From jerry at opendnssec.org Mon Oct 1 15:04:27 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 1 Oct 2012 17:04:27 +0200
Subject: [Opendnssec-develop] Authoritiative: file vs database
In-Reply-To: <38DF2B40-2636-44CF-9F29-4F2BD58FDDD5@sinodun.com>
References: <620D9AF6-4E0A-4BF0-AA30-CE413C87FEE7@opendnssec.org> <4B34C3CC-0532-4F8F-9A36-3C2C6F6EBF04@kirei.se> <1B62FCD2-B284-4B3A-B4D9-07E9610E581D@opendnssec.org> <38DF2B40-2636-44CF-9F29-4F2BD58FDDD5@sinodun.com>
Message-ID: <604985BF-478F-4FF4-A509-CC91903A7291@opendnssec.org>

On Sep 29, 2012, at 15:25 , Sara Dickinson wrote:

> Sorry - should have been clearer. This solution does solve the current issue with conflicts between the signer and enforcer use of a single zone list file. However Jakob and I had a conversation about this from an architectural point of view in terms of the interface between the enforcer and signer, and possibly replacing the /var/opendnssec/*.xml files with something else in future. Also, we initially thought this solution could simplify the HA setup of a secondary signer since the user would only have to copy the /var/opendnssec dir across but this is not the case.

Then it should actually be the other way around, we should put all files in /etc. If you look at the FHS definition /etc is clearly the most suitable place for these configure files than /var is.

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sara at sinodun.com Mon Oct 1 15:16:11 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 1 Oct 2012 16:16:11 +0100
Subject: [Opendnssec-develop] RE: Team meeting Monday 1st October @ 14:00 CEST - Minutes
Message-ID:

All,

The minutes from the meeting today are available for review at:

http://wiki.opendnssec.org/display/OpenDNSSEC/2012-10-01+Minutes

Regards

Sara.

> On 29 Sep 2012, at 15:23, Sara Dickinson wrote:
>
>> Hi All,
>>
>> As agreed in the developer workshop we have a scheduled team meeting on Monday:
>>
>> Date: Monday 1st October 2012
>> Time: 15:00-14:00 CEST, 14:00-15:00 BST
>
> Erm, that should be:
>
> Time: 14:00-15:00 CEST, 13:00-14:00 BST
>
> :-)

From jerry at opendnssec.org Mon Oct 1 15:42:05 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 1 Oct 2012 17:42:05 +0200
Subject: [Opendnssec-develop] Team meeting Monday 1st October @ 14:00 CEST - Minutes
In-Reply-To:
References:
Message-ID:

On Oct 1, 2012, at 17:16 , Sara Dickinson wrote:

> http://wiki.opendnssec.org/display/OpenDNSSEC/2012-10-01+Minutes

I'm at home sick so I couldn't attend.

To answer one of the action points, yes we can host Coverity on the server and it's actually not .SE server, it's OpenDNSSEC (svb) company server.

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Wed Oct 10 08:01:25 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 10 Oct 2012 10:01:25 +0200
Subject: [Opendnssec-develop] Important: Moving SVN
Message-ID:

Hi all,

We will move our SVN repository today so you won't be able to check in or out for a few hours now.
There might also be a TTL issue for some of you so unless you want to add a temporary entry in hosts you can just wait until tomorrow.

Cheers

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jakob at kirei.se Wed Oct 10 08:20:29 2012
From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 10 Oct 2012 10:20:29 +0200
Subject: [Opendnssec-develop] Important: Moving SVN
In-Reply-To:
References:
Message-ID: <85544788-9998-4A03-B7DC-AA83368F23EB@kirei.se>

On 10 Oct 2012, at 10:01, Jerry Lundström wrote:

> We will move our SVN repository today so you won't be able to check in
> or out for a few hours now.

Developers with SSH access will need to make sure [1] their SVN path now is: svn+ssh://svn.opendnssec.org/svn/dnssec.

The SSH key will change after the move -- the new fingerprint is available as SSHFP (RSA/DSA) and below:

2048 14:f9:a0:5e:d5:58:f5:18:cc:81:50:55:48:07:52:ee svn.opendnssec.org (RSA)
1024 7d:df:15:56:9a:36:ee:01:b7:09:ca:c3:dd:95:d6:4c svn.opendnssec.org (DSA)
256 0c:ab:b0:43:93:b5:8b:6f:32:2a:4b:5e:f7:9f:71:56 svn.opendnssec.org (ECDSA)

Please verify the new key with the fingerprints above before use!

jakob

[1] Use 'svn status' to check. If you have the old path, you can use the following command to change it:

    svn switch --relocate \
        svn+ssh://keihatsu.kirei.se/svn/dnssec \
        svn+ssh://svn.opendnssec.org/svn/dnssec

--
Jakob Schlyter
Kirei AB - http://www.kirei.se/

From jerry at opendnssec.org Wed Oct 10 09:51:42 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 10 Oct 2012 11:51:42 +0200
Subject: [Opendnssec-develop] Re: Important: Moving SVN
In-Reply-To:
References:
Message-ID:

On Wed, Oct 10, 2012 at 10:01 AM, Jerry Lundström wrote:

> We will move our SVN repository today so you won't be able to check in
> or out for a few hours now.

SVN repo is now moved and svn+ssh works.

We still need to fix DKIM and svnweb so if you can please hold off your commits.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jakob at kirei.se Wed Oct 10 09:52:24 2012
From: jakob at kirei.se (Jakob Schlyter)
Date: Wed, 10 Oct 2012 11:52:24 +0200
Subject: [Opendnssec-develop] Re: Important: Moving SVN
In-Reply-To:
References:
Message-ID:

On 10 Oct 2012, at 11:51, Jerry Lundström wrote:

> SVN repo is now moved and svn+ssh works.

Although DNS is not yet updated. Stay tuned.

jakob

From jerry at opendnssec.org Wed Oct 10 11:46:02 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Wed, 10 Oct 2012 13:46:02 +0200
Subject: [Opendnssec-develop] Re: Important: Moving SVN
In-Reply-To:
References:
Message-ID:

On Wed, Oct 10, 2012 at 11:52 AM, Jakob Schlyter wrote:

> Although DNS is not yet updated. Stay tuned.

DNS has now been updated.

To get around not messing with DKIM, commit mails are now sent from its own address and author added to subject.

Commit emails are almost the same, added URL to FishEye.

SVN web are both up also http://svn.opendnssec.org http://dist.opendnssec.org .
You can commit now (if your DNS is up to date or you added it in hosts).

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From rickard at opendnssec.org Wed Oct 10 12:29:06 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Wed, 10 Oct 2012 14:29:06 +0200
Subject: [Opendnssec-develop] Re: Important: Moving SVN
In-Reply-To:
References:
Message-ID:

> SVN web are both up also http://svn.opendnssec.org http://dist.opendnssec.org .
>
> You can commit now (if your DNS is up to date or you added it in hosts).

I did the relocate trick, but now I get:

    user at ubuntu:~/opendnssec/ods-svn$ svn up
    svn: Network connection closed unexpectedly

The old key has been removed from known_hosts

// Rickard

From jerry at opendnssec.org Mon Oct 15 09:03:36 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 15 Oct 2012 11:03:36 +0200
Subject: [Opendnssec-develop] Telephone call on 18 oct
Message-ID:

Hi,

Can we move the call one hour later? Otherwise I won't make it :/

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sion at nominet.org.uk Mon Oct 15 09:17:54 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Mon, 15 Oct 2012 10:17:54 +0100
Subject: [Opendnssec-develop] Telephone call on 18 oct
In-Reply-To:
References:
Message-ID: <507BD4C2.4000100@nominet.org.uk>

On 15/10/12 10:03, Jerry Lundström wrote:

> Hi,
>
> Can we move the call one hour later? Otherwise I won't make it :/
>

I can make either time.
Sion

From yuri at nlnetlabs.nl Mon Oct 15 09:25:07 2012
From: yuri at nlnetlabs.nl (Yuri Schaeffer)
Date: Mon, 15 Oct 2012 11:25:07 +0200
Subject: [Opendnssec-develop] Telephone call on 18 oct
In-Reply-To:
References:
Message-ID: <507BD673.3020309@nlnetlabs.nl>

> Can we move the call one hour later? Otherwise I won't make it :/

no problem

From sara at sinodun.com Mon Oct 15 11:04:02 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 15 Oct 2012 12:04:02 +0100
Subject: [Opendnssec-develop] Telephone call on 18 oct
In-Reply-To: <507BD673.3020309@nlnetlabs.nl>
References: <507BD673.3020309@nlnetlabs.nl>
Message-ID: <9638CCE6-B0AD-4F7A-98DF-EEF3092B14FF@sinodun.com>

On 15 Oct 2012, at 10:25, Yuri Schaeffer wrote:

>> Can we move the call one hour later? Otherwise I won't make it :/

Sure.

From jerry at opendnssec.org Tue Oct 16 12:11:05 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 16 Oct 2012 14:11:05 +0200
Subject: [Opendnssec-develop] svn.opendnssec.org down
Message-ID: <8A5A57CA-B9AA-420F-A785-8BA1D08B80CA@opendnssec.org>

Hi,

The SVN is currently down, will try and get it back up asap!

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Tue Oct 16 13:58:03 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 16 Oct 2012 15:58:03 +0200
Subject: [Opendnssec-develop] Re: svn.opendnssec.org down
In-Reply-To: <8A5A57CA-B9AA-420F-A785-8BA1D08B80CA@opendnssec.org>
References: <8A5A57CA-B9AA-420F-A785-8BA1D08B80CA@opendnssec.org>
Message-ID:

On Oct 16, 2012, at 14:11 , Jerry Lundström wrote:

> The SVN is currently down, will try and get it back up asap!

It's now up again.

The problem we were having was trying to get IPv6 to work on the dom0.
We have eth0/eth1 bonded on bond0 and then a bridge (br0) on top of that and adding IPv6 on the br0 does not work. A ping6 to the default gateway works but if we try and ping anything on the outside the traffic does not get to the interface (nothing showing in tcpdump) and all we get is "Network is down". IPv6 on the bond0 works but we need br0 for KVM.

If anyone has set up a bonding bridge and got IPv6 working, please let me know :)

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sara at sinodun.com Thu Oct 18 07:28:37 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Thu, 18 Oct 2012 08:28:37 +0100
Subject: [Opendnssec-develop] RE: Team meeting Thursday 18th October (Today) @ 15:00 CEST
References:
Message-ID: <5375EE06-723A-4B37-A701-E82B885B6579@sinodun.com>

Hi All,

We have a scheduled team meeting today:

Date: Thursday 18th October 2012
Time: 15:00-16:00 CEST, 14:00-15:00 BST

The agenda and outstanding actions can be found here:

http://wiki.opendnssec.org/display/OpenDNSSEC/2012-10-18+agenda

(This will be a Google+ Hangout again.)

Regards

Sara.

From jerry at opendnssec.org Thu Oct 18 09:02:44 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 18 Oct 2012 11:02:44 +0200
Subject: [Opendnssec-develop] Lim::Plugin::OpenDNSSEC and SoftHSM
Message-ID:

Hi,

As discussed at the physical developer meeting and RIPE, we talked about moving the Lim plugins for OpenDNSSEC and SoftHSM into the SVN/contrib.

After some thinking I don't believe this is the best thing to do right now as it will put more strain on the projects and release phases.
There are also operational things to consider, I have already everything set up with a developer process (git flow) and packaging for most platforms, that would have to change if moved to SVN.

The framework and plugins are currently in alpha and I hope to have a release candidate out sometime in Q1 2013. If anyone wants to help by testing or coding, please let me know and I'll get you started.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Thu Oct 18 10:46:43 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 18 Oct 2012 12:46:43 +0200
Subject: [Opendnssec-develop] Re: svn.opendnssec.org down
In-Reply-To:
References: <8A5A57CA-B9AA-420F-A785-8BA1D08B80CA@opendnssec.org>
Message-ID: <-6864534731609728086@unknownmsgid>

Hi,

There will be a short downtime tomorrow Friday for svn.opendnssec.org and dist.opendnssec.org during the day. This is to try and enable IPv6.

I will send an email shortly before the downtime and it will be very short (~15min).

/Jerry

From jerry at opendnssec.org Thu Oct 18 14:52:46 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 18 Oct 2012 16:52:46 +0200
Subject: [Opendnssec-develop] Re: svn.opendnssec.org down
In-Reply-To: <-6864534731609728086@unknownmsgid>
References: <8A5A57CA-B9AA-420F-A785-8BA1D08B80CA@opendnssec.org> <-6864534731609728086@unknownmsgid>
Message-ID:

On Thu, Oct 18, 2012 at 12:46 PM, Jerry Lundström wrote:

> There will be a short downtime tomorrow Friday for svn.opendnssec.org
> and dist.opendnssec.org during the day. This is to try and enable
> IPv6.
>
> I will send an email shortly before the downtime and it will be very
> short (~15min).

The downtime tomorrow is canceled.
--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sara at sinodun.com Thu Oct 18 16:05:48 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Thu, 18 Oct 2012 17:05:48 +0100
Subject: [Opendnssec-develop] RE: Team meeting Thursday 18th October (Today) @ 15:00 CEST
In-Reply-To: <5375EE06-723A-4B37-A701-E82B885B6579@sinodun.com>
References: <5375EE06-723A-4B37-A701-E82B885B6579@sinodun.com>
Message-ID: <8E98C8B4-FAD6-4BFB-A280-AEF1B537C907@sinodun.com>

All,

The minutes from the meeting today are now available for review:

http://wiki.opendnssec.org/display/OpenDNSSEC/2012-10-18+Minutes

Regards

Sara.

On 18 Oct 2012, at 08:28, Sara Dickinson wrote:

> Hi All,
>
> We have a scheduled team meeting today:
>
> Date: Thursday 18th October 2012
> Time: 15:00-16:00 CEST, 14:00-15:00 BST
>
> The agenda and outstanding actions can be found here:
>
> http://wiki.opendnssec.org/display/OpenDNSSEC/2012-10-18+agenda
>
> (This will be a Google+ Hangout again.)
>
> Regards
>
> Sara.
>
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From matthijs at nlnetlabs.nl Fri Oct 19 07:51:59 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Fri, 19 Oct 2012 09:51:59 +0200
Subject: [Opendnssec-develop] OpenHardware HSM
In-Reply-To: <8E98C8B4-FAD6-4BFB-A280-AEF1B537C907@sinodun.com>
References: <5375EE06-723A-4B37-A701-E82B885B6579@sinodun.com> <8E98C8B4-FAD6-4BFB-A280-AEF1B537C907@sinodun.com>
Message-ID: <5081069F.5090706@nlnetlabs.nl>

From the minutes:

Matthijs also reports that he has seen some discussion on a DNS OPS mailing list of efforts to develop an open source HSM and possibly a software HSM with more features than SoftHSM 1.x - he will forward the archive to the developer mailing list.

That should be an open hardware HSM and it was on the dns-oarc mailing list and this is the thread:

https://lists.dns-oarc.net/pipermail/dns-operations/2012-October/009166.html

Best regards,
Matthijs

On 10/18/2012 06:05 PM, Sara Dickinson wrote:

> All,
>
> The minutes from the meeting today are now available for review:
>
> http://wiki.opendnssec.org/display/OpenDNSSEC/2012-10-18+Minutes
>
> Regards
>
> Sara.
>
> On 18 Oct 2012, at 08:28, Sara Dickinson wrote:
>
>> Hi All,
>>
>> We have a scheduled team meeting today:
>>
>> Date: Thursday 18th October 2012
>> Time: 15:00-16:00 CEST, 14:00-15:00 BST
>>
>> The agenda and outstanding actions can be found here:
>>
>> http://wiki.opendnssec.org/display/OpenDNSSEC/2012-10-18+agenda
>>
>> (This will be a Google+ Hangout again.)
>>
>> Regards
>>
>> Sara.

From rick at openfortress.nl Fri Oct 19 07:57:49 2012
From: rick at openfortress.nl (Rick van Rein)
Date: Fri, 19 Oct 2012 07:57:49 +0000
Subject: [Opendnssec-develop] OpenHardware HSM
In-Reply-To: <5081069F.5090706@nlnetlabs.nl>
References: <5375EE06-723A-4B37-A701-E82B885B6579@sinodun.com> <8E98C8B4-FAD6-4BFB-A280-AEF1B537C907@sinodun.com> <5081069F.5090706@nlnetlabs.nl>
Message-ID: <20121019075749.GA10577@newphantom.local>

Hello,

> Matthijs also reports that he has seen some discussion on a DNS OPS
> mailing list of efforts to develop an open source HSM

That ought to be straightforward -- setup SoftHSM 2.x or a similar PKCS #11 implementation on any PC-ish device. On a Raspberry Pi perhaps?

The real problem with an HSM would be support of "business scenarios" such as redundancy and backup, and perhaps juggling tokens to gain access. This is a lot of hard work, and support-intensive; so it is not an extremely bad idea IMHO to at least have the option of taking it in from a vendor.

> That should be an open hardware HSM and it was on the dns-oarc mailing
> list and this is the thread:

A low-end, open solution that might aspire to the people looking for it could be http://www.yubico.com/yubihsm

Cheers,
 -Rick

From sion at nominet.org.uk Fri Oct 19 08:58:33 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Fri, 19 Oct 2012 09:58:33 +0100
Subject: [Opendnssec-develop] done with backup done
Message-ID: <50811639.9020301@nominet.org.uk>

Morning.

I have marked the "backup done" command as deprecated and added a user confirmation step (plus a force flag for anyone using scripts). See svn r6745.

Is this too much? Is the risk of causing existing scripts to hang greater than the potential damage of keys being incorrectly marked as backed up?

Sion

From sara at sinodun.com Fri Oct 19 09:23:14 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Fri, 19 Oct 2012 10:23:14 +0100
Subject: [Opendnssec-develop] done with backup done
In-Reply-To: <50811639.9020301@nominet.org.uk>
References: <50811639.9020301@nominet.org.uk>
Message-ID: <89FA0693-04CB-4686-A065-31D17B150896@sinodun.com>

On 19 Oct 2012, at 09:58, Siôn Lloyd wrote:

> Morning.
>
> I have marked the "backup done" command as deprecated and added a user confirmation step (plus a force flag for anyone using scripts). See svn r6745.
>
> Is this too much? Is the risk of causing existing scripts to hang greater than the potential damage of keys being incorrectly marked as backed up?

Since we are convinced users should be using 'prepare/commit' and not 'done' then we probably have to take this approach to 'force' them over so they deal with changes in 1.4, not in 2.0 when it is gone for good. As long as we communicate it properly in the release notes and wiki documentation then IMHO this is the right thing.

Sara.

>
> Sion

From rick at openfortress.nl Fri Oct 19 10:25:49 2012
From: rick at openfortress.nl (Rick van Rein)
Date: Fri, 19 Oct 2012 10:25:49 +0000
Subject: [Opendnssec-develop] done with backup done
In-Reply-To: <50811639.9020301@nominet.org.uk>
References: <50811639.9020301@nominet.org.uk>
Message-ID: <20121019102549.GG10807@newphantom.local>

Hello,

Wow, you are fast, Sion!

> I have marked the "backup done" command as deprecated and added a
> user confirmation step (plus a force flag for anyone using scripts).
> See svn r6745.

I've documented the change, as promised, on
https://wiki.opendnssec.org/display/DOCS/ods-ksmutil

I wasn't aware that this change had never reached the Wiki, otherwise I would have volunteered documenting it much sooner. It's good that you at least checked, Sara!

> Is this too much? Is the risk of causing existing scripts to hang
> greater than the potential damage of keys being incorrectly marked
> as backed up?

Hmm, yeah, that is indeed a concern. Hanging backup scripts might not be very friendly if your goal is to protect users from doing something that could hurt them.
If scripts take their input from /dev/null then the scripts might not even hang, but simply fail to confirm the backup -- and proceed.

I suppose the question is -- what changes would someone notice for sure? Backup processes themselves are not usually monitored as closely as their importance warrants, but what you are creating here is different and actually makes sense to me: the Enforcer will never learn about successful backups, and stop to rollover. That is something people should notice, and chase down to the log entries that say DEPRECATED -- ARE YOU SURE and so on.

It's a pretty strong mechanism though. Effectively this would happen if 2.0.0 is brought out without "backup done" and then no keys are rolling. By then, there would be no DEPRECATED reports anymore, but some form of "unknown command" message that the sysop would find when rolling doesn't take place.

The key question is if that stop-to-roll-if-I-leave-my-scripts-in-place should happen when switching to 1.4.0 or 2.0.0 -- IMHO, the sooner the better.

Cheers,
 -Rick

From jerry at opendnssec.org Fri Oct 19 10:53:55 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Fri, 19 Oct 2012 12:53:55 +0200
Subject: [Opendnssec-develop] done with backup done
In-Reply-To: <20121019102549.GG10807@newphantom.local>
References: <50811639.9020301@nominet.org.uk> <20121019102549.GG10807@newphantom.local>
Message-ID:

On Oct 19, 2012, at 12:25 , Rick van Rein wrote:

> I've documented the change, as promised, on
> https://wiki.opendnssec.org/display/DOCS/ods-ksmutil

You have documented it in the wrong space, should be in DOCSTRUNK and not DOCS. DOCS is 1.3 and DOCSTRUNK is 1.4. Could be easily missed since I don't know if this information has gone out to everyone.
https://wiki.opendnssec.org/display/DOCSTRUNK/ods-ksmutil

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Tue Oct 23 09:18:09 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 23 Oct 2012 11:18:09 +0200
Subject: [Opendnssec-develop] Fwd: [issues.opendnssec.org] (OPENDNSSEC-342) Case-sensite comparison in auditor
References: <1548002792.87.1350983003305.JavaMail.jira@mountaineer.surfnet.nl>
Message-ID: <212227659215132608@unknownmsgid>

Hi,

I forward this to the developer list for discussion.

We have it in https://wiki.opendnssec.org/display/OpenDNSSEC/Release+Management+Process to support older versions and it is somewhat confusing since we have been using minor version numbering as major releases.

According to current process we today should support 1.2 and 1.1 but is that feasible?

/Jerry

Begin forwarded message:

*From:* Siôn Lloyd (JIRA)
*Date:* 23 October 2012 11:03:22 CEST
*To:* jerry at opendnssec.org
*Subject:* *[issues.opendnssec.org] (OPENDNSSEC-342) Case-sensite comparison in auditor*

Siôn Lloyd resolved [image: Bug] OPENDNSSEC-342 as *Fixed*
*Case-sensite comparison in auditor*

Patched the code in the 1.3 branch (see rev 6758)
I am going to patch the auditor held in trunk, but should we really be patching 1.2?

*Change By:* Siôn Lloyd (2012-10-23 11:02)
*Status:* Open Resolved
*Assignee:* Alex Dalitz Siôn Lloyd
*Fix Version/s:* 1.3.11
*Fix Version/s:* 1.2.3
*Resolution:* Fixed

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

From sion at nominet.org.uk Tue Oct 23 09:48:20 2012
From: sion at nominet.org.uk (Siôn Lloyd)
Date: Tue, 23 Oct 2012 10:48:20 +0100
Subject: [Opendnssec-develop] Fwd: [issues.opendnssec.org] (OPENDNSSEC-342) Case-sensite comparison in auditor
In-Reply-To: <212227659215132608@unknownmsgid>
References: <1548002792.87.1350983003305.JavaMail.jira@mountaineer.surfnet.nl> <212227659215132608@unknownmsgid>
Message-ID: <508667E4.6070802@nominet.org.uk>

This particular issue is not typical... I believe that it affects the auditor only if it is used with a signer other than the ODS signer (in this case BIND).

That said, I think that it is worth having this discussion; but maybe in the context of a "show stopping" bug being found in 1.2. In that case I think that we should patch it; but we'd need to test it somehow as we do not want to have to run 1.2 on jenkins. Would it be possible to run 1.2 through the tests written for 1.3? I can't remember how much the interface has changed but I suspect that this would be a fair amount of work.

Sion

On 23/10/12 10:18, Jerry Lundström wrote:

> Hi,
>
> I forward this to the developer list for discussion.
>
> We have it in
> https://wiki.opendnssec.org/display/OpenDNSSEC/Release+Management+Process
> to support older versions and it is somewhat confusing since we have
> been using minor version numbering as major releases.
>
> According to current process we today should support 1.2 and 1.1 but
> is that feasible?
>
> /Jerry
>
> Begin forwarded message:
>
>> *From:* Siôn Lloyd (JIRA)
>> *Date:* 23 October 2012 11:03:22 CEST
>> *To:* jerry at opendnssec.org
>> *Subject:* *[issues.opendnssec.org]
>> (OPENDNSSEC-342) Case-sensite comparison in auditor*
>>
>> Siôn Lloyd resolved Bug OPENDNSSEC-342 as *Fixed*
>> *Case-sensite comparison in auditor*
>>
>> Patched the code in the 1.3 branch (see rev 6758)
>> I am going to patch the auditor held in trunk, but should we really
>> be patching 1.2?
>>
>> *Change By:* Siôn Lloyd (2012-10-23 11:02)
>> *Status:* Open Resolved
>> *Assignee:* Alex Dalitz Siôn Lloyd
>> *Fix Version/s:* 1.3.11
>> *Fix Version/s:* 1.2.3
>> *Resolution:* Fixed

From jerry at opendnssec.org Tue Oct 23 10:07:11 2012
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 23 Oct 2012 12:07:11 +0200
Subject: [Opendnssec-develop] Fwd: [issues.opendnssec.org] (OPENDNSSEC-342) Case-sensite comparison in auditor
In-Reply-To: <16728099.45007.1350986072217.JavaMail.mobile-sync@vclw8>
References: <1548002792.87.1350983003305.JavaMail.jira@mountaineer.surfnet.nl> <212227659215132608@unknownmsgid> <16728099.45007.1350986072217.JavaMail.mobile-sync@vclw8>
Message-ID: <652756169011496391@unknownmsgid>

I think the issue is generic, domain names are case insensitive.

But regardless of the issue it's good if we come to an understanding what we should and should not do. Current process says we should so are we to spend time to fix bugs and setup tests or ... should we change the process?

And don't forget, we still have some "large" users running 1.0.

/Jerry

On 23 Oct 2012, at 11:49, "Siôn Lloyd" wrote:

This particular issue is not typical... I believe that it affects the auditor only if it is used with a signer other than the ODS signer (in this case BIND).

That said, I think that it is worth having this discussion; but maybe in the context of a "show stopping" bug being found in 1.2.
In that case I think that we should patch it; but we'd need to test it somehow as we do not want to have to run 1.2 on jenkins. Would it be possible to run 1.2 through the tests written for 1.3? I can't remember how much the interface has changed but I suspect that this would be a fair amount of work. Sion On 23/10/12 10:18, Jerry Lundstr?m wrote: Hi, I forward this to the developer list for discussion. We have it in https://wiki.opendnssec.org/display/OpenDNSSEC/Release+Management+Processto support older versions and it is somewhat confusing since we have been using minor version numbering as major releases. According to current process we today should support 1.2 and 1.1 but if that feasible? /Jerry Begin forwarded message: *From:* Si?n Lloyd (JIRA) *Date:* 23 oktober 2012 11:03:22 CEST *To:* jerry at opendnssec.org *Subject:* *[issues.opendnssec.org] (OPENDNSSEC-342) Case-sensite comparison in auditor* Si?n Lloydresolved [image: Bug] OPENDNSSEC-342 as *Fixed* *Case-sensite comparison in auditor* Patched the code in the 1.3 branch (see rev 6758) I am going to patch the auditor held in trunk, but should we really be patching 1.2? *Change By:* Si?n Lloyd(2012-10-23 11:02) *Status:* Open Resolved *Assignee:* Alex Dalitz Si?n Lloyd *Fix Version/s:* 1.3.11 *Fix Version/s:* 1.2.3 *Resolution:* Fixed This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators . For more information on JIRA, see: http://www.atlassian.com/software/jira _______________________________________________ Opendnssec-develop mailing listOpendnssec-develop at lists.opendnssec.orghttps://lists.opendnssec.org/mailman/listinfo/opendnssec-develop _______________________________________________ Opendnssec-develop mailing list Opendnssec-develop at lists.opendnssec.org https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop -------------- next part -------------- An HTML attachment was scrubbed... 

From matthijs at nlnetlabs.nl Tue Oct 23 10:44:36 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Tue, 23 Oct 2012 12:44:36 +0200
Subject: [Opendnssec-develop] jenkins down
Message-ID: <50867514.4090508@nlnetlabs.nl>

Looks like jenkins.opendnssec.org (gw1.sinodun.com) is down, it doesn't ping

Matthijs

From jerry at opendnssec.org Tue Oct 23 11:17:08 2012
From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=)
Date: Tue, 23 Oct 2012 13:17:08 +0200
Subject: [Opendnssec-develop] jenkins down
In-Reply-To: <50867514.4090508@nlnetlabs.nl>
References: <50867514.4090508@nlnetlabs.nl>
Message-ID:

On Oct 23, 2012, at 12:44 , Matthijs Mekking wrote:

> Looks like jenkins.opendnssec.org (gw1.sinodun.com) is down, it
> doesn't ping

I bet it's a link issue since none of them are online, we will just have to wait :)

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jad at sinodun.com Tue Oct 23 12:39:58 2012
From: jad at sinodun.com (John Dickinson)
Date: Tue, 23 Oct 2012 13:39:58 +0100
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl>
Message-ID:

Sorry I have been out of the office all morning.
The esxi server crashed and is unable to reboot due to a corrupt boot image. Will sort it ASAP.

John

On 23 Oct 2012, at 12:17, Jerry Lundström wrote:

> On Oct 23, 2012, at 12:44 , Matthijs Mekking wrote:
>
>> Looks like jenkins.opendnssec.org (gw1.sinodun.com) is down, it
>> doesn't ping
>
>
> I bet it's a link issue since none of them are online, we will just have to wait :)
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/
>

From jad at sinodun.com Tue Oct 23 15:04:50 2012
From: jad at sinodun.com (John Dickinson)
Date: Tue, 23 Oct 2012 16:04:50 +0100
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl>
Message-ID:

Hi,

This is fixed. It appears we had a power cut last night that outlasted our UPS and so crashed the hypervisor destroying it. The VMs were actually OK and have been moved to a running hypervisor.

Please let me know if there are any issues.

John.

On 23 Oct 2012, at 13:39, John Dickinson wrote:

> Sorry I have been out of the office all morning. The esxi server crashed and is unable to reboot due to a corrupt boot image. Will sort it ASAP.
>
> John
>
> On 23 Oct 2012, at 12:17, Jerry Lundström wrote:
>
>> On Oct 23, 2012, at 12:44 , Matthijs Mekking wrote:
>>
>>> Looks like jenkins.opendnssec.org (gw1.sinodun.com) is down, it
>>> doesn't ping
>>
>>
>> I bet it's a link issue since none of them are online, we will just have to wait :)
>>
>> --
>> Jerry Lundström - OpenDNSSEC Developer
>> http://www.opendnssec.org/
>>
>

From sara at sinodun.com Wed Oct 24 09:00:58 2012
From: sara at sinodun.com (Sara (Sinodun))
Date: Wed, 24 Oct 2012 10:00:58 +0100
Subject: [Opendnssec-develop] RE: I'm off sick today
Message-ID: <8983E11F-18AE-4BD9-B6A5-8CF4CE681AC3@sinodun.com>

Hi all,

I've not been well this week and will be off again today. Hope to be better tomorrow.... :(

Sara.

From jerry at opendnssec.org Wed Oct 24 11:06:48 2012
From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=)
Date: Wed, 24 Oct 2012 13:06:48 +0200
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl>
Message-ID:

On Tue, Oct 23, 2012 at 5:04 PM, John Dickinson wrote:
> Please let me know if there are any issues.

Does not look like Jenkins is running the jobs on schedule, it's not picking up today's commits. I've spread out all jobs across an hour and there was a commit today about 3 hours ago and it hasn't started building that. I've also restarted Jenkins but it still didn't start any jobs.

Can you see if there are some other logs which might tell us what's going on?

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jad at sinodun.com Wed Oct 24 12:07:03 2012
From: jad at sinodun.com (John Dickinson)
Date: Wed, 24 Oct 2012 13:07:03 +0100
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl>
Message-ID:

getting error in the log like this one:

Failed to access subversion repository http://svn.opendnssec.org/trunk/OpenDNSSEC

Investigating?

John

On 24 Oct 2012, at 12:06, Jerry Lundström wrote:

> On Tue, Oct 23, 2012 at 5:04 PM, John Dickinson wrote:
>> Please let me know if there are any issues.
>
> Does not look like Jenkins is running the jobs on schedule, it's not
> picking up today's commits. I've spread out all jobs across an hour and
> there was a commit today about 3 hours ago and it hasn't started
> building that. I've also restarted Jenkins but it still didn't start
> any jobs.
>
> Can you see if there are some other logs which might tell us what's going on?
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/

From jad at sinodun.com Wed Oct 24 12:27:15 2012
From: jad at sinodun.com (John Dickinson)
Date: Wed, 24 Oct 2012 13:27:15 +0100
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl>
Message-ID:

Intermittent name resolution problem caused by one of my resolvers also having been knocked over by the power outage!

Looks like it is running now.

John

On 24 Oct 2012, at 13:07, John Dickinson wrote:

> getting error in the log like this one:
>
> Failed to access subversion repository http://svn.opendnssec.org/trunk/OpenDNSSEC
>
> Investigating?
>
> John
> On 24 Oct 2012, at 12:06, Jerry Lundström wrote:
>
>> On Tue, Oct 23, 2012 at 5:04 PM, John Dickinson wrote:
>>> Please let me know if there are any issues.
>>
>> Does not look like Jenkins is running the jobs on schedule, it's not
>> picking up today's commits.
I've spread out all jobs across an hour and
>> there was a commit today about 3 hours ago and it hasn't started
>> building that. I've also restarted Jenkins but it still didn't start
>> any jobs.
>>
>> Can you see if there are some other logs which might tell us what's going on?
>>
>> --
>> Jerry Lundström - OpenDNSSEC Developer
>> http://www.opendnssec.org/
>

From jerry at opendnssec.org Wed Oct 24 12:32:01 2012
From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=)
Date: Wed, 24 Oct 2012 14:32:01 +0200
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl>
Message-ID:

On Wed, Oct 24, 2012 at 2:27 PM, John Dickinson wrote:
> Intermittent name resolution problem caused by one of my resolvers also having been knocked over by the power outage!
>
> Looks like it is running now.

Great! Thanks.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sion at nominet.org.uk Wed Oct 24 12:39:25 2012
From: sion at nominet.org.uk (=?ISO-8859-1?Q?Si=F4n_Lloyd?=)
Date: Wed, 24 Oct 2012 13:39:25 +0100
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl>
Message-ID: <5087E17D.2010402@nominet.org.uk>

On 24/10/12 13:32, Jerry Lundström wrote:
> On Wed, Oct 24, 2012 at 2:27 PM, John Dickinson wrote:
>> Intermittent name resolution problem caused by one of my resolvers also having been knocked over by the power outage!
>>
>> Looks like it is running now.
> Great! Thanks.
>

looks like it still has issues...

hudson.util.IOException2: revision check failed on http://svn.opendnssec.org/trunk/OpenDNSSEC

followed by a few yards of java errors.

From jad at sinodun.com Wed Oct 24 13:06:23 2012
From: jad at sinodun.com (John Dickinson)
Date: Wed, 24 Oct 2012 14:06:23 +0100
Subject: [Opendnssec-develop] jenkins down
In-Reply-To: <5087E17D.2010402@nominet.org.uk>
References: <50867514.4090508@nlnetlabs.nl> <5087E17D.2010402@nominet.org.uk>
Message-ID:

On 24 Oct 2012, at 13:39, Siôn Lloyd wrote:

> On 24/10/12 13:32, Jerry Lundström wrote:
>> On Wed, Oct 24, 2012 at 2:27 PM, John Dickinson wrote:
>>> Intermittent name resolution problem caused by one of my resolvers also having been knocked over by the power outage!
>>>
>>> Looks like it is running now.
>> Great! Thanks.
>>
>
> looks like it still has issues...
>
> hudson.util.IOException2: revision check failed on http://svn.opendnssec.org/trunk/OpenDNSSEC
>

The log shows that error at Oct 11, 2012 10:21:08 UTC - before I fixed the name resolution issue. Are you seeing it more recently?

> followed by a few yards of java errors.

I hate Java errors!

John

From jad at sinodun.com Wed Oct 24 13:11:42 2012
From: jad at sinodun.com (John Dickinson)
Date: Wed, 24 Oct 2012 14:11:42 +0100
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl> <5087E17D.2010402@nominet.org.uk>
Message-ID:

On 24 Oct 2012, at 14:06, John Dickinson wrote:

>
> On 24 Oct 2012, at 13:39, Siôn Lloyd wrote:
>
>> On 24/10/12 13:32, Jerry Lundström wrote:
>>> On Wed, Oct 24, 2012 at 2:27 PM, John Dickinson wrote:
>>>> Intermittent name resolution problem caused by one of my resolvers also having been knocked over by the power outage!
>>>>
>>>> Looks like it is running now.
>>> Great! Thanks.
>>>
>>
>> looks like it still has issues...
>>
>> hudson.util.IOException2: revision check failed on http://svn.opendnssec.org/trunk/OpenDNSSEC
>>
>
> The log shows that error at Oct 11, 2012 10:21:08 UTC - before I fixed the name resolution issue. Are you seeing it more recently?
>

Sorry that should be Oct 24, 2012 10:07:42 UTC (must search the log in the correct direction). - Still before I fixed the name resolution issue. There may have been a backlog of email notifications.

John

>> followed by a few yards of java errors.
>
> I hate Java errors!
>
> John
>

From sion at nominet.org.uk Wed Oct 24 13:12:30 2012
From: sion at nominet.org.uk (=?ISO-8859-1?Q?Si=F4n_Lloyd?=)
Date: Wed, 24 Oct 2012 14:12:30 +0100
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl> <5087E17D.2010402@nominet.org.uk>
Message-ID: <5087E93E.5070307@nominet.org.uk>

On 24/10/12 14:06, John Dickinson wrote:
> The log shows that error at Oct 11, 2012 10:21:08 UTC - before I fixed the name resolution issue. Are you seeing it more recently?

If I am reading it correctly this is in a build that kicked off at 12:22 today (build no199).

>> followed by a few yards of java errors.
> I hate Java errors!

:)

From jerry at opendnssec.org Wed Oct 24 13:16:47 2012
From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=)
Date: Wed, 24 Oct 2012 15:16:47 +0200
Subject: [Opendnssec-develop] jenkins down
In-Reply-To: <5087E93E.5070307@nominet.org.uk>
References: <50867514.4090508@nlnetlabs.nl> <5087E17D.2010402@nominet.org.uk> <5087E93E.5070307@nominet.org.uk>
Message-ID:

On Wed, Oct 24, 2012 at 3:12 PM, Siôn Lloyd wrote:
> On 24/10/12 14:06, John Dickinson wrote:
>>
>> The log shows that error at Oct 11, 2012 10:21:08 UTC - before I fixed the
>> name resolution issue. Are you seeing it more recently?
>
> If I am reading it correctly this is in a build that kicked off at 12:22
> today (build no199).

Or build #200 for build-opendnssec-trunk-mysql

ERROR: Failed to update http://svn.opendnssec.org/trunk/OpenDNSSEC
org.tmatesoft.svn.core.SVNException: svn: E175002: OPTIONS /trunk/OpenDNSSEC failed
svn: E175002: unknown host

https://jenkins.opendnssec.org/job/build-opendnssec-trunk-mysql/200/consoleText

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Wed Oct 24 13:58:23 2012
From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=)
Date: Wed, 24 Oct 2012 15:58:23 +0200
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl> <5087E17D.2010402@nominet.org.uk> <5087E93E.5070307@nominet.org.uk>
Message-ID:

Hi,

Seems to work now, maybe it was a caching issue.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jad at sinodun.com Wed Oct 24 13:59:46 2012
From: jad at sinodun.com (John Dickinson)
Date: Wed, 24 Oct 2012 14:59:46 +0100
Subject: [Opendnssec-develop] jenkins down
In-Reply-To:
References: <50867514.4090508@nlnetlabs.nl> <5087E17D.2010402@nominet.org.uk> <5087E93E.5070307@nominet.org.uk>
Message-ID: <273ED62F-FA4D-4C2C-99E2-FA856B8BC708@sinodun.com>

Yep I think so. The jenkins master server is now running a local unbound instance.

John

On 24 Oct 2012, at 14:58, Jerry Lundström wrote:

> Hi,
>
> Seems to work now, maybe it was a caching issue.
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/

From sara at sinodun.com Thu Oct 25 13:27:59 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Thu, 25 Oct 2012 14:27:59 +0100
Subject: [Opendnssec-develop] Fwd: [issues.opendnssec.org] (OPENDNSSEC-342) Case-sensite comparison in auditor
In-Reply-To: <652756169011496391@unknownmsgid>
References: <1548002792.87.1350983003305.JavaMail.jira@mountaineer.surfnet.nl> <212227659215132608@unknownmsgid> <16728099.45007.1350986072217.JavaMail.mobile-sync@vclw8> <652756169011496391@unknownmsgid>
Message-ID:

Hi there,

Good spot Jerry - so there is a difference between what is stated on the wiki page and what (as far as I can tell) has actually been done over the lifetime of ODS as a product.

1) Release process: I believe Rickard put that process page together some time (years) ago - I seem to remember that we looked at it in the developer workshop in 2011 and realised it was wrong. I have a long standing JIRA issue from then to update it (http://issues.opendnssec.org/browse/OPENDNSSEC-121) but it doesn't say what was decided.....?

I did also find a discussion of version support at the RIPE 64 board meeting (https://wiki.opendnssec.org/download/attachments/2621467/OAB+meeting+minutes+v1.pdf?version=1&modificationDate=1337869309000) but it seems to only reach a conclusion about what to do with regard to 'support contracts' and in that case the plan is to support the current and the previous major version (I wasn't there but I imagine 1.2, 1.3 and 1.4 were considered 'major' versions in this context?).

Anyone else remember anything from either meeting?

I think we need to revisit and agree on what the process should be before changing anything....

Anyhoo - even if we decide to change approach and support 'the current and previous major release' once 1.4 is shipped we would stop support for 1.2 anyway so I'm not sure it would be worth the effort to support it in the short term.
I believe the most sensible approach might be to continue to support 1.3 after the release of 1.4 since this should have a relatively low overhead and provide support to the majority of users who I believe are on 1.3.

2) Is this issue with the auditor a show-stopper? The reporter only marked it as minor since I suppose they are using the patch they developed. In general though, I would argue (as we would have with other fixes) users should upgrade to 1.3 for the fix unless they had a show stopping reason not to.

Sara.

On 23 Oct 2012, at 11:07, Jerry Lundström wrote:

> I think the issue is generic, domain names are case insensitive.
>
> But regardless of the issue it's good if we come to an understanding what we should and should not do.
>
> Current process says we should so are we to spend time to fix bugs and setup tests or ... should we change the process?
>
> And don't forget, we still have some "large" users running 1.0.
>
> /Jerry
>
> On 23 okt 2012, at 11:49, "Siôn Lloyd" wrote:
>
>> This particular issue is not typical... I believe that it affects the auditor only if it is used with a signer other than the ODS signer (in this case BIND).
>>
>> That said, I think that it is worth having this discussion; but maybe in the context of a "show stopping" bug being found in 1.2.
>>
>> In that case I think that we should patch it; but we'd need to test it somehow as we do not want to have to run 1.2 on jenkins. Would it be possible to run 1.2 through the tests written for 1.3? I can't remember how much the interface has changed but I suspect that this would be a fair amount of work.
>>
>> Sion
>>
>>
>> On 23/10/12 10:18, Jerry Lundström wrote:
>>> Hi,
>>>
>>> I forward this to the developer list for discussion.
>>>
>>> We have it in https://wiki.opendnssec.org/display/OpenDNSSEC/Release+Management+Process to support older versions and it is somewhat confusing since we have been using minor version numbering as major releases.
>>>
>>> According to current process we today should support 1.2 and 1.1 but is that feasible?
>>>
>>> /Jerry
>>>
>>> Begin forwarded message:
>>>
>>>> From: Siôn Lloyd (JIRA)
>>>> Date: 23 oktober 2012 11:03:22 CEST
>>>> To: jerry at opendnssec.org
>>>> Subject: [issues.opendnssec.org] (OPENDNSSEC-342) Case-sensite comparison in auditor
>>>>
>>>>
>>>>
>>>> Siôn Lloyd resolved OPENDNSSEC-342 as Fixed
>>>> Case-sensite comparison in auditor
>>>>
>>>> Patched the code in the 1.3 branch (see rev 6758)
>>>> I am going to patch the auditor held in trunk, but should we really be patching 1.2?
>>>>
>>>> Change By: Siôn Lloyd (2012-10-23 11:02)
>>>> Status: Open Resolved
>>>> Assignee: Alex Dalitz Siôn Lloyd
>>>> Fix Version/s: 1.3.11
>>>> Fix Version/s: 1.2.3
>>>> Resolution: Fixed

From sion at nominet.org.uk Thu Oct 25 13:37:45 2012
From: sion at nominet.org.uk (=?ISO-8859-1?Q?Si=F4n_Lloyd?=)
Date: Thu, 25 Oct 2012 14:37:45 +0100
Subject: [Opendnssec-develop] Fwd: [issues.opendnssec.org] (OPENDNSSEC-342) Case-sensite comparison in auditor
In-Reply-To:
References: <1548002792.87.1350983003305.JavaMail.jira@mountaineer.surfnet.nl>
<212227659215132608@unknownmsgid> <16728099.45007.1350986072217.JavaMail.mobile-sync@vclw8> <652756169011496391@unknownmsgid>
Message-ID: <508940A9.3080006@nominet.org.uk>

On 25/10/12 14:27, Sara Dickinson wrote:
> 2) Is this issue with the auditor a show-stopper? The reporter only marked it as minor since I suppose they are using the patch they developed. In general though, I would argue (as we would have with other fixes) users should upgrade to 1.3 for the fix unless they had a show stopping reason not to.
>
>

Not at all show stopping. I think that the only reason it appears is because they use BIND as the signer. The auditor and the ODS signer are matched in the way they treat NSEC3 records.

From rickard at opendnssec.org Thu Oct 25 14:11:38 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Thu, 25 Oct 2012 16:11:38 +0200
Subject: [Opendnssec-develop] SoftHSM performance
Message-ID:

Hi

I have compared the performance between SoftHSMv1 and SoftHSMv2 (OpenSSL and Botan).

SoftHSMv2 OpenSSL:
ods-hsmspeed -r SoftHSM -i 50000 -s 1024 -t 1
1032.66 sig/s

SoftHSMv2 Botan:
ods-hsmspeed -r SoftHSM -i 10000 -s 1024 -t 1
236.15 sig/s

SoftHSMv1:
ods-hsmspeed -r SoftHSM -i 50000 -s 1024 -t 1
1376.68 sig/s

SoftHSMv2 is currently having some threading issues. Thus not possible to do multi-threaded tests.

The negative with Botan is the overhead when e.g. creating the RSA C++ object. SoftHSMv1 utilizes an object cache, so that the Botan key objects do not need to be recreated all of the time. Is that something we want for SoftHSMv2? E.g. an 1-key cache?

// Rickard

From sara at sinodun.com Fri Oct 26 09:15:44 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Fri, 26 Oct 2012 10:15:44 +0100
Subject: [Opendnssec-develop] Fwd: [issues.opendnssec.org] (OPENDNSSEC-342) Case-sensite comparison in auditor
In-Reply-To: <508940A9.3080006@nominet.org.uk>
References: <1548002792.87.1350983003305.JavaMail.jira@mountaineer.surfnet.nl> <212227659215132608@unknownmsgid> <16728099.45007.1350986072217.JavaMail.mobile-sync@vclw8> <652756169011496391@unknownmsgid> <508940A9.3080006@nominet.org.uk>
Message-ID: <460EB7ED-F65E-4E72-84F9-D7B756A9F61B@sinodun.com>

On 25 Oct 2012, at 14:37, Siôn Lloyd wrote:

> On 25/10/12 14:27, Sara Dickinson wrote:
>> 2) Is this issue with the auditor a show-stopper? The reporter only marked it as minor since I suppose they are using the patch they developed. In general though, I would argue (as we would have with other fixes) users should upgrade to 1.3 for the fix unless they had a show stopping reason not to.
>>
>>
>
> Not at all show stopping. I think that the only reason it appears is because they use BIND as the signer. The auditor and the ODS signer are matched in the way they treat NSEC3 records.

So is the upshot we agree this shouldn't be patched to 1.2? (I'll add an item to the agenda of the next team meeting to discuss support of older versions anyway.)

With regard to 1.3.11 it seems we should wait for a fix for OPENDNSSEC-345 as well as 338 before releasing? Jerry are you OK to test all the 1.3.11 issues you reported or do you want anyone else to help out?

http://issues.opendnssec.org/secure/IssueNavigator.jspa?reset=true&jqlQuery=fixVersion+%3D+%221.3.11%22+AND+project+%3D+OPENDNSSEC+ORDER+BY+status+ASC%2C+resolution+DESC%2C+key+DESC

Also is OPENDNSSEC-343 an accidental duplicate of 342 or am I missing something?

Sara.

From jakob at kirei.se Fri Oct 26 11:19:12 2012
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 26 Oct 2012 13:19:12 +0200
Subject: [Opendnssec-develop] SoftHSM performance
In-Reply-To:
References:
Message-ID: <9FB52667-11A0-487B-96F7-FEAE87BA50EB@kirei.se>

On 25 okt 2012, at 16:11, Rickard Bellgrim wrote:

> I have compared the performance between SoftHSMv1 and SoftHSMv2
> (OpenSSL and Botan).
>
> SoftHSMv2 OpenSSL:
> ods-hsmspeed -r SoftHSM -i 50000 -s 1024 -t 1
> 1032.66 sig/s
>
> SoftHSMv2 Botan:
> ods-hsmspeed -r SoftHSM -i 10000 -s 1024 -t 1
> 236.15 sig/s

Ouch.

> The negative with Botan is the overhead when e.g. creating the RSA C++
> object. SoftHSMv1 utilizes an object cache, so that the Botan key
> objects do not need to be recreated all of the time. Is that
> something we want for SoftHSMv2? E.g. an 1-key cache?

Would such a cache scale for multiple keys as well?

jakob

From rickard at opendnssec.org Fri Oct 26 11:38:15 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Fri, 26 Oct 2012 13:38:15 +0200
Subject: [Opendnssec-develop] SoftHSM performance
In-Reply-To: <9FB52667-11A0-487B-96F7-FEAE87BA50EB@kirei.se>
References: <9FB52667-11A0-487B-96F7-FEAE87BA50EB@kirei.se>
Message-ID:

> Would such a cache scale for multiple keys as well?

As long as you are using the same key within one session. My idea was to save the latest private/public key within the session and reuse it if the next object handle matched.

// Rickard

From sara at sinodun.com Mon Oct 29 10:39:30 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 29 Oct 2012 10:39:30 +0000
Subject: [Opendnssec-develop] RE: Team Meeting - Tuesday 30th Oct @ 14.00 CET
Message-ID:

Hi All,

We have a scheduled team meeting tomorrow:

Date: Tuesday 30 October 2012
Time: 14:00-15:00 CET, 13:00-14:00 GMT
Method: Google+
Agenda: http://wiki.opendnssec.org/display/OpenDNSSEC/2012-10-30+agenda

Sara.
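
The one-key session cache proposed in the SoftHSM performance thread above, as an added sketch that is not SoftHSM code: `ExpensiveKey`, `KeyStore` and `Session` are hypothetical stand-ins, the key bytes are constructed sample data, and the toy hash is not a signature scheme. It shows the cache paying off for a single key, rebuilding on every call when a session alternates between two keys, and being dropped when the object is destroyed so cached key material cannot outlive it.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

using Handle = unsigned long;   // stands in for a PKCS#11 object handle
static int g_keys_built = 0;    // counts expensive key-object constructions

// Hypothetical stand-in for a crypto-library key object that is costly to build.
struct ExpensiveKey {
    std::vector<uint8_t> material;
    explicit ExpensiveKey(const std::vector<uint8_t>& m) : material(m) { ++g_keys_built; }
    // Toy keyed hash (FNV-1a style); only there so the result depends on the key.
    uint32_t sign(const std::string& msg) const {
        uint32_t h = 2166136261u;
        for (uint8_t b : material) h = (h ^ b) * 16777619u;
        for (unsigned char c : msg) h = (h ^ c) * 16777619u;
        return h;
    }
};

// Hypothetical token storage: object handle -> raw key material.
class KeyStore {
public:
    void add(Handle h, std::vector<uint8_t> m) { objects_[h] = std::move(m); }
    void destroy(Handle h) { objects_.erase(h); }
    bool exists(Handle h) const { return objects_.count(h) != 0; }
    const std::vector<uint8_t>& material(Handle h) const { return objects_.at(h); }
private:
    std::map<Handle, std::vector<uint8_t>> objects_;
};

// A session that remembers only the most recently used key object.
class Session {
public:
    explicit Session(KeyStore& store) : store_(store), cached_handle_(0) {}
    uint32_t sign(Handle h, const std::string& msg) {
        // Check the store first: a destroyed object must not be usable via the cache.
        if (!store_.exists(h)) {
            if (cached_ && cached_handle_ == h) drop();
            throw std::runtime_error("invalid object handle");
        }
        if (!cached_ || cached_handle_ != h) {   // miss: rebuild and replace the one slot
            cached_.reset(new ExpensiveKey(store_.material(h)));
            cached_handle_ = h;
        }
        return cached_->sign(msg);
    }
    void drop() { cached_.reset(); }             // call on logout or session close
    bool has_cached_key() const { return static_cast<bool>(cached_); }
private:
    KeyStore& store_;
    std::unique_ptr<ExpensiveKey> cached_;
    Handle cached_handle_;
};

static KeyStore sample_store() {                 // constructed sample keys
    KeyStore s;
    s.add(1, {0x01, 0x02, 0x03});
    s.add(2, {0x0a, 0x0b, 0x0c});
    return s;
}

// Key objects built while signing n times with the same handle.
int builds_same_key(int n) {
    KeyStore store = sample_store();
    Session sess(store);
    int before = g_keys_built;
    for (int i = 0; i < n; ++i) sess.sign(1, "rrset");
    return g_keys_built - before;
}

// Key objects built while alternating between two handles (e.g. KSK and ZSK).
int builds_alternating_keys(int n) {
    KeyStore store = sample_store();
    Session sess(store);
    int before = g_keys_built;
    for (int i = 0; i < n; ++i) sess.sign(i % 2 ? 1 : 2, "rrset");
    return g_keys_built - before;
}

// After the object is destroyed, signing fails and the cached copy is gone.
bool destroyed_key_is_rejected() {
    KeyStore store = sample_store();
    Session sess(store);
    sess.sign(1, "rrset");
    store.destroy(1);
    try { sess.sign(1, "rrset"); }
    catch (const std::runtime_error&) { return !sess.has_cached_key(); }
    return false;
}

int main() {
    std::cout << "same key, 1000 signs:    " << builds_same_key(1000) << " builds\n";
    std::cout << "two keys, 1000 signs:    " << builds_alternating_keys(1000) << " builds\n";
    std::cout << "destroyed key rejected:  " << destroyed_key_is_rejected() << "\n";
    return 0;
}
```
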

From sara at sinodun.com Tue Oct 30 11:32:19 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 30 Oct 2012 11:32:19 +0000
Subject: [Opendnssec-develop] RE: Jenkins tests
Message-ID: <07E6E18C-F39E-454C-AAAC-60221FF48A5F@sinodun.com>

Hi All,

I got thinking the other day about how we are using jenkins and wanted to propose an approach for discussion. We are still developing the framework, test coverage and learning how to write tests but I thought it was worth an email.

There are two main things that I think need agreeing:

1) What is the general process for jenkins tests?
2) What do we do with intermittent and platform dependent failures.

So my proposals are:

1) We aim for clean builds every night.
- We can configure jenkins to do a full, clean build of everything in the early morning (e.g. 1 or 2 am) then easily tell by looking at the results the following morning if any code submitted the previous day has broken anything.
- If everyone gets in the habit of running any relevant regression tests locally before submitting code to trunk then we should have lots of sunny skies :-) In theory the overnight builds should only ever break when platform dependencies pop up and hopefully these would be seen during the day anyway.
- Obviously if new tests are being added or actively developed then there may be failures during the day, but if these tests are not passing by the time you head home then the recommendation would be that the test is turned off overnight.

2) Assuming the above then we probably need to consider mechanisms to deal with 'awkward' failures.
- I propose that if we have a test that fails intermittently then we turn it off or modify it until we can get it to run reliably (e.g.10-160-odscc10t160).
- I think it is ok to turn off tests on specific platforms while testing/developing/bug fixing is in progress if having the test pass on say, 11 out of 12 platforms is helpful (rather than having to turn the whole test on and off every day).
I think it is a better option than having a test failing and clouding the results for others. There may even be cases where a given platform doesn't support a tool needed for a given test in which case we would need a mechanism to suppress the test on a given platform.

I'd like to know what people think about this.

I also saw this the other day but don't think it has a big enough range for an international team :-)

http://github.com/codedance/Retaliation#readme

Sara.

From matthijs at nlnetlabs.nl Tue Oct 30 13:36:36 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Tue, 30 Oct 2012 14:36:36 +0100
Subject: [Opendnssec-develop] testing dns adapters document
Message-ID: <508FD7E4.7060801@nlnetlabs.nl>

Please review and add missing test cases.

https://wiki.opendnssec.org/display/OpenDNSSEC/Testing+DNS+Adapters

From rickard at opendnssec.org Tue Oct 30 15:28:45 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 30 Oct 2012 16:28:45 +0100
Subject: [Opendnssec-develop] SoftHSMv2 and IPC
Message-ID:

Hi

I have been looking at the issues on Inter-Process Communication in SoftHSMv2. The current issue is that OpenBSD does not implement POSIX Semaphores and NetBSD has a maximum length of 14 characters on the names of the named semaphores. I tried to convert it over to System V semaphores, but then we have an issue that we hit the maximum number of semaphores and that there is no good equivalent to sem_unlink().

Currently there is one semaphore per object. Maybe we should re-design IPC part of SoftHSMv2?

// Rickard

From jerry at opendnssec.org Tue Oct 30 16:58:37 2012
From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=)
Date: Tue, 30 Oct 2012 17:58:37 +0100
Subject: [Opendnssec-develop] SoftHSMv2 and IPC
In-Reply-To:
References:
Message-ID:

Hi,

On Tue, Oct 30, 2012 at 4:28 PM, Rickard Bellgrim wrote:
> I have been looking at the issues on Inter-Process Communication in
> SoftHSMv2. The current issue is that OpenBSD does not implement POSIX
> Semaphores and NetBSD has a maximum length of 14 characters on the
> names of the named semaphores. I tried to convert it over to System V
> semaphores, but then we have an issue that we hit the maximum number
> of semaphores and that there is no good equivalent to sem_unlink().

14 characters is not a problem, that's 10^14 combinations if you just sprintf() a number as identification. Hitting the maximum number of semaphore is a bigger problem because it might not be changeable on some systems and hard for some users to do.

> Currently there is one semaphore per object.

Why do we have a semaphore per object?

What is an object (is it a key_pair)?

How does this work in v1?

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From rickard at opendnssec.org Tue Oct 30 21:19:18 2012
From: rickard at opendnssec.org (Rickard Bellgrim)
Date: Tue, 30 Oct 2012 22:19:18 +0100
Subject: [Opendnssec-develop] SoftHSMv2 and IPC
In-Reply-To:
References:
Message-ID:

> 14 characters is not a problem, that's 10^14 combinations if you just
> sprintf() a number as identification. Hitting the maximum number of
> semaphore is a bigger problem because it might not be changeable on
> some systems and hard for some users to do.

The name is now a string with the path and the UUID of the object. So currently it is longer than 14 characters. I only hit a maximum with the System V semaphores, but not with the POSIX semaphores.

> Why do we have a semaphore per object?

For synchronizing changes between processes.
There is a memory layer and file layer. To minimize the number of semaphore, it would be better to re-design this part.

> What is an object (is it a key_pair)?

PKCS#11 Objects: CKO_DATA, CKO_PRIVATE_KEY, CKO_PUBLIC_KEY, CKO_SECRET_KEY, CKO_CERTIFICATE

> How does this work in v1?

All data are read from the SQLite database.

// Rickard

From jerry at opendnssec.org Wed Oct 31 07:42:04 2012
From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=)
Date: Wed, 31 Oct 2012 08:42:04 +0100
Subject: [Opendnssec-develop] SoftHSMv2 and IPC
In-Reply-To:
References:
Message-ID:

On Tue, Oct 30, 2012 at 10:19 PM, Rickard Bellgrim wrote:
>> Why do we have a semaphore per object?
>
> For synchronizing changes between processes. There is a memory layer
> and file layer. To minimize the number of semaphore, it would be
> better to re-design this part.

I've been looking at the code and from what I can see it uses semaphores as a type of revision for the object tokens and files to know when to reread them from disk, please correct me if I'm wrong.

Since we have a file per key (I assume) then there is another limitation that you must be aware of, the number of files in a directory is limited depending on the file system used. This is why most file based backends like this split the first part of the files names into 2-3 levels of directories to increase the number of files it can have.

The use of semaphores here is very strange in my view but it could work.

There is one thing that came to mind, if instead of using semaphore you use the first bytes of the file and a revision marker then this type of object store could be used on a network based file system (NFS) running two active setups. Then put Lim (or similar) on top and you have a redundant network based (H)SM with REST/SOAP/* APIs.

I also noticed that in ObjectFile::commitTransaction it releases the mutex for the object, releases the transaction lock and puts it out of transaction before storing the object.
And in store() it does not lock the mutex before checking if it's in transaction. This can lead to another thread/process starting a transaction after store() checked that and alter information of the ObjectFile as it is storing it. commitTransaction should not release the mutex, it should be locked during the store().

And I see a lot of mutexes, transaction locks and locks on the files themselves all in different orders which will eventually lead to deadlocks.

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From sara at sinodun.com Wed Oct 31 10:29:49 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Wed, 31 Oct 2012 10:29:49 +0000
Subject: [Opendnssec-develop] testing dns adapters document
In-Reply-To: <508FD7E4.7060801@nlnetlabs.nl>
References: <508FD7E4.7060801@nlnetlabs.nl>
Message-ID: <9F12FBC9-F0EC-4A04-99E2-5B9E89718E2C@sinodun.com>

Hi Matthijs,

From looking at this it seems to me the following are rough areas to concentrate on:

1) Would it be best (if possible) to get someone else to do some manual testing of TCP & ACL to try to catch any major issues if this is too time consuming to do in jenkins right now?

2) In terms of jenkins tests then as you said, it seems focussing on IXFR functionality and scalability seems the obvious thing to prioritise.

3) I wonder if we should also consider setting up a jenkins test with the adapters using BIND and possibly validns on just one platform (since we don't know when we will have the benchmarking hardware). This could use a separate test directory and jenkins test and run once a day. It would give us a baseline and hopefully catch some issues. Given we no longer have the auditor we need to start thinking about other validation mechanisms anyway. I don't think the fact we can't support it easily on all platforms is an argument for not doing it at all?

Sara.

On 30 Oct 2012, at 13:36, Matthijs Mekking wrote:

> Please review and add missing test cases.
>
> https://wiki.opendnssec.org/display/OpenDNSSEC/Testing+DNS+Adapters
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From matthijs at nlnetlabs.nl Wed Oct 31 10:37:47 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Wed, 31 Oct 2012 11:37:47 +0100
Subject: [Opendnssec-develop] testing dns adapters document
In-Reply-To: <9F12FBC9-F0EC-4A04-99E2-5B9E89718E2C@sinodun.com>
References: <508FD7E4.7060801@nlnetlabs.nl> <9F12FBC9-F0EC-4A04-99E2-5B9E89718E2C@sinodun.com>
Message-ID: <5090FF7B.5090508@nlnetlabs.nl>

Hi,

On 10/31/2012 11:29 AM, Sara Dickinson wrote:
> Hi Matthijs,
>
> From looking at this it seems to me the following are rough areas to concentrate on:
>
> 1) Would it be best (if possible) to get someone else to do some manual testing of TCP & ACL to try to catch any major issues if this is too time consuming to do in jenkins right now?

That would certainly be useful.

> 2) In terms of jenkins tests then as you said, it seems focussing on IXFR functionality and scalability seems the obvious thing to prioritise.

IXFR functionality is something that can be put in jenkins. Scalability tests, it seems to me, have to be done on a different platform.

> 3) I wonder if we should also consider setting up a jenkins test with the adapters using BIND and possibly validns on just one platform (since we don't know when we will have the benchmarking hardware). This could use a separate test directory and jenkins test and run once a day. It would give us a baseline and hopefully catch some issues. Given we no longer have the auditor we need to start thinking about other validation mechanisms anyway. I don't think the fact we can't support it easily on all platforms is an argument for not doing it at all?
Either on one jenkins platform or outside jenkins, an interoperability test that can be replayed would be very nice to have. With that in mind, putting it in the daily test dir in jenkins would make sense to me. Let's see how far we can get with the scripts from Nominet.

Best regards,
Matthijs

>
> Sara.
>
> On 30 Oct 2012, at 13:36, Matthijs Mekking wrote:
>
>> Please review and add missing test cases.
>>
>> https://wiki.opendnssec.org/display/OpenDNSSEC/Testing+DNS+Adapters

From sion at nominet.org.uk Wed Oct 31 11:03:42 2012
From: sion at nominet.org.uk (=?ISO-8859-1?Q?Si=F4n_Lloyd?=)
Date: Wed, 31 Oct 2012 11:03:42 +0000
Subject: [Opendnssec-develop] testing dns adapters document
In-Reply-To: <9F12FBC9-F0EC-4A04-99E2-5B9E89718E2C@sinodun.com>
References: <508FD7E4.7060801@nlnetlabs.nl> <9F12FBC9-F0EC-4A04-99E2-5B9E89718E2C@sinodun.com>
Message-ID: <5091058E.1030505@nominet.org.uk>

On 31/10/12 10:29, Sara Dickinson wrote:
> 3) I wonder if we should also consider setting up a jenkins test with the adapters using BIND and possibly validns on just one platform (since we don't know when we will have the benchmarking hardware). This could use a separate test directory and jenkins test and run once a day. It would give us a baseline and hopefully catch some issues. Given we no longer have the auditor we need to start thinking about other validation mechanisms anyway. I don't think the fact we can't support it easily on all platforms is an argument for not doing it at all?
>

What is the problem with relying on the distro's version of BIND? We rely on the distro providing gcc etc...

Sion

From matthijs at nlnetlabs.nl Wed Oct 31 12:29:05 2012
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Wed, 31 Oct 2012 13:29:05 +0100
Subject: [Opendnssec-develop] Fwd: Re: [Unbound-users] DNSSEC validation failure of .nl TLD
In-Reply-To: <50910B90.8020507@sidn.nl>
References: <50910B90.8020507@sidn.nl>
Message-ID: <50911991.9040801@nlnetlabs.nl>

The statement of SIDN is in Dutch. Here is a public version:

http://www.miek.nl/blog/archives/2012/10/31/dnssec_storing_28_oktober_2012/index.html

Marco also sent an explanation to unbound-users, see below. It looks like an operator error also occurred.

SUPPORT-41 is also created with respect to this incident.

Best regards,
Matthijs

-------- Original Message --------
Subject: Re: [Unbound-users] DNSSEC validation failure of .nl TLD
Date: Wed, 31 Oct 2012 12:29:20 +0100
From: Marco Davids (SIDN)
Organization: SIDN
To:

Hi,

On 10/29/12 20:14, Casey Deccio wrote:

> Looks like perhaps the new ZSK wasn't pre-published long enough.

As promised a brief (informal) follow-up on what happened.

Indeed the new ZSK wasn't pre-published long enough. After OpenDNSSEC generated it and just prior to publishing it in the DNS, the software encountered a problem. As a result of that, the zonefile was never published. In fact, we missed two zonefile updates before we got all the right people mobilised and were ready to restart the process.

When we published the new zonefile, OpenDNSSEC figured that the pre-publication time was long enough and started to include new RRSIGs, made by the new ZSK. This resulted in validation errors. So, the observation of Casey was just right.

We will continue to look into this issue further and we will implement protective measures to prevent this from happening again.
Regards,

_______________________________________________
Unbound-users mailing list
Unbound-users at unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users

From sara at sinodun.com Wed Oct 31 12:42:57 2012
From: sara at sinodun.com (Sara Dickinson)
Date: Wed, 31 Oct 2012 12:42:57 +0000
Subject: [Opendnssec-develop] testing dns adapters document
In-Reply-To: <5090FF7B.5090508@nlnetlabs.nl>
References: <508FD7E4.7060801@nlnetlabs.nl> <9F12FBC9-F0EC-4A04-99E2-5B9E89718E2C@sinodun.com> <5090FF7B.5090508@nlnetlabs.nl>
Message-ID: <1EE1E1D4-5D2B-49D2-B216-633CD80A723C@sinodun.com>

On 31 Oct 2012, at 10:37, Matthijs Mekking wrote:

> Hi,
>
> On 10/31/2012 11:29 AM, Sara Dickinson wrote:
>> Hi Matthijs,
>>
>> From looking at this it seems to me the following are rough areas to concentrate on:
>>
>> 1) Would it be best (if possible) to get someone else to do some manual testing of TCP & ACL to try to catch any major issues if this is too time consuming to do in jenkins right now?
>
> That would certainly be useful.

I can take a pass at the ACL stuff later this week - any volunteers for the TCP side of things?

>
>> 2) In terms of jenkins tests then as you said, it seems focussing on IXFR functionality and scalability seems the obvious thing to prioritise.
>
> IXFR functionality is something that can be put in jenkins. Scalability
> tests, it seems to me, have to be done on a different platform.
>
>> 3) I wonder if we should also consider setting up a jenkins test with the adapters using BIND and possibly validns on just one platform (since we don't know when we will have the benchmarking hardware). This could use a separate test directory and jenkins test and run once a day. It would give us a baseline and hopefully catch some issues. Given we no longer have the auditor we need to start thinking about other validation mechanisms anyway. I don't think the fact we can't support it easily on all platforms is an argument for not doing it at all?
>
> Either on one jenkins platform or outside jenkins, an interoperability
> test that can be replayed would be very nice to have. With that in mind,
> putting it in the daily test dir in jenkins would make sense to me. Let's
> see how far we can get with the scripts from Nominet.

Jerry - could you help out with setting up BIND and validns (or similar) for this work?

Thanks

Sara.

From jerry at opendnssec.org Wed Oct 31 13:32:41 2012
From: jerry at opendnssec.org (=?ISO-8859-1?Q?Jerry_Lundstr=F6m?=)
Date: Wed, 31 Oct 2012 14:32:41 +0100
Subject: [Opendnssec-develop] testing dns adapters document
In-Reply-To: <1EE1E1D4-5D2B-49D2-B216-633CD80A723C@sinodun.com>
References: <508FD7E4.7060801@nlnetlabs.nl> <9F12FBC9-F0EC-4A04-99E2-5B9E89718E2C@sinodun.com> <5090FF7B.5090508@nlnetlabs.nl> <1EE1E1D4-5D2B-49D2-B216-633CD80A723C@sinodun.com>
Message-ID:

On Wed, Oct 31, 2012 at 1:42 PM, Sara Dickinson wrote:
> Jerry - could you help out with setting up BIND and validns (or similar) for this work?

If whoever writes the test makes it so a normal user can start BIND in the background and get the IXFR/AXFR to tests and then shut down BIND for each test as we do with OpenDNSSEC then we can probably run it on most of the platforms if not all.

So it is best if someone starts trying this locally and when we have something that runs we can look at what we need to do on each platform.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
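
The failure described in the forwarded SIDN report earlier in this archive (a new ZSK starting to sign although the zone carrying it had not been served long enough) can be guarded against by timing pre-publication from the zone versions that actually went live rather than from key generation. The sketch below is an added example, not OpenDNSSEC code and not part of any message above; the served-zone log, key tags, TTL, propagation delay and all function names are constructed assumptions.

```python
from datetime import datetime, timedelta

DNSKEY_TTL = timedelta(hours=1)         # assumed TTL of the DNSKEY RRset
PROPAGATION_DELAY = timedelta(hours=1)  # assumed time until all secondaries serve a version

# Constructed log of zone versions that really went live:
# (time served, SOA serial, key tags in the DNSKEY RRset)
SERVED = [
    (datetime(2012, 1, 1, 0, 0), 100, {11111}),
    (datetime(2012, 1, 1, 6, 0), 101, {11111, 22222}),
    (datetime(2012, 1, 1, 8, 0), 102, {11111, 22222}),
]
# Constructed: key 22222 was generated here, but the next two zone
# publications failed, so it first appeared in the DNS at 06:00.
GENERATED = datetime(2012, 1, 1, 1, 0)


def published_since(key_tag, served):
    """Start of the latest unbroken run of served versions containing key_tag."""
    since = None
    for when, _serial, tags in sorted(served, key=lambda v: v[0]):
        if key_tag in tags:
            if since is None:
                since = when
        else:
            since = None  # key vanished from the served zone: restart the clock
    return since


def ready_time(key_tag, served):
    """Earliest signing time: real publication + propagation delay + DNSKEY TTL."""
    since = published_since(key_tag, served)
    if since is None:
        return None
    return since + PROPAGATION_DELAY + DNSKEY_TTL


def may_sign(key_tag, now, served):
    """True only once every validator can have the key in cache or fetch it."""
    ready = ready_time(key_tag, served)
    return ready is not None and now >= ready


def naive_may_sign(generated_at, now):
    """Flawed variant: counts from key generation, not from real publication."""
    return now >= generated_at + PROPAGATION_DELAY + DNSKEY_TTL
```

At 06:00 in the constructed log the generation-based check already allows signing with key 22222, while the publication-based check holds it back until 08:00.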