full days instead then please speak up now! > > > As it looks now for us attending RIPE, there is a CENTR Tech meeting on Sunday with dinner on Saturday which would leave some time to have extended meeting on Saturday. > > Could we start getting together an agenda so we can see how much time we would need? (There is a lot of the table to discuss I think) > > /Jerry > From jerry at opendnssec.org Fri Aug 17 11:03:55 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Fri, 17 Aug 2012 13:03:55 +0200 Subject: [Opendnssec-develop] Developer workshop Sept 2012 In-Reply-To: <96B9686D-ED53-4250-A578-CA4ABF9673A8@sinodun.com> References: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> <96B9686D-ED53-4250-A578-CA4ABF9673A8@sinodun.com> Message-ID: Hi, On Aug 17, 2012, at 12:56 , Sara Dickinson wrote: > http://wiki.opendnssec.org/display/OpenDNSSEC/Developer+workshop+Sept+2012 > The timings are very rough - feedback, comments and suggestions please! Can we start at 09.30 - 10.00? Me and Patrik are thinking about coming down in the morning, if so the plane will arrive at 08.35 and I guess it will at least take an hour to get to Science Park. I don't know how Jakob plans on flying but I think its about the same time (he flies from Gothenburg). /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jakob at kirei.se Fri Aug 17 11:07:00 2012 From: jakob at kirei.se (Jakob Schlyter) Date: Fri, 17 Aug 2012 13:07:00 +0200 Subject: [Opendnssec-develop] Developer workshop Sept 2012 In-Reply-To: References: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> <96B9686D-ED53-4250-A578-CA4ABF9673A8@sinodun.com> Message-ID: <654EB565-94E6-4628-AA71-64E5CFC1B545@kirei.se> On 17 aug 2012, at 13:03, Jerry Lundstr?m wrote: > Me and Patrik are thinking about coming down in the morning, if so the plane will arrive at 08.35 and I guess it will at least take an hour to get to Science Park. I don't know how Jakob plans on flying but I think its about the same time (he flies from Gothenburg). I'll arrive 7.45. We could just grab a cab from the Airport and be there about 9.20? (it should take about 20 minutes with cab from AMS) j From jerry at opendnssec.org Fri Aug 17 11:12:52 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Fri, 17 Aug 2012 13:12:52 +0200 Subject: [Opendnssec-develop] Developer workshop Sept 2012 In-Reply-To: <654EB565-94E6-4628-AA71-64E5CFC1B545@kirei.se> References: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> <96B9686D-ED53-4250-A578-CA4ABF9673A8@sinodun.com> <654EB565-94E6-4628-AA71-64E5CFC1B545@kirei.se> Message-ID: <6A862A26-EC47-4FF3-A62D-FDC8ECF1765C@opendnssec.org> On Aug 17, 2012, at 13:07 , Jakob Schlyter wrote: > I'll arrive 7.45. We could just grab a cab from the Airport and be there about 9.20? (it should take about 20 minutes with cab from AMS) Yes, start 09.30 should be doable unless there are delays (*knock on wood*). /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From sara at sinodun.com Fri Aug 17 11:14:17 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 17 Aug 2012 12:14:17 +0100 Subject: [Opendnssec-develop] Developer workshop Sept 2012 In-Reply-To: <6A862A26-EC47-4FF3-A62D-FDC8ECF1765C@opendnssec.org> References: <7ABB7759-CEC6-4C5F-8A23-FC27F78688BE@sinodun.com> <96B9686D-ED53-4250-A578-CA4ABF9673A8@sinodun.com> <654EB565-94E6-4628-AA71-64E5CFC1B545@kirei.se> <6A862A26-EC47-4FF3-A62D-FDC8ECF1765C@opendnssec.org> Message-ID: <3BBC7865-1268-46E0-B442-041C25EF36CA@sinodun.com> On 17 Aug 2012, at 12:12, Jerry Lundstr?m wrote: > On Aug 17, 2012, at 13:07 , Jakob Schlyter wrote: >> I'll arrive 7.45. We could just grab a cab from the Airport and be there about 9.20? (it should take about 20 minutes with cab from AMS) > > > Yes, start 09.30 should be doable unless there are delays (*knock on wood*). > No problem (fingers crossed!). Start time updated. From yuri at nlnetlabs.nl Mon Aug 20 07:37:53 2012 From: yuri at nlnetlabs.nl (Yuri Schaeffer) Date: Mon, 20 Aug 2012 09:37:53 +0200 Subject: [Opendnssec-develop] An API for OpenDNSSEC and SoftHSM and more In-Reply-To: References: Message-ID: <5031E951.8060606@nlnetlabs.nl> On 08/15/2012 08:11 AM, Jerry Lundstr?m wrote: > and maybe we could also have > some time for this on the developer meeting the days before to discuss > it more in detail. Yes. And perhaps a presentation at the dev meeting as well. From matthijs at nlnetlabs.nl Tue Aug 21 06:41:32 2012 From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Tue, 21 Aug 2012 08:41:32 +0200 Subject: [Opendnssec-develop] Next tele conf 23/8 In-Reply-To: <5784581023448806021@unknownmsgid> References: <5784581023448806021@unknownmsgid> Message-ID: <50332D9C.3010108@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Works for me On 08/16/2012 12:41 PM, Jerry Lundstr?m wrote: > Hi, > > Is it possible/ok for everyone if we move the meeting to 15:00 > CEST otherwise I wont be able to attend. > > Cheers, Jerry _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJQMy2ZAAoJEA8yVCPsQCW5vV0IAKVpZJqRG5Im19iBsZaLJAS1 NJUCd5v2LxcoWD1MNRH/exvAdTNG7vJ8IyRaOm/qBX79oNBm2RvddTR51c2NHvEK ucOhv+/xNG97ygZnvLZB3ZbUXp5MseCZLgcvTfRJaZFZTXJEnefjl3uvLfOfoSLv LeGcH4hOFAIKveoR5Q5AXFDE3hzPdaO3qwikBHpZUzMhTZSVCsYUvM3q4RTRasJ9 b2TLW3MkYXfycL3cFHyNqKOViha8QmgzCBB8IqqjQvXyNPtnXFW6J9ZYMlcnEYpP OLaqWL3EUyjaD8p91p8+ncM4R4hhh62O4RQzQzfe2FOSN3Vo5gwEflJNLW0blGA= =+fbS -----END PGP SIGNATURE----- From jerry at opendnssec.org Wed Aug 22 09:47:07 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 22 Aug 2012 11:47:07 +0200 Subject: [Opendnssec-develop] An API for OpenDNSSEC and SoftHSM and more In-Reply-To: References: Message-ID: Hi Roland, On Wed, Aug 15, 2012 at 12:08 PM, Roland van Rijswijk - Deij wrote: > One consideration I would like to raise is that it would be good to do a security audit when you feel the code is more or less feature complete. Thanks for that suggestion and yes it is something I have thought about. /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From jerry at opendnssec.org Wed Aug 22 09:51:00 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 22 Aug 2012 11:51:00 +0200 Subject: [Opendnssec-develop] An API for OpenDNSSEC and SoftHSM and more In-Reply-To: <5031E951.8060606@nlnetlabs.nl> References: <5031E951.8060606@nlnetlabs.nl> Message-ID: Hi everyone attending the developer meeting, On Mon, Aug 20, 2012 at 9:37 AM, Yuri Schaeffer wrote: > Yes. And perhaps a presentation at the dev meeting as well. Seeing that the agenda is kinda full, how many of you want this presentation at the dev meeting? Maybe we can extend the meeting or the interested ones stay behind for a while? /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From sara at sinodun.com Wed Aug 22 10:15:55 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 22 Aug 2012 11:15:55 +0100 Subject: [Opendnssec-develop] RE: Team meeting 2012-08-23 @ 15:00 CEST Message-ID: <4661A8A5-8236-4FFF-A75E-EBDE4D3B0555@sinodun.com> Hi All, We have a scheduled team meeting tomorrow: Date: Thursday 23rd August 2012 Time: 15:00-14:00 CEST, 14:00-15:00 BST The agenda and outstanding actions can be found here: http://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-23+Agenda You will note that I have changed the agenda format slightly to make it a more release based approach. The motivation for this is includes: - less duplication - make it easier to see when an action is tied to a release - make it easier to fold in the 2.0 meeting to this one (mainly a placeholder for now) I would like to suggest we try this out for a couple of meetings and then decide if we want to stick with it? Feedback and comments please! Sara. -------------- next part -------------- An HTML attachment was scrubbed... URL: From sara at sinodun.com Wed Aug 22 15:54:32 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 22 Aug 2012 16:54:32 +0100 Subject: [Opendnssec-develop] RE: Regression testing Message-ID: <231199C9-4F46-4C2A-85F9-45B7E5EFBED6@sinodun.com> Hi All, Following up from the discussion at the last team meeting I have tried to come up with a first pass at dividing up the regression tests between the team. I know that you are all just dying to write some regression tests so here goes :-) https://wiki.opendnssec.org/display/OpenDNSSEC/Test+coverage - Firstly this list is not complete so please review, amend, update as you see fit! - Secondly I have picked what I _think_ are the most important tests to implement for 1.4. The balance is between the effort required but to try to give good