[Opendnssec-develop] Meeting 20120228
Siôn Lloyd
sion at nominet.org.uk
Tue Feb 28 14:42:25 UTC 2012
On 27/02/12 09:01, Rickard Bellgrim wrote:
> Hi
>
> We have a meeting tomorrow.
>
> Date: Tuesday 28 February
> Time: 14:00-15:00 CET, 13:00-14:00 GMT
>
> Agenda:
> https://wiki.opendnssec.org/display/OpenDNSSEC/2012-02-28+Agenda
>
> // Rickard
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
It's going to take me a while to get the notes up on the website... In
case you can't wait, the notes I typed up during the call are here, I've
not read through them yet.
Sion
Who will write minutes?
Sion; also on the call are Jakob, Rickard, Jerry and Matthijs
Agree on the agenda
Action points
Rickard: Discuss "hsm_get_key_rdata produces wrongly encoded DNSKEYs"
with the user and work towards a solution for their problem.
Rewrite the patch; signer engine will reuse the key from backup so it is
safe to do so. Worry is if in middle of key rollover, the export will not
match the signer.
Matthijs - had idea to not rely on backup from 1.4 as it is causing
issues in 1.3. So the assumption might not hold in future.
Other solution is to mark the version number, and switch to "incorrect"
output if required. Then rollover will eventually get rid of the
incorrect keys, means that the enforcer needs to track this in kasp and
send the info to the signer.
This is the safest way, but no-one seems to like it too much. However,
relying on backup files is not nice either.
It is in the users' interest to remove faulty keys ASAP, we could give a
big warning to users to migrate to a key with no leading zeros, and bar
the use of keys after the patch is applied.
ACTION - ALL discuss this on the list to get to a solution
Updates OpenDNSSEC
Signer:
1.3 reads serial from backup even if the rest is corrupted.
Playing with test framework for dns adapters.
Nothing else
Updates Enforcer NG
Yuri is not here. Next teleconf is Thursday
Updates SoftHSM
Destruction of singleton was causing segfaults on exit - fixed.
Testing
Live demo yesterday, more SIDN tests have been added to Jenkins. Waiting
on more VMs.
Can we release?
OpenDNSSEC 1.3.7
Serial numbers fixed.
New bug reported from training (duplicate RRs?), and 2 more issues:
enforcer pidfile issue (could check for pid)
signer can get into endless loop
Can release once these are fixed.
OpenDNSSEC 1.4.0a1
Are new bugs (in 1.3.6) also in trunk?
enforcer issues - yes
signer - not the ones with backup files
NSEC3PARAM issue, maybe.
New signer architecture can be found here:
https://wiki.opendnssec.org/display/OpenDNSSEC/Signer+Engine+Adapter+Architecture
Configuration needs to be documented; probably needed for alpha?
Needs to branch off 1.3 documentation? Where should the 1.4 specific
documentation go?
Sara has some documentation on this, but it might not cover this situation.
OpenDNSSEC 2.0.0a3
Meeting on Thursday.
SoftHSM 2.0.0
Maybe 1.3.2? Nothing for 2.0
Next meeting
Same time on 13th
AOB
No