[Opendnssec-user] Re: Migration from 1.3.8 to 1.4.01a

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jun 28 08:49:18 UTC 2012


Hi Fred,

There is a known issue for reading backup files in the alpha 1, which
is fixed in the alpha 2. That's why you see those lines about being
unable to recover the zone from backup files. However, it should perform a
full resign, by reading in the signconf.xml and unsigned zonefile. I
am interested in the logfile lines at 13:31:48 and up: why is it
hanging at the task [configure]?

Best regards,
  Matthijs

On 06/26/2012 01:50 PM, Fred Zwarts (KVI) wrote:
> "Siôn Lloyd"  wrote in message
> news:4FE9959B.3080604 at nominet.org.uk...
>> 
>> On 26/06/12 11:42, Fred Zwarts (KVI) wrote:
>>> "Siôn Lloyd"  wrote in message
>>> news:4FE98B02.9090206 at nominet.org.uk...
>>>> 
>>>> On 26/06/12 10:45, Fred Zwarts (KVI) wrote:
>>>>> In a separate server we run OpenDNSSEC with a
>>>>> configuration mirroring the configuration of our master DNS
>>>>> server for testing purposes. In this system we tried to
>>>>> upgrade from version 1.3.8 to 1.4.01a. When we try to start
>>>>> OpenDNSSEC, we see the message:
>>>>> 
>>>>> ERROR: database version number incompatible with software;
>>>>> require 3, found 2. Please run the migration scripts
>>>>> 
>>>>> I was not able to find the documentation about migration
>>>>> scripts. Could someone help me to point to the
>>>>> documentation? Where are these migration scripts and how am
>>>>> I supposed to run them?
>>>>> 
>>>> 
>>>> Hi Fred.
>>>> 
>>>> In the root directory of the tarball there should be a file
>>>> called "MIGRATION" which has the instructions for changing
>>>> the database schema.
>>>> 
>>>> For the 1.3 to 1.4 migration the instructions are under the
>>>> section "Migrating trunk". In short you need to run one of
>>>> two scripts:
>>>> 
>>>> enforcer/utils/migrate_adapters_1.mysql or 
>>>> enforcer/utils/migrate_adapters_1.sqlite3
>>>> 
>>>> depending on your database choice.
>>>> 
>>>> They are just sql statements so can be run in many ways,
>>>> e.g.:
>>>> 
>>>> sqlite3 [PATH_TO_DB] < enforcer/utils/migrate_adapters_1.sqlite3
>>>> 
>>>> Thank you.
>>>> 
>>>> Sion
>>> 
>>> Thanks, Siôn, for your reply.
>>> 
>>> I found the MIGRATION document, but there is no section 1.3 to
>>> 1.4. (There are only sections about the 1.1 to 1.2 and about
>>> 1.2 to 1.3 migration.) So I read, as you said, the section
>>> about migrating trunk. But, in the enforcer/utils directory,
>>> there are no migrate_adapters_1 scripts. I see the following
>>> scripts:
>>> 
>>> migrate_id_mysql.pl
>>> migrate_keyshare_mysql.pl
>>> migrate_keyshare_sqlite3.pl
>>> migrate_to_ng_mysql.pl
>>> migrate_to_ng_sqlite.pl
>>> 
>>> I guess with database, you mean the kasp.db file and if I am
>>> correct this is a sqlite3 database file, not a mysql file, so
>>> three of the five scripts I do not need. Do I need both other
>>> scripts? In which order?
>> 
>> Ah, apologies... The required migration scripts were not included
>> in the "a1" tarball; they are in the "a2" which is what I was
>> looking at.
>> 
>> There are only 3 lines of SQL required to convert a v1.3 database
>> to 1.4; they are:
>> 
>> 
>> alter table zones add column in_type varchar(512) default "File";
>> alter table zones add column out_type varchar(512) default "File";
>> update dbadmin set version = 3;
>> 
>> 
>> The easiest thing might be to run: "sqlite3 [PATH_TO_KASP.DB]" 
>> then cut and paste the above into the terminal.
>> 
>> The scripts that you list above are for earlier versions, or 
>> preparation for v2.0.
>> 
>> Sorry about that.
>> 
>> Sion
> 
> Thanks. That worked, I think. Most zones now run as before. For one
> zone I see strange messages:
> 
> Jun 26 13:31:47 KVIVS13 ods-signerd: [engine] signer started
> Jun 26 13:31:47 KVIVS13 ods-signerd: [hsm] unable to get key: key c6cbe2b255ddd91b7d9ebb613eedb0dc not found
> Jun 26 13:31:47 KVIVS13 ods-signerd: [zone] unable to publish dnskeys for zone 0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa: error creating dnskey
> Jun 26 13:31:47 KVIVS13 ods-signerd: [zone] unable to recover zone 0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa: corrupted file
> Jun 26 13:31:47 KVIVS13 ods-signerd: [engine] unable to recover zone 0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa from backup, performing full sign
> Jun 26 13:31:48 KVIVS13 ods-signerd: [signconf] zone 0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT86400S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT86400S] MINIMUM[PT10800S] SERIAL[datecounter]
> 
> In the signer queue, I see this zone still in the configure state:
> 
> On Tue Jun 26 13:46:53 2012 I will [configure] zone 0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa
> 
> I'm worried about the "key ... not found" message and the "unable
> to publish dnskeys