coverage and fill the gap of what the auditor did. I have put names against these to get us started (based on my best understanding of availability in the next few weeks). If you disagree with what tests I have picked or have a longing to test a different area then please let me know and we can shuffle things around. To summarise my thinking: Matthijs - work on the new DNS adaptor tests (OPENDNSSEC-172) Jerry - work on setting up an external validator to make sure the zones are valid (OPENDNSSEC-143) Sion - work on tests for the new threaded Enforcer (which are good Enforcer tests anyway) Yuri - work alongside Sion to increase the coverage for the 'Policy->Signconf.xml' path that the Auditor checked previously. Sara - work on key management tests Jakob - work on zone management tests - Finally I am hoping that everyone can have a go at spending some time on this in the next week or two ready for the 1.4 beta. If this is an issue because of other commitments/vacation/etc then please let me know. Or if there is anyone not listed above who wants to volunteer to write some tests then please let me know too! Good luck! Sara. From jerry at opendnssec.org Thu Aug 23 10:35:17 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Thu, 23 Aug 2012 12:35:17 +0200 Subject: [Opendnssec-develop] RE: Team meeting 2012-08-23 @ 15:00 CEST In-Reply-To: <4661A8A5-8236-4FFF-A75E-EBDE4D3B0555@sinodun.com> References: <4661A8A5-8236-4FFF-A75E-EBDE4D3B0555@sinodun.com> Message-ID: <28434774170454434@unknownmsgid> Hi, If the trafic is on my side I will make it to 15:00 otherwise I might be 10 mins late. /Jerry On 22 aug 2012, at 12:15, Sara Dickinson wrote: Hi All, We have a scheduled team meeting tomorrow: Date: Thursday 23rd August 2012 Time: 15:00-14:00 CEST, 14:00-15:00 BST The agenda and outstanding actions can be found here: http://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-23+Agenda You will note that I have changed the agenda format slightly to make it a more release based approach. The motivation for this is includes: - less duplication - make it easier to see when an action is tied to a release - make it easier to fold in the 2.0 meeting to this one (mainly a placeholder for now) I would like to suggest we try this out for a couple of meetings and then decide if we want to stick with it? Feedback and comments please! Sara. _______________________________________________ Opendnssec-develop mailing list Opendnssec-develop at lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry at opendnssec.org Fri Aug 24 05:42:21 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Fri, 24 Aug 2012 07:42:21 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk Message-ID: Hi, So yesterday at the telephone conference meeting we discussed the multithreaded Enforcer and Sion have tested the functionality of the branch and is happy with it. I would now like everyone comment on the issues I see that are left to resolve before we merge the code into trunk. 1. Logging Today nothing has been made to the logging of the functions called when doing work in multiple threads. Without threads the Enforcer logs what zone it starts processing and then a few log lines about the progress, theses log lines now come all mixed up so you can not differentiate between the log lines what zone it is about. So how should we solve this? - Maybe prepend zone to all log lines? - Remove most log lines while working and just return one line per zone when finished successful or with error? - ? 2. Enabling of multithreaded Enforcer The branch I have set up have a configuration option (--enable-enforcer-workers) to enable multithreaded Enforcer at compile time. Is this the right approach or do we want this always compiled and controlled by conf.xml ? ----- These are the issues I see so far (I actually thought there was more). /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From sara at sinodun.com Fri Aug 24 08:44:52 2012 From: sara at sinodun.com (Sara (Sinodun)) Date: Fri, 24 Aug 2012 09:44:52 +0100 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: References: Message-ID: On 24 Aug 2012, at 06:42, Jerry Lundstr?m wrote: > Hi, > > So yesterday at the telephone conference meeting we discussed the > multithreaded Enforcer and Sion have tested the functionality of the > branch and is happy with it. I would now like everyone comment on the > issues I see that are left to resolve before we merge the code into > trunk. > > 1. Logging > > Today nothing has been made to the logging of the functions called > when doing work in multiple threads. Without threads the Enforcer logs > what zone it starts processing and then a few log lines about the > progress, theses log lines now come all mixed up so you can not > differentiate between the log lines what zone it is about. > > So how should we solve this? > - Maybe prepend zone to all log lines? +1. Simpler, doesn't reduce what is logged compared to current behaviour and can be post-processed easily if needed. > - Remove most log lines while working and just return one line per > zone when finished successful or with error? > - ? > > 2. Enabling of multithreaded Enforcer > > The branch I have set up have a configuration option > (--enable-enforcer-workers) to enable multithreaded Enforcer at > compile time. > > Is this the right approach or do we want this always compiled and > controlled by conf.xml ? I vote for conf.xml to make testing/roll-back easier (with a default of disabled). > > ----- > > These are the issues I see so far (I actually thought there was more). :-) > > /Jerry > > -- > Jerry Lundstr?m - OpenDNSSEC Developer > http://www.opendnssec.org/ > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop -------------- next part -------------- An HTML attachment was scrubbed... URL: From sion at nominet.org.uk Fri Aug 24 09:08:03 2012 From: sion at nominet.org.uk (=?ISO-8859-1?Q?Si=F4n_Lloyd?=) Date: Fri, 24 Aug 2012 10:08:03 +0100 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: References: Message-ID: <50374473.2040701@nominet.org.uk> On 24/08/12 09:44, Sara (Sinodun) wrote: > > On 24 Aug 2012, at 06:42, Jerry Lundstr?m wrote: > >> Hi, >> >> So yesterday at the telephone conference meeting we discussed the >> multithreaded Enforcer and Sion have tested the functionality of the >> branch and is happy with it. I would now like everyone comment on the >> issues I see that are left to resolve before we merge the code into >> trunk. >> >> 1. Logging >> >> Today nothing has been made to the logging of the functions called >> when doing work in multiple threads. Without threads the Enforcer logs >> what zone it starts processing and then a few log lines about the >> progress, theses log lines now come all mixed up so you can not >> differentiate between the log lines what zone it is about. >> >> So how should we solve this? >> - Maybe prepend zone to all log lines? > > +1. Simpler, doesn't reduce what is logged compared to current behaviour > and can be post-processed easily if needed. > +1 Does this decision effect the enforcer-NG also? Do we want it to be consistent? >> - Remove most log lines while working and just return one line per >> zone when finished successful or with error? >> - ? >> >> 2. Enabling of multithreaded Enforcer >> >> The branch I have set up have a configuration option >> (--enable-enforcer-workers) to enable multithreaded Enforcer at >> compile time. >> >> Is this the right approach or do we want this always compiled and >> controlled by conf.xml ? > > I vote for conf.xml to make testing/roll-back easier (with a default > of disabled). > +1; although leave the compile flag in, in case folk want to build without it? It also means that package maintainers will not need to build two versions (or decide on one or the other) Are we going to make the "enforcer workers" tag mandatory? I vote for optional and if it doesn't exist then workers == 1. Sion -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry at opendnssec.org Fri Aug 24 09:13:03 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Fri, 24 Aug 2012 11:13:03 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <50374473.2040701@nominet.org.uk> References: <50374473.2040701@nominet.org.uk> Message-ID: <4703B5B8-914D-4397-B343-AF03B5A931E2@opendnssec.org> On Aug 24, 2012, at 11:08 , Si?n Lloyd wrote: >>> 1. Logging > +1 Does this decision effect the enforcer-NG also? Do we want it to be consistent? No this does not affect NG and there is very little logging in