From sara at sinodun.com Wed Jun 19 10:58:50 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Wed, 19 Jun 2013 11:58:50 +0100
Subject: [Opendnssec-maintainers] RE: 1.4.1 release candidate
Message-ID:

All,

Version 1.4.1rc1 of OpenDNSSEC is now available. This is a release candidate for testing purposes:

OpenDNSSEC 1.4.1rc1 - 2013-06-19
------------------------------------------------------

Updates:
* SUPPORT-58: Extend ods-signer sign with --serial so that the user can specify the SOA serial to use in the signed zone [OPENDNSSEC-401].
* OPENDNSSEC-91: Make the keytype flag required when rolling keys

Bugfixes:
* SUPPORT-60: Fix datecounter in case inbound serial is higher than outbound serial [OPENDNSSEC-420].
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA Minimum change.
* OPENDNSSEC-421: Signer Engine: Fix assertion error in case NSEC3 hash algorithm in signconf is not SHA1.
* OPENDNSSEC-421: ods-kaspcheck: Check whether NSEC3 hash algorithm in kasp is valid.
* Bugfix: The time when inbound serial is acquired was reset invalidly, could cause OpenDNSSEC wanting AXFR responses while requesting IXFR (thanks Stuart Lau).
* Bugfix: Fix malform in Outbound IXFR/TCP subsequent packet (thanks Stuart Lau).
* OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly when rolling all keys using the --policy option

Downloads:
* https://dist.opendnssec.org/source/testing/opendnssec-1.4.1rc1.tar.gz
* https://dist.opendnssec.org/source/testing/opendnssec-1.4.1rc1.tar.gz.sig
* Checksum sha1: b19e80d4ab9b93c3a34cb9858241716ee67ad85d
* Checksum sha256: b6728d2bafe3e5678e1f1676d165d78e0812e4f2896fac0fe3bbe8267e8e841a

A full 1.4.1 release is planned for Wednesday 26th June.
//OpenDNSSEC team

From pwouters at redhat.com Wed Jun 19 17:44:02 2013
From: pwouters at redhat.com (Paul Wouters)
Date: Wed, 19 Jun 2013 13:44:02 -0400
Subject: [Opendnssec-maintainers] RE: 1.4.1 release candidate
In-Reply-To:
References:
Message-ID: <51C1EDE2.5070801@redhat.com>

On 06/19/2013 06:58 AM, Sara Dickinson wrote:
> All,
>
> Version 1.4.1rc1 of OpenDNSSEC is now available. This is a release candidate for testing purposes:

Compiled and packaged with no problems. Running a private rpm build on nohats.ca, which seems to work fine, although the upgrade caused me to have two ods-signerd sets running and I had to manually kill one set. I'll keep an eye out for any problems in the next few days.

Paul

From matthijs at nlnetlabs.nl Thu Jun 20 07:38:49 2013
From: matthijs at nlnetlabs.nl (Matthijs Mekking)
Date: Thu, 20 Jun 2013 09:38:49 +0200
Subject: [Opendnssec-maintainers] RE: 1.4.1 release candidate
In-Reply-To: <51C1EDE2.5070801@redhat.com>
References: <51C1EDE2.5070801@redhat.com>
Message-ID: <51C2B189.2080002@nlnetlabs.nl>

Hi Paul,

On 06/19/2013 07:44 PM, Paul Wouters wrote:
> On 06/19/2013 06:58 AM, Sara Dickinson wrote:
>> All,
>>
>> Version 1.4.1rc1 of OpenDNSSEC is now available. This is a release candidate for testing purposes:
>
> Compiled and packaged with no problems. Running a private rpm build on nohats.ca, which seems to work fine, although the upgrade caused me to have two
> ods-signerd sets running and I had to manually kill one set. I'll keep an eye out for any problems in the next few days.

The signer does have some code to detect whether a different signer process is already running. Could you elaborate a bit more on what your upgrade (which commands) looks like?
Best regards,
Matthijs

>
> Paul
>
> _______________________________________________
> Opendnssec-maintainers mailing list
> Opendnssec-maintainers at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-maintainers
>

From jerry at opendnssec.org Thu Jun 20 07:55:44 2013
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 20 Jun 2013 09:55:44 +0200
Subject: [Opendnssec-maintainers] 1.4.1 release candidate
In-Reply-To: <51C2B189.2080002@nlnetlabs.nl>
References: <51C1EDE2.5070801@redhat.com> <51C2B189.2080002@nlnetlabs.nl>
Message-ID:

On Jun 20, 2013, at 09:38 , Matthijs Mekking wrote:

> On 06/19/2013 07:44 PM, Paul Wouters wrote:
>>
>> Compiled and packaged with no problems. Running a private rpm build on nohats.ca, which seems to work fine, although the upgrade caused me to have two
>> ods-signerd sets running and I had to manually kill one set. I'll keep an eye out for any problems in the next few days.
>
> The signer does have some code to detect whether a different signer
> process is already running. Could you elaborate a bit more on what your
> upgrade (which commands) looks like?

This is most likely a problem with the package rather than OpenDNSSEC. The package needs to handle an upgrade, shutting down all services before installing the new software and then starting it up again afterwards.

--
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/

From pwouters at redhat.com Thu Jun 20 14:10:36 2013
From: pwouters at redhat.com (Paul Wouters)
Date: Thu, 20 Jun 2013 10:10:36 -0400
Subject: [Opendnssec-maintainers] 1.4.1 release candidate
In-Reply-To:
References: <51C1EDE2.5070801@redhat.com> <51C2B189.2080002@nlnetlabs.nl>
Message-ID: <51C30D5C.9070904@redhat.com>

On 06/20/2013 03:55 AM, Jerry Lundström wrote:
> On Jun 20, 2013, at 09:38 , Matthijs Mekking wrote:
>
>> On 06/19/2013 07:44 PM, Paul Wouters wrote:
>>>
>>> Compiled and packaged with no problems.
>>> Running a private rpm build on nohats.ca, which seems to work fine, although the upgrade caused me to have two
>>> ods-signerd sets running and I had to manually kill one set. I'll keep an eye out for any problems in the next few days.
>>
>> The signer does have some code to detect whether a different signer
>> process is already running. Could you elaborate a bit more on what your
>> upgrade (which commands) looks like?
>
>
> This is most likely a problem with the package rather than OpenDNSSEC. The package needs to handle an upgrade, shutting down all services before installing the new software and then starting it up again afterwards.

It does that:

%postun
if [ "$1" -ge "1" ]; then
    ods-ksmutil update all ||: >/dev/null 2>/dev/null
    /sbin/service ods-enforcerd condrestart >/dev/null 2>&1 || :
    /sbin/service ods-signerd condrestart >/dev/null 2>&1 || :
fi

Paul

From jerry at opendnssec.org Thu Jun 20 14:39:56 2013
From: jerry at opendnssec.org (Jerry Lundström)
Date: Thu, 20 Jun 2013 16:39:56 +0200
Subject: [Opendnssec-maintainers] 1.4.1 release candidate
In-Reply-To: <28182112.10309.1371738410020.JavaMail.mobile-sync@vcat18>
References: <51C1EDE2.5070801@redhat.com> <51C2B189.2080002@nlnetlabs.nl> <28182112.10309.1371738410020.JavaMail.mobile-sync@vcat18>
Message-ID: <-3166206388093331356@unknownmsgid>

On 20 jun 2013, at 16:10, Paul Wouters wrote:

> %postun
> if [ "$1" -ge "1" ]; then
>     ods-ksmutil update all ||: >/dev/null 2>/dev/null
>     /sbin/service ods-enforcerd condrestart >/dev/null 2>&1 || :
>     /sbin/service ods-signerd condrestart >/dev/null 2>&1 || :
> fi

So it is updating the new software and triggering a configuration update while the old software is running?
If so, please change to:

%prerun
- on update
  - stop services
  - wait for services to really exit, check pids or something

%postrun
- on update
  - do database updates if needed
  - issue config update (ksmutil, etc)
  - start services

/Jerry

From pwouters at redhat.com Thu Jun 20 14:51:22 2013
From: pwouters at redhat.com (Paul Wouters)
Date: Thu, 20 Jun 2013 10:51:22 -0400
Subject: [Opendnssec-maintainers] 1.4.1 release candidate
In-Reply-To: <51C30D5C.9070904@redhat.com>
References: <51C1EDE2.5070801@redhat.com> <51C2B189.2080002@nlnetlabs.nl> <51C30D5C.9070904@redhat.com>
Message-ID: <51C316EA.80504@redhat.com>

On 06/20/2013 10:10 AM, Paul Wouters wrote:

> %postun
> if [ "$1" -ge "1" ]; then
>     ods-ksmutil update all ||: >/dev/null 2>/dev/null
>     /sbin/service ods-enforcerd condrestart >/dev/null 2>&1 || :
>     /sbin/service ods-signerd condrestart >/dev/null 2>&1 || :
> fi

I guess I should elaborate, as we don't use the ods-control script as that starts two services....

ods-signerd initscript has:

    condrestart)
        [ -f /var/lock/subsys/ods-signerd ] && restart || :
        ;;

and:

    restart() {
        stop
        start
    }

stop runs:

    /usr/sbin/ods-signer stop

which seems to work manually. If it fails with a non-zero exit code, it then sends a HUP signal to ods-signerd as well.
Note that my test machine has no large zones, so it could not be a delay from being busy

Paul

From pwouters at redhat.com Thu Jun 20 14:54:20 2013
From: pwouters at redhat.com (Paul Wouters)
Date: Thu, 20 Jun 2013 10:54:20 -0400
Subject: [Opendnssec-maintainers] 1.4.1 release candidate
In-Reply-To: <-3166206388093331356@unknownmsgid>
References: <51C1EDE2.5070801@redhat.com> <51C2B189.2080002@nlnetlabs.nl> <28182112.10309.1371738410020.JavaMail.mobile-sync@vcat18> <-3166206388093331356@unknownmsgid>
Message-ID: <51C3179C.6010802@redhat.com>

On 06/20/2013 10:39 AM, Jerry Lundström wrote:
> On 20 jun 2013, at 16:10, Paul Wouters wrote:
>
>> %postun
>> if [ "$1" -ge "1" ]; then
>>     ods-ksmutil update all ||: >/dev/null 2>/dev/null
>>     /sbin/service ods-enforcerd condrestart >/dev/null 2>&1 || :
>>     /sbin/service ods-signerd condrestart >/dev/null 2>&1 || :
>> fi
>
> So it is updating the new software and triggering a configuration
> update while the old software is running?

No, see:

https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Scriptlet_Ordering

The %postun of the old package is run, but using the newly installed package binaries.

Paul

From sara at sinodun.com Thu Jun 27 11:06:52 2013
From: sara at sinodun.com (Sara Dickinson)
Date: Thu, 27 Jun 2013 12:06:52 +0100
Subject: [Opendnssec-maintainers] OpenDNSSEC 1.4.1
Message-ID: <322E17E6-A7F6-4E2D-A325-B8FEEB2AF7C0@sinodun.com>

All,

Version 1.4.1 of OpenDNSSEC has now been released. This is the latest stable release.

Updates:
* SUPPORT-58: Extend ods-signer sign with --serial so that the user can specify the SOA serial to use in the signed zone [OPENDNSSEC-401].
* OPENDNSSEC-91: Make the keytype flag required when rolling keys

Bugfixes:
* SUPPORT-60: Fix datecounter in case inbound serial is higher than outbound serial [OPENDNSSEC-420].
* OPENDNSSEC-247: Signer Engine: TTL on NSEC3 was not updated on SOA Minimum change.
* OPENDNSSEC-421: Signer Engine: Fix assertion error in case NSEC3 hash algorithm in signconf is not SHA1.
* OPENDNSSEC-421: ods-kaspcheck: Check whether NSEC3 hash algorithm in kasp is valid.
* Bugfix: The time when inbound serial is acquired was reset invalidly, could cause OpenDNSSEC wanting AXFR responses while requesting IXFR (thanks Stuart Lau).
* Bugfix: Fix malform in Outbound IXFR/TCP subsequent packet (thanks Stuart Lau).
* OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly when rolling all keys using the --policy option

Documentation:
* http://wiki.opendnssec.org/display/DOCS

Download:
* http://dist.opendnssec.org/source/opendnssec-1.4.1.tar.gz
* http://dist.opendnssec.org/source/opendnssec-1.4.1.tar.gz.sig
* Checksum sha1: 90020d343456af0846b13c951a6a914109cb5d22
* Checksum sha256: 7795ba9f98f9c8292d5f9f9d6ffbf88352a6f77986f43acc1a30141f6027cc82

//OpenDNSSEC team
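
The "stop services, wait for services to really exit, check pids" step suggested earlier in this thread, sketched as a POSIX shell function. This is an added example, not code from the thread or from the OpenDNSSEC packaging: the function names, the pidfile argument and the timeout are assumptions, and only the `/usr/sbin/ods-signer stop` command in the closing comment comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): stop a daemon and confirm it has
# exited before an upgrade scriptlet continues. Function names, the pidfile
# argument and the timeout are assumptions made for this sketch.

# pid_alive PID: succeeds only while PID exists and has not already exited.
pid_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    # A zombie still answers kill -0 although it has exited (Linux /proc).
    if [ -r "/proc/$1/stat" ]; then
        case "$(cat "/proc/$1/stat" 2>/dev/null)" in
            *") Z "*) return 1 ;;
        esac
    fi
    return 0
}

# stop_and_wait PIDFILE TIMEOUT_SECONDS STOP_COMMAND [ARGS...]
# Returns 0 when no process is left, 1 when it is still running after the
# timeout, 2 when the pidfile does not hold a plain numeric PID.
stop_and_wait() {
    pidfile=$1
    timeout=$2
    shift 2
    [ -f "$pidfile" ] || return 0       # nothing recorded as running
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) return 2 ;;        # never act on a malformed PID
    esac
    "$@" >/dev/null 2>&1 || :           # ask the daemon to stop
    waited=0
    while pid_alive "$pid"; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Use in a pre-upgrade scriptlet (the pidfile path is a placeholder):
#   stop_and_wait /path/to/signerd.pid 30 /usr/sbin/ods-signer stop || exit 1
```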