Fwd: Re: [Opendnssec-user] opendnssec signed zones

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Dec 11 14:22:07 UTC 2012


[Also to the list]

------- Original Message --------
Subject: Re: [Opendnssec-user] opendnssec signed zones
Date: Tue, 11 Dec 2012 14:36:27 +0100
From: Matthijs Mekking <matthijs at nlnetlabs.nl>
To: Anders.Larsson at tieto.com

Hi,

If you want to *not use* the auditor, you should disable it in the key
and signing policy file, kasp.xml: Remove <Audit/>. You can also remove
it from conf.xml. Run ods-ksmutil update all to commit the changes,
after you changed the files.

Are these logs below the high verbosity logs? I would expect more log
lines. Perhaps rsyslog moves them to a different file?

Best regards,
  Matthijs


On 12/11/2012 02:04 PM, Anders.Larsson at tieto.com wrote:
> Hi!
> 
> I'm using the latest on the site, not the svn version..
> I did disable the audit tool because I got some issues with ldns dependencies in Debian stable..
> As I understand the audit is not obsolete so :) maybe I need to do some conf to not use it in conf?
> 
> 
> 
> ns:~# tail -f /var/log/messages
> Dec 11 14:01:45 ns ods-signerd: [cmdhandler] zone jll.se scheduled for immediate re-sign
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] read zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [adapter] read zone jll.se from file input adapter /var/opendnssec/unsigned/zone.jll.se
> Dec 11 14:01:45 ns ods-signerd: [zone] zone jll.se set SOA TTL to 3600
> Dec 11 14:01:45 ns ods-signerd: [zone] zone jll.se set SOA MINIMUM to 3600
> Dec 11 14:01:45 ns ods-signerd: [tools] commit updates for zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] nsecify zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] sign zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] audit zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] backoff task [read] for zone jll.se with 3600 seconds
> 
> 
> 
> 
> Med vänliga hälsningar / Best regards / Ystävällisin terveisin / S pozdravem, 
> 
> //Anders Larsson
> Technical Security Specialist
> 
> * Tieto, Managed Services and Transformation, MDZ Datacenter Services, MDN 
> * Tredje Bassängvägen 2
> * SE-115 83 Stockholm
> 
> * Visitors address: Fjärde Bassängvägen 15 www.tieto.com
> 
> 
> * Tel:          +46 (0)10 481 02 20
> * Mobil:    +46 (0)70 656 42 64
> * Mail:         anders.larsson at tieto.com
> **********************************************
>   
>   ---- Debian is the way to salvation ----
>   
>   ---  How Hard Can It Be ---
> 
> 
> -----Original Message-----
> From: Matthijs Mekking [mailto:matthijs at nlnetlabs.nl] 
> Sent: den 11 december 2012 13:42
> To: Larsson Anders
> Subject: Re: [Opendnssec-user] opendnssec signed zones
> 
> On 12/11/2012 12:42 PM, Anders.Larsson at tieto.com wrote:
>> Yes, it's running :)
>>
>>
>> Dec 11 12:37:40 ns ods-signerd: [worker[4]] read zone jll.se
>> Dec 11 12:37:40 ns ods-signerd: [adapter] read zone jll.se from file input adapter /var/opendnssec/unsigned/zone.jll.se
>> Dec 11 12:37:40 ns ods-signerd: [zone] zone jll.se set SOA TTL to 3600
>> Dec 11 12:37:40 ns ods-signerd: [zone] zone jll.se set SOA MINIMUM to 3600
>> Dec 11 12:37:40 ns ods-signerd: [tools] commit updates for zone jll.se
>> Dec 11 12:37:40 ns ods-signerd: [worker[4]] nsecify zone jll.se
>> Dec 11 12:37:40 ns ods-signerd: [worker[4]] sign zone jll.se
>> Dec 11 12:37:41 ns ods-signerd: [worker[4]] audit zone jll.se
>> Dec 11 12:37:41 ns ods-signerd: [worker[4]] backoff task [read] for zone jll.se with 3600 seconds
> 
> It is backing off the [read] task, after audit. So it looks like the audit has failed. I would have expected an auditor error message, why it failed.
> 
> Which version is the opendnssec deb package?
> 
> Can you increase the verbosity and sign again?:
> 
> $ ods-signer verbosity 5
> $ ods-signer sign jll.se
> 
> And provide me the logs?
> 
> Best regards,
>   Matthijs
> 
> 
>> ^C
>> ns:~# ps -ef | grep signer
>> root     15599     1  0 Dec10 ?        00:00:02 /usr/local/sbin/ods-signerd
>>
>> -----Original Message-----
>> From: Matthijs Mekking [mailto:matthijs at nlnetlabs.nl]
>> Sent: den 11 december 2012 12:33
>> To: Larsson Anders
>> Cc: opendnssec-user at lists.opendnssec.org
>> Subject: Re: [Opendnssec-user] opendnssec signed zones
>>
>> Hi Anders,
>>
>> I don't see any signer logs. Is the signer daemon running?
>>
>> Best regards,
>> Matthijs
>>
>> On 12/11/2012 11:55 AM, Anders.Larsson at tieto.com wrote:
>>> Hi List!
>>>
>>> I have tested the deb package but did not get it to work.. so I installed the src from the site and softhsm..
>>>
>>> It starts and reads the zone but it doesn't sign the zone? Or create the file. I don't get any errors.
>>> Tried with 2 different zones
>>>
>>> ns:~# ods-ksmutil update zonelist
>>> zonelist filename set to /etc/opendnssec/zonelist.xml.
>>> kasp filename set to /etc/opendnssec/kasp.xml.
>>> Zone jamten.se found
>>> Policy set to default.
>>> Zone jll.se found
>>> Policy set to default.
>>> Notifying enforcer of new database...
>>>
>>>
>>> ns:~# tail -f /var/log/messages
>>> Dec 11 11:48:18 ns ods-enforcerd: Config will be output to /var/opendnssec/signconf/jamten.se.xml.
>>> Dec 11 11:48:18 ns ods-enforcerd: WARNING: New KSK has reached the ready state; please submit the DS for jamten.se and use ods-ksmutil key ds-seen when the DS appears in the DNS.
>>> Dec 11 11:48:18 ns ods-enforcerd: No change to: /var/opendnssec/signconf/jamten.se.xml
>>> Dec 11 11:48:18 ns ods-enforcerd: Zone jll.se found.
>>> Dec 11 11:48:18 ns ods-enforcerd: Policy for jll.se set to default.
>>> Dec 11 11:48:18 ns ods-enforcerd: Config will be output to /var/opendnssec/signconf/jll.se.xml.
>>> Dec 11 11:48:18 ns ods-enforcerd: WARNING: New KSK has reached the ready state; please submit the DS for jll.se and use ods-ksmutil key ds-seen when the DS appears in the DNS.
>>> Dec 11 11:48:18 ns ods-enforcerd: No change to: /var/opendnssec/signconf/jll.se.xml
>>> Dec 11 11:48:18 ns ods-enforcerd: Disconnecting from Database...
>>> Dec 11 11:48:18 ns ods-enforcerd: Sleeping for 3600 seconds.
>>>
>>>
>>> ns:~# ods-ksmutil keys list
>>> Keys:
>>> Zone:                           Keytype:      State:    Date of next transition:
>>> jamten.se                       KSK           ready     waiting for ds-seen       
>>> jamten.se                       ZSK           active    2013-01-09 14:28:06       
>>> jll.se                          KSK           ready     waiting for ds-seen       
>>> jll.se                          ZSK           active    2013-01-09 14:48:00    
>>>
>>
>>
>>
> 
> 
> 
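
Added example, not part of the original thread and not OpenDNSSEC code: a small Python check for the log pattern pointed out in the quoted reply, an `audit zone` step followed directly by `backoff task [read]` for the same zone and worker. Reading that pair as a likely audit failure is the heuristic from the thread, not documented signer behaviour; the `example.test` lines are constructed.

```python
import re

# Log lines copied from the thread, plus a constructed zone (example.test)
# that has no audit step, as a negative case.
SAMPLE_LOG = """\
Dec 11 14:01:45 ns ods-signerd: [cmdhandler] zone jll.se scheduled for immediate re-sign
Dec 11 14:01:45 ns ods-signerd: [worker[1]] read zone jll.se
Dec 11 14:01:45 ns ods-signerd: [tools] commit updates for zone jll.se
Dec 11 14:01:45 ns ods-signerd: [worker[1]] nsecify zone jll.se
Dec 11 14:01:45 ns ods-signerd: [worker[1]] sign zone jll.se
Dec 11 14:01:45 ns ods-signerd: [worker[1]] audit zone jll.se
Dec 11 14:01:45 ns ods-signerd: [worker[1]] backoff task [read] for zone jll.se with 3600 seconds
Dec 11 14:02:10 ns ods-signerd: [worker[2]] read zone example.test
Dec 11 14:02:10 ns ods-signerd: [worker[2]] sign zone example.test
"""

# Syslog prefix, then the signer's "[worker[N]] message" part.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ ods-signerd: "
    r"\[worker\[(?P<worker>\d+)\]\] (?P<msg>.*)$"
)
STEP = re.compile(r"^(?P<step>read|nsecify|sign|audit) zone (?P<zone>\S+)$")
BACKOFF = re.compile(
    r"^backoff task \[(?P<task>\w+)\] for zone (?P<zone>\S+) "
    r"with (?P<secs>\d+) seconds$"
)

def find_audit_backoffs(log_text):
    """Return one finding per backoff that directly follows an audit step."""
    last_step = {}   # (worker, zone) -> most recent step name
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # non-worker lines ([adapter], [zone], ...) are ignored
        worker, msg = int(m["worker"]), m["msg"]
        step = STEP.match(msg)
        if step:
            last_step[(worker, step["zone"])] = step["step"]
            continue
        back = BACKOFF.match(msg)
        if back and last_step.get((worker, back["zone"])) == "audit":
            findings.append({"time": m["ts"], "zone": back["zone"],
                             "worker": worker, "task": back["task"],
                             "retry_seconds": int(back["secs"])})
    return findings

if __name__ == "__main__":
    for f in find_audit_backoffs(SAMPLE_LOG):
        print(f"{f['time']} zone {f['zone']}: backoff after audit, "
              f"retry in {f['retry_seconds']}s")
```
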