NG today (or at least what I've seen). >>> 2. Enabling of multithreaded Enforcer > +1; although leave the compile flag in, in case folk want to build without it? > > It also means that package maintainers will not need to build two versions (or decide on one or the other) > Are we going to make the "enforcer workers" tag mandatory? I vote for optional and if it doesn't exist then workers == 1. We can easily redo it to --disable-enforcer-workers. /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From yuri at nlnetlabs.nl Fri Aug 24 09:40:47 2012 From: yuri at nlnetlabs.nl (Yuri Schaeffer) Date: Fri, 24 Aug 2012 11:40:47 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <50374473.2040701@nominet.org.uk> References: <50374473.2040701@nominet.org.uk> Message-ID: <50374C1F.3040800@nlnetlabs.nl> >> +1. Simpler, doesn't reduce what is logged compared to current behaviour >> and can be post-processed easily if needed. Agree. +1 > +1 Does this decision effect the enforcer-NG also? Do we want it to be > consistent? No. Much to my regret enf-ng does not enforce zones in parallel. On 08/24/2012 11:13 AM, Jerry Lundstr?m wrote: > No this does not affect NG and there is very little logging in NG today (or at least what I've seen). If you ramp up the verbosity it can quite upset the syslog daemon. //yuri From jerry at opendnssec.org Fri Aug 24 09:44:08 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Fri, 24 Aug 2012 11:44:08 +0200 Subject: [Opendnssec-develop] EnforcerNG (was: Multithreaded Enforcer issues before we can merge with trunk) In-Reply-To: <50374C1F.3040800@nlnetlabs.nl> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> Message-ID: On Aug 24, 2012, at 11:40 , Yuri Schaeffer wrote: > No. Much to my regret enf-ng does not enforce zones in parallel. Uhm What? :/ Wasn't that a big part of the rewrite? /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From yuri at nlnetlabs.nl Fri Aug 24 10:13:09 2012 From: yuri at nlnetlabs.nl (Yuri Schaeffer) Date: Fri, 24 Aug 2012 12:13:09 +0200 Subject: [Opendnssec-develop] EnforcerNG In-Reply-To: References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> Message-ID: <503753B5.3040402@nlnetlabs.nl> On 08/24/2012 11:44 AM, Jerry Lundstr?m wrote: > On Aug 24, 2012, at 11:40 , Yuri Schaeffer wrote: >> No. Much to my regret enf-ng does not enforce zones in parallel. > Uhm What? :/ > > Wasn't that a big part of the rewrite? In my opinion it was, but it has been decided otherwise. The reason is singular as far as I can tell. Zones could share keys. Thus creating new keys / deciding to reuse an existing key creates a race condition for those policies. I see 3 options: - locking. only needed for sharedkeys and only once per lifetime (I've always been in favor for this) - Do not process zones with such policy parallel to other zones with same policy. - No enforcing in parallel. but only handle user i/o, resalting, generating signconf etc. To prevent locking. The latter is chosen. From sara at sinodun.com Fri Aug 24 13:12:13 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 24 Aug 2012 14:12:13 +0100 Subject: [Opendnssec-develop] EnforcerNG In-Reply-To: <503753B5.3040402@nlnetlabs.nl> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503753B5.3040402@nlnetlabs.nl> Message-ID: <40DDD68B-D4C4-48F3-983C-8E5D4613CA66@sinodun.com> On 24 Aug 2012, at 11:13, Yuri Schaeffer wrote: > > In my opinion it was, but it has been decided otherwise. > > The reason is singular as far as I can tell. Zones could share keys. > Thus creating new keys / deciding to reuse an existing key creates a > race condition for those policies. So how does the multi-threaded enforcer avoid this problem? From jerry at opendnssec.org Fri Aug 24 13:23:27 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Fri, 24 Aug 2012 15:23:27 +0200 Subject: [Opendnssec-develop] EnforcerNG In-Reply-To: <40DDD68B-D4C4-48F3-983C-8E5D4613CA66@sinodun.com> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503753B5.3040402@nlnetlabs.nl> <40DDD68B-D4C4-48F3-983C-8E5D4613CA66@sinodun.com> Message-ID: On Aug 24, 2012, at 15:12 , Sara Dickinson wrote: >> The reason is singular as far as I can tell. Zones could share keys. >> Thus creating new keys / deciding to reuse an existing key creates a >> race condition for those policies. > > So how does the multi-threaded enforcer avoid this problem? With locks when doing stuff with shared keys policies and database transactions. -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From sara at sinodun.com Fri Aug 24 14:19:12 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 24 Aug 2012 15:19:12 +0100 Subject: [Opendnssec-develop] EnforcerNG In-Reply-To: References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503753B5.3040402@nlnetlabs.nl> <40DDD68B-D4C4-48F3-983C-8E5D4613CA66@sinodun.com> Message-ID: On 24 Aug 2012, at 14:23, Jerry Lundstr?m wrote: > On Aug 24, 2012, at 15:12 , Sara Dickinson wrote: >>> The reason is singular as far as I can tell. Zones could share keys. >>> Thus creating new keys / deciding to reuse an existing key creates a >>> race condition for those policies. >> >> So how does the multi-threaded enforcer avoid this problem? > > With locks when doing stuff with shared keys policies and database transactions. You agree with Yuri then :-) It would be nicer to have the same solution in both releases but if there may be reasons this can't be done. Sounds like something to discuss at the developer workshop? >>>> 2. Enabling of multithreaded Enforcer >> +1; although leave the compile flag in, in case folk want to build without it? >> >> It also means that package maintainers will not need to build two versions (or decide on one or the other) >> Are we going to make the "enforcer workers" tag mandatory? I vote for optional and if it doesn't exist then workers == 1. > > > We can easily redo it to --disable-enforcer-workers. A --disable-enforcer-workers compile flag sound like the right answer to me. Agree with Sion on tag handling. From jerry at opendnssec.org Mon Aug 27 07:18:55 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Mon, 27 Aug 2012 09:18:55 +0200 Subject: [Opendnssec-develop] Trunk testing jenkins Message-ID: I'm doing work with the jenkins tests in trunk now, its disabled in jenkins for now. -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From matthijs at nlnetlabs.nl Mon Aug 27 08:02:42 2012 From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Mon, 27 Aug 2012 10:02:42 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <50374C1F.3040800@nlnetlabs.nl> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> Message-ID: <503B29A2.5040804@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 08/24/2012 11:40 AM, Yuri Schaeffer wrote: >>> +1. Simpler, doesn't reduce what is logged compared to current >>> behaviour and can be post-processed easily if needed. > > Agree. +1 Also +1 for prepending/adding the zone name to the log lines. ods-signer also mentions the zone name in most log lines. About the configuration: I also am in favor of putting it in conf.xml, like the . Make it optional, pick a sane default (1 would be sane imo). I would argue that we do not need a --disable-enforcer-workers. Behavior should be the same when having the enforcer-workers and its number is set to 1. > >> +1 Does this decision effect the enforcer-NG also? Do we want it >> to be consistent? > > No. Much to my regret enf-ng does not enforce zones in parallel. > > On 08/24/2012 11:13 AM, Jerry Lundstr?m wrote: >> No this does not affect NG and there is very little logging in >> NG > today (or at least what I've seen). > > If you ramp up the verbosity it can quite upset the syslog daemon. Signer can also already upset syslog if you turn on debug or deeebug verbosity (messages drop due to rate limiting). There are ways to configure syslog not to throttle log messages (if that is what you meant with "upsetting syslog"). Best regards, Matthijs > > //yuri _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJQOymiAAoJEA8yVCPsQCW58u4H/1a35V+/TGI4hT6Cs5/MsSsw ag48RDJAZPdJJabSt500m1e16MPEJcLFZrfnvwUWih7j3VqagoXg8ekLn8wQIkxK GongwCyka/CQFDuvIS/5PQLOwCjucYFrDbqpmNzIHJjU6eoHaeL8KtNPHJrdM0qy Nh1hNLc8OSklApg1BQaJEoqH4vMqd6MkN1pnt0PwlNqIPmjxEb7TVyMrheI3m+U1 H0vW0zDGHzz/BiTMWPSJRyKvRFa9H1FEzYd1/57UKBtnZXfSP9wcURF6Yf1icXgV TZC8+930kkt3JnohVCN+pH6mTfaXbXmh+JvNXDkHFwgLfwC1CU5GrhrRwRzNCU8= =pPlk -----END PGP SIGNATURE----- From matthijs at nlnetlabs.nl Mon Aug 27 08:38:15 2012 