[Opendnssec-user] Little Problems with OpenDNSSEC

Craig Whitmore lennon at orcon.net.nz
Tue Jun 21 23:17:58 UTC 2011


I have used opendnssec for a week or so but still have some issues. I think
I am missing one thing to get it all going.
* It doesn't fetch the zone when I add it.
* It doesn't make active KSKs.
* Using default policy (as installed from apt-get install opendnssec from
PPAs on opendnssec's website).
# ods-ksmutil zone add --zone spam.co.nz
zonelist filename set to /etc/opendnssec/zonelist.xml.
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Imported zone: spam.co.nz

# ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Found Zone: spam.co.nz; on policy default

But the fetcher doesn't start up to fetch the file.

If I run pdns_control notify-host spam.co.nz 114.23.20.4, opendnssec complains:

Jun 22 10:54:45 opendnssec ods-signerd: zone fetcher notify received for unknown zone: spam.co.nz.

# ods-ksmutil key list
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:

Now if I run ods-control stop; ods-control start:

# ods-ksmutil key list
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:
spam.co.nz                      KSK           publish   2011-06-23 00:58:28
spam.co.nz                      ZSK           active    2011-07-22 10:58:28

And there is a file called spam.co.nz in /var/lib/opendnssec/signed.

And if I run pdns_control again:

Jun 22 11:00:49 opendnssec ods-signerd: zone fetcher received NOTIFY for zone spam.co.nz
Jun 22 11:00:49 opendnssec ods-signerd: zone fetcher transferred zone spam.co.nz serial 1308697239 successfully
Jun 22 11:00:49 opendnssec ods-signerd: cmdhandler: zone spam.co.nz scheduled for immediate re-sign
Jun 22 11:00:49 opendnssec ods-auditor[23029]: Auditor started
Jun 22 11:00:49 opendnssec ods-auditor[23029]: Auditor starting on spam.co.nz
Jun 22 11:00:49 opendnssec ods-auditor[23029]: SOA differs : from 1308697239 to 1308697249
Jun 22 11:00:49 opendnssec ods-auditor[23029]: Auditing spam.co.nz zone : NSEC3 SIGNED
Jun 22 11:00:50 opendnssec ods-auditor[23029]: Finished auditing spam.co.nz zone

It signs OK and runs <NotifyCommand>/archives/reloadnamed.pl</NotifyCommand> OK.

But the KSK is not active.

# ods-ksmutil key list
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:
spam.co.nz                      KSK           publish   2011-06-23 00:58:28
spam.co.nz                      ZSK           active    2011-07-22 10:58:28

So no DS shows:

# ods-ksmutil key export --zone spam.co.nz --ds
SQLite database set to: /var/lib/opendnssec/db/kasp.db

# ods-ksmutil key list --verbose
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
spam.co.nz                      KSK           publish   2011-06-23 00:58:28       8e27b9f2560825f70d8640017e091b06  SoftHSM      54437
spam.co.nz                      ZSK           active    2011-07-22 10:58:28       0fbf4ec5ea8b25e772196946e46af700  SoftHSM      8839


When running ksm-enforcer -1:

Jun 22 11:13:48 opendnssec ods-enforcerd: opendnssec starting...
Jun 22 11:13:48 opendnssec ods-enforcerd: opendnssec Parent exiting...
Jun 22 11:13:48 opendnssec ods-enforcerd: opendnssec forked OK...
Jun 22 11:13:48 opendnssec ods-enforcerd: group set to: opendnsec (0)
Jun 22 11:13:48 opendnssec ods-enforcerd: user set to: opendnsec (0)
Jun 22 11:13:48 opendnssec ods-enforcerd: opendnssec started (version 1.2.1), pid 23063
Jun 22 11:13:48 opendnssec ods-enforcerd: HSM opened successfully.
Jun 22 11:13:48 opendnssec ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Jun 22 11:13:48 opendnssec ods-enforcerd: Reading config schema "/usr/share/opendnssec/conf.rng"
Jun 22 11:13:48 opendnssec ods-enforcerd: Communication Interval: 3600
Jun 22 11:13:48 opendnssec ods-enforcerd: No DS Submit command supplied
Jun 22 11:13:48 opendnssec ods-enforcerd: SQLite database set to: /var/lib/opendnssec/db/kasp.db
Jun 22 11:13:48 opendnssec ods-enforcerd: Log User set to: local0
Jun 22 11:13:48 opendnssec ods-enforcerd: Switched log facility to: local0
Jun 22 11:13:48 opendnssec ods-enforcerd: Connecting to Database...
Jun 22 11:13:48 opendnssec ods-enforcerd: Policy default found.
Jun 22 11:13:48 opendnssec ods-enforcerd: Key sharing is Off.
Jun 22 11:13:48 opendnssec ods-enforcerd: Purging keys...
Jun 22 11:13:48 opendnssec ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Jun 22 11:13:48 opendnssec ods-enforcerd: Zone spam.co.nz found.
Jun 22 11:13:48 opendnssec ods-enforcerd: Policy for spam.co.nz set to default.
Jun 22 11:13:48 opendnssec ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/spam.co.nz.xml.
Jun 22 11:13:48 opendnssec ods-enforcerd: WARNING: KSK rollover for zone 'spam.co.nz' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
Jun 22 11:13:48 opendnssec ods-enforcerd: No change to: /var/lib/opendnssec/signconf/spam.co.nz.xml
Jun 22 11:13:48 opendnssec ods-enforcerd: Disconnecting from Database...
Jun 22 11:13:48 opendnssec ods-enforcerd: Running once only, exiting...
Jun 22 11:13:48 opendnssec ods-enforcerd: all done! hsm_close result: 0


Thanks
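The enforcer warning above ties the missing DS to the KSK state: a zone whose only KSK is still in 'publish' has nothing to hand to the parent yet. The following added example (not from the post or from OpenDNSSEC) parses `ods-ksmutil key list --verbose` output as shown above and reports, per zone, whether a KSK has reached a DS-eligible state; it assumes, for this example, that 'ready' or 'active' is the state in which a DS can be exported, and the sample listing is constructed from the values in the post.

```python
"""Parse `ods-ksmutil key list --verbose` output and flag zones whose KSK
has not reached a DS-eligible state. Added example; not OpenDNSSEC code."""
import re
from collections import defaultdict

# Constructed sample shaped like the verbose listing in the post
# (one record per line; the mail client wrapped the original lines).
SAMPLE = """\
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
spam.co.nz                      KSK           publish   2011-06-23 00:58:28       8e27b9f2560825f70d8640017e091b06  SoftHSM      54437
spam.co.nz                      ZSK           active    2011-07-22 10:58:28       0fbf4ec5ea8b25e772196946e46af700  SoftHSM      8839
"""

# Zone, key type, state and next-transition timestamp are always present;
# CKA_ID, repository and keytag only appear with --verbose.
KEY_LINE = re.compile(
    r"^(?P<zone>\S+)\s+(?P<ktype>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<next>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?:\s+(?P<cka>[0-9a-f]{32})\s+(?P<repo>\S+)\s+(?P<tag>\d+))?\s*$"
)

# Assumption for this example: a KSK in one of these states can yield a DS.
DS_ELIGIBLE = ("ready", "active")


def parse_key_list(text):
    """Return one dict per key record; header and database lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["tag"] = int(rec["tag"]) if rec["tag"] else None
            keys.append(rec)
    return keys


def ds_status(keys):
    """Map zone -> 'ok' if any KSK is DS-eligible, else 'waiting: <states>'
    (the situation the enforcer reports as no keys in the 'ready' state)."""
    ksk_states = defaultdict(list)
    for k in keys:
        if k["ktype"] == "KSK":
            ksk_states[k["zone"]].append(k["state"])
    return {
        zone: "ok" if any(s in DS_ELIGIBLE for s in states)
        else "waiting: " + ",".join(states)
        for zone, states in ksk_states.items()
    }
```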
