From rick at openfortress.nl Thu May 2 09:05:04 2013 From: rick at openfortress.nl (Rick van Rein (OpenFortress)) Date: Thu, 2 May 2013 11:05:04 +0200 Subject: [Opendnssec-develop] How to replicate signer-stuck with SoftHSM Message-ID: Hello all, I've been trying to replicate our problems with the signer getting stuck (OPENDNSSEC-400). It seems to occur fairly often (2 out of 4 multi-zone additions) after we removed on our signer. I have tried to reproduce the problems with SoftHSM. I even inserted a random delay of 1-5 seconds in C_GenerateKeyPair (patch attached) in the hope to lure the Signer into a race condition, like attempting to sign a zone before the keys have established, for instance due to reading the new zone list. Much to my surprise, all keys are created before the Signer kicks into action. This is quite different from what we see on our live platform with a real, replicated HSM. I am wondering if this could be caused by lack of concurrency support in SoftHSM, which could either cause different behaviour from the Enforcer? Alternatively, I can imagine a global lock on the SoftHSM that blocks the Signer from jumping into action as early as it does with our fullblown HSM. I tested on SoftHSM 1.2.1. Any suggestions are kindly welcomed; if I can replicate the race condition somehow, I'd imagine it'd be good input for the project. Cheers, -Rick -------------- next part -------------- A non-text attachment was scrubbed... 
Name: softhsm-1.2.1-slowkeygen.patch Type: application/octet-stream Size: 885 bytes Desc: not available URL: -------------- next part -------------- From matthijs at nlnetlabs.nl Thu May 2 09:48:40 2013 From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Thu, 02 May 2013 11:48:40 +0200 Subject: [Opendnssec-develop] RE: 1.3.14 release In-Reply-To: <7C9BBFA5-7D45-40A9-8315-C367215ADD17@sinodun.com> References: <7C9BBFA5-7D45-40A9-8315-C367215ADD17@sinodun.com> Message-ID: <51823678.10008@nlnetlabs.nl> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I have been working on OPENDNSSEC-403: Debugging lock state. Is that something we can put in 1.3.14? If so, I will commit it to the branch. Best regards, Matthijs On 04/26/2013 03:34 PM, Sara Dickinson wrote: > Hi All, > > In the team meeting this week we agreed that we should go ahead > with a 1.3.14 release, but since there were only 3 of us there I > would like to double check this with the list before going ahead! > > The issues fixed in 1.3.14 would be the following: > > * OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the > algorithm for a key is changed in a policy (as this rollover is not > handled cleanly) * OPENDNSSEC-91: Make the keytype flag required > when rolling keys > > Bugfixes: * OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not > updated on SOA Minimum change. * OPENDNSSEC-396: Use TTLs from kasp > when generating DNSKEY and DS records for output. * OPENDNSSEC-398: > The ods-ksmutil key rollover command does not work correctly when > rolling all keys using the --policy option * SUPPORT-40: Signer > Engine: Keep occluded data in signed zone files/transfers. > > Unless I hear any objection then I will plan to do the release next > week (Jerry - I can do any day except Wednesday - how about you?). > > Regards > > Sara. 
> > _______________________________________________ Opendnssec-develop > mailing list Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQEcBAEBAgAGBQJRgjZ4AAoJEA8yVCPsQCW5srgIALIF2MXOr8ieYyPOa24gktMi YsYP0Jm62RDjT4+du6efeXpDkuvH+J9mzmfel84FBP7wCm+g6DRUXHvQI8JdSuj8 lwabH6W00NggqEKX6fHvflr+4qRjiLAC3yzMcwB/wduEhPpFEodN3zamKk1Zt4RW f3/x7/J0tAd9mWiVC1/T5QNxCjEUJC3ADL9YyNjIi3ahvVCj+LM+tRHUtgaQZcI+ voE14gRy6/WYrL2UbWeOjqOWNEXCU+sEK8cUr0puOLIrXdakMYOt+eOk/EGnY8qh uXP07Tj1WUTwkYkVyRhwLT+M4xJX2hdNSrotTHXY+zjgWJ4C3H2DTAKR5S4bZHI= =CmAs -----END PGP SIGNATURE----- From sara at sinodun.com Thu May 2 10:45:52 2013 From: sara at sinodun.com (Sara Dickinson) Date: Thu, 2 May 2013 11:45:52 +0100 Subject: [Opendnssec-develop] RE: 1.3.14 release In-Reply-To: <51823678.10008@nlnetlabs.nl> References: <7C9BBFA5-7D45-40A9-8315-C367215ADD17@sinodun.com> <51823678.10008@nlnetlabs.nl> Message-ID: <377A3570-3DC2-440B-BDC5-03EA0697009B@sinodun.com> Hi Matthijs, If you can submit today we could do the release tomorrow. Sara. On 2 May 2013, at 10:48, Matthijs Mekking wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > I have been working on OPENDNSSEC-403: Debugging lock state. Is that > something we can put in 1.3.14? If so, I will commit it to the branch. > > Best regards, > Matthijs > > On 04/26/2013 03:34 PM, Sara Dickinson wrote: >> Hi All, >> >> In the team meeting this week we agreed that we should go ahead >> with a 1.3.14 release, but since there were only 3 of us there I >> would like to double check this with the list before going ahead! 
>> >> The issues fixed in 1.3.14 would be the following: >> >> * OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the >> algorithm for a key is changed in a policy (as this rollover is not >> handled cleanly) * OPENDNSSEC-91: Make the keytype flag required >> when rolling keys >> >> Bugfixes: * OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not >> updated on SOA Minimum change. * OPENDNSSEC-396: Use TTLs from kasp >> when generating DNSKEY and DS records for output. * OPENDNSSEC-398: >> The ods-ksmutil key rollover command does not work correctly when >> rolling all keys using the --policy option * SUPPORT-40: Signer >> Engine: Keep occluded data in signed zone files/transfers. >> >> Unless I hear any objection then I will plan to do the release next >> week (Jerry - I can do any day except Wednesday - how about you?). >> >> Regards >> >> Sara. >> >> _______________________________________________ Opendnssec-develop >> mailing list Opendnssec-develop at lists.opendnssec.org >> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop >> > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with undefined - http://www.enigmail.net/ > > iQEcBAEBAgAGBQJRgjZ4AAoJEA8yVCPsQCW5srgIALIF2MXOr8ieYyPOa24gktMi > YsYP0Jm62RDjT4+du6efeXpDkuvH+J9mzmfel84FBP7wCm+g6DRUXHvQI8JdSuj8 > lwabH6W00NggqEKX6fHvflr+4qRjiLAC3yzMcwB/wduEhPpFEodN3zamKk1Zt4RW > f3/x7/J0tAd9mWiVC1/T5QNxCjEUJC3ADL9YyNjIi3ahvVCj+LM+tRHUtgaQZcI+ > voE14gRy6/WYrL2UbWeOjqOWNEXCU+sEK8cUr0puOLIrXdakMYOt+eOk/EGnY8qh > uXP07Tj1WUTwkYkVyRhwLT+M4xJX2hdNSrotTHXY+zjgWJ4C3H2DTAKR5S4bZHI= > =CmAs > -----END PGP SIGNATURE----- From sara at sinodun.com Thu May 2 14:19:46 2013 From: sara at sinodun.com (Sara Dickinson) Date: Thu, 2 May 2013 15:19:46 +0100 Subject: [Opendnssec-develop] RE: Developer meetings at RIPE 66 Message-ID: <65973734-5B9F-4594-8B19-D7D9446B203A@sinodun.com> Hi All, Based on the feedback to the doodle I have booked a meeting room at RIPE for the 
following times: Tuesday 14th 10:00-12:30 (Note the board meeting starts at 13:00 so probably finish around 12) Wednesday 15th 16:00-18:00 A rough agenda for the meetings can be found here: https://wiki.opendnssec.org/display/OpenDNSSEC/Developer+workshop+-+RIPE+66 Please let me know if there are other topics you like to cover. I would also like to propose that we try to do an informal 'Meet the team' session at 18:00 on Wednesday for any users who would like to put some faces to names or bug us in person for that feature they really want :-) I'm hoping as many of us as possible could be around the bar (maybe even wearing ODS t-shirts if we have them...) to chat to interested users over a beer? If enough of us are up for this then I can publicise it on the ODS/RIPE lists and in the DNS-WG OpenDNSSEC presentation. Sara. From sara at sinodun.com Fri May 3 08:56:20 2013 From: sara at sinodun.com (Sara Dickinson) Date: Fri, 3 May 2013 09:56:20 +0100 Subject: [Opendnssec-develop] RE: 1.3.14 release In-Reply-To: <377A3570-3DC2-440B-BDC5-03EA0697009B@sinodun.com> References: <7C9BBFA5-7D45-40A9-8315-C367215ADD17@sinodun.com> <51823678.10008@nlnetlabs.nl> <377A3570-3DC2-440B-BDC5-03EA0697009B@sinodun.com> Message-ID: <000D743A-A33C-4333-92B0-DF08311F0901@sinodun.com> Hi All, The plan is now to release 1.3.14 early next week (probably Tuesday) in order that Matthijs can add some extra options to his solution for OPENDNSSEC-403. Regards Sara. On 2 May 2013, at 11:45, Sara Dickinson wrote: > Hi Matthijs, > > If you can submit today we could do the release tomorrow. > > Sara. > > On 2 May 2013, at 10:48, Matthijs Mekking wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> Hi, >> >> I have been working on OPENDNSSEC-403: Debugging lock state. Is that >> something we can put in 1.3.14? If so, I will commit it to the branch. 
>> >> Best regards, >> Matthijs >> >> On 04/26/2013 03:34 PM, Sara Dickinson wrote: >>> Hi All, >>> >>> In the team meeting this week we agreed that we should go ahead >>> with a 1.3.14 release, but since there were only 3 of us there I >>> would like to double check this with the list before going ahead! >>> >>> The issues fixed in 1.3.14 would be the following: >>> >>> * OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the >>> algorithm for a key is changed in a policy (as this rollover is not >>> handled cleanly) * OPENDNSSEC-91: Make the keytype flag required >>> when rolling keys >>> >>> Bugfixes: * OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not >>> updated on SOA Minimum change. * OPENDNSSEC-396: Use TTLs from kasp >>> when generating DNSKEY and DS records for output. * OPENDNSSEC-398: >>> The ods-ksmutil key rollover command does not work correctly when >>> rolling all keys using the --policy option * SUPPORT-40: Signer >>> Engine: Keep occluded data in signed zone files/transfers. >>> >>> Unless I hear any objection then I will plan to do the release next >>> week (Jerry - I can do any day except Wednesday - how about you?). >>> >>> Regards >>> >>> Sara. >>> From jakob at kirei.se Fri May 3 09:20:56 2013 From: jakob at kirei.se (Jakob Schlyter) Date: Fri, 3 May 2013 11:20:56 +0200 Subject: [Opendnssec-develop] Developer meetings at RIPE 66 In-Reply-To: <65973734-5B9F-4594-8B19-D7D9446B203A@sinodun.com> References: <65973734-5B9F-4594-8B19-D7D9446B203A@sinodun.com> Message-ID: <27C454C6-F0CA-444F-92D1-C4BB2A3AF1F5@kirei.se> On 2 maj 2013, at 16:19, Sara Dickinson wrote: > Tuesday 14th 10:00-12:30 (Note the board meeting starts at 13:00 so probably finish around 12) I'll join this. > Wednesday 15th 16:00-18:00 I have to fly back on Wednesday morning so I cannot attend this. I'm available all monday if people want to meet up. 
jakob From sara at sinodun.com Mon May 6 09:34:34 2013 From: sara at sinodun.com (Sara Dickinson) Date: Mon, 6 May 2013 10:34:34 +0100 Subject: [Opendnssec-develop] RE: Team meeting - Tuesday 7 May @ 14:00 CET References: <5DB6F213-E704-49E7-B9C0-59D2F931FCA2@sinodun.com> Message-ID: <61C220B4-1662-488E-B056-75E685DB91A1@sinodun.com> Hi All, We have a team meeting tomorrow: Date: Tuesday 7 May 2013 Time: 14:00-15:00 CET, 13:00-14:00 GMT Method: Google+ Agenda: https://wiki.opendnssec.org/display/OpenDNSSEC/2013-05-07+Agenda Sara. -------------- next part -------------- An HTML attachment was scrubbed... URL: From sara at sinodun.com Tue May 7 09:59:06 2013 From: sara at sinodun.com (Sara Dickinson) Date: Tue, 7 May 2013 10:59:06 +0100 Subject: [Opendnssec-develop] Fwd: OpenDNSSEC dinner at RIPE 66 (Dublin) References: <73A4EF1F-FB6A-4CC5-972F-F1B26FDCECED@sinodun.com> Message-ID: <81914394-D1F5-43FF-8D7E-FC70F77BF9AC@sinodun.com> Begin forwarded message: > Are people interested in getting together for dinner on Tuesday evening? If so I have started a separate doodle for that:http://www.doodle.com/xhmihu2i4h4zzyh3 > > I've been recommended this as an interesting place to eat: http://www.lgueuleton.com/index.html. If anyone has any other suggestions please let me know. > > Sara. Hi there, Realised that I didn't forward the dinner invite to everyone! Sara. From sara at sinodun.com Tue May 7 13:49:30 2013 From: sara at sinodun.com (Sara Dickinson) Date: Tue, 7 May 2013 14:49:30 +0100 Subject: [Opendnssec-develop] RE: Team meeting - Tuesday 7 May @ 14:00 CET References: <61C220B4-1662-488E-B056-75E685DB91A1@sinodun.com> Message-ID: Hi All, Minutes from the meeting today are available for review: https://wiki.opendnssec.org/display/OpenDNSSEC/2013-05-07+Minutes Sara. 
Begin forwarded message: > From: Sara Dickinson > Date: 6 May 2013 10:34:34 GMT+01:00 > To: OpenDNSSEC Developers > Subject: [Opendnssec-develop] RE: Team meeting - Tuesday 7 May @ 14:00 CET > > Hi All, > > We have a team meeting tomorrow: > > Date: Tuesday 7 May 2013 > Time: 14:00-15:00 CET, 13:00-14:00 GMT > Method: Google+ > Agenda: https://wiki.opendnssec.org/display/OpenDNSSEC/2013-05-07+Agenda > > > Sara. > > > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop -------------- next part -------------- An HTML attachment was scrubbed... URL: From sara at sinodun.com Tue May 7 14:11:17 2013 From: sara at sinodun.com (Sara Dickinson) Date: Tue, 7 May 2013 15:11:17 +0100 Subject: [Opendnssec-develop] RE: OpenDNSSEC 1.3.14 release candidate Message-ID: <9C06DDD5-C916-49B1-81C8-C627D1B81453@sinodun.com> All, Version 1.3.14rc1 of OpenDNSSEC is now available. This is a release candidate for testing purposes: OpenDNSSEC 1.3.14rc1 ----------------------------------- Updates: * OPENDNSSEC-367: ods-ksmutil: Require user confirmation if the algorithm for a key is changed in a policy (as this rollover is not handled cleanly) * OPENDNSSEC-91: Make the keytype flag required when rolling keys * OPENDNSSEC-403: Signer Engine: new command 'ods-signer locks' that shows locking information (for debugging purposes). Bugfixes: * OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA Minimum change. * OPENDNSSEC-396: Use TTLs from kasp when generating DNSKEY and DS records for output. * OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly when rolling all keys using the --policy option * SUPPORT-40: Signer Engine: Keep occluded data in signed zone files/transfers. 
Download: * http://dist.opendnssec.org/source/testing/opendnssec-1.3.14rc1.tar.gz * http://dist.opendnssec.org/source/testing/opendnssec-1.3.14rc1.tar.gz.sig * Checksum sha1: 539245a53b9c65eb49737ac0208e6a2c58474f0d * Checksum sha256: ba72ff759f881ee9462aeb568e950fd7998d1773449c917e807ba49a2acb0de3 A full 1.3.14 release is planned for Thursday 16th May. //OpenDNSSEC team From sara at sinodun.com Sun May 12 15:50:20 2013 From: sara at sinodun.com (Sara Dickinson) Date: Sun, 12 May 2013 16:50:20 +0100 Subject: [Opendnssec-develop] RE: Review of JIRA issues References: <4FBA11EE-C5D5-4DF8-BB45-DAF6AC8F6B08@sinodun.com> Message-ID: <96F8FED6-FF6A-410A-B938-E427C2D918C8@sinodun.com> Hi All, With no feedback on the previous list of issues here are the remaining unassigned 'Future release' issues available for nomination to a specific release or for closure: OPENDNSSEC-329 RFC 6725 deprecates the use of RSA/MD5 Unassigned OPENDNSSEC-328 man pages for configuration xml files Unassigned OPENDNSSEC-232 Handle DNS views Unassigned OPENDNSSEC-211 Make OPENDNSSEC resistant against symlink problems Unassigned OPENDNSSEC-136 Powerfail/crash recovery Unassigned OPENDNSSEC-104 Tool from going from ZKT to OPENDNSSEC Unassigned OPENDNSSEC-73 Add rollback SOA/RRSIG RR with high serial number Unassigned OPENDNSSEC-65 Implement support for DSA Unassigned OPENDNSSEC-62 Implement support for GOST Unassigned OPENDNSSEC-49 Inventory and formal codes for all syslog messages Unassigned OPENDNSSEC-43 eppclient should be configurable with SHA1 and/or SHA256 for DS Unassigned Regards Sara Begin forwarded message: > From: Sara Dickinson > Date: 26 April 2013 14:51:10 GMT+01:00 > To: OpenDNSSEC Developers > Subject: [Opendnssec-develop] RE: Review of JIRA issues > > Hi All, > > As part on the ongoing review of our JIRA issues I would like to ask for comments on the following issues which currently have a Fix version of 'Future release': > > > OPENDNSSEC-293 Reporting of important messages through 
email in addition to the current syslog method. Jakob Schlyter > OPENDNSSEC-251 Support for offline KSK Jakob Schlyter > OPENDNSSEC-94 Read-only Repositories Jakob Schlyter > OPENDNSSEC-95 Implement --disable-signer for the Enforcer Jakob Schlyter > OPENDNSSEC-310 Revisit how the daemons are initialised and provide example init scripts Jerry Lundström > OPENDNSSEC-89 ods-control should be able to take a conf.xml file as a command line arg Jerry Lundström > OPENDNSSEC-316 Privileges on shared PIN memory Rickard Bellgrim > OPENDNSSEC-125 Implement a KASP visualization tool Yuri Schaeffer > OPENDNSSEC-314 Bootstrap ODS from signed zone Yuri Schaeffer > OPENDNSSEC-100 Implement 5011 Yuri Schaeffer > OPENDNSSEC-360 Fix new build environment for contrib/eppclient Unassigned > OPENDNSSEC-352 $ make test Unassigned > OPENDNSSEC-335 Implement hook to be called for backup after key generation Unassigned > > > Plan: > - If no-one nominates an issue it will be left with a fix version of 'Future release'. > - If anyone feels any issue should be nominated for a particular release then please reply to this email indicating which release and why. > - I was planning a brief review of all issues with a specific fix version during the developer meeting at RIPE. > > BTW: There are about a dozen further (unassigned) issues for 'Future release' that I will present for review in an email next week. I have already been through those assigned to Matthijs and Sion offline with them and several issues have been nominated for specific releases. > > Regards > > Sara. 
> > > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop From rick at openfortress.nl Sun May 12 15:56:00 2013 From: rick at openfortress.nl (Rick van Rein (OpenFortress)) Date: Sun, 12 May 2013 17:56:00 +0200 Subject: [Opendnssec-develop] Review of JIRA issues In-Reply-To: <96F8FED6-FF6A-410A-B938-E427C2D918C8@sinodun.com> References: <4FBA11EE-C5D5-4DF8-BB45-DAF6AC8F6B08@sinodun.com> <96F8FED6-FF6A-410A-B938-E427C2D918C8@sinodun.com> Message-ID: Hello Sara, > OPENDNSSEC-329 RFC 6725 deprecates the use of RSA/MD5 Unassigned That's just something for the operator to implement, and for us to avoid in default configurations and perhaps to add to documentation? > OPENDNSSEC-328 man pages for configuration xml files Unassigned If Roland agrees, I should be able to write those. I'll ask him when he is available again in two weeks. > OPENDNSSEC-232 Handle DNS views Unassigned IMHO, an important shortcoming in current OpenDNSSEC; specifically because setting up a 2nd system for another view is quite a big thing for OpenDNSSEC. I would like to nominate this one. -Rick From rickard at opendnssec.org Mon May 13 06:26:35 2013 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Mon, 13 May 2013 08:26:35 +0200 Subject: [Opendnssec-develop] How to replicate signer-stuck with SoftHSM In-Reply-To: References: Message-ID: The Enforcer will never tell the Signer to use a key before it has been created with C_GenerateKeyPair. Could it be that your HSM returns from this function call before the key is available in the HSM (and synchronized within the cluster)? SoftHSM will only return from C_GenerateKeyPair when the key has been created, so there is no lock in that respect. 
// Rickard On Thu, May 2, 2013 at 11:05 AM, Rick van Rein (OpenFortress) < rick at openfortress.nl> wrote: > Hello all, > > I've been trying to replicate our problems with the signer getting stuck > (OPENDNSSEC-400). It seems to occur fairly often (2 out of 4 multi-zone > additions) after we removed on our signer. > > I have tried to reproduce the problems with SoftHSM. I even inserted a > random delay of 1-5 seconds in C_GenerateKeyPair (patch attached) in the > hope to lure the Signer into a race condition, like attempting to sign a > zone before the keys have established, for instance due to reading the new > zone list. Much to my surprise, all keys are created before the Signer > kicks into action. This is quite different from what we see on our live > platform with a real, replicated HSM. > > I am wondering if this could be caused by lack of concurrency support in > SoftHSM, which could either cause different behaviour from the Enforcer? > Alternatively, I can imagine a global lock on the SoftHSM that blocks the > Signer from jumping into action as early as it does with our fullblown HSM. > I tested on SoftHSM 1.2.1. > > Any suggestions are kindly welcomed; if I can replicate the race condition > somehow, I'd imagine it'd be good input for the project. > > > Cheers, > -Rick > > > > > > > > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rick at openfortress.nl Mon May 13 07:46:23 2013 From: rick at openfortress.nl (Rick van Rein (OpenFortress)) Date: Mon, 13 May 2013 09:46:23 +0200 Subject: [Opendnssec-develop] How to replicate signer-stuck with SoftHSM In-Reply-To: References: Message-ID: <2E725D33-632E-4D91-8C35-5943C2C8761A@openfortress.nl> Hi Rickard, Good to hear from you. 
> The Enforcer will never tell the Signer to use a key before it has been created with C_GenerateKeyPair. Could it be that your HSM returns from this function call before the key is available in the HSM (and synchronized within the cluster)? That is one option that I'm contemplating. SafeNet is rather strict in their implementation of PKCS #11, although they are not flawless. But the signer should never do things that lead to deadlock. So it could go either way, and we're investigating which party to ask to remove the bug. The two-out-of-four fault rate so far for multiple zones at once would match with the one-out-of-two selection of a reading HSM from our replicated set. A variation might be that PKCS #11 describes certain liberties that are revealed with a different key-creating and key-using command; I seem to recall, but haven't found back yet, that one process does not always get to see updates in another; and if the signer reads the entire zone list, including not-seen-before zones and only then reopens the HSM slot, things could go awry. In general however, the fault pattern seems to be caused by reading the zone list when an unknown zone is updated by the Enforcer. The new zone list includes ones that have no keys assigned yet, which could lead to exceptional behaviour. The SoftHSM avoids this behaviour, probably due to a global lock that holds its access to the Enforcer until it is entirely done? Could you confirm that the SoftHSM lock is global? We do see the signer report that it will try again on the extra zones that it finds too early in the zone list, but it does not actually do this and instead it locks down entirely. With 1.3.14, we'll have a debug-locks command listing the locks of the signer, that should prove to be helpful. 
Cheers, -Rick From rickard at opendnssec.org Mon May 13 08:37:22 2013 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Mon, 13 May 2013 10:37:22 +0200 Subject: [Opendnssec-develop] How to replicate signer-stuck with SoftHSM In-Reply-To: <2E725D33-632E-4D91-8C35-5943C2C8761A@openfortress.nl> References: <2E725D33-632E-4D91-8C35-5943C2C8761A@openfortress.nl> Message-ID: > A variation might be that PKCS #11 describes certain liberties that are > revealed with a different key-creating and key-using command; I seem to > recall, but haven't found back yet, that one process does not always get to > see updates in another; and if the signer reads the entire zone list, > including not-seen-before zones and only then reopens the HSM slot, things > could go awry. > It could be the case that the signer finds the zone in the zone list, but it will never find the signconf unless the keys are generated. > In general however, the fault pattern seems to be caused by reading the > zone list when an unknown zone is updated by the Enforcer. The new zone > list includes ones that have no keys assigned yet, which could lead to > exceptional behaviour. The SoftHSM avoids this behaviour, probably due to > a global lock that holds its access to the Enforcer until it is entirely > done? Could you confirm that the SoftHSM lock is global? > The calling application won't get an object handle unless the key has been generated. So there is no need for a lock like that. The Signer Engine cannot pick a key at random, it needs to know exactly which key to use. This is what the Enforcer tells the Signer Engine via the signconf. // Rickard -------------- next part -------------- An HTML attachment was scrubbed... 
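The failure mode discussed in this thread (the Enforcer generating keys through one HSM view, the Signer looking them up through another view that has not replicated yet, giving a two-out-of-four failure rate against a replicated pair) and Rickard's reply that C_GenerateKeyPair only returns once a handle exists can be modelled without a real cluster. The following is an added example written for this thread, not OpenDNSSEC, SoftHSM or SafeNet code. It is a small Python model of a replicated HSM in which a key generated on one member becomes visible on a peer only after an assumed replication lag, an Enforcer that either publishes the signconf straight away or first polls every member for the key's CKA_ID, and a Signer whose session lands on cluster members round-robin. The round-robin load balancing, the member names, the lag values, the CKA_ID format and the zone names are all assumptions made for the model.

```python
"""Model of the Enforcer/Signer race against a replicated HSM.

Constructed example for the signer-stuck discussion; not OpenDNSSEC, SoftHSM
or any vendor's code. Ticks are an abstract clock; a key generated on one
member becomes visible on a peer only after that peer's replication lag.
"""
from dataclasses import dataclass, field
import itertools


@dataclass
class HsmMember:
    """One member of a replicated HSM cluster (assumed names and lags)."""
    name: str
    replication_lag: int                          # ticks until a peer's key is visible here
    objects: dict = field(default_factory=dict)   # CKA_ID -> tick at which it becomes visible


class HsmCluster:
    """Toy cluster: C_GenerateKeyPair returns as soon as the serving member has the key."""

    def __init__(self, lags):
        self.members = [HsmMember(f"hsm{i + 1}", lag) for i, lag in enumerate(lags)]
        self.tick = 0
        self._ids = itertools.count(1)
        # Assumption: the Signer's sessions are load-balanced across members.
        self._round_robin = itertools.cycle(self.members)

    def advance(self, ticks=1):
        self.tick += ticks

    def generate_key_pair(self, member):
        """Model of C_GenerateKeyPair on `member`: a handle (here the CKA_ID) is
        returned immediately; peers see the object only after their lag."""
        cka_id = f"{next(self._ids):04x}"
        for m in self.members:
            m.objects[cka_id] = self.tick + (0 if m is member else m.replication_lag)
        return cka_id

    def find_object(self, member, cka_id):
        """Model of C_FindObjectsInit/C_FindObjects by CKA_ID on one member."""
        visible_at = member.objects.get(cka_id)
        return visible_at is not None and visible_at <= self.tick

    def next_signer_member(self):
        return next(self._round_robin)


def enforcer_publish_signconf(cluster, zone, wait_for_replication):
    """Generate the zone's key on the first member and publish a signconf.
    With wait_for_replication the Enforcer polls every member for the key
    before publishing, which is the check the model is meant to show."""
    key = cluster.generate_key_pair(cluster.members[0])
    if wait_for_replication:
        while not all(cluster.find_object(m, key) for m in cluster.members):
            cluster.advance()
    return {"zone": zone, "keys": [key]}


def signer_lookup(cluster, signconf):
    """The Signer opens a session on whichever member it is routed to and
    looks up every key named in the signconf; returns (member, missing keys)."""
    member = cluster.next_signer_member()
    missing = [k for k in signconf["keys"] if not cluster.find_object(member, k)]
    return member.name, missing


def run(lags, wait_for_replication, zones=("zone1", "zone2", "zone3", "zone4")):
    """Add several zones in a row; return [(zone, member)] for every lookup
    that hit a member where the key was not yet visible."""
    cluster = HsmCluster(lags)
    failures = []
    for zone in zones:
        signconf = enforcer_publish_signconf(cluster, zone, wait_for_replication)
        member, missing = signer_lookup(cluster, signconf)
        if missing:
            failures.append((zone, member))
    return failures


if __name__ == "__main__":
    print("replicated pair, publish immediately:", run((0, 3), False))
    print("single member (SoftHSM-like):        ", run((0,), False))
    print("replicated pair, poll all members:   ", run((0, 3), True))
```

With two members and the assumed lag, publishing immediately reproduces the two-out-of-four pattern: every lookup routed to the lagging member misses the key. A single member with no lag never fails, which matches a SoftHSM test never showing the race, and polling every member before publishing removes the failures at the cost of waiting out the lag. On a real cluster the equivalent check is a C_FindObjects by CKA_ID through a session on each member before the signconf is written, or a Signer that retries the lookup instead of treating a missing object as fatal.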
URL: From matthijs at nlnetlabs.nl Mon May 13 09:06:25 2013 From: matthijs at nlnetlabs.nl (Matthijs Mekking) Date: Mon, 13 May 2013 11:06:25 +0200 Subject: [Opendnssec-develop] Review of JIRA issues In-Reply-To: References: <4FBA11EE-C5D5-4DF8-BB45-DAF6AC8F6B08@sinodun.com> <96F8FED6-FF6A-410A-B938-E427C2D918C8@sinodun.com> Message-ID: <5190AD11.2010101@nlnetlabs.nl> On 05/12/2013 05:56 PM, Rick van Rein (OpenFortress) wrote: > Hello Sara, > >> OPENDNSSEC-329 RFC 6725 deprecates the use of RSA/MD5 Unassigned > > That's just something for the operator to implement, and for us to avoid in default configurations and perhaps to add to documentation? I have added that, if we should remove RSA/MD5 from OpenDNSSEC (first announce it of course that we will deprecate it at foo time). For example, Unbound will already consider RRsets signed with this algorithm to be insecure. I think the conclusion was to keep it as it is for now. > >> OPENDNSSEC-328 man pages for configuration xml files Unassigned > > If Roland agrees, I should be able to write those. I'll ask him when he is available again in two weeks. > >> OPENDNSSEC-232 Handle DNS views Unassigned > > IMHO, an important shortcoming in current OpenDNSSEC; specifically because setting up a 2nd system for another view is quite a big thing for OpenDNSSEC. I would like to nominate this one. 
> > -Rick > > _______________________________________________ > Opendnssec-develop mailing list > Opendnssec-develop at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop > From rick at openfortress.nl Mon May 13 09:27:42 2013 From: rick at openfortress.nl (Rick van Rein (OpenFortress)) Date: Mon, 13 May 2013 11:27:42 +0200 Subject: [Opendnssec-develop] How to replicate signer-stuck with SoftHSM In-Reply-To: References: <2E725D33-632E-4D91-8C35-5943C2C8761A@openfortress.nl> Message-ID: Hello Rickard, >> A variation might be that PKCS #11 describes certain liberties that are revealed with a different key-creating and key-using command; I seem to recall, but haven't found back yet, that one process does not always get to see updates in another; and if the signer reads the entire zone list, including not-seen-before zones and only then reopens the HSM slot, things could go awry. > > It could be the case the the signer finds the zone in the zone list, but it will newer find the signconf unless the keys are generated. I imagine this scenario: - Enforcer creates keys in one view, say on HSM #1 - Enforcer creates signconf - Enforcer sends an update for the zone to the Signer - Signer looks up keys from another view, possibly on HSM #2 - This view does not contain the keys yet --> we'd have to establish if this is PKCS #11 compliant (making it a Signer bug) or not (making it an HSM bug) >> In general however, the fault pattern seems to be caused by reading the zone list when an unknown zone is updated by the Enforcer. The new zone list includes ones that have no keys assigned yet, which could lead to exceptional behaviour. The SoftHSM avoids this behaviour, probably due to a global lock that holds its access to the Enforcer until it is entirely done? Could you confirm that the SoftHSM lock is global? > > The calling application won't get an object handle unless the key has been generated. So there is no need for a lock like that. OK. 
Then I continue to wonder why the Signer does not run on the 1st zone while the Enforcer is generating keys for its 2nd zone. Especially with 1-5 seconds random delay that I built into C_GenerateKeyPair. > The Signer Engine cannot pick a key at random, it needs to know exactly which key to use. This is what the Enforcer tells the Signer Engine via the signconf. Of course. But it is not quite clear if the 2nd zone being updated gets stuck during the first run (where it finds it has no signconf yet) or on a second run (where it accesses signconf-defined keys that are not present in the HSM view it has). -Rick From jerry at opendnssec.org Mon May 13 12:33:48 2013 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Mon, 13 May 2013 14:33:48 +0200 Subject: [Opendnssec-develop] Maintenance of dist.opendnssec.org and SVN today Monday 15:30 - 16:00 CET Message-ID: <7238A6BD-E1C7-4CB9-B75E-720EEF15824E@opendnssec.org> Hi, Would like to do some maintenance work on the servers here at .SE so please don't use SVN during this time. /Jerry -- Jerry Lundström - OpenDNSSEC Developer http://www.opendnssec.org/ -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From rickard at opendnssec.org Mon May 13 13:10:42 2013 From: rickard at opendnssec.org (Rickard Bellgrim) Date: Mon, 13 May 2013 15:10:42 +0200 Subject: [Opendnssec-develop] How to replicate signer-stuck with SoftHSM In-Reply-To: References: <2E725D33-632E-4D91-8C35-5943C2C8761A@openfortress.nl> Message-ID: > I imagine this scenario: > - Enforcer creates keys in one view, say on HSM #1 > - Enforcer creates signconf > - Enforcer sends an update for the zone to the Signer > - Signer looks up keys from another view, possibly on HSM #2 > - This view does not contain the keys yet > --> we'd have to establish if this is PKCS #11 compliant (making it a > Signer bug) or not (making it an HSM bug) > > Clustering is handled outside of PKCS#11, but it is part of the HSM software. If an HSM generates a key pair, then another application should be able to use it. If not, then there is something wrong with the clustering code in the HSM. It is not High-Availability, but maybe Availability-With-Some-Delay. // Rickard -------------- next part -------------- An HTML attachment was scrubbed... URL: From jakob at kirei.se Mon May 13 13:27:21 2013 From: jakob at kirei.se (Jakob Schlyter) Date: Mon, 13 May 2013 14:27:21 +0100 Subject: [Opendnssec-develop] git for SoftHSMv2? Message-ID: In order to get some more public code review and patches, Patrik and I have briefly discussed moving SoftHSMv2 to git (preferably at github). Giant patches (like the recent one from Francis) could perhaps be handled more smoothly, and it would also give us useful experience and pave the way for moving OpenDNSSEC to git in the future. Any thoughts on this? 
jakob From sara at sinodun.com Mon May 13 13:37:48 2013 From: sara at sinodun.com (Sara Dickinson) Date: Mon, 13 May 2013 14:37:48 +0100 Subject: [Opendnssec-develop] Fwd: [Opendnssec-user] OpenDNSSEC - Meet the team @ RIPE 66 - Wednesday not Thursday! References: Message-ID: Hi All, Sorry that should be 6pm *Wednesday 15th* not Thursday! Sara. Begin forwarded message: > From: Sara Dickinson > Subject: [Opendnssec-user] RE: OpenDNSSEC - Meet the team @ RIPE 66 > Date: 13 May 2013 14:07:20 BST > To: "opendnssec-user at lists.opendnssec.org List" > > Hi All, > > Several members of the OpenDNSSEC team are at RIPE 66 this week and we are planning to be in Bellini's bar at 6pm on Thursday for an informal 'Meet the team' session. > > If you would like to put names to faces, ask any questions or just drop by for a chat then please do! Hope to see you there - we will be the ones wearing the big blue buttons :-) > > Sara. > > _______________________________________________ > Opendnssec-user mailing list > Opendnssec-user at lists.opendnssec.org > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: opendnssec_logo_120.png Type: image/png Size: 2848 bytes Desc: not available URL: From jerry at opendnssec.org Mon May 13 13:47:42 2013 From: jerry at opendnssec.org (=?iso-8859-1?Q?Jerry_Lundstr=F6m?=) Date: Mon, 13 May 2013 15:47:42 +0200 Subject: [Opendnssec-develop] git for SoftHSMv2? In-Reply-To: References: Message-ID: <7AA4A143-F172-4EEF-812E-39C37E3F5FB9@opendnssec.org> On May 13, 2013, at 15:27 , Jakob Schlyter wrote: > Any thoughts on this? +111!!!!!!11!!!!11oneoneoneone!! PS. Reserve the "group"/company name right now? 
--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jakob at kirei.se Mon May 13 13:48:27 2013
From: jakob at kirei.se (Jakob Schlyter)
Date: Mon, 13 May 2013 14:48:27 +0100
Subject: [Opendnssec-develop] git for SoftHSMv2?
In-Reply-To: <7AA4A143-F172-4EEF-812E-39C37E3F5FB9@opendnssec.org>
References: <7AA4A143-F172-4EEF-812E-39C37E3F5FB9@opendnssec.org>
Message-ID: <0F11A1FE-79B5-4ECB-BE08-A0928FD7474A@kirei.se>

On 13 May 2013, at 14:47, Jerry Lundström wrote:

> +111!!!!!!11!!!!11oneoneoneone!!

That's a lot.

> PS. Reserve the "group"/company name right now?

Done that looong time ago; https://github.com/opendnssec

jakob

From rene at xpt.nl Mon May 13 15:33:17 2013
From: rene at xpt.nl (René Post)
Date: Mon, 13 May 2013 17:33:17 +0200
Subject: [Opendnssec-develop] git for SoftHSMv2?
In-Reply-To: <0F11A1FE-79B5-4ECB-BE08-A0928FD7474A@kirei.se>
References: <7AA4A143-F172-4EEF-812E-39C37E3F5FB9@opendnssec.org> <0F11A1FE-79B5-4ECB-BE08-A0928FD7474A@kirei.se>
Message-ID: <3940E0D0-7F22-40F0-8AF0-FCFA1E8E6A57@xpt.nl>

Yes, I would like this very much too.

Using git svn I can pull the softHSMv2 trunk from opendnssec.org.
It might be useful to map the user names in the svn changelog to github usernames via the --authors-file option of git svn?

René

On May 13, 2013, at 3:48 PM, Jakob Schlyter wrote:

> On 13 May 2013, at 14:47, Jerry Lundström wrote:
>
>> +111!!!!!!11!!!!11oneoneoneone!!
>
> That's a lot.
>
>> PS. Reserve the "group"/company name right now?
>
> Done that looong time ago; https://github.com/opendnssec
>
> jakob
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

From sara at sinodun.com Mon May 13 18:16:48 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 13 May 2013 19:16:48 +0100
Subject: [Opendnssec-develop] Fwd: Developer meetings at RIPE 66
References: <65973734-5B9F-4594-8B19-D7D9446B203A@sinodun.com>

Hi All,

Reminder for those interested: we will meet at 10am tomorrow in the Applan room.

Sara.

Begin forwarded message:

> From: Sara Dickinson
> Subject: RE: Developer meetings at RIPE 66
> Date: 2 May 2013 15:19:46 BST
> To: OpenDNSSEC Developers
>
> Hi All,
>
> Based on the feedback to the doodle I have booked a meeting room at RIPE for the following times:
>
> Tuesday 14th 10:00-12:30 (Note the board meeting starts at 13:00 so probably finish around 12)
> Wednesday 15th 16:00-18:00
>
> A rough agenda for the meetings can be found here:
>
> https://wiki.opendnssec.org/display/OpenDNSSEC/Developer+workshop+-+RIPE+66
>
> Please let me know if there are other topics you would like to cover.
>
> I would also like to propose that we try to do an informal 'Meet the team' session at 18:00 on Wednesday for any users who would like to put some faces to names or bug us in person for that feature they really want :-) I'm hoping as many of us as possible could be around the bar (maybe even wearing ODS t-shirts if we have them...) to chat to interested users over a beer? If enough of us are up for this then I can publicise it on the ODS/RIPE lists and in the DNS-WG OpenDNSSEC presentation.
>
> Sara.
From jerry at opendnssec.org Tue May 14 07:45:40 2013
From: jerry at opendnssec.org (Jerry Lundström)
Date: Tue, 14 May 2013 09:45:40 +0200
Subject: [Opendnssec-develop] git for SoftHSMv2?
In-Reply-To: <3940E0D0-7F22-40F0-8AF0-FCFA1E8E6A57@xpt.nl>
References: <7AA4A143-F172-4EEF-812E-39C37E3F5FB9@opendnssec.org> <0F11A1FE-79B5-4ECB-BE08-A0928FD7474A@kirei.se> <3940E0D0-7F22-40F0-8AF0-FCFA1E8E6A57@xpt.nl>
Message-ID: <9438E2D0-4F76-4016-8EAE-8750FB56BC32@opendnssec.org>

On May 13, 2013, at 17:33 , René Post wrote:

> Using git svn I can pull the softHSMv2 trunk from opendnssec.org.
> It might be useful to map the user names in the svn changelog to github usernames via the --authors-file option of git svn?

Don't worry Rene, if/when we move to git we will make sure all history and users are preserved.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From rene at xpt.nl Wed May 15 11:58:01 2013
From: rene at xpt.nl (René Post)
Date: Wed, 15 May 2013 13:58:01 +0200
Subject: [Opendnssec-develop] git for SoftHSMv2?
In-Reply-To: <9438E2D0-4F76-4016-8EAE-8750FB56BC32@opendnssec.org>
References: <7AA4A143-F172-4EEF-812E-39C37E3F5FB9@opendnssec.org> <0F11A1FE-79B5-4ECB-BE08-A0928FD7474A@kirei.se> <3940E0D0-7F22-40F0-8AF0-FCFA1E8E6A57@xpt.nl> <9438E2D0-4F76-4016-8EAE-8750FB56BC32@opendnssec.org>
Message-ID: <56AEB512-ABC8-4CB5-B0D6-B7B8C3D85788@xpt.nl>

Made a quick conversion of trunk/softHSMv2 using svn2git, results of which can be found in a test repository at https://github.com/rene-post/softHSMv2
Note that I intentionally left out the tags and branches.

I mapped the svn user names to github usernames using an authors file that includes an email address for every user.
This worked for all committers to softHSMv2 except Rickard. He used an email address that doesn't match the one I chose.

I think that for the real conversion it would be best to ask everybody which email address would be preferred.
These email addresses are inserted in the changesets so you would need to feel comfortable with them being out there in public.

René

On May 14, 2013, at 9:45 AM, Jerry Lundström wrote:

> Don't worry Rene, if/when we move to git we will make sure all history and users are preserved.

From sara at sinodun.com Wed May 15 13:10:20 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Wed, 15 May 2013 14:10:20 +0100
Subject: [Opendnssec-develop] Review of JIRA issues
References: <4FBA11EE-C5D5-4DF8-BB45-DAF6AC8F6B08@sinodun.com> <96F8FED6-FF6A-410A-B938-E427C2D918C8@sinodun.com>

On 12 May 2013, at 16:56, Rick van Rein (OpenFortress) wrote:

>> OPENDNSSEC-328 man pages for configuration xml files Unassigned
>
> If Roland agrees, I should be able to write those. I'll ask him when he is available again in two weeks.

Cool - thanks.

>> OPENDNSSEC-232 Handle DNS views Unassigned
>
> IMHO, an important shortcoming in current OpenDNSSEC; specifically because setting up a 2nd system for another view is quite a big thing for OpenDNSSEC. I would like to nominate this one.

I've added it to the agenda for the workshop later today for discussion.

Sara.

> -Rick

From jakob at kirei.se Fri May 17 11:50:57 2013
From: jakob at kirei.se (Jakob Schlyter)
Date: Fri, 17 May 2013 13:50:57 +0200
Subject: [Opendnssec-develop] git for SoftHSMv2?
In-Reply-To: <56AEB512-ABC8-4CB5-B0D6-B7B8C3D85788@xpt.nl>
References: <7AA4A143-F172-4EEF-812E-39C37E3F5FB9@opendnssec.org> <0F11A1FE-79B5-4ECB-BE08-A0928FD7474A@kirei.se> <3940E0D0-7F22-40F0-8AF0-FCFA1E8E6A57@xpt.nl> <9438E2D0-4F76-4016-8EAE-8750FB56BC32@opendnssec.org> <56AEB512-ABC8-4CB5-B0D6-B7B8C3D85788@xpt.nl>
Message-ID: <33A66CBC-9D00-436E-8AE4-81AAAA19BFD6@kirei.se>

On 15 May 2013, at 13:58, René Post wrote:

> Made a quick conversion of trunk/softHSMv2 using svn2git, results of which can be found in a test repository at https://github.com/rene-post/softHSMv2
> Note that I intentionally left out the tags and branches.

thanks, I believe trunk is enough.

> I mapped the svn user names to github usernames using an authors file that includes an email address for every user.
> This worked for all committers to softHSMv2 except Rickard. He used an email address that doesn't match the one I chose.
>
> I think that for the real conversion it would be best to ask everybody which email address would be preferred.
> These email addresses are inserted in the change sets so you would need to feel comfortable with them being out there in public.

Good work! Could some person full of gitclue please review the import?

jakob

From sara at sinodun.com Mon May 20 14:39:37 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 20 May 2013 15:39:37 +0100
Subject: [Opendnssec-develop] Fwd: Minutes and Actions from RIPE 66
Message-ID: <00B4D520-6EC6-424B-BC0D-6FEFAF2F23EC@sinodun.com>

Hi All,

Please find below a list of the actions generated in the OAB meeting last week for your perusal, with some added notes to give context. The minutes from the developers workshop are also available for review:

https://wiki.opendnssec.org/display/OpenDNSSEC/Developer+workshop+-+RIPE+66+-+Minutes

I'll add agenda items to the next team meeting (28th May) to discuss both.

Thanks

Sara.
Begin forwarded message:

> ACTION: Sara will update the wiki with more detail on support of releases given the slight changes in policy agreed.

The developers suggested changing the version policy to allow the addition of new command line options in patch releases. This was suggested as a pragmatic solution to the problem of wanting to implement very small new features being blocked by the maintenance overhead of a minor version bump. This proposal was accepted by the board.

> ACTION: Patrik will talk to SIDN and CZ.NIC to see if they can offer testing resources for OpenDNSSEC enforcer-ng development.
> ACTION: Sara and Yuri will discuss any outstanding 2.0 issues that block porting regression tests so this could happen asap.
> ACTION: Patrik will ask Lars to do some benchmarking. Sara asks to be involved in this so there is no duplication of effort.

The need for testing resources on 2.0 was identified in order to ensure the interface is as compatible as possible with 1.4 and to support the migration of the existing regression tests.

> ACTION: Olaf wants to keep a 'usability discussion' as a running agenda item, to see if we can improve usability and Sara can report what the current usability issues are.
> ACTION: Sara will set up a wiki page where users can contribute usability scripts and she will email users to request input on usability issues they find they currently have to work around.

There was an in-depth discussion about understanding the strategy for usability improvements in the OAB. It was also clear from talking to users at the 'Meet and greet' that many consider usability and better monitoring tools a higher priority than additional functionality, so we will request more input from users on the specific usability features they would like.

> ACTION: Development team will focus on firstly releasing a 2.0 enforcer-ng with same functionality as 1.4 but with improved performance.

This means that the new functionality will not necessarily be exposed in the first release (the new features should not block the release but could go out if they are ready). The plan would be to add all remaining new features in 2.1, 2.2 as they are tested. The team will work towards a release strategy for 2.0 based on this approach.

> ACTION: Sara will update the Roadmap web pages and remove 2.1 and 2.x tags. We will just mark the items for a future release and plan to do more smaller releases as features are ready.

The general feeling was to avoid an 'all or nothing' approach with enforcer-ng which might lead to a very long release cycle. Also, splitting the release up would allow us more flexibility to implement usability improvements (alongside enforcer-ng functionality) if these were seen as high priority.

> ACTION: Kirei/.se to investigate if they can contribute testing resources to SoftHSM v2 beta testing

From rick at openfortress.nl Tue May 21 05:57:26 2013
From: rick at openfortress.nl (Rick van Rein (OpenFortress))
Date: Tue, 21 May 2013 07:57:26 +0200
Subject: [Opendnssec-develop] Fwd: Minutes and Actions from RIPE 66
In-Reply-To: <00B4D520-6EC6-424B-BC0D-6FEFAF2F23EC@sinodun.com>
References: <00B4D520-6EC6-424B-BC0D-6FEFAF2F23EC@sinodun.com>

Hey Sara and others,

> The minutes from the developers workshop are also available for review:

Thanks.

Textual: Should "a minor version bump (to 1.5) under the new policy" be "...under the current policy"?

On the contents: It's a pity that the version policy doesn't state "when the same options are used, the new feature must not lead to different behaviour". Shouldn't that have been part of the solution?
On the contents of views: The uniqueness of zone names may well be assumed "at a low level in the code", but note that no implications follow from it; specifically, I doubt if it is assumed that the string represents a DNS zone. It should be possible to introduce a special format that is the functional equivalent of the tuple that should replace the zone name string, for instance "openfortress.nl@internal" -- all that seems to be required is that the signer strips off this "@" part when generating signatures and files. Surrounding tooling should set up such a view in a different in/out location, of course.

Thanks,
-Rick

From matthijs at nlnetlabs.nl Tue May 21 08:15:34 2013
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Tue, 21 May 2013 10:15:34 +0200
Subject: [Opendnssec-develop] Fwd: Minutes and Actions from RIPE 66
References: <00B4D520-6EC6-424B-BC0D-6FEFAF2F23EC@sinodun.com>
Message-ID: <519B2D26.2080200@nlnetlabs.nl>

On 05/21/2013 07:57 AM, Rick van Rein (OpenFortress) wrote:
> Hey Sara and others,
>
>> The minutes from the developers workshop are also available for
>> review:
>
> Thanks.
>
> Textual: Should "a minor version bump (to 1.5) under the new policy"
> be "...under the current policy"?

To my understanding this should indeed read as "under the current policy".

> On the contents: It's a pity that the version policy doesn't state
> "when the same options are used, the new feature must not lead to
> different behaviour". Shouldn't that have been part of the
> solution?

We have agreed on that during the meetings. And I agree that we should add such text to the wiki.

> On the contents of views: The uniqueness of zone names may well be
> assumed "at a low level in the code", but note that no implications
> follow from it; specifically, I doubt if it is assumed that the
> string represents a DNS zone. It should be possible to introduce a
> special format that is the functional equivalent of the
> tuple that should replace the zone name string, for instance
> "openfortress.nl@internal" -- all that seems to be required is that
> the signer strips off this "@" part when generating signatures and
> files. Surrounding tooling should set up such a view in a different
> in/out location, of course.

I was thinking of such an approach too during the Dublin meeting, but it is just reflecting the pain to some other part. The signer uses the zone name internally as the zone identifier; it can look up zones by the string representation of a name, or the domain name itself. The latter functionality should be adjusted to support views. It is doable, though it is some more work than expected, and I am not sure about how the enforcer-ng should be adapted.

Best regards,
Matthijs

> Thanks, -Rick

From matthijs at nlnetlabs.nl Tue May 21 08:50:01 2013
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Tue, 21 May 2013 10:50:01 +0200
Subject: [Opendnssec-develop] Introducing Hosnieh
Message-ID: <519B3539.6090801@nlnetlabs.nl>

Hi,

Meet Hosnieh Rafiee. She is a PhD at Potsdam university, Berlin and is doing a project in collaboration with NLnet Labs relating to CGA-TSIG [1]. CGA-TSIG can be used for example to secure Dynamic Update. The project aims to implement Dynamic Update Adapters for OpenDNSSEC with CGA-TSIG support.

Sion, can you add Hosnieh to the developers mailing list?

Jerry, can you get Hosnieh access to the repository?

Hosnieh, feel free to tell more about yourself to the team.
Best regards,
Matthijs

[1] http://datatracker.ietf.org/doc/draft-rafiee-intarea-cga-tsig/

From rafiee at hpi.uni-potsdam.de Tue May 21 09:42:34 2013
From: rafiee at hpi.uni-potsdam.de (Rafiee, Hosnieh)
Date: Tue, 21 May 2013 09:42:34 +0000
Subject: [Opendnssec-develop] RE: Introducing Hosnieh
In-Reply-To: <519B3539.6090801@nlnetlabs.nl>
References: <519B3539.6090801@nlnetlabs.nl>
Message-ID: <8EBBE4774B42FC45BA1143BE7F3F5A0F02C8E0@MXMA2012.hpi.uni-potsdam.de>

Matthijs, thank you for your virtual introduction :-)

Hi Jerry, Hi Sion. Nice to meet you. As Matthijs already explained, I am doing my PhD at Hasso Plattner Institute, University of Potsdam, Germany. As my topic is privacy in IPv6 networks, I did and am doing research in various areas (application layer, network layer services). One of the important services that I focused on is DNS and secure authentication in DNS. This is why I wrote that draft. Of course the new version will be coming soon :-). During my research about DNS, I read some RFCs and thought that I can also improve the current standards in the IETF; this is why I joined the IETF last year and try to be an active member there.

About programming, I have had several years of experience in development with .NET technology and have worked as a Linux and Windows administrator. I also have experience with C++; of course, this does not mean that I did nothing with C.

My other activities are teaching at the university. Currently I am involved in teaching a master seminar course. It is about penetrating and securing IPv6 networks. A group of my students are now working on DNS attacks, which is really cool, because later we can test this tool against any DNS implementations. I also established an IPv6 lab at my institute. I will probably show a demo at the German IPv6 congress, http://www.ipv6-kongress.de/events/ipv6-kongress/Programm-vorlaeufig.html .

Finally, I hope that my contribution with you all can lead to several positive results. This is actually my goal.

I think it was more than a short introduction.

Best Regards,
Hosnieh

From sara at sinodun.com Mon May 27 09:04:13 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 27 May 2013 10:04:13 +0100
Subject: [Opendnssec-develop] RE: Team meeting - Tuesday 28 May @ 14:00 CET

Hi All,

We have a team meeting tomorrow:

Date: Tuesday 28 May 2013
Time: 14:00-15:00 CET, 13:00-14:00 GMT
Method: Google+
Agenda: https://wiki.opendnssec.org/display/OpenDNSSEC/2013-05-28+Agenda

Sara.
From sara at sinodun.com Mon May 27 10:15:21 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 27 May 2013 11:15:21 +0100
Subject: [Opendnssec-develop] RE: Introducing Hosnieh
In-Reply-To: <8EBBE4774B42FC45BA1143BE7F3F5A0F02C8E0@MXMA2012.hpi.uni-potsdam.de>
References: <519B3539.6090801@nlnetlabs.nl> <8EBBE4774B42FC45BA1143BE7F3F5A0F02C8E0@MXMA2012.hpi.uni-potsdam.de>
Message-ID: <1ACB2E17-69BB-4E7A-A81D-3495890555FD@sinodun.com>

Hosnieh,

Sorry for a late response - I was out of the office last week. Welcome! We look forward to working with you.

Sara.

From rafiee at hpi.uni-potsdam.de Mon May 27 10:40:57 2013
From: rafiee at hpi.uni-potsdam.de (Rafiee, Hosnieh)
Date: Mon, 27 May 2013 10:40:57 +0000
Subject: [Opendnssec-develop] No write access to my home folder
Message-ID: <8EBBE4774B42FC45BA1143BE7F3F5A0F02FD77@MXMA2012.hpi.uni-potsdam.de>

Hello,

Unfortunately I do not have write permission to my home folder, "hosnieh". Would someone check this please.
Thank you,

Best Regards,
Hosnieh

From jerry at opendnssec.org Mon May 27 11:22:57 2013
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 27 May 2013 13:22:57 +0200
Subject: [Opendnssec-develop] Maintenance of dist.opendnssec.org and SVN today Monday 14:30 - 15:00 CET

Hi,

Yet again, I would like to do some maintenance work on the servers here at .SE so please don't use SVN during this time.

/Jerry

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From jerry at opendnssec.org Mon May 27 12:57:10 2013
From: jerry at opendnssec.org (Jerry Lundström)
Date: Mon, 27 May 2013 14:57:10 +0200
Subject: [Opendnssec-develop] Re: Maintenance of dist.opendnssec.org and SVN today Monday 14:30 - 15:00 CET

On May 27, 2013, at 13:22 , Jerry Lundström wrote:

> Yet again, I would like to do some maintenance work on the servers here at .SE so please don't use SVN during this time.

Work is done, feel free to use SVN again.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
From sara at sinodun.com Mon May 27 13:54:31 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Mon, 27 May 2013 14:54:31 +0100
Subject: [Opendnssec-develop] Fwd: Minutes and Actions from RIPE 66
In-Reply-To: <519B2D26.2080200@nlnetlabs.nl>
References: <00B4D520-6EC6-424B-BC0D-6FEFAF2F23EC@sinodun.com> <519B2D26.2080200@nlnetlabs.nl>
Message-ID: <40656BDA-AB9C-487B-A52B-2B7ED7F27952@sinodun.com>

On 21 May 2013, at 09:15, Matthijs Mekking wrote:

> On 05/21/2013 07:57 AM, Rick van Rein (OpenFortress) wrote:
>>
>> Textual: Should "a minor version bump (to 1.5) under the new policy"
>> be "...under the current policy"?
>
> To my understanding this should indeed read as "under the current policy".

Updated in the minutes :-)

>> On the contents: It's a pity that the version policy doesn't state
>> "when the same options are used, the new feature must not lead to
>> different behaviour". Shouldn't that have been part of the
>> solution?
>
> We have agreed on that during the meetings. And I agree that we should
> add such text to the wiki.

I have created a draft version of an updated policy page. If you use this link it will show the diff:

https://wiki.opendnssec.org/pages/diffpagesbyversion.action?pageId=3212272&selectedPageVersions=2&selectedPageVersions=1

Sara.

From rick at openfortress.nl Mon May 27 13:59:53 2013
From: rick at openfortress.nl (Rick van Rein (OpenFortress))
Date: Mon, 27 May 2013 15:59:53 +0200
Subject: [Opendnssec-develop] Fwd: Minutes and Actions from RIPE 66
In-Reply-To: <40656BDA-AB9C-487B-A52B-2B7ED7F27952@sinodun.com>
References: <00B4D520-6EC6-424B-BC0D-6FEFAF2F23EC@sinodun.com> <519B2D26.2080200@nlnetlabs.nl> <40656BDA-AB9C-487B-A52B-2B7ED7F27952@sinodun.com>
Message-ID: <57D96B4F-287F-49F2-92F5-89F3909A235C@openfortress.nl>

Hi Sara,

> I have created a draft version of an updated policy page. If you use this link it will show the diff:
>
> https://wiki.opendnssec.org/pages/diffpagesbyversion.action?pageId=3212272&selectedPageVersions=2&selectedPageVersions=1

Thanks. I think the following,

> - Only backwards compatible bug fixes (these may include new command line utility options but will not change behaviour for existing option).

should not suggest it is only to fix bugs and add a side-remark in brackets, but specifically mention the inclusion of new options as possible,

> - Backwards compatible bug fixes, new command line utility options that will not change behaviour for existing option.

This would help with new features that we've seen take very long to introduce in the past.

-Rick

From jakob at kirei.se Tue May 28 06:09:19 2013
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 28 May 2013 08:09:19 +0200
Subject: [Opendnssec-develop] Team meeting - Tuesday 28 May @ 14:00 CET

On 27 May 2013, at 11:04, Sara Dickinson wrote:

> Time: 14:00-15:00 CET, 13:00-14:00 GMT

Are you sure this is correct? Isn't it really:

14:00-15:00 CEST, 13:00-14:00 BST, 12:00-13:00 GMT ?

jakob

--
Jakob Schlyter
Kirei AB - www.kirei.se

From sara at sinodun.com Tue May 28 08:31:33 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 28 May 2013 09:31:33 +0100
Subject: [Opendnssec-develop] Team meeting - Tuesday 28 May @ 14:00 CET
Message-ID: <9DE2EBD5-C14F-4519-9286-CDEA7136BE20@sinodun.com>

On 28 May 2013, at 07:09, Jakob Schlyter wrote:

> On 27 May 2013, at 11:04, Sara Dickinson wrote:
>
>> Time: 14:00-15:00 CET, 13:00-14:00 GMT
>
> Are you sure this is correct? Isn't it really:
>
> 14:00-15:00 CEST, 13:00-14:00 BST, 12:00-13:00 GMT ?

Yikes - who knew a copy/paste error would almost lead to a rift in the space time continuum... :-)

I defer to the World clock: http://www.timeanddate.com/worldclock/meetingdetails.html?year=2013&month=5&day=28&hour=12&min=0&sec=0&p1=136&p2=16&p3=239

Sara.
From jakob at kirei.se Tue May 28 12:00:36 2013
From: jakob at kirei.se (Jakob Schlyter)
Date: Tue, 28 May 2013 14:00:36 +0200
Subject: [Opendnssec-develop] SoftHSMv2 now at github

The code repository for (the still unreleased) SoftHSMv2 has now been migrated to git and published at github. Please find the code at:

- https://github.com/opendnssec/SoftHSMv2

Issue tracking will be handled by issues.opendnssec.org as before. We are considering migrating other parts of the project as well. If you have any feedback, please let us know.

jakob

From sara at sinodun.com Tue May 28 13:51:06 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Tue, 28 May 2013 14:51:06 +0100
Subject: Fwd: [Opendnssec-develop] RE: Team meeting - Tuesday 28 May @ 14:00 CET

Hi All,

Minutes from the meeting today are available online for review:

https://wiki.opendnssec.org/display/OpenDNSSEC/2013-05-28+Minutes

Sara.