From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Mon, 27 Aug 2012 10:38:15 +0200 Subject: [Opendnssec-develop] Re: Minutes Team meeting 2012-08-23 @ 15:00 CEST In-Reply-To: <4661A8A5-8236-4FFF-A75E-EBDE4D3B0555@sinodun.com> References: <4661A8A5-8236-4FFF-A75E-EBDE4D3B0555@sinodun.com> Message-ID: <503B31F7.60401@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, I finished the minutes from previous weeks teleconf. Sorry for the delay. https://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-23+Minutes Please read and review and edit where needed. I tried hard to capture what was said about the action point regarding OPENDNSSEC-143, that may require some extra attention. Best regards, Matthijs On 08/22/2012 12:15 PM, Sara Dickinson wrote: > Hi All, > > We have a scheduled team meeting tomorrow: > > Date: Thursday 23rd August 2012 Time: 15:00-14:00 CEST, 14:00-15:00 > BST > > The agenda and outstanding actions can be found here: > > http://wiki.opendnssec.org/display/OpenDNSSEC/2012-08-23+Agenda > > You will note that I have changed the agenda format slightly to > make it a more release based approach. The motivation for this is > includes: - less duplication - make it easier to see when an action > is tied to a release - make it easier to fold in the 2.0 meeting to > this one (mainly a placeholder for now) > > I would like to suggest we try this out for a couple of meetings > and then decide if we want to stick with it? Feedback and comments > please! > > Sara. > > > _______________________________________________ Opendnssec-develop > mailing list Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJQOzH3AAoJEA8yVCPsQCW5BQAH/i3s7BwePsT70WdJFJXXdMlE ItmWYCHckUsnicThNRxoigFmmtFalGwGNO/2Kw/88PLidjMx7wgjCvAAZTSKjBHd 6JN+Nkl7JmCoB3xZSizl37jWciHSyI/ZF/d3IQZ2tXKpqRAWHyDH0fhZanhpGZ6w o/mCdRAqXgJr/je688ax2iES88rSSB9Z2L+tywtqUkaAIhdTka5Tcwn4nYPc5EcH cYvtYHaQV+s8LypEaiSe4v/vDwgspu51W2uaJydQm3sEJmMv/MWwi8a2ZBcvEeGs Csmc82xrelKcHmjCGg5bJJ3vcl9NepQ14GzlDGvDznLOpvf6zspzM15AagcJ5+o= =Ro07 -----END PGP SIGNATURE----- From jerry at opendnssec.org Mon Aug 27 09:23:12 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Mon, 27 Aug 2012 11:23:12 +0200 Subject: [Opendnssec-develop] Re: Trunk testing jenkins In-Reply-To: References: Message-ID: On Mon, Aug 27, 2012 at 9:18 AM, Jerry Lundstr?m wrote: > I'm doing work with the jenkins tests in trunk now, its disabled in > jenkins for now. Done. -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From jerry at opendnssec.org Mon Aug 27 09:25:20 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Mon, 27 Aug 2012 11:25:20 +0200 Subject: [Opendnssec-develop] Adapter tests up and running on trunk Message-ID: Hi, The 2 adapter tests are now running on trunk and did so successfully on all platforms. Matthijs hinted there will be more :) /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From yuri at nlnetlabs.nl Mon Aug 27 09:40:20 2012 From: yuri at nlnetlabs.nl (Yuri Schaeffer) Date: Mon, 27 Aug 2012 11:40:20 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <503B29A2.5040804@nlnetlabs.nl> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> Message-ID: <503B4084.9010105@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Signer can also already upset syslog if you turn on debug or > deeebug verbosity (messages drop due to rate limiting). There are > ways to configure syslog not to throttle log messages (if that is > what you meant with "upsetting syslog"). Yes. I've set "$SystemLogRateLimitInterval 0" in rsyslogd config. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlA7QIQACgkQI3PTR4mhaviaYwCfZP2zeZ/K7R73X5ctYnXaWpur 1DsAnjxF5vLY5ZIHOWbNhw/5vMmYCyK0 =2l/F -----END PGP SIGNATURE----- From jerry at opendnssec.org Mon Aug 27 12:39:36 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Mon, 27 Aug 2012 14:39:36 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <503B4084.9010105@nlnetlabs.nl> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> Message-ID: Hi, Okey, so most people seem to like prepending zone name to log lines, check. For the other thing, enabling workers, I will make it so that if you do not specify //Enforcer/WorkerThreads or set it to 1 it will have the old behavior and large then that will enable the workers. This is to be able to switch between behaviors later on without recompiling. I will start coding on this to push 1.4.0a4 so if you don't agree give your 2c asap. /Jerry From jerry at opendnssec.org Mon Aug 27 12:58:32 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Mon, 27 Aug 2012 14:58:32 +0200 Subject: [Opendnssec-develop] EnforcerNG In-Reply-To: References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503753B5.3040402@nlnetlabs.nl> <40DDD68B-D4C4-48F3-983C-8E5D4613CA66@sinodun.com> Message-ID: On Fri, Aug 24, 2012 at 4:19 PM, Sara Dickinson wrote: > You agree with Yuri then :-) It would be nicer to have the same solution in both releases but if there may be reasons this can't be done. > Sounds like something to discuss at the developer workshop? Yes, especially since if we introduce multithreaded enforcer for 1.4 that functionality won't exists in 2.0 since it only process one zone at a time (or I misunderstood Yuri). -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From rickard at opendnssec.org Mon Aug 27 15:04:21 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Mon, 27 Aug 2012 17:04:21 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk Message-ID: Hi I have tried to merge the PIN handling back into trunk, but there are some conflicts. Wondering if anyone have any good SVN tricks to resolve this? // Rickard From jerry at opendnssec.org Mon Aug 27 15:18:52 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Mon, 27 Aug 2012 17:18:52 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: References: Message-ID: On Mon, Aug 27, 2012 at 5:04 PM, Rickard Bellgrim wrote: > I have tried to merge the PIN handling back into trunk, but there are > some conflicts. Wondering if anyone have any good SVN tricks to > resolve this? There are not tricks when there are conflicts, you need run through the conflicts and fix them one by one. /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From rickard at opendnssec.org Tue Aug 28 06:16:09 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 28 Aug 2012 08:16:09 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: References: Message-ID: On Mon, Aug 27, 2012 at 5:18 PM, Jerry Lundstr?m wrote: > On Mon, Aug 27, 2012 at 5:04 PM, Rickard Bellgrim > wrote: >> I have tried to merge the PIN handling back into trunk, but there are >> some conflicts. Wondering if anyone have any good SVN tricks to >> resolve this? > > There are not tricks when there are conflicts, you need run through > the conflicts and fix them one by one. Reintegrate did the trick: user at ubuntu:~/opendnssec/ods-svn/trunk/OpenDNSSEC/libhsm$ svn merge --reintegrate ^/branches/OpenDNSSEC-pin2/libhsm // Rickard From jerry at opendnssec.org Tue Aug 28 07:43:07 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Tue, 28 Aug 2012 09:43:07 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: References: Message-ID: On Aug 28, 2012, at 08:16 , Rickard Bellgrim wrote: > Reintegrate did the trick: > user at ubuntu:~/opendnssec/ods-svn/trunk/OpenDNSSEC/libhsm$ svn merge > --reintegrate ^/branches/OpenDNSSEC-pin2/libhsm Nice, didn't know about that. A few things about the code: - Do we need to check the size of the shared memory returned? It does not specify what happens if there already is a share memory segment and its a different size then what you specify in shmget(), might be good to check the size if it might have been changed between compilation/version etc. - Tools to destroy/recreate the share memory segment? As in above if the share memory segment is changed between versions/compilations then for migration there might be good if there is a tool to recreate or destroy the segment. And it might be something some sysadmins want. - Not save the pin? If I see it correctly the pin is saved in shared memory whether you want it or not, maybe this should be an option for the paranoid? /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From rickard at opendnssec.org Tue Aug 28 08:26:02 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 28 Aug 2012 10:26:02 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: References: Message-ID: > - Do we need to check the size of the shared memory returned? > It does not specify what happens if there already is a share memory