[Opendnssec-user] Old policies in database
Casper Gielen
C.Gielen at uvt.nl
Fri Nov 18 09:26:07 UTC 2011
Hello,
I just discovered that there are a number of old policies in the database that are no longer in kasp.xml:
# grep name /etc/opendnssec/kasp.xml
<Policy name="uvtonly">
<Policy name="fulldnssec">
<Policy name="testshort">
# ods-ksmutil policy list
Policies:
Name:           Description:
default         A default ...
fulldnssec      Policy voor ....
nostandby       Policy without...
nostandbykeys   Policy without...
testshort       Test policy for ....
uvtonly         Zones that ...
I wanted to remove the 'default' policy to ensure that every zone has a purposefully
selected policy instead of the lazy default. But a test shows that the 'default' policy
is still usable:
# ods-ksmutil zone list |grep default
Found Zone: uvttestexample.com; on policy default
Unfortunately the 'default' zone is still in the database and it will be used when asked to:
root at metagross:~# ods-ksmutil key list --zone uvttestexample.com
Keys:
Zone: Keytype: State: Date of next transition:
uvttestexample.com ZSK active 2011-12-18 10:05:19
uvttestexample.com KSK publish 2011-11-18 12:35:19
No other zone uses the "default" policy.
Here are some (slightly cleaned) logs:
Nov 18 10:05:19 metagross ods-enforcerd: Zone uvttestexample.com found.
Nov 18 10:05:19 metagross ods-enforcerd: Policy for uvttestexample.com set to default.
Nov 18 10:05:19 metagross ods-enforcerd: Policy default found in DB.
Nov 18 10:05:19 metagross ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/uvttestexample.com.xml.
Nov 18 10:05:19 metagross ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Nov 18 10:05:19 metagross ods-signerd: [cmdhandler] received command update uvttestexample.com[25]
Nov 18 10:05:19 metagross ods-signerd: [worker[4]] load signconf for zone uvttestexample.com
Nov 18 10:05:19 metagross ods-signerd: [signconf] zone uvttestexample.com signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT604800S] DENIAL[PT604800S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter] AUDIT[1]
Nov 18 10:05:19 metagross ods-signerd: [zone] zone uvttestexample.com set DNSKEY TTL to 3600
Nov 18 10:05:19 metagross ods-signerd: [zone] zone uvttestexample.com set DNSKEY TTL to 3600
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] read zone uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [adapter] read zone uvttestexample.com from file input adapter /var/lib/opendnssec/unsigned/uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [zone] zone uvttestexample.com set SOA TTL to 3600
Nov 18 10:05:20 metagross ods-signerd: [zone] zone uvttestexample.com set SOA MINIMUM to 3600
Nov 18 10:05:20 metagross ods-signerd: [tools] commit updates for zone uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] nsecify zone uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] sign zone uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] audit zone uvttestexample.com
Nov 18 10:05:20 metagross ods-auditor[27960]: Auditor started
Nov 18 10:05:20 metagross ods-auditor[27960]: Can't load uvttestexample.com SignerConfiguration file (/var/lib/opendnssec/signconf/uvttestexample.com.xml) : ERROR - Can't find KASP file : "/etc/opendnssec/kasp.xml" : ERROR - Can't find policy "default" in KASP Policy.
Nov 18 10:05:20 metagross ods-auditor[27960]: Can't find uvttestexample.com zone in zonelist
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] backoff task [read] for zone uvttestexample.com with 60 seconds
Nov 18 10:06:20 metagross ods-signerd: [worker[4]] read zone uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [adapter] read zone uvttestexample.com from file input adapter /var/lib/opendnssec/unsigned/uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [zone] zone uvttestexample.com set SOA TTL to 3600
Nov 18 10:06:20 metagross ods-signerd: [zone] zone uvttestexample.com set SOA MINIMUM to 3600
Nov 18 10:06:20 metagross ods-signerd: [tools] commit updates for zone uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [worker[4]] nsecify zone uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [worker[4]] sign zone uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [worker[4]] audit zone uvttestexample.com
Nov 18 10:06:21 metagross ods-auditor[27994]: Auditor started
Nov 18 10:06:21 metagross ods-auditor[27994]: Can't load uvttestexample.com SignerConfiguration file (/var/lib/opendnssec/signconf/uvttestexample.com.xml) : ERROR - Can't find KASP file : "/etc/opendnssec/kasp.xml" : ERROR - Can't find policy "default" in KASP Policy.
Nov 18 10:06:21 metagross ods-auditor[27994]: Can't find uvttestexample.com zone in zonelist
Nov 18 10:06:21 metagross ods-signerd: [worker[4]] backoff task [read] for zone uvttestexample.com with 120 seconds
Nov 18 10:08:21 metagross ods-signerd: [worker[4]] read zone uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [adapter] read zone uvttestexample.com from file input adapter /var/lib/opendnssec/unsigned/uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [zone] zone uvttestexample.com set SOA TTL to 3600
Nov 18 10:08:21 metagross ods-signerd: [zone] zone uvttestexample.com set SOA MINIMUM to 3600
Nov 18 10:08:21 metagross ods-signerd: [tools] commit updates for zone uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [worker[4]] nsecify zone uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [worker[4]] sign zone uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [worker[4]] audit zone uvttestexample.com
Nov 18 10:08:21 metagross ods-auditor[28402]: Auditor started
Nov 18 10:08:22 metagross ods-auditor[28402]: Can't load uvttestexample.com SignerConfiguration file (/var/lib/opendnssec/signconf/uvttestexample.com.xml) : ERROR - Can't find KASP file : "/etc/opendnssec/kasp.xml" : ERROR - Can't find policy "default" in KASP Policy.
Nov 18 10:08:22 metagross ods-auditor[28402]: Can't find uvttestexample.com zone in zonelist
Nov 18 10:08:22 metagross ods-signerd: [worker[4]] backoff task [read] for zone uvttestexample.com with 240 seconds
Nov 18 10:09:01 metagross ods-enforcerd: Zone uvttestexample.com found.
Nov 18 10:09:01 metagross ods-enforcerd: Policy for uvttestexample.com set to default.
Nov 18 10:09:01 metagross ods-enforcerd: Policy default found in DB.
Nov 18 10:09:01 metagross ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/uvttestexample.com.xml.
Nov 18 10:09:01 metagross ods-enforcerd: WARNING: KSK rollover for zone 'uvttestexample.com' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
Nov 18 10:09:01 metagross ods-enforcerd: No change to: /var/lib/opendnssec/signconf/uvttestexample.com.xml
--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
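The post shows the two sources of truth disagreeing: the enforcer reads policies from the KASP database ("Policy default found in DB") while the auditor reads kasp.xml ("Can't find policy "default" in KASP Policy"), so a zone on a policy that only exists in the database gets a signconf it cannot audit. The script below is an added example (not part of the post and not an OpenDNSSEC tool) that lists database policies missing from kasp.xml and which zones still use them. The sample inputs are constructed from the output shown in the post; the line formats of `ods-ksmutil policy list` and `ods-ksmutil zone list` are assumed to match what the post displays.

```python
"""Find KASP policies that are still in the OpenDNSSEC database but no
longer defined in kasp.xml, and report which zones are on them.

Added example, not from the original post. Inputs below are constructed
from the post's output; in practice read the real kasp.xml and capture
the output of `ods-ksmutil policy list` and `ods-ksmutil zone list`.
"""
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment with the three policies the post's grep shows.
KASP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<KASP>
  <Policy name="uvtonly"><Description>Zones that ...</Description></Policy>
  <Policy name="fulldnssec"><Description>Policy voor ....</Description></Policy>
  <Policy name="testshort"><Description>Test policy for ....</Description></Policy>
</KASP>
"""

# Constructed `ods-ksmutil policy list` output, as in the post.
POLICY_LIST = """Policies:
Name:           Description:
default         A default ...
fulldnssec      Policy voor ....
nostandby       Policy without...
nostandbykeys   Policy without...
testshort       Test policy for ....
uvtonly         Zones that ...
"""

# Constructed `ods-ksmutil zone list` output; the post shows one zone on 'default'.
ZONE_LIST = """Found Zone: uvttestexample.com; on policy default
Found Zone: example.org; on policy fulldnssec
"""


def policies_in_kasp(xml_text):
    """Policy names defined in kasp.xml (what the auditor trusts)."""
    root = ET.fromstring(xml_text)
    return {p.get("name") for p in root.iter("Policy") if p.get("name")}


def policies_in_db(listing):
    """Policy names from `ods-ksmutil policy list` (what the enforcer trusts).
    Skips the 'Policies:' banner and the 'Name:  Description:' header line."""
    names = set()
    for line in listing.splitlines():
        if not line.strip() or line.startswith(("Policies:", "Name:")):
            continue
        names.add(line.split()[0])
    return names


# Assumed line format: "Found Zone: <zone>; on policy <policy>"
ZONE_RE = re.compile(r"Found Zone:\s*(\S+?);\s*on policy\s+(\S+)")


def zones_by_policy(listing):
    """Map policy name -> list of zones from `ods-ksmutil zone list` output."""
    mapping = {}
    for m in ZONE_RE.finditer(listing):
        mapping.setdefault(m.group(2), []).append(m.group(1))
    return mapping


def stale_policies(xml_text, policy_listing, zone_listing):
    """Return {policy: [zones]} for every DB policy missing from kasp.xml.
    A non-empty zone list means the enforcer will keep generating a signconf
    that the auditor rejects, as in the post's logs."""
    stale = policies_in_db(policy_listing) - policies_in_kasp(xml_text)
    by_policy = zones_by_policy(zone_listing)
    return {p: sorted(by_policy.get(p, [])) for p in sorted(stale)}


if __name__ == "__main__":
    for policy, zones in stale_policies(KASP_XML, POLICY_LIST, ZONE_LIST).items():
        state = "IN USE by " + ", ".join(zones) if zones else "unused"
        print(f"policy {policy!r}: in DB but not in kasp.xml ({state})")
```

Run against the constructed inputs it reports `default` as stale and still used by uvttestexample.com, and `nostandby` / `nostandbykeys` as stale but unused; the in-use case is the one that produces the repeating auditor failure and signer backoff seen in the logs, so it is the one to fix first (move the zone to a policy present in kasp.xml, then clean up the unused policies).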