From rickard at opendnssec.org Mon Jan 2 13:01:36 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Mon, 2 Jan 2012 14:01:36 +0100
Subject: [Opendnssec-develop] Off-by-one error and new year
In-Reply-To:
References:
Message-ID:

> I read the thread which seemed to focus on the operational aspects. What are the risks in the context of replay attack?

You can replay the signature as long as the key used for signing is still valid according to your chain-of-trust. So yes, we perhaps also should recommend key rollovers.

// Rickard

From yuri at NLnetLabs.nl Tue Jan 3 10:29:02 2012
From: yuri at NLnetLabs.nl (Yuri Schaeffer)
Date: Tue, 03 Jan 2012 11:29:02 +0100
Subject: [Opendnssec-develop] Visualizing enforcer-ng behavior.
Message-ID: <4F02D86E.6040902@nlnetlabs.nl>

Hi,

I took a stab at visualizing enforcer-ng's behavior (in the repository at home/yuri/dnsForecast). Not yet finished nor pretty but the basic functionality is in forecast.py. On top of that I visualize the rollovers with prettify_cli.py. This is mostly intended as proof of concept.

run it as

./forecast.py | ./prettify_cli.py

preferably in a terminal with black background, it has colors!

hardcoded is an existing CSK rolling to a KSK (20 days validity)/ZSK (7 days validity) with a different algorithm

legend:
Y-axis: time
numbers: key id
color of key id: algorithm
+/|/-: rumoured/omnipresent/unretentive
green: introducing
red: outroducing
the columns represent respectively ds/dnskey/rrsigdnskey/rrsig

In the future it should parse a kasp.xml and the current state in the commandline. But I'll put this in the fridge right now to work on more important stuff.

What would be nice to have is a replacement for prettify_cli.py that outputs something (image/html/?) to be shown on a website. So if anyone is feeling creative, please express it!

//yuri

--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl

From jakob at kirei.se Wed Jan 4 08:23:40 2012
From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 4 Jan 2012 09:23:40 +0100
Subject: [Opendnssec-develop] Visualizing enforcer-ng behavior.
In-Reply-To: <4F02D86E.6040902@nlnetlabs.nl>
References: <4F02D86E.6040902@nlnetlabs.nl>
Message-ID:

On 3 jan 2012, at 11:29, Yuri Schaeffer wrote:

> ./forecast.py | ./prettify_cli.py
> preferably in a terminal with black background, it has colors!

Nice! Would it be possible for the snake (aka "python") to generate real graphics?

jakob

From jerry at opendnssec.org Wed Jan 4 09:31:07 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 4 Jan 2012 10:31:07 +0100
Subject: [Opendnssec-develop] OS/Dists to test on
Message-ID:

Hi,

I've been setting up my own local build farm while I wait for the new VMs we are getting from SURFnet running on their production VMWare infrastructure (Thank you Roland!), I've actually got them but everything isn't finalized yet.

This is the list so far, if anyone feels anything is missing please tell:

Ubuntu Server 10.04.3 LTS amd64 (will add 12.04 LTS as soon as it's out)
Debian 6.0 amd64
Fedora 16 amd64
FreeBSD 8.2 amd64
OpenSUSE 12.1 amd64
CentOS 6.2 amd64
Scientific Linux 6.1 amd64 (new RHEL clone made by CERN and Fermilab)
Solaris SunOS 11.11 x86 (i386? i686? amd64? who knows, solaris is weird!)
OpenBSD 5.0 amd64
NetBSD 5.1 amd64

To be added once we can get sorted who's gonna pay for it:

Red Hat Enterprise Linux 6.2 amd64 (RHEL) (covered by SURFnet)
SUSE Linux Enterprise 11 amd64 (SLE)

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sion at nominet.org.uk Wed Jan 4 10:22:54 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Wed, 4 Jan 2012 10:22:54 +0000
Subject: [Opendnssec-develop] delete keys
Message-ID: <4F04287E.4050900@nominet.org.uk>

Before Christmas I committed code to allow the deletion of keys:

https://issues.opendnssec.org/browse/OPENDNSSEC-36

This story was both assigned and reported by me; so we need a volunteer to test the code and close or reopen the issue.

One question is whether we should remove documentation for the --force flag; or if we should remove that functionality completely? Currently, if the key is not in the generate or dead state then the script exits... unless the --force flag is provided, in which case they are asked if they really want to continue.

Sion

From yuri at nlnetlabs.nl Wed Jan 4 12:59:34 2012
From: yuri at nlnetlabs.nl (Yuri Schaeffer)
Date: Wed, 04 Jan 2012 13:59:34 +0100
Subject: [Opendnssec-develop] Visualizing enforcer-ng behavior.
In-Reply-To:
References: <4F02D86E.6040902@nlnetlabs.nl>
Message-ID: <4F044D36.7070405@nlnetlabs.nl>

> Nice! Would it be possible for the snake (aka "python") to generate real graphics?

Sure, the snake can take a PIL for that. But we need some other medicine to spark creativity at the developer.

//yuri

From rickard at opendnssec.org Wed Jan 4 13:34:10 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Wed, 4 Jan 2012 14:34:10 +0100
Subject: [Opendnssec-develop] OS/Dists to test on
In-Reply-To:
References:
Message-ID:

> This is the list so far, if anyone feels anything is missing please tell:

Some 32-bit OS, w.r.t the latest time bug.

// Rickard

From jerry at opendnssec.org Wed Jan 4 13:44:41 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 4 Jan 2012 14:44:41 +0100
Subject: [Opendnssec-develop] OS/Dists to test on
In-Reply-To:
References:
Message-ID:

On Jan 4, 2012, at 14:34 , Rickard Bellgrim wrote:

> Some 32-bit OS, w.r.t the latest time bug.

That would not be caught in a build farm since you need to run long keys / key rollovers.

I think we will need 2-3 other VMs that do that, running week-long tests.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From AlexD at nominet.org.uk Wed Jan 4 13:58:57 2012
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Wed, 4 Jan 2012 13:58:57 +0000
Subject: [Opendnssec-develop] OS/Dists to test on
In-Reply-To:
References:
Message-ID: <0326297A-9682-443F-B568-C80D8321E70F@nominet.org.uk>

>> Some 32-bit OS, w.r.t the latest time bug.
>
> That would not be caught in a build farm since you need to run long keys / key rollovers.
>
> I think we will need 2-3 other VMs that do that, running week-long tests.

Why can't we use the ENFORCER_TIMESHIFT to simulate long keys and rollovers?

Alex.

From sion at nominet.org.uk Wed Jan 4 14:12:34 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Wed, 4 Jan 2012 14:12:34 +0000
Subject: [Opendnssec-develop] kaspcheck replacement
Message-ID: <4F045E52.2000503@nominet.org.uk>

I've done some testing on the new kaspcheck script and I think that it behaves in (roughly) the same way as the ruby version. (One change is that it now exits early if the xml doesn't pass the rng tests.)

So, I've changed the makefile in the enforcer/utils directory to build and install it. N.B. if you also build the auditor then the c version will be overwritten!

There are some tests (enforcer/test/kaspcheck), written in ruby, that are based on the old tests. Hopefully these can be called from jenkins; this means that we will have a ruby requirement in our test environment.

Enjoy.

Sion

From rickard at opendnssec.org Wed Jan 4 14:14:25 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Wed, 4 Jan 2012 15:14:25 +0100
Subject: [Opendnssec-develop] OS/Dists to test on
In-Reply-To:
References:
Message-ID:

>> Some 32-bit OS, w.r.t the latest time bug.
>
> That would not be caught in a build farm since you need to run long keys / key rollovers.
>
> I think we will need 2-3 other VMs that do that, running week-long tests.

That would have been caught around the same time as the problem was reported. E.g. the test server does a complete re-sign of the zone where one of the signatures should have expired on 1 January. Since the system rebuilds all of the time, it would eventually have been caught.

And there are perhaps other 32-bit specific code / errors that are not related to a time based event.

// Rickard

From rickard at opendnssec.org Wed Jan 4 14:17:09 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Wed, 4 Jan 2012 15:17:09 +0100
Subject: [Opendnssec-develop] OS/Dists to test on
In-Reply-To:
References:
Message-ID:

> And there are perhaps other 32-bit specific code / errors that are not
> related to a time based event.

We can of course not have a complete coverage of OS versus 32-bit and 64-bit. But there should at least be one 32-bit machine.

// Rickard

From jerry at opendnssec.org Wed Jan 4 14:33:44 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 4 Jan 2012 15:33:44 +0100
Subject: [Opendnssec-develop] OS/Dists to test on
In-Reply-To:
References:
Message-ID: <8DE95E51-6221-4538-B70C-C367AC9D805B@opendnssec.org>

On Jan 4, 2012, at 15:14 , Rickard Bellgrim wrote:

> Since
> the system rebuilds all of the time, it would eventually have been
> caught.

No, the system does not rebuild all the time and tests need to be fast to detect problems around the time of the check in.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Wed Jan 4 14:34:40 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 4 Jan 2012 15:34:40 +0100
Subject: [Opendnssec-develop] OS/Dists to test on
In-Reply-To: <0326297A-9682-443F-B568-C80D8321E70F@nominet.org.uk>
References: <0326297A-9682-443F-B568-C80D8321E70F@nominet.org.uk>
Message-ID:

On Jan 4, 2012, at 14:58 , Alex Dalitz wrote:

> Why can't we use the ENFORCER_TIMESHIFT to simulate long keys and rollovers?

Good point, forgot about that.

But I think it would be nice to have a setup that tests the real code also and not just a "hack".

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From AlexD at nominet.org.uk Wed Jan 4 14:43:19 2012
From: AlexD at nominet.org.uk (Alex Dalitz)
Date: Wed, 4 Jan 2012 14:43:19 +0000
Subject: [Opendnssec-develop] OS/Dists to test on
In-Reply-To:
References: <0326297A-9682-443F-B568-C80D8321E70F@nominet.org.uk>
Message-ID:

>> Why can't we use the ENFORCER_TIMESHIFT to simulate long keys and rollovers?
>
> Good point, forgot about that.
>
> But I think it would be nice to have a setup that tests the real code also and not just a "hack".

Sure! But for quickly testing a long-running system, it is very useful. It should have caught the ldns bug, for example (if we had thought to test for it...).

I have a load of tests which check that the original enforcer ran as specified over long periods, using exactly this feature. It means that you can run a "long-running" test in a few seconds on a continuous integration test machine.

Alex.

From jakob at kirei.se Wed Jan 4 15:23:05 2012
From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 4 Jan 2012 16:23:05 +0100
Subject: [Opendnssec-develop] bye bye auditor
Message-ID: <589FEE0D-0B67-4108-9870-354E688F327B@kirei.se>

The auditor is now officially deprecated and removed from trunk. Please also be aware that the XML schema has changed as the auditor tag now has been removed.

If you're testing trunk and find something broken, please report it via https://issues.opendnssec.org/.

jakob

From sion at nominet.org.uk Wed Jan 4 16:03:43 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Wed, 4 Jan 2012 16:03:43 +0000
Subject: [Opendnssec-develop] bye bye auditor
In-Reply-To: <589FEE0D-0B67-4108-9870-354E688F327B@kirei.se>
References: <589FEE0D-0B67-4108-9870-354E688F327B@kirei.se>
Message-ID: <4F04785F.5010907@nominet.org.uk>

On 04/01/12 15:23, Jakob Schlyter wrote:
> The auditor is now officially deprecated and removed from trunk. Please also be aware that the XML schema has changed as the auditor tag now has been removed.
>
> If you're testing trunk and find something broken, please report it via https://issues.opendnssec.org/.
>

Should this have gone to the users list?

I've cleaned up the enforcer code w.r.t. the auditor; but I've left it in the database to avoid more migration scripts. We can silently drop the columns when migrating to the enforcer-ng.

Sion

From rickard at opendnssec.org Thu Jan 5 07:45:01 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 5 Jan 2012 08:45:01 +0100
Subject: [Opendnssec-develop] Visualizing enforcer-ng behavior.
In-Reply-To: <4F02D86E.6040902@nlnetlabs.nl>
References: <4F02D86E.6040902@nlnetlabs.nl>
Message-ID:

> run it as
> ./forecast.py | ./prettify_cli.py
> preferably in a terminal with black background, it has colors!

Nice one!

// Rickard

From rickard at opendnssec.org Thu Jan 5 08:30:32 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 5 Jan 2012 09:30:32 +0100
Subject: [Opendnssec-develop] delete keys
In-Reply-To: <4F04287E.4050900@nominet.org.uk>
References: <4F04287E.4050900@nominet.org.uk>
Message-ID:

> This story was both assigned and reported by me; so we need a volunteer to
> test the code and close or reopen the issue.

I can take it

> One question is whether we should remove documentation for the --force flag;
> or if we should remove that functionality completely? Currently, if the key
> is not in the generate or dead state then the script exits... unless the
> --force flag is provided, in which case they are asked if they really want
> to continue.

Is there a use case for having the --force flag?

// Rickard

From sion at nominet.org.uk Thu Jan 5 08:38:57 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Thu, 5 Jan 2012 08:38:57 +0000
Subject: [Opendnssec-develop] delete keys
In-Reply-To:
References: <4F04287E.4050900@nominet.org.uk>
Message-ID: <4F0561A1.70200@nominet.org.uk>

On 05/01/12 08:30, Rickard Bellgrim wrote:
>> This story was both assigned and reported by me; so we need a volunteer to
>> test the code and close or reopen the issue.
> I can take it

Thank you.

>> One question is whether we should remove documentation for the --force flag;
>> or if we should remove that functionality completely? Currently, if the key
>> is not in the generate or dead state then the script exits... unless the
>> --force flag is provided, in which case they are asked if they really want
>> to continue.
> Is there a use case for having the --force flag?
>

Test environments maybe?

Published keys that have not become active (maybe if you lose access to them or want to increase the key length?)

If you have multiple active keys in parallel?

So no good use cases.

Sion

From rickard at opendnssec.org Thu Jan 5 08:55:20 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 5 Jan 2012 09:55:20 +0100
Subject: [Opendnssec-develop] delete keys
In-Reply-To: <4F0561A1.70200@nominet.org.uk>
References: <4F04287E.4050900@nominet.org.uk> <4F0561A1.70200@nominet.org.uk>
Message-ID:

>>> One question is whether we should remove documentation for the --force
>>> flag;
>>> or if we should remove that functionality completely? Currently, if the
>>> key
>>> is not in the generate or dead state then the script exits... unless the
>>> --force flag is provided, in which case they are asked if they really
>>> want
>>> to continue.
>>
>> Is there a use case for having the --force flag?
>>
>
> Test environments maybe?
>
> Published keys that have not become active (maybe if you lose access to them
> or want to increase the key length?)
>
> If you have multiple active keys in parallel?

It sounds like it would be ok to have the --force flag in the code. But with the risk that they will break DNSSEC if they do not know what they are doing.

From Roland.vanRijswijk at surfnet.nl Tue Jan 10 14:22:02 2012
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk)
Date: Tue, 10 Jan 2012 15:22:02 +0100
Subject: [Opendnssec-develop] Minutes for Enforcer NG telecon 2012-01-10
Message-ID:

Hi all,

The minutes for today's Enforcer NG telecon can be found here:

https://wiki.opendnssec.org/display/OpenDNSSEC/2012-01-10+-+Enforcer+NG+telecon

Cheers,

Roland

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

From rickard at opendnssec.org Mon Jan 16 08:55:23 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Mon, 16 Jan 2012 09:55:23 +0100
Subject: [Opendnssec-develop] Meeting 2012-01-17
Message-ID:

Hi

We have a meeting tomorrow.

Date: Tuesday 17 January
Time: 10:00-11:00 CET, 9:00-10:00 GMT
Agenda: https://wiki.opendnssec.org/display/OpenDNSSEC/2012-01-17+Agenda

// Rickard

From jerry at opendnssec.org Mon Jan 16 09:29:03 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 16 Jan 2012 10:29:03 +0100
Subject: [Opendnssec-develop] Enforcer validating conf.xml but signer doesn't because of segfault?
Message-ID: <2CE5DE43-1CC4-450C-8124-6F9FB303FDF5@opendnssec.org>

Hi,

There is a bit of strangeness in the signer, it does not validate the conf.xml file but apparently the enforcer does. The comment in the code is that it segfaults, is this still true?

branches/OpenDNSSEC-1.3/signer/src/parser/confparser.c:

    /*
    better not check: if not correct, this will segfault.
    status = xmlRelaxNGValidateDoc(rngctx,doc);
    if (status != 0) {
        ods_log_error("[%s] cfgfile validation failed %s", parser_str,
            cfgfile);
        xmlRelaxNGFreeValidCtxt(rngctx);
        xmlRelaxNGFree(schema);
        xmlRelaxNGFreeParserCtxt(rngpctx);
        xmlFreeDoc(rngdoc);
        xmlFreeDoc(doc);
        return ODS_STATUS_RNG_ERR;
    }
    */

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sion at nominet.org.uk Mon Jan 16 10:00:34 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Mon, 16 Jan 2012 10:00:34 +0000
Subject: [Opendnssec-develop] Enforcer validating conf.xml but signer doesn't because of segfault?
In-Reply-To: <2CE5DE43-1CC4-450C-8124-6F9FB303FDF5@opendnssec.org>
References: <2CE5DE43-1CC4-450C-8124-6F9FB303FDF5@opendnssec.org>
Message-ID: <4F13F542.8000509@nominet.org.uk>

On 16/01/12 09:29, Jerry Lundström wrote:
> Hi,
>
> There is a bit of strangeness in the signer, it does not validate the conf.xml file but apparently the enforcer does. The comment in the code is that it segfaults, is this still true?

The same code is not commented out in trunk... Was there a problem with a specific version of libxml maybe?

I've not seen segfaults with the enforcer (or more recently with the kaspcheck rewrite which has tests that look for RNG validation failures).

> branches/OpenDNSSEC-1.3/signer/src/parser/confparser.c:
>
> /*
> better not check: if not correct, this will segfault.
> status = xmlRelaxNGValidateDoc(rngctx,doc);
> if (status != 0) {
>     ods_log_error("[%s] cfgfile validation failed %s", parser_str,
>         cfgfile);
>     xmlRelaxNGFreeValidCtxt(rngctx);
>     xmlRelaxNGFree(schema);
>     xmlRelaxNGFreeParserCtxt(rngpctx);
>     xmlFreeDoc(rngdoc);
>     xmlFreeDoc(doc);
>     return ODS_STATUS_RNG_ERR;
> }
> */
>

From jerry at opendnssec.org Mon Jan 16 10:29:40 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 16 Jan 2012 11:29:40 +0100
Subject: [Opendnssec-develop] Enforcer validating conf.xml but signer doesn't because of segfault?
In-Reply-To: <4F13F542.8000509@nominet.org.uk>
References: <2CE5DE43-1CC4-450C-8124-6F9FB303FDF5@opendnssec.org> <4F13F542.8000509@nominet.org.uk>
Message-ID: <6766CCCC-5409-4D81-936F-EE2A332DF355@opendnssec.org>

On Jan 16, 2012, at 11:00 , Siôn Lloyd wrote:

> The same code is not commented out in trunk... Was there a problem with a specific version of libxml maybe?

I guess it was:

------------------------------------------------------------------------
r4449 | matthijs | 2011-02-15 19:15:50 +0100 (Tue, 15 Feb 2011) | 3 lines

segfault in libxml2?

Shall we add it back in then?

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From matthijs at nlnetlabs.nl Mon Jan 16 10:35:49 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Mon, 16 Jan 2012 11:35:49 +0100
Subject: [Opendnssec-develop] Enforcer validating conf.xml but signer doesn't because of segfault?
In-Reply-To: <6766CCCC-5409-4D81-936F-EE2A332DF355@opendnssec.org>
References: <2CE5DE43-1CC4-450C-8124-6F9FB303FDF5@opendnssec.org> <4F13F542.8000509@nominet.org.uk> <6766CCCC-5409-4D81-936F-EE2A332DF355@opendnssec.org>
Message-ID: <4F13FD85.4030505@nlnetlabs.nl>

Not sure this is still a problem. You can try it with a rnc invalid conf.xml

Matthijs

On 01/16/2012 11:29 AM, Jerry Lundström wrote:
> On Jan 16, 2012, at 11:00 , Siôn Lloyd wrote:
>
>> The same code is not commented out in trunk... Was there a problem with a specific version of libxml maybe?
>
> I guess it was:
>
> ------------------------------------------------------------------------
> r4449 | matthijs | 2011-02-15 19:15:50 +0100 (Tue, 15 Feb 2011) | 3 lines
>
> segfault in libxml2?
>
> Shall we add it back in then?
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/

From jerry at opendnssec.org Mon Jan 16 10:41:16 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 16 Jan 2012 11:41:16 +0100
Subject: [Opendnssec-develop] Enforcer validating conf.xml but signer doesn't because of segfault?
In-Reply-To: <4F13FD85.4030505@nlnetlabs.nl>
References: <2CE5DE43-1CC4-450C-8124-6F9FB303FDF5@opendnssec.org> <4F13F542.8000509@nominet.org.uk> <6766CCCC-5409-4D81-936F-EE2A332DF355@opendnssec.org> <4F13FD85.4030505@nlnetlabs.nl>
Message-ID:

On Jan 16, 2012, at 11:35 , Matthijs Mekking wrote:

> Not sure this is still a problem. You can try it with a rnc invalid conf.xml

It works fine on ubuntu 10.04.3.

Do you remember what version of libxml2 made the segfault?

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From matthijs at nlnetlabs.nl Mon Jan 16 10:42:03 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Mon, 16 Jan 2012 11:42:03 +0100
Subject: [Opendnssec-develop] Enforcer validating conf.xml but signer doesn't because of segfault?
In-Reply-To:
References: <2CE5DE43-1CC4-450C-8124-6F9FB303FDF5@opendnssec.org> <4F13F542.8000509@nominet.org.uk> <6766CCCC-5409-4D81-936F-EE2A332DF355@opendnssec.org> <4F13FD85.4030505@nlnetlabs.nl>
Message-ID: <4F13FEFB.7030204@nlnetlabs.nl>

On 01/16/2012 11:41 AM, Jerry Lundström wrote:
>
> On Jan 16, 2012, at 11:35 , Matthijs Mekking wrote:
>
>> Not sure this is still a problem. You can try it with a rnc invalid conf.xml
>
> It works fine on ubuntu 10.04.3.
>
> Do you remember what version of libxml2 made the segfault?

No, it is a long time ago.

>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/
>

From matthijs at nlnetlabs.nl Mon Jan 16 10:51:14 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Mon, 16 Jan 2012 11:51:14 +0100
Subject: [Opendnssec-develop] Re: [Opendnssec-commits] [svn.opendnssec.org/svn/dnssec] r6067 - branches/OpenDNSSEC-1.3
In-Reply-To:
References: <20120116104052.C402357D8D@keihatsu.kirei.se>
Message-ID: <4F140122.8000004@nlnetlabs.nl>

Can we bump it right after releasing please? It is quite handy for developing: see the difference between last release and upcoming one.

On 01/16/2012 11:46 AM, Jerry Lundström wrote:
> I believe that is part of the release process.
>
> On Jan 16, 2012, at 11:40 , matthijs at nlnetlabs.nl wrote:
>
>> Author: matthijs
>> Date: 2012-01-16 11:40:52 +0100 (Mon, 16 Jan 2012)
>> New Revision: 6067
>>
>> Modified:
>> branches/OpenDNSSEC-1.3/version.m4
>> Log:
>> let's update to the next version
>>
>> Modified: branches/OpenDNSSEC-1.3/version.m4 >> =================================================================== >> --- branches/OpenDNSSEC-1.3/version.m4 2012-01-16 09:49:47 UTC (rev 6066) >> +++ branches/OpenDNSSEC-1.3/version.m4 2012-01-16 10:40:52 UTC (rev 6067)
>> @@ -2,4 +2,4 @@ >> # >> # this file contains the current OpenDNSSEC version >> >> -define([OPENDNSSEC_VERSION], [1.3.4]) >> +define([OPENDNSSEC_VERSION], [1.3.5])
>>
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/
>

From rickard at opendnssec.org Mon Jan 16 12:13:44 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Mon, 16 Jan 2012 13:13:44 +0100
Subject: [Opendnssec-develop] Re: [Opendnssec-commits] [svn.opendnssec.org/svn/dnssec] r6067 - branches/OpenDNSSEC-1.3
In-Reply-To: <4F140122.8000004@nlnetlabs.nl>
References: <20120116104052.C402357D8D@keihatsu.kirei.se> <4F140122.8000004@nlnetlabs.nl>
Message-ID:

> Can we bump it right after releasing please? It is quite handy for
> developing: see the difference between last release and upcoming one.

Yes, but we then need to modify:
https://wiki.opendnssec.org/display/OpenDNSSEC/Release+Engineering

Suggestion on new text:

1. Make sure that you have the correct version number (in version.m4) and release date in the branch.
...
8. Set a new version number on the code which the release was based on. This is to be able to distinguish between the release and upcoming development.

// Rickard

From jerry at opendnssec.org Mon Jan 16 13:21:21 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 16 Jan 2012 14:21:21 +0100
Subject: [Opendnssec-develop] Suggestion: New permanent agenda topic for meetings: Can we release?
Message-ID: <5B94E6D8-E1FC-4664-A150-00AD9920B1DF@opendnssec.org>

Hi,

To quote Jakob -"Release Early, Release Often.", I would like to suggest a new agenda topic we could have at each meeting, named (or something similar): Can we release?

We go through the issues for next release of each project and if all are closed or will be closed the following days we pick a day/date for the next release. If there aren't any issues for the next release we all could try looking up if there are any interesting ones we should put into the next release. Since we have a meeting every 2 weeks this could become very sprint'ish.

What do you think?

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From rickard at opendnssec.org Mon Jan 16 13:40:45 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Mon, 16 Jan 2012 14:40:45 +0100
Subject: [Opendnssec-develop] Suggestion: New permanent agenda topic for meetings: Can we release?
In-Reply-To: <5B94E6D8-E1FC-4664-A150-00AD9920B1DF@opendnssec.org>
References: <5B94E6D8-E1FC-4664-A150-00AD9920B1DF@opendnssec.org>
Message-ID:

> What do you think?

Great suggestion, it is added to the agenda.

// Rickard

From matthijs at nlnetlabs.nl Mon Jan 16 14:19:15 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Mon, 16 Jan 2012 15:19:15 +0100
Subject: [Opendnssec-develop] Suggestion: New permanent agenda topic for meetings: Can we release?
In-Reply-To: <5B94E6D8-E1FC-4664-A150-00AD9920B1DF@opendnssec.org>
References: <5B94E6D8-E1FC-4664-A150-00AD9920B1DF@opendnssec.org>
Message-ID: <4F1431E3.8080806@nlnetlabs.nl>

In favor!

On 01/16/2012 02:21 PM, Jerry Lundström wrote:
> Hi,
>
> To quote Jakob -"Release Early, Release Often.", I would like to suggest a new agenda topic we could have at each meeting, named (or something similar): Can we release?
>
> We go through the issues for next release of each project and if all are closed or will be closed the following days we pick a day/date for the next release. If there aren't any issues for the next release we all could try looking up if there are any interesting ones we should put into the next release. Since we have a meeting every 2 weeks this could become very sprint'ish.
>
> What do you think?
>
> /Jerry
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/

From jakob at kirei.se Mon Jan 16 19:55:28 2012
From: jakob at kirei.se (Jakob Schlyter) Date: Mon, 16 Jan 2012 20:55:28 +0100 Subject: [Opendnssec-develop] Suggestion: New permanent agenda topic for meetings: Can we release? In-Reply-To: <4F1431E3.8080806@nlnetlabs.nl> References: <5B94E6D8-E1FC-4664-A150-00AD9920B1DF@opendnssec.org> <4F1431E3.8080806@nlnetlabs.nl> Message-ID: <09FF35B7-8B23-4037-9E3A-3E09C29EA551@kirei.se> Yes. j From rick at openfortress.nl Tue Jan 17 10:41:32 2012 From: rick at openfortress.nl (Rick van Rein) Date: Tue, 17 Jan 2012 10:41:32 +0000 Subject: [Opendnssec-develop] Meeting notes 2012-01-17 Message-ID: <20120117104131.GA7672@newphantom.local> Hello, I've written and onlinified today's meeting notes: https://wiki.opendnssec.org/display/OpenDNSSEC/2012-01-17+Minutes I found the editor for these pages to be quite buggy and hard to handle; the layout should suffice but it's definitely not as good as I'm used to (but I may just be spoilt, used as I am to pdfLaTeX). Cheers, -Rick From sion at nominet.org.uk Tue Jan 17 11:03:47 2012 From: sion at nominet.org.uk (Siôn Lloyd) Date: Tue, 17 Jan 2012 11:03:47 +0000 Subject: [Opendnssec-develop] Meeting notes 2012-01-17 In-Reply-To: <20120117104131.GA7672@newphantom.local> References: <20120117104131.GA7672@newphantom.local> Message-ID: <4F155593.7040907@nominet.org.uk> On 17/01/12 10:41, Rick van Rein wrote: > I found the editor for these pages to be quite buggy and hard to > handle; the layout should suffice but it's definitely not as good > as I'm used to (but I may just be spoilt, used as I am to pdfLaTeX). > I agree, I found writing the notes for the previous meeting harder work than for earlier ones. I don't know if the experience is different in different browsers? (I use google chrome on linux.) Sion From matthijs at nlnetlabs.nl Tue Jan 17 11:24:57 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Tue, 17 Jan 2012 12:24:57 +0100 Subject: [Opendnssec-develop] Meeting notes 2012-01-17 In-Reply-To: <4F155593.7040907@nominet.org.uk> References: <20120117104131.GA7672@newphantom.local> <4F155593.7040907@nominet.org.uk> Message-ID: <4F155A89.8040105@nlnetlabs.nl> Although I have no experience yet myself, I heard Roland mention that he really preferred the new system over the old one. Especially with respect to the markup language. Best regards, Matthijs On 01/17/2012 12:03 PM, Siôn Lloyd wrote: > On 17/01/12 10:41, Rick van Rein wrote: >> I found the editor for these pages to be quite buggy and hard to >> handle; the layout should suffice but it's definitely not as good >> as I'm used to (but I may just be spoilt, used as I am to pdfLaTeX). >> > > I agree, I found writing the notes for the previous meeting harder work > than for earlier ones. I don't know if the experience is different in > different browsers? (I use google chrome on linux.) > > Sion From rickard at opendnssec.org Tue Jan 17 12:47:11 2012
From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 17 Jan 2012 13:47:11 +0100 Subject: [Opendnssec-develop] SoftHSM 1.3.1 Message-ID: Hi SoftHSM 1.3.1 is ready for release. Jakob, you can go ahead with the release engineering. // Rickard From rick at openfortress.nl Tue Jan 17 12:50:31 2012 
From: rick at openfortress.nl (Rick van Rein) Date: Tue, 17 Jan 2012 12:50:31 +0000 Subject: [Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year In-Reply-To: References: Message-ID: <20120117125031.GA8904@newphantom.local> Hello Rickard, Good text. Especially good that you made a "grep" with a test that is known to work for this problem. > Remove the affected signatures: > If there are signatures in the zone with extra long validity periods, > then it is recommended to drop all of the signatures and re-sign the > zone. This can be done with the following commands: > > ods-signer clear > > ods-signer sign This temporarily breaks the domain's validity, right? This should be avoided if possible -- which I think it is. There is no immediate need to flush signatures --the signatures are valid, but they shouldn't last so long-- and the following step of key rollover stops future problems from happening. I would not want to remove these signatures in a way that breaks validation, and would hope to see support of that in an email of this kind. > Mitigate replay attacks: > If you are changing your zone data, then there is a chance for an > attacker to replay old data since the signature is still valid. You > need to assess the risk and possible cost of such an attack. If you > need to mitigate such an attack, then you need to roll your keys: > > ods-ksmutil key rollover --zone You also mentioned potential future domain invalidity, is that also a reason to be choosing to do this? I suppose it comes down to a choice, right? clear+resign or do a KSK rollover (including parent actions). > Solution: > The issue has been fixed in ldns 1.6.12. Upgrade to this version in > order to not get affected the next time. "next time" meaning "you should upgrade to the new LDNS before the end of the current year" right? I hope these are useful remarks. Thanks, -Rick From rickard at opendnssec.org Tue Jan 17 13:00:47 2012
From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 17 Jan 2012 14:00:47 +0100 Subject: [Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year In-Reply-To: <20120117125031.GA8904@newphantom.local> References: <20120117125031.GA8904@newphantom.local> Message-ID: >> Remove the affected signatures: >> If there are signatures in the zone with extra long validity periods, >> then it is recommended to drop all of the signatures and re-sign the >> zone. This can be done with the following commands: >> > ods-signer clear >> > ods-signer sign > > This temporarily breaks the domain's validity, right? This > should be avoided if possible -- which I think it is. "ods-signer clear" will clear the internal signatures. New ones will be created and distributed during the next scheduled re-sign. The sign command will force this to happen now. The keys are still there, just that we get a new set of signatures. Nothing will break here. > There is no immediate need to flush signatures --the signatures > are valid, but they shouldn't last so long-- and the following step > of key rollover stops future problems from happening. I would > not want to remove these signatures in a way that breaks validation, > and would hope to see support of that in an email of this kind. I think I need to clarify that the two commands will remove and add new signatures in one "atomic operation". >> Mitigate replay attacks: >> If you are changing your zone data, then there is a chance for an >> attacker to replay old data since the signature is still valid. You >> need to assess the risk and possible cost of such an attack. If you >> need to mitigate such an attack, then you need to roll your keys: >> > ods-ksmutil key rollover --zone > You also mentioned potential future domain invalidity, is that > also a reason to be choosing to do this? The reason was that you want to invalidate any signatures that an attacker can replay. The signatures are valid far longer than the TTL.
> I suppose it comes down to a choice, right? clear+resign or do a > KSK rollover (including parent actions). You should at least do clear+resign and on top of this also do key rollover. >> Solution: >> The issue has been fixed in ldns 1.6.12. Upgrade to this version in >> order to not get affected the next time. > > "next time" meaning "you should upgrade to the new LDNS before the > end of the current year" right? Yes, will fix that text. Thanks // Rickard From matthijs at nlnetlabs.nl Tue Jan 17 13:15:45 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Tue, 17 Jan 2012 14:15:45 +0100 Subject: [Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year In-Reply-To: References: <20120117125031.GA8904@newphantom.local> Message-ID: <4F157481.5020808@nlnetlabs.nl> On 01/17/2012 02:00 PM, Rickard Bellgrim wrote: >>> Remove the affected signatures: >>> If there are signatures in the zone with extra long validity periods, >>> then it is recommended to drop all of the signatures and re-sign the >>> zone. This can be done with the following commands: >>>> ods-signer clear >>>> ods-signer sign >> >> This temporarily breaks the domain's validity, right? This >> should be avoided if possible -- which I think it is. > > "ods-signer clear" will clear the internal signatures. New ones will > be created and distributed during the next scheduled re-sign. The sign > command will force this to happen now. > > The keys are still there, just that we get a new set of signatures. > Nothing will break here. Rickard is right here (and faster than me with typing ;)). >>> Solution: >>> The issue has been fixed in ldns 1.6.12. Upgrade to this version in >>> order to not get affected the next time. >> >> "next time" meaning "you should upgrade to the new LDNS before the >> end of the current year" right? > > Yes, will fix that text. The next time the bug will have effect is 1st of January 2014. That date will be converted to December 31 2016. 
Best regards, Matthijs From sion at nominet.org.uk Tue Jan 17 13:19:53 2012 From: sion at nominet.org.uk (Siôn Lloyd) Date: Tue, 17 Jan 2012 13:19:53 +0000 Subject: [Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year In-Reply-To: <4F157481.5020808@nlnetlabs.nl> References: <20120117125031.GA8904@newphantom.local> <4F157481.5020808@nlnetlabs.nl> Message-ID: <4F157579.9070802@nominet.org.uk> On 17/01/12 13:15, Matthijs Mekking wrote: > The next time the bug will have effect is 1st of January 2014. That date > will be converted to December 31 2016. > It might be worth adding this detail to the text? From rickard at opendnssec.org Tue Jan 17 13:26:29 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 17 Jan 2012 14:26:29 +0100 Subject: [Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year In-Reply-To: <4F157481.5020808@nlnetlabs.nl> References: <20120117125031.GA8904@newphantom.local> <4F157481.5020808@nlnetlabs.nl> Message-ID: > The next time the bug will have effect is 1st of January 2014. That date > will be converted to December 31 2016. Won't the signature be dated December 31 2014? Would it be enough to say that we recommend to upgrade before the next turn of the year. // Rickard From matthijs at NLnetLabs.nl Tue Jan 17 13:37:52 2012
From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Tue, 17 Jan 2012 14:37:52 +0100 (CET) Subject: [Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year In-Reply-To: References: <20120117125031.GA8904@newphantom.local> <4F157481.5020808@nlnetlabs.nl> Message-ID: The calculation is weird, it does not come regularly and the conversions are different each time. Next time it will really be from Jan 2014 to Dec 2016. However, this will occur when the date 01 Jan 2014 needs to be created (most likely expiration time again). Recommending to upgrade before the next turn is a (very) safe boundary. Best regards, Matthijs On Tue, 17 Jan 2012, Rickard Bellgrim wrote: >> The next time the bug will have effect is 1st of January 2014. That date >> will be converted to December 31 2016. > > Won't the signature be dated December 31 2014? > > Would it be enough to say that we recommend to upgrade before the next > turn of the year. > > // Rickard > From Roland.vanRijswijk at surfnet.nl Tue Jan 17 13:41:55 2012
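The check the draft advisory in this thread calls for (finding signatures "with extra long validity periods"), as an added example: this is not the grep test from Rickard's text and not OpenDNSSEC code. It scans a signed zone file in presentation format and reports RRSIGs whose expiration minus inception exceeds a limit; the 30-day limit and the sample zone are assumptions constructed for illustration.

```python
"""Report RRSIG records whose validity window exceeds a policy limit."""
import calendar
import re
import time

MAX_VALIDITY = 30 * 86400          # assumed policy limit, in seconds
CLASSES = {"IN", "CH", "HS"}

# Constructed sample: one normally signed RRset, one with a far-off expiry.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1 hostmaster 2012011701 3600 600 1209600 3600
    IN RRSIG SOA 8 2 3600 20120124120000 20120117110000 12345 example.com. c2lnMQ==
    IN NSEC www A NS SOA RRSIG NSEC DNSKEY
www IN A 192.0.2.10
www IN RRSIG A 8 3 3600 (
        20121231235959 20111225000000 12345 example.com.
        c2lnMg== ) ; expiry roughly a year after inception
"""


def rrsig_time(field):
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS, or seconds since the epoch."""
    if len(field) == 14:
        return calendar.timegm(time.strptime(field, "%Y%m%d%H%M%S"))
    return int(field)


def logical_records(zone_text):
    """Yield (owner_omitted, tokens) per record, joining ( ... ) groups."""
    tokens, depth, owner_omitted = [], 0, False
    for line in zone_text.splitlines():
        # Blank out quoted strings so ';' or '(' inside TXT data is ignored.
        line = re.sub(r'"(?:\\.|[^"\\])*"', '""', line)
        line = line.split(";", 1)[0]            # drop comments
        if not tokens and depth == 0:
            owner_omitted = line[:1].isspace()  # owner inherited from above
        for tok in re.findall(r"[()]|[^\s()]+", line):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                tokens.append(tok)
        if depth == 0 and tokens:
            yield owner_omitted, tokens
            tokens = []


def long_lived_rrsigs(zone_text, max_validity=MAX_VALIDITY):
    """Return (owner, type_covered, key_tag, validity_days) per offender."""
    findings, owner = [], None
    for owner_omitted, rec in logical_records(zone_text):
        if rec[0].startswith("$"):              # $ORIGIN, $TTL, $INCLUDE
            continue
        i = 0
        if not owner_omitted:
            owner, i = rec[0], 1
        # Skip optional TTL and class so "RRSIG" inside an NSEC type
        # bitmap is never mistaken for the record type.
        while i < len(rec) and (rec[i][0].isdigit() or rec[i].upper() in CLASSES):
            i += 1
        if i >= len(rec) or rec[i].upper() != "RRSIG" or len(rec) < i + 8:
            continue
        covered, expiration, inception, key_tag = (
            rec[i + 1], rec[i + 5], rec[i + 6], rec[i + 7])
        validity = rrsig_time(expiration) - rrsig_time(inception)
        if validity > max_validity:
            findings.append((owner, covered, int(key_tag), validity // 86400))
    return findings


if __name__ == "__main__":
    for owner, covered, key_tag, days in long_lived_rrsigs(SAMPLE_ZONE):
        print(f"{owner} RRSIG({covered}) keytag={key_tag} valid for {days} days")
```

Set the limit from the signature validity configured for the zone; any RRSIG it reports stays replayable until its expiration unless the signing key is rolled, which is the point Rickard makes above.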
From: Roland.vanRijswijk at surfnet.nl (Roland van Rijswijk) Date: Tue, 17 Jan 2012 14:41:55 +0100 Subject: [Opendnssec-develop] Meeting notes 2012-01-17 In-Reply-To: <4F155A89.8040105@nlnetlabs.nl> References: <20120117104131.GA7672@newphantom.local> <4F155593.7040907@nominet.org.uk> <4F155A89.8040105@nlnetlabs.nl> Message-ID: > Although I have no experience yet myself, I heard Roland mention that he > really preferred the new system over the old one. Especially with > respect to the markup language. Yes and no :-). As long as you conform to how the system wants you to work it's much easier, if you are used to controlling the location of every comma it is a PITA ;-) I think it's an exercise in letting go for the purists among us :-P Cheers, Roland -- Roland M. van Rijswijk -- SURFnet Middleware Services -- t: +31-30-2305388 -- e: roland.vanrijswijk at surfnet.nl From rick at openfortress.nl Tue Jan 17 13:52:38 2012
From: rick at openfortress.nl (Rick van Rein) Date: Tue, 17 Jan 2012 13:52:38 +0000 Subject: [Opendnssec-develop] Re: [Opendnssec-otr] Off-by-one error and new year In-Reply-To: References: <20120117125031.GA8904@newphantom.local> Message-ID: <20120117135238.GA9483@newphantom.local> Hello, > The keys are still there, just that we get a new set of signatures. > Nothing will break here. Ah yes, of course. Indeed, a clarification of that seems useful :) Thanks, -Rick From AlexD at nominet.org.uk Tue Jan 17 14:32:58 2012 From: AlexD at nominet.org.uk (Alex Dalitz) Date: Tue, 17 Jan 2012 14:32:58 +0000 Subject: [Opendnssec-develop] libhsm error Message-ID: <73C68FBC-4154-4D81-96C3-891B0306B7AF@nominet.org.uk> Hi - Sorry about this, but can anybody please help me understand what I need to do when I get messages like these : [engine] setup: error initializing libhsm errno=268435462 (hsm_session_init(): PKCS#11 module load failed: /usr/local/lib/libsofthsm.so) ? Thanks! Alex. From rickard at opendnssec.org Tue Jan 17 14:38:20 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 17 Jan 2012 15:38:20 +0100 Subject: [Opendnssec-develop] libhsm error In-Reply-To: <73C68FBC-4154-4D81-96C3-891B0306B7AF@nominet.org.uk> References: <73C68FBC-4154-4D81-96C3-891B0306B7AF@nominet.org.uk> Message-ID: > [engine] setup: error initializing libhsm errno=268435462 (hsm_session_init(): PKCS#11 module load failed: /usr/local/lib/libsofthsm.so) Libhsm could not find the library. Do you have the library in this location. The latest SoftHSM installs itself in a subdirectory: /usr/local/lib/softhsm/libsofthsm.so. Maybe need to update conf.xml // Rickard From jerry at opendnssec.org Tue Jan 17 14:44:29 2012 
From: jerry at opendnssec.org (Jerry Lundström) Date: Tue, 17 Jan 2012 15:44:29 +0100 Subject: [Opendnssec-develop] Meeting notes 2012-01-17 In-Reply-To: References: <20120117104131.GA7672@newphantom.local> <4F155593.7040907@nominet.org.uk> <4F155A89.8040105@nlnetlabs.nl> Message-ID: <97707047-926A-46B5-8E89-0096A772F8B3@opendnssec.org> On Jan 17, 2012, at 14:41 , Roland van Rijswijk wrote: > Yes and no :-). As long as you conform to how the system wants you to work it's much easier, if you are used to controlling the location of every comma it is a PITA ;-) Yeah and Atlassian people decided to drop the raw editing of markup altogether in the new version of Confluence, it has made MANY upset and many more have reverted back to 4.x just because of that. Altho I find that it works most of the time, just a few hours ago I was editing a code part and apparently hit tab in the wrong place and it deleted the entire code part... had to cancel and redo. -- Jerry Lundström - OpenDNSSEC Developer http://www.opendnssec.org/ From matthijs at NLnetLabs.nl Tue Jan 17 15:31:59 2012
From: matthijs at NLnetLabs.nl (Matthijs Mekking) Date: Tue, 17 Jan 2012 16:31:59 +0100 (CET) Subject: [Opendnssec-develop] Meeting notes 2012-01-17 In-Reply-To: <97707047-926A-46B5-8E89-0096A772F8B3@opendnssec.org> References: <20120117104131.GA7672@newphantom.local> <4F155593.7040907@nominet.org.uk> <4F155A89.8040105@nlnetlabs.nl> <97707047-926A-46B5-8E89-0096A772F8B3@opendnssec.org> Message-ID: I have edited some action points. I believe they were pointing to the wrong person (namely me;)). The new list of action points are: - Matthijs: Send proposal of zonelist.xml/db cmdline/file edit to dev list - Rickard: Send off-by-one and new year mail to users list - Rickard: Discuss the hsm_get_key_rdata encoding DNSKEYs with user - Jerry: Announce the existence of the maintainers list - Rickard: Change the release management documentation accordingly Best regards, Matthijs On Tue, 17 Jan 2012, Jerry Lundström wrote: > On Jan 17, 2012, at 14:41 , Roland van Rijswijk wrote: > >> Yes and no :-). As long as you conform to how the system wants you to work it's much easier, if you are used to controlling the location of every comma it is a PITA ;-) > > Yeah and Atlassian people decided to drop the raw editing of markup altogether in the new version of Confluence, it has made MANY upset and many more have reverted back to 4.x just because of that. > > Altho I find that it works most of the time, just a few hours ago I was editing a code part and apparently hit tab in the wrong place and it deleted the entire code part... had to cancel and redo. 
> > -- > Jerry Lundström - OpenDNSSEC Developer > http://www.opendnssec.org/ From jakob at kirei.se Tue Jan 17 21:11:32 2012 From: jakob at kirei.se (Jakob Schlyter) Date: Tue, 17 Jan 2012 22:11:32 +0100 Subject: [Opendnssec-develop] SoftHSM 1.3.1 In-Reply-To: References: Message-ID: <179A205A-E124-496B-89FB-B960D9F70354@kirei.se> On 17 jan 2012, at 13:47, Rickard Bellgrim wrote: > SoftHSM 1.3.1 is ready for release. Jakob, you can go ahead with the > release engineering. it is done - tagged and bagged! j From rickard at opendnssec.org Tue Jan 17 21:22:04 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Tue, 17 Jan 2012 22:22:04 +0100 Subject: [Opendnssec-develop] SoftHSM 1.3.1 In-Reply-To: <179A205A-E124-496B-89FB-B960D9F70354@kirei.se> References: <179A205A-E124-496B-89FB-B960D9F70354@kirei.se> Message-ID: >> SoftHSM 1.3.1 is ready for release. Jakob, you can go ahead with the >> release engineering. > > it is done - tagged and bagged! Thanks, just remember point 1 (date in NEWS file) and point 8 (bump the version number). // Rickard From jakob at kirei.se Tue Jan 17 21:24:28 2012
From: jakob at kirei.se (Jakob Schlyter) Date: Tue, 17 Jan 2012 22:24:28 +0100 Subject: [Opendnssec-develop] SoftHSM 1.3.1 In-Reply-To: References: <179A205A-E124-496B-89FB-B960D9F70354@kirei.se> Message-ID: On 17 jan 2012, at 22:22, Rickard Bellgrim wrote: >>> SoftHSM 1.3.1 is ready for release. Jakob, you can go ahead with the >>> release engineering. >> >> it is done - tagged and bagged! > > Thanks, just remember point 1 (date in NEWS file) and point 8 (bump > the version number). Right, I overlooked that as you had already changed the version number. I'll add the release date retroactively, but I will not update the distfile. Bumping the version number is harder, as the release engineer (sounds fancy, right) does not necessarily know what the next version will be. It could be 1.3.2, but might also be 1.4.0. j From rickard at opendnssec.org Wed Jan 18 12:57:21 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Wed, 18 Jan 2012 13:57:21 +0100 Subject: [Opendnssec-develop] OpenDNSSEC 1.3.5 Message-ID: Hi I believe that OpenDNSSEC 1.3.5 is ready for release. We still have one ticket that is not closed, but it should not be a blocking issue. * OPENDNSSEC-54 - Auditor and Signer should error on "\D" notation in zones I also bumped the ldns version to 1.6.12. Anything else? // Rickard From AlexD at nominet.org.uk Wed Jan 18 13:43:00 2012
From: AlexD at nominet.org.uk (Alex Dalitz) Date: Wed, 18 Jan 2012 13:43:00 +0000 Subject: [Opendnssec-develop] OpenDNSSEC 1.3.5 In-Reply-To: References: Message-ID: <243A18BE-D2AB-4087-9BF9-E7E578E1E372@nominet.org.uk> > I believe that OpenDNSSEC 1.3.5 is ready for release. We still have > one ticket that is not closed, but it should not be a blocking issue. > * OPENDNSSEC-54 - Auditor and Signer should error on "\D" notation in zones > > I also bumped the ldns version to 1.6.12. This issue should be fixed by ldns svnr3641, which occurred on the 11th January - I can't tell whether or not this fix made it into the 1.6.12 release which was made that day. Any ideas? Thanks, Alex. From matthijs at nlnetlabs.nl Wed Jan 18 14:00:38 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Wed, 18 Jan 2012 15:00:38 +0100 Subject: [Opendnssec-develop] OpenDNSSEC 1.3.5 In-Reply-To: <243A18BE-D2AB-4087-9BF9-E7E578E1E372@nominet.org.uk> References: <243A18BE-D2AB-4087-9BF9-E7E578E1E372@nominet.org.uk> Message-ID: <4F16D086.7010302@nlnetlabs.nl> Short answer: No. But I think this is a real minor issue, surely not a blocking one. It should not stop the release. The new behavior with respect to this issue can be tested with ldns trunk. Best regards, Matthijs On 01/18/2012 02:43 PM, Alex Dalitz wrote: >> I believe that OpenDNSSEC 1.3.5 is ready for release. We still have >> one ticket that is not closed, but it should not be a blocking issue. >> * OPENDNSSEC-54 - Auditor and Signer should error on "\D" notation in zones >> >> I also bumped the ldns version to 1.6.12. > > This issue should be fixed by ldns svnr3641, which occurred on the 11th January - I can't tell whether or not this fix made it into the 1.6.12 release which was made that day. Any ideas? > > Thanks, > > > Alex. From AlexD at nominet.org.uk Wed Jan 18 14:14:09 2012
From: AlexD at nominet.org.uk (Alex Dalitz) Date: Wed, 18 Jan 2012 14:14:09 +0000 Subject: [Opendnssec-develop] OpenDNSSEC 1.3.5 In-Reply-To: <4F16D086.7010302@nlnetlabs.nl> References: <243A18BE-D2AB-4087-9BF9-E7E578E1E372@nominet.org.uk> <4F16D086.7010302@nlnetlabs.nl> Message-ID: <27925F74-90A0-428F-A0C3-5C994FBA22CB@nominet.org.uk> > But I think this is a real minor issue, surely not a blocking one. Agree absolutely! Alex. From sion at nominet.org.uk Wed Jan 18 15:21:23 2012 From: sion at nominet.org.uk (Siôn Lloyd) Date: Wed, 18 Jan 2012 15:21:23 +0000 Subject: [Opendnssec-develop] Fwd: Re: [Opendnssec-user] 1.3.x crasher when downgrading from 1.4.x In-Reply-To: References: Message-ID: <4F16E373.4080208@nominet.org.uk> Is anyone in a position to test this setup? The closest I can get is some centos 5.X VMs Sion -------- Original Message -------- Subject: Re: [Opendnssec-user] 1.3.x crasher when downgrading from 1.4.x Date: Wed, 18 Jan 2012 09:59:31 -0500 From: Paul Wouters To: Siôn Lloyd CC: On Wed, 18 Jan 2012, Siôn Lloyd wrote: >> To use 1.4.x, the Auditor section has to be removed from conf.xml. When >> migrating back, the absence of this section causes the ods-enforcer to >> segfault. > > We have seen issues like this in the past, and had attributed it to > particular versions of libxml2. > > Can you give us some details of your system? OS, version of libxml2, > architecture, etc... RHEL6 with all updates. x86_64. libxml2-2.7.6-4.el6_2.1.x86_64 Paul From jerry at opendnssec.org Wed Jan 18 15:28:42 2012
From: jerry at opendnssec.org (Jerry Lundström) Date: Wed, 18 Jan 2012 16:28:42 +0100 Subject: [Opendnssec-develop] [Opendnssec-user] 1.3.x crasher when downgrading from 1.4.x In-Reply-To: <4F16E373.4080208@nominet.org.uk> References: <4F16E373.4080208@nominet.org.uk> Message-ID: <3A58C94E-D0F3-4F9E-8C58-1379987DB99A@opendnssec.org> On Jan 18, 2012, at 16:21 , Siôn Lloyd wrote: > Is anyone in a position to test this setup? I can. -- Jerry Lundström - OpenDNSSEC Developer http://www.opendnssec.org/ From rickard at opendnssec.org Thu Jan 19 09:17:25 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Thu, 19 Jan 2012 10:17:25 +0100 Subject: [Opendnssec-develop] OpenDNSSEC 1.3.5 In-Reply-To: <27925F74-90A0-428F-A0C3-5C994FBA22CB@nominet.org.uk> References: <243A18BE-D2AB-4087-9BF9-E7E578E1E372@nominet.org.uk> <4F16D086.7010302@nlnetlabs.nl> <27925F74-90A0-428F-A0C3-5C994FBA22CB@nominet.org.uk> Message-ID: On Wed, Jan 18, 2012 at 3:14 PM, Alex Dalitz wrote: >> But I think this is a real minor issue, surely not a blocking one. > > Agree absolutely! Ok, then we all agree that we can go ahead with the release. Jakob? // Rickard From rickard at opendnssec.org Fri Jan 20 09:57:20 2012 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Fri, 20 Jan 2012 10:57:20 +0100 Subject: [Opendnssec-develop] OpenDNSSEC 1.3.5 In-Reply-To: References: <243A18BE-D2AB-4087-9BF9-E7E578E1E372@nominet.org.uk> <4F16D086.7010302@nlnetlabs.nl> <27925F74-90A0-428F-A0C3-5C994FBA22CB@nominet.org.uk> Message-ID: > Ok, then we all agree that we can go ahead with the release. Jakob? Ping From jakob at kirei.se Fri Jan 20 12:43:25 2012
From: jakob at kirei.se (Jakob Schlyter) Date: Fri, 20 Jan 2012 13:43:25 +0100 Subject: [Opendnssec-develop] OpenDNSSEC 1.3.5 In-Reply-To: References: <243A18BE-D2AB-4087-9BF9-E7E578E1E372@nominet.org.uk> <4F16D086.7010302@nlnetlabs.nl> <27925F74-90A0-428F-A0C3-5C994FBA22CB@nominet.org.uk> Message-ID: On 19 jan 2012, at 10:17, Rickard Bellgrim wrote: > On Wed, Jan 18, 2012 at 3:14 PM, Alex Dalitz wrote: >>> But I think this is a real minor issue, surely not a blocking one. >> >> Agree absolutely! > > Ok, then we all agree that we can go ahead with the release. Jakob? I'll take care of this later today or this weekend. j From jakob at kirei.se Mon Jan 23 09:38:44 2012 From: jakob at kirei.se (Jakob Schlyter) Date: Mon, 23 Jan 2012 10:38:44 +0100 Subject: [Opendnssec-develop] OpenDNSSEC 1.3.5 In-Reply-To: References: <243A18BE-D2AB-4087-9BF9-E7E578E1E372@nominet.org.uk> <4F16D086.7010302@nlnetlabs.nl> <27925F74-90A0-428F-A0C3-5C994FBA22CB@nominet.org.uk> Message-ID: <4EC95F9B-4388-4E49-B9AB-712BE32A57C5@kirei.se> On 19 jan 2012, at 10:17, Rickard Bellgrim wrote: > On Wed, Jan 18, 2012 at 3:14 PM, Alex Dalitz wrote: >>> But I think this is a real minor issue, surely not a blocking one. >> >> Agree absolutely! > > Ok, then we all agree that we can go ahead with the release. Jakob? it is done, please do your magic announce thing. jakob From jad at sinodun.com Mon Jan 23 11:38:44 2012
From: jad at sinodun.com (John Dickinson) Date: Mon, 23 Jan 2012 11:38:44 +0000 Subject: [Opendnssec-develop] Fwd: [Opendnssec-announce] OpenDNSSEC 1.3.5 References: Message-ID: The change to a new version of ldns has broken the CI build. You can see the nice pattern here https://jenkins.opendnssec.org/job/Build_OpenDNSSEC/99/ I will fix it up later today but should checking the status of the build and keeping the CI system up to date not be part of the Release Engineering process? If you still don't have an account on jenkins please let me know via jabber (jad at sinodun.com). John --- jad at sinodun.com Sinodun Internet Technologies Ltd. Stables 4, Suite 11, Howbery Park, Wallingford, Oxfordshire, OX10 8BA, U.K. +44 (0)1491 834957 Begin forwarded message: 
> From: Rickard Bellgrim > Subject: [Opendnssec-announce] OpenDNSSEC 1.3.5 > Date: January 23, 2012 10:12:33 AM GMT > To: opendnssec-announce at lists.opendnssec.org > > Version 1.3.5 of OpenDNSSEC has now been released. > > * Auditor: Include the zone name in the log messages. > * ldns 1.6.12 is required for bugfixes. > * ods-ksmutil: Suppress database connection information when no -v > flag is given. > * ods-enforcerd: Stop multiple instances of the enforcer running by > checking for the pidfile at startup. If you want to run multiple > instances then a different pidfile will need to be specified with the > -P flag. > * ods-ksmutil: ?zone delete? renames the signconf file; so that if the > zone is put back the signer will not pick up the old file. > * Signer Engine: Verbosity can now be set via conf.xml, default is 3. > > Bugfixes: > * Bugfix OPENDNSSEC-174: Configure the location for conf.xml with > ?config or -c when starting the signer. > * Bugfix OPENDNSSEC-192: Signer crashed on deleting NSEC3 for a domain > that becomes opt-out. > * Bugfix OPENDNSSEC-193: Auditor crashed with certain empty non-terminals. > * Signer Engine: A file descriptor for sockets with value zero is allowed. > * Signer Engine: Only log messages about a full signing queue in debug mode. > * Signer Engine: Fix time issues, make sure that the internal serial > does not wander off after a failed audit. > * Signer Engine: Upgrade ldns to avoid future problems on 32-bit > platforms with extra long signature expiration dates. More information > in separate announcement. > > Download the tarball from: > http://www.opendnssec.org/files/source/opendnssec-1.3.5.tar.gz > > // OpenDNSSEC team > _______________________________________________ > Opendnssec-announce mailing list > Opendnssec-announce at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-announce -------------- next part -------------- An HTML attachment was scrubbed... 

From jerry at opendnssec.org Mon Jan 23 11:49:28 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 23 Jan 2012 12:49:28 +0100
Subject: [Opendnssec-develop] Fwd: [Opendnssec-announce] OpenDNSSEC 1.3.5
In-Reply-To:
References:
Message-ID:

On Mon, Jan 23, 2012 at 12:38 PM, John Dickinson wrote:
> I will fix it up later today but should checking the status of the build and
> keeping the CI system up to date not be part of the Release
> Engineering process?

It will be part of release process once it's finalized, still beta'ish.

/Jerry

From jerry at opendnssec.org Mon Jan 23 16:08:32 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 23 Jan 2012 17:08:32 +0100
Subject: [Opendnssec-develop] Testing
Message-ID:

Hi,

I began to document the testing setup last week but haven't finished yet, you can read it here:

https://wiki.opendnssec.org/display/OpenDNSSEC/Testing

It's based on the work me and John did and the discussions we have had about how it should be setup. The documentation so far might now give you so much but I hope to finish it this week with some images and all.

Cheers,
Jerry

From rickard at opendnssec.org Tue Jan 24 13:20:53 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 24 Jan 2012 14:20:53 +0100
Subject: [Opendnssec-develop] Testing
In-Reply-To:
References:
Message-ID:

Looking good so far!

On Mon, Jan 23, 2012 at 5:08 PM, Jerry Lundström wrote:
> Hi,
>
> I began to document the testing setup last week but haven't finished
> yet, you can read it here:
>
> https://wiki.opendnssec.org/display/OpenDNSSEC/Testing
>
> It's based on the work me and John did and the discussions we have had
> about how it should be setup. The documentation so far might now give
> you so much but I hope to finish it this week with some images and
> all.
>
> Cheers,
> Jerry
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From rickard at opendnssec.org Tue Jan 24 16:16:49 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 24 Jan 2012 17:16:49 +0100
Subject: [Opendnssec-develop] Enforcer NG alpha
Message-ID:

Hi

We have four issues that need to be fixed before we can do an alpha:

OPENDNSSEC-185: Problems with ZSK rollover
OPENDNSSEC-183: Wrong timing after introducing KSK
OPENDNSSEC-186: Cannot submit/ds-seen a KSK
OPENDNSSEC-206: Does not talk with the Signer

// Rickard

From jerry at opendnssec.org Wed Jan 25 10:21:39 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 25 Jan 2012 11:21:39 +0100
Subject: [Opendnssec-develop] Re: Testing
In-Reply-To:
References:
Message-ID: <820A5F2D-6914-43A6-B309-5B6700FA7683@opendnssec.org>

On Jan 23, 2012, at 17:08, Jerry Lundström wrote:
> https://wiki.opendnssec.org/display/OpenDNSSEC/Testing

Most of the documentation is finished now, a few examples to look at on the subpages.

Feel free to read and comment!

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From rickard at opendnssec.org Mon Jan 30 08:16:21 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Mon, 30 Jan 2012 09:16:21 +0100
Subject: [Opendnssec-develop] Meeting 2012-02-01
Message-ID:

Hi

We have a telephone meeting on Wednesday.

Date: Wednesday 1 February
Time: 14:00-15:00 CET, 13:00-14:00 GMT

Agenda:
https://wiki.opendnssec.org/display/OpenDNSSEC/2012-02-01+Agenda

// Rickard

From jerry at opendnssec.org Mon Jan 30 14:56:43 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 30 Jan 2012 15:56:43 +0100
Subject: [Opendnssec-develop] Meeting 2012-02-01
In-Reply-To:
References:
Message-ID:

Hi,

You missed OpenDNSSEC 1.3.6.

And to my action point, I understood it so that I was to contact the maintainers we know of and I did and all of them have joined the maintainers list! :)

I don't really see a point announcing it to the general public just yet since it's a locked mailing list, in time when we get a feel of who does what and what we need help with we can ask for volunteers.

/Jerry

On Mon, Jan 30, 2012 at 9:16 AM, Rickard Bellgrim wrote:
> Hi
>
> We have a telephone meeting on Wednesday.
>
> Date: Wednesday 1 February
> Time: 14:00-15:00 CET, 13:00-14:00 GMT
>
> Agenda:
> https://wiki.opendnssec.org/display/OpenDNSSEC/2012-02-01+Agenda
>
> // Rickard

From rickard at opendnssec.org Mon Jan 30 15:12:16 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Mon, 30 Jan 2012 16:12:16 +0100
Subject: [Opendnssec-develop] Meeting 2012-02-01
In-Reply-To:
References:
Message-ID:

> You missed OpenDNSSEC 1.3.6.

Updated that point

> And to my action point, I understood it so that I was to contact the
> maintainers we know of and I did and all of them have joined the
> maintainers list! :)
>
> I don't really see a point announcing it to the general public just
> yet since it's a locked mailing list, in time when we get a feel of who
> does what and what we need help with we can ask for volunteers.

Updated that point. Just made a copy from the previous minutes.

// Rickard