segment and its a different size then what you specify in shmget(), might be good to check the size if it might have been changed between compilation/version etc. If there is a memory segment but it is smaller than the given size, then shmget will fail with the error EINVAL. This will happen if we increase HSM_MAX_SESSIONS or HSM_MAX_PIN_LENGTH. The memory segment would need to be destroyed with the command below. I can add a comment about this in the code, so that we remember this in future releases. If we decrease HSM_MAX_SESSIONS or HSM_MAX_PIN_LENGTH, then the alignment in any existing memory would be wrong. Thus a bad PIN will be given back to the code. The code is however written so that the PIN will be removed from the shared memory if it causes a failed login attempt. > - Tools to destroy/recreate the share memory segment? > As in above if the share memory segment is changed between versions/compilations then for migration there might be good if there is a tool to recreate or destroy the segment. And it might be something some sysadmins want. For now it is: ipcrm -M 0x0d50d5ec https://wiki.opendnssec.org/display/DOCSTRUNK/Running+OpenDNSSEC#RunningOpenDNSSEC-HSMlogin > - Not save the pin? > If I see it correctly the pin is saved in shared memory whether you want it or not, maybe this should be an option for the paranoid? If it is not saved in the shared memory, then it will not propagate to the daemons which are waiting for the PIN to appear. // Rickard From jerry at opendnssec.org Tue Aug 28 08:52:43 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Tue, 28 Aug 2012 10:52:43 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: References: Message-ID: On Aug 28, 2012, at 10:26 , Rickard Bellgrim wrote: >> - Do we need to check the size of the shared memory returned? >> It does not specify what happens if there already is a share memory segment and its a different size then what you specify in shmget(), might be good to check the size if it might have been changed between compilation/version etc. > > If there is a memory segment but it is smaller than the given size, > then shmget will fail with the error EINVAL. This will happen if we > increase HSM_MAX_SESSIONS or HSM_MAX_PIN_LENGTH. The memory segment > would need to be destroyed with the command below. I can add a comment > about this in the code, so that we remember this in future releases. > > If we decrease HSM_MAX_SESSIONS or HSM_MAX_PIN_LENGTH, then the > alignment in any existing memory would be wrong. Thus a bad PIN will > be given back to the code. The code is however written so that the PIN > will be removed from the shared memory if it causes a failed login > attempt. I think it would be better to not touch that memory area if the size miss match since otherwise you might corrupt the memory of a running daemon if you recompiled/installed a new version and did not migrate correctly. >> - Tools to destroy/recreate the share memory segment? >> As in above if the share memory segment is changed between versions/compilations then for migration there might be good if there is a tool to recreate or destroy the segment. And it might be something some sysadmins want. > > For now it is: > ipcrm -M 0x0d50d5ec Okey, just thought it would be nice for the users to have a ods-hsmutil clear-login command so they don't have to know about the segment key. >> - Not save the pin? >> If I see it correctly the pin is saved in shared memory whether you want it or not, maybe this should be an option for the paranoid? > > If it is not saved in the shared memory, then it will not propagate to > the daemons which are waiting for the PIN to appear. Ah, I read the code wrong, sorry. One more thing. When it does hsm_open() and use the hsm_pin_block() callback it will block until there is a pin in memory and that code it before it creates a pid and other stuff. This might be problematically since the user can start multiple and he/she might not understand why its not starting up, I also wonder what happens to the start up scripts if there is no pin in memory, just hangs? Would be good with some syslog messages also "I am waiting on pin?" etc. /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From rickard at opendnssec.org Tue Aug 28 09:10:28 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 28 Aug 2012 11:10:28 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: References: Message-ID: > I think it would be better to not touch that memory area if the size miss match since otherwise you might corrupt the memory of a running daemon if you recompiled/installed a new version and did not migrate correctly. I can have a look on this. And add proper log messages. > When it does hsm_open() and use the hsm_pin_block() callback it will block until there is a pin in memory and that code it before it creates a pid and other stuff. This might be problematically since the user can start multiple and he/she might not understand why its not starting up, I also wonder what happens to the start up scripts if there is no pin in memory, just hangs? > > Would be good with some syslog messages also "I am waiting on pin?" etc. Would it be better to stop/fail the daemons instead of waiting for the PIN? With a log message saying that you first need to login? // Rickard From sara at sinodun.com Tue Aug 28 10:34:41 2012 From: sara at sinodun.com (Sara Dickinson) Date: Tue, 28 Aug 2012 11:34:41 +0100 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: References: Message-ID: <2D30787A-B58C-4320-88C0-58D22A696C5F@sinodun.com> On 28 Aug 2012, at 10:10, Rickard Bellgrim wrote: >> >> Would be good with some syslog messages also "I am waiting on pin?" etc. > > Would it be better to stop/fail the daemons instead of waiting for the > PIN? With a log message saying that you first need to login? > Good catch Jerry. I vote to fail the daemons and generate a log message. Sara. From jerry at opendnssec.org Tue Aug 28 10:41:20 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Tue, 28 Aug 2012 12:41:20 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: <2D30787A-B58C-4320-88C0-58D22A696C5F@sinodun.com> References: <2D30787A-B58C-4320-88C0-58D22A696C5F@sinodun.com> Message-ID: On Aug 28, 2012, at 12:34 , Sara Dickinson wrote: > On 28 Aug 2012, at 10:10, Rickard Bellgrim wrote: >>> Would be good with some syslog messages also "I am waiting on pin?" etc. >> Would it be better to stop/fail the daemons instead of waiting for the >> PIN? With a log message saying that you first need to login? > Good catch Jerry. I vote to fail the daemons and generate a log message. +1 fail -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From rickard at opendnssec.org Tue Aug 28 12:17:13 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 28 Aug 2012 14:17:13 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: References: <2D30787A-B58C-4320-88C0-58D22A696C5F@sinodun.com> Message-ID: > +1 fail The daemons will now only start if there is a PIN in the shared memory. The user first needs to run "ods-hsmutil login". Logging has been added and the documentation is up to date. // Rickard From sara at sinodun.com Tue Aug 28 13:45:07 2012 From: sara at sinodun.com (Sara Dickinson) Date: Tue, 28 Aug 2012 14:45:07 +0100 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: References: <2D30787A-B58C-4320-88C0-58D22A696C5F@sinodun.com> Message-ID: <485345D4-6B0A-4B0D-A806-C32CC829D49C@sinodun.com> On 28 Aug 2012, at 13:17, Rickard Bellgrim wrote: >> +1 fail > > The daemons will now only start if there is a PIN in the shared > memory. The user first needs to run "ods-hsmutil login". Logging has > been added and the documentation is up to date. > > // Rickard Great - so looks like this is all ready to go and the JIRA issue can be closed? Thanks Rickard. Sara. From rickard at opendnssec.org Tue Aug 28 13:45:51 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 28 Aug 2012 15:45:51 +0200 Subject: [Opendnssec-develop] Merge OpenDNSSEC-pin2 into trunk In-Reply-To: <485345D4-6B0A-4B0D-A806-C32CC829D49C@sinodun.com> References: <2D30787A-B58C-4320-88C0-58D22A696C5F@sinodun.com> <485345D4-6B0A-4B0D-A806-C32CC829D49C@sinodun.com> Message-ID: > Great - so looks like this is all ready to go and the JIRA issue can be closed? ACK From jerry at opendnssec.org Wed Aug 29 06:36:06 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 29 Aug 2012 08:36:06 +0200 Subject: [Opendnssec-develop] Working on Jenkins and the test framework Message-ID: Hi, I will be working on today and I will try and disable all email now. Cheers -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From sara at sinodun.com Wed Aug 29 09:52:35 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 29 Aug 2012 10:52:35 +0100 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> Message-ID: <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> On 27 Aug 2012, at 13:39, Jerry Lundstr?m wrote: > I will start coding on this to push 1.4.0a4 The NEWS file is up to date so please go ahead with the 1.4.0a4 release as soon as you are finished with this (today/tomorrow?). From sara at sinodun.com Wed Aug 29 10:19:03 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 29 Aug 2012 11:19:03 +0100 Subject: [Opendnssec-develop] RE: 1.4 beta release Message-ID: Hi All, I had an action to chase down the outstanding issues for 1.4 and I believe we are now in a position where none of the remaining issues would block a beta release. So given the discussion in the team meeting last week I think the only things needed for a beta are: - OPENDNSSEC-172 - DNS adaptor tests (Matthijs) - OPENDNSSEC-317 - Repeat the pre-release auditor testing against 1.4 (Jerry with help from Rickard) I would like to target the end of next week for a beta release (7th Sept). Jerry/Matthijs - having had some time to investigate do you think this is possible? If not - please let me know what you need to make progress. Thanks Sara. From jerry at opendnssec.org Wed Aug 29 10:59:38 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 29 Aug 2012 12:59:38 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> Message-ID: <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> On Aug 29, 2012, at 11:52 , Sara Dickinson wrote: > The NEWS file is up to date so please go ahead with the 1.4.0a4 release > as soon as you are finished with this (today/tomorrow?). It won't be finished this week but sometime next week. -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jerry at opendnssec.org Wed Aug 29 11:00:48 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 29 Aug 2012 13:00:48 +0200 Subject: [Opendnssec-develop] 1.4 beta release In-Reply-To: References: Message-ID: <3ABDFE5E-859D-492A-BCE5-243674F059DF@opendnssec.org> On Aug 29, 2012, at 12:19 , Sara Dickinson wrote: > I would like to target the end of next week for a beta release (7th Sept). Is it wise since it looks like we will have 1.4.0a4 next week? Do we need a new alpha really? Can't we go straight to beta if we feel that all features are there? -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From sara at sinodun.com Wed Aug 29 11:12:08 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 29 Aug 2012 12:12:08 +0100 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> Message-ID: <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> On 29 Aug 2012, at 11:59, Jerry Lundstr?m wrote: > On Aug 29, 2012, at 11:52 , Sara Dickinson wrote: >> The NEWS file is up to date so please go ahead with the 1.4.0a4 release >> as soon as you are finished with this (today/tomorrow?). > > > It won't be finished this week but sometime next week. > Why? I didn't think the changes agreed were that big and isn't the completing the alpha 4 release the top priority? From sara at sinodun.com Wed Aug 29 11:35:31 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 29 Aug 2012 12:35:31 +0100 Subject: [Opendnssec-develop] 1.4 beta release In-Reply-To: <3ABDFE5E-859D-492A-BCE5-243674F059DF@opendnssec.org> References: <3ABDFE5E-859D-492A-BCE5-243674F059DF@opendnssec.org> Message-ID: <91251EDA-2360-4A70-9878-2026657BDAC7@sinodun.com> On 29 Aug 2012, at 12:00, Jerry Lundstr?m wrote: >> I would like to target the end of next week for a beta release (7th Sept). > > > Is it wise since it looks like we will have 1.4.0a4 next week? > > Do we need a new alpha really? Can't we go straight to beta if we feel that all features are there? 2 reasons for an alpha 4 (this week if possible) in my opinion: - this beta date is a target and could slip (what is your estimate for completing the testing?) - it was agreed in the team meeting a few weeks ago that since the alpha 4 contains significant changes (multi-threaded enforcer and PIN storage) it should be released as soon as those developments were finished, rather than waiting for beta. Plus you normally vote for release early, release often! -------------- next part -------------- An HTML attachment was scrubbed... URL: From jerry at opendnssec.org Wed Aug 29 11:38:04 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 29 Aug 2012 13:38:04 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> Message-ID: <0EC685C8-CBC5-4FC1-89B2-C9124FDE5386@opendnssec.org> On Aug 29, 2012, at 13:12 , Sara Dickinson wrote: > Why? I didn't think the changes agreed were that big and isn't the completing the alpha 4 release the top priority? It is not hard but its a bit too chew on, yes it has priority but other non-opendnssec stuff has intervened. -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jerry at opendnssec.org Wed Aug 29 11:41:16 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 29 Aug 2012 13:41:16 +0200 Subject: [Opendnssec-develop] 1.4 beta release In-Reply-To: <91251EDA-2360-4A70-9878-2026657BDAC7@sinodun.com> References: <3ABDFE5E-859D-492A-BCE5-243674F059DF@opendnssec.org> <91251EDA-2360-4A70-9878-2026657BDAC7@sinodun.com> Message-ID: <05EC4201-B098-465B-BAE9-B5BFAAA7C340@opendnssec.org> On Aug 29, 2012, at 13:35 , Sara Dickinson wrote: > - this beta date is a target and could slip (what is your estimate for completing the testing?) Testing should be done on the beta, not the alpha. If we release alpha 4 early next week and beta a few days later I don't see why we should release alpha 4. The difference between alpha and beta is that when its beta its feature frozen meaning we should not add something new but we can still fix a broken feature we already added. -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jerry at opendnssec.org Wed Aug 29 12:47:48 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 29 Aug 2012 14:47:48 +0200 Subject: [Opendnssec-develop] Re: Working on Jenkins and the test framework In-Reply-To: References: Message-ID: On Aug 29, 2012, at 08:36 , Jerry Lundstr?m wrote: > I will be working on today and I will try and disable all email now. I'm done with it now and it looks good. What I did was to add more waiting time in ods-control since I believe it is a problem on the VMs and that it gave false results. The VMs are just so damn slow that it times out waiting for processes to start (over 5 seconds to start) and that in turn returns errors. I also added a retry for all tests so they will be retried one more time. Hopefully this will eliminate the failing of tests from time to time we have been seeing. /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From matthijs at nlnetlabs.nl Wed Aug 29 13:01:07 2012 From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Wed, 29 Aug 2012 15:01:07 +0200 Subject: [Opendnssec-develop] 1.4 beta release In-Reply-To: <05EC4201-B098-465B-BAE9-B5BFAAA7C340@opendnssec.org> References: <3ABDFE5E-859D-492A-BCE5-243674F059DF@opendnssec.org> <91251EDA-2360-4A70-9878-2026657BDAC7@sinodun.com> <05EC4201-B098-465B-BAE9-B5BFAAA7C340@opendnssec.org> Message-ID: <503E1293.90100@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Actually that is correct, according to wikipedia. I guess, despite earlier conclusions, I would have nothing against releasing beta next week, skipping an a4 release. Best regards, Matthijs On 08/29/2012 01:41 PM, Jerry Lundstr?m wrote: > On Aug 29, 2012, at 13:35 , Sara Dickinson wrote: >> - this beta date is a target and could slip (what is your >> estimate for completing the testing?) > > > Testing should be done on the beta, not the alpha. > > If we release alpha 4 early next week and beta a few days later I > don't see why we should release alpha 4. > > The difference between alpha and beta is that when its beta its > feature frozen meaning we should not add something new but we can > still fix a broken feature we already added. > > -- Jerry Lundstr?m - OpenDNSSEC Developer > http://www.opendnssec.org/ > > > > _______________________________________________ Opendnssec-develop > mailing list Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJQPhKTAAoJEA8yVCPsQCW5jJYH/3e5iRHKwgVleha5UXBz21G1 zGpnEGH7Kx4J3YPKnMHq33ERC+nd7kZayC0O/Hc3qnFaPhcnpbBJ361q/etrIb8N NKo0NdWOufKXcKEUpZsinMWqpk9SZIDng+qdu+HYYvivYZEWSEBZhi5d2vnIgFYj 118TtwmGM/6VIH0aGX/8/jbCFuRqGQjUSlIgvKiN5pPkFx1J9/UFyaTTiBjV+Zwe mkRlN2C3B75dFwNRtVrFGelWDBSf52FGOa17f4TJ30SmIr87T5uXJxk8m3RHrbyK OodQ9NWJgApWt6n7SVc+s0GiWziO2aY/KrFLCM8zCI204T5Mqjs8W+BVCWvYdTk= =r0FY -----END PGP SIGNATURE----- From sara at sinodun.com Wed Aug 29 13:02:08 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 29 Aug 2012 14:02:08 +0100 Subject: [Opendnssec-develop] 1.4 beta release In-Reply-To: <05EC4201-B098-465B-BAE9-B5BFAAA7C340@opendnssec.org> References: <3ABDFE5E-859D-492A-BCE5-243674F059DF@opendnssec.org> <91251EDA-2360-4A70-9878-2026657BDAC7@sinodun.com> <05EC4201-B098-465B-BAE9-B5BFAAA7C340@opendnssec.org> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > On Aug 29, 2012, at 13:35 , Sara Dickinson wrote: >> >> So given the discussion in the team meeting last week I think the >> only things needed for a beta are: >> >> - OPENDNSSEC-172 - DNS adaptor tests (Matthijs) >> - OPENDNSSEC-317 - Repeat the pre-release auditor testing against 1.4 (Jerry with help >> from Rickard) On 29 Aug 2012, at 12:41, Jerry Lundstr?m wrote: > Testing should be done on the beta, not the alpha. OK - I think I see the confusion now. You don't think that OPENDNSSEC-317 needs to be done before the beta, it just needs to be before the full release? I has assumed from our discussion in the team meeting that everyone agreed both items should be done before the beta. I would vote for this but given that the multi-threaded enforcer won't be finished this week we can discuss this next Tuesday in the team meeting. Regardless of the release decision I believe that running the auditor is the next highest priority for the 1.4 release after finishing the functionality. Is there any reason it couldn't be done by the end of next week? -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJQPhLUAAoJEAuxXeCvTgIIEG8H/AndcYBBAu7m8D5Ebawkes7E 5mTmbMiyPHFBknYrHUS8YW8qsHKeIYMNyNYnWqw19KQCoysrpf5Afl8FiJhSr6zP WG0IAVaDd5mRvXVOK+7XY4R9yQvyn7KgntoRkH7EAXbNZz+zEv3P896Y1uhL7kZM Fu/p3sJvhb65r6/IhsuNY3rjUxcoL/mHD9PyfZigH0y3btOPzM1kKsvUY94up/DK ThmVuIF8/6ho2WF+NeoYFkN8qfi33vQdwxhArK5gVRkm6zMrpWcOR6iNIFwigplO aYZv7O/IiB3M1NCgQ71zqz79An5TuWvn05Kc8oxBd6UiHVx8qx6PT3WduzyAJhk= =Ayx5 -----END PGP SIGNATURE----- From jerry at opendnssec.org Wed Aug 29 13:19:33 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Wed, 29 Aug 2012 15:19:33 +0200 Subject: [Opendnssec-develop] 1.4 beta release In-Reply-To: References: <3ABDFE5E-859D-492A-BCE5-243674F059DF@opendnssec.org> <91251EDA-2360-4A70-9878-2026657BDAC7@sinodun.com> <05EC4201-B098-465B-BAE9-B5BFAAA7C340@opendnssec.org> Message-ID: <10010917789845559@unknownmsgid> Hi, I don't think I said it should be done before the beta, think I said it should be done for the beta and by that I mean on the beta. Can be easy to mixed up over the telephone conference :/ Risks I see are things like getting the auditor to work for 1.4 adapters and if we need to modify it (who knows Ruby the best?). I also only have 3 full work days next week for OpenDNSSEC and I don't know when Rickard is available. /Jerry On 29 aug 2012, at 15:02, Sara Dickinson wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > >> On Aug 29, 2012, at 13:35 , Sara Dickinson wrote: >>> >>> So given the discussion in the team meeting last week I think the >>> only things needed for a beta are: >>> >>> - OPENDNSSEC-172 - DNS adaptor tests (Matthijs) >>> - OPENDNSSEC-317 - Repeat the pre-release auditor testing against 1.4 (Jerry with help >>> from Rickard) > > > On 29 Aug 2012, at 12:41, Jerry Lundstr?m wrote: > >> Testing should be done on the beta, not the alpha. > > OK - I think I see the confusion now. You don't think that OPENDNSSEC-317 needs to be done before the beta, it just needs to be before the full release? I has assumed from our discussion in the team meeting that everyone agreed both items should be done before the beta. I would vote for this but given that the multi-threaded enforcer won't be finished this week we can discuss this next Tuesday in the team meeting. > > Regardless of the release decision I believe that running the auditor is the next highest priority for the 1.4 release after finishing the functionality. > > Is there any reason it couldn't be done by the end of next week? > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.18 (Darwin) > Comment: GPGTools - http://gpgtools.org > > iQEcBAEBAgAGBQJQPhLUAAoJEAuxXeCvTgIIEG8H/AndcYBBAu7m8D5Ebawkes7E > 5mTmbMiyPHFBknYrHUS8YW8qsHKeIYMNyNYnWqw19KQCoysrpf5Afl8FiJhSr6zP > WG0IAVaDd5mRvXVOK+7XY4R9yQvyn7KgntoRkH7EAXbNZz+zEv3P896Y1uhL7kZM > Fu/p3sJvhb65r6/IhsuNY3rjUxcoL/mHD9PyfZigH0y3btOPzM1kKsvUY94up/DK > ThmVuIF8/6ho2WF+NeoYFkN8qfi33vQdwxhArK5gVRkm6zMrpWcOR6iNIFwigplO > aYZv7O/IiB3M1NCgQ71zqz79An5TuWvn05Kc8oxBd6UiHVx8qx6PT3WduzyAJhk= > =Ayx5 > -----END PGP SIGNATURE----- From sara at sinodun.com Wed Aug 29 13:47:30 2012 From: sara at sinodun.com (Sara Dickinson) Date: Wed, 29 Aug 2012 14:47:30 +0100 Subject: [Opendnssec-develop] 1.4 beta release In-Reply-To: <10010917789845559@unknownmsgid> References: <3ABDFE5E-859D-492A-BCE5-243674F059DF@opendnssec.org> <91251EDA-2360-4A70-9878-2026657BDAC7@sinodun.com> <05EC4201-B098-465B-BAE9-B5BFAAA7C340@opendnssec.org> <10010917789845559@unknownmsgid> Message-ID: <0A6D14A3-D147-477E-B349-2DBA9DED2AB3@sinodun.com> On 29 Aug 2012, at 14:19, Jerry Lundstr?m wrote: > Hi, > > I don't think I said it should be done before the beta, think I said > it should be done for the beta and by that I mean on the beta. Can be > easy to mixed up over the telephone conference :/ Thanks for clarifying - yes I had misunderstood this :-) Matthijs - thanks for you input too. So lets keep working on 1.4 and make a decision next Tuesday on a beta release? > > Risks I see are things like getting the auditor to work for 1.4 > adapters and if we need to modify it (who knows Ruby the best?). I > also only have 3 full work days next week for OpenDNSSEC and I don't > know when Rickard is available. OK - lets plan this offline with Rickard. I have time next week to help with this. > > /Jerry From jerry at opendnssec.org Thu Aug 30 13:26:34 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Thu, 30 Aug 2012 15:26:34 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <0EC685C8-CBC5-4FC1-89B2-C9124FDE5386@opendnssec.org> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> <0EC685C8-CBC5-4FC1-89B2-C9124FDE5386@opendnssec.org> Message-ID: Hi, So I think most of the logging things are done. Was I did was to have thread specific log prefix. Also it will not call the Signer to update the zone for each zone, it calls the Signer at the end to update all zones. Here is an syslog output: Aug 30 15:21:48 ods13support ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml. Aug 30 15:21:48 ods13support ods-enforcerd: Zone example.com found. Aug 30 15:21:48 ods13support ods-enforcerd: [main] example.com: Policy for example.com set to default. Aug 30 15:21:48 ods13support ods-enforcerd: [main] example.com: Config will be output to /var/opendnssec/signconf/example.com.xml. Aug 30 15:21:48 ods13support ods-enforcerd: [worker[4]]: Policy default found in DB. Aug 30 15:21:48 ods13support ods-enforcerd: [worker[4]] example.com: WARNING: KSK rollover for zone 'example.com' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next Aug 30 15:21:48 ods13support ods-enforcerd: [worker[4]] example.com: No change to: /var/opendnssec/signconf/example.com.xml Aug 30 15:21:48 ods13support ods-enforcerd: Could not call signer engine to update all zones Aug 30 15:21:48 ods13support ods-enforcerd: Will continue: call 'ods-signer update --all' to manually update all zones What do people think? -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From matthijs at nlnetlabs.nl Thu Aug 30 13:53:21 2012 From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Thu, 30 Aug 2012 15:53:21 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> <0EC685C8-CBC5-4FC1-89B2-C9124FDE5386@opendnssec.org> Message-ID: <503F7051.9000706@nlnetlabs.nl> Like. Looks similar to the signer logging. Matthijs On 08/30/2012 03:26 PM, Jerry Lundstr?m wrote: > Hi, > > So I think most of the logging things are done. Was I did was to have thread specific log prefix. > > Also it will not call the Signer to update the zone for each zone, it calls the Signer at the end to update all zones. > > Here is an syslog output: > > Aug 30 15:21:48 ods13support ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml. > Aug 30 15:21:48 ods13support ods-enforcerd: Zone example.com found. > Aug 30 15:21:48 ods13support ods-enforcerd: [main] example.com: Policy for example.com set to default. > Aug 30 15:21:48 ods13support ods-enforcerd: [main] example.com: Config will be output to /var/opendnssec/signconf/example.com.xml. > Aug 30 15:21:48 ods13support ods-enforcerd: [worker[4]]: Policy default found in DB. > Aug 30 15:21:48 ods13support ods-enforcerd: [worker[4]] example.com: WARNING: KSK rollover for zone 'example.com' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next > Aug 30 15:21:48 ods13support ods-enforcerd: [worker[4]] example.com: No change to: /var/opendnssec/signconf/example.com.xml > Aug 30 15:21:48 ods13support ods-enforcerd: Could not call signer engine to update all zones > Aug 30 15:21:48 ods13support ods-enforcerd: Will continue: call 'ods-signer update --all' to manually update all zones > > > What do people think? > > -- > Jerry Lundstr?m - OpenDNSSEC Developer > http://www.opendnssec.org/ > > > > > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 554 bytes Desc: OpenPGP digital signature URL: From sara at sinodun.com Thu Aug 30 14:13:45 2012 From: sara at sinodun.com (Sara Dickinson) Date: Thu, 30 Aug 2012 15:13:45 +0100 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <503F7051.9000706@nlnetlabs.nl> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> <0EC685C8-CBC5-4FC1-89B2-C9124FDE5386@opendnssec.org> <503F7051.9000706@nlnetlabs.nl> Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Yup - looks fine to me. Sara. On 30 Aug 2012, at 14:53, Matthijs Mekking wrote: > Like. Looks similar to the signer logging. > > Matthijs > > On 08/30/2012 03:26 PM, Jerry Lundstr?m wrote: >> Hi, >> >> So I think most of the logging things are done. Was I did was to have thread specific log prefix. >> >> Also it will not call the Signer to update the zone for each zone, it calls the Signer at the end to update all zones. >> >> Here is an syslog output: >> >> Aug 30 15:21:48 ods13support ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml. >> Aug 30 15:21:48 ods13support ods-enforcerd: Zone example.com found. >> Aug 30 15:21:48 ods13support ods-enforcerd: [main] example.com: Policy for example.com set to default. >> Aug 30 15:21:48 ods13support ods-enforcerd: [main] example.com: Config will be output to /var/opendnssec/signconf/example.com.xml. >> Aug 30 15:21:48 ods13support ods-enforcerd: [worker[4]]: Policy default found in DB. >> Aug 30 15:21:48 ods13support ods-enforcerd: [worker[4]] example.com: WARNING: KSK rollover for zone 'example.com' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next >> Aug 30 15:21:48 ods13support ods-enforcerd: [worker[4]] example.com: No change to: /var/opendnssec/signconf/example.com.xml >> Aug 30 15:21:48 ods13support ods-enforcerd: Could not call signer engine to update all zones >> Aug 30 15:21:48 ods13support ods-enforcerd: Will continue: call 'ods-signer update --all' to manually update all zones >> >> >> What do people think? >> >> -- >> Jerry Lundstr?m - OpenDNSSEC Developer >> http://www.opendnssec.org/ >> >> >> >> >> _______________________________________________ >> Opendnssec-develop mailing list >> Opendnssec-develop at lists.opendnssec.org >> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop >> > > > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.18 (Darwin) Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJQP3UdAAoJEAuxXeCvTgII2ecH/jEaq0ryDlwaU48CjkctdDNp CptJVQnE3XlywltLeaYxM6SnyUBsMxnRwSYGghr/PmQY71zQLZ+FA7Bgr0Hk6xdo QX+OlEoyNeoELfuLXmfD04w9b4Jzb/shuORZe9vAUBgHH/tVfcXLlqTfhuj78XSu bJOC1omoTb15ckQmzKYOT+3gmGjMkX81QiyWC/G+ElPvdyakrJYkSxuXQYuBZq6v Ob7IrXbkcFB1t60uosFrsSp7pOowjrrQRer+k2FUI7bzLGoaCPpT1AMbXPVZwcBU NdhVlpt8TRCgq5glpWuhzUtZ1aPjcB1m/Ufmneone38mjwmSdIdFsm8ifEar1ys= =ScsC -----END PGP SIGNATURE----- From jerry at opendnssec.org Thu Aug 30 14:20:32 2012 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Thu, 30 Aug 2012 16:20:32 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> <0EC685C8-CBC5-4FC1-89B2-C9124FDE5386@opendnssec.org> <503F7051.9000706@nlnetlabs.nl> Message-ID: Hi, Another thing just noticed, multithreaded Enforcer can only be used with MySQL. This is because SQLite locks the database internally and returns SQLITE_LOCKED and that makes the Enforcer fail for that zone. So to not delay the next release further I will only make the threads available if MySQL is the database backend. This does not mean that it will never work with SQLite, it just means there is more work to be done and a positive side effect of getting that to work will be that we can remove the file system lock we currently have. Now thats a GOOD thing :) /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jerry at opendnssec.org Fri Aug 31 08:19:36 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Fri, 31 Aug 2012 10:19:36 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> <0EC685C8-CBC5-4FC1-89B2-C9124FDE5386@opendnssec.org> <503F7051.9000706@nlnetlabs.nl> Message-ID: Hi, I'm off work Friday and Monday, please comment on the things I've sent and unless there are issues I will merge the code on Tuesday (unless someone else does it) and we can release 1.4.0b1 (right?). /Jerry -- Jerry Lundstr?m - OpenDNSSEC Developer http://www.opendnssec.org/ From sara at sinodun.com Fri Aug 31 10:06:46 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 31 Aug 2012 11:06:46 +0100 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> <0EC685C8-CBC5-4FC1-89B2-C9124FDE5386@opendnssec.org> <503F7051.9000706@nlnetlabs.nl> Message-ID: <2CB647FF-2775-493D-8225-9C46F88A47A4@sinodun.com> On 30 Aug 2012, at 15:20, Jerry Lundstr?m wrote: > Hi, > > Another thing just noticed, multithreaded Enforcer can only be used with MySQL. > > This is because SQLite locks the database internally and returns SQLITE_LOCKED and that makes the Enforcer fail for that zone. So to not delay the next release further I will only make the threads available if MySQL is the database backend. I don't see a problem with this. Anyone who has enough zones to need the multi-threaded enforcer should be using MySQL anyway - right? Sara. From jerry at opendnssec.org Fri Aug 31 10:43:09 2012 From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Fri, 31 Aug 2012 12:43:09 +0200 Subject: [Opendnssec-develop] Multithreaded Enforcer issues before we can merge with trunk In-Reply-To: <2CB647FF-2775-493D-8225-9C46F88A47A4@sinodun.com> References: <50374473.2040701@nominet.org.uk> <50374C1F.3040800@nlnetlabs.nl> <503B29A2.5040804@nlnetlabs.nl> <503B4084.9010105@nlnetlabs.nl> <13C13737-CF13-47CE-830D-EBD1349253FE@sinodun.com> <341FCCDA-DCE1-4ED3-93F8-C6619D0E98BF@opendnssec.org> <1C3A1AF2-F64F-4723-AD5E-E808560FEED7@sinodun.com> <0EC685C8-CBC5-4FC1-89B2-C9124FDE5386@opendnssec.org> <503F7051.9000706@nlnetlabs.nl> <2CB647FF-2775-493D-8225-9C46F88A47A4@sinodun.com> Message-ID: <-3887995951064484901@unknownmsgid> On 31 aug 2012, at 12:06, Sara Dickinson wrote: > I don't see a problem with this. Anyone who has enough zones to need the multi-threaded enforcer should be using MySQL anyway - right? Yes, thats right. /Jerry From sara at sinodun.com Fri Aug 31 11:09:23 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 31 Aug 2012 12:09:23 +0100 Subject: [Opendnssec-develop] RE: Team meetings - teleconf solution Message-ID: Hi All, So it turns out that the Webex trial meetings are very limited in terms of the PSTN access and they only allow access from a local number in the country the account is set up in. Even on the full account adding PSTN access from other countries ramps up the price. So I wanted to clarify the general requirement for this: If you want to be able to join the team meetings via telephone dial-in (i.e. you don't want to or can't use a PC based client for some reason) then can you please reply to this email to let me know. Thanks Sara. From sara at sinodun.com Fri Aug 31 15:18:32 2012 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 31 Aug 2012 16:18:32 +0100 Subject: [Opendnssec-develop] Team meeting 2012-09-04 @ 14:00 CEST References: <4661A8A5-8236-4FFF-A75E-EBDE4D3B0555@sinodun.com> Message-ID: <7F04F18F-C19C-418C-99DB-842B6D0495CB@sinodun.com> Hi All, We have a scheduled team meeting next week: Date: Tuesday 4th September 2012 Time: 14:00-15:00 CEST, 13:00-14:00 BST The agenda and outstanding actions can be found here: http://wiki.opendnssec.org/display/OpenDNSSEC/2012-09-04+Agenda Sara. -------------- next part -------------- An HTML attachment was scrubbed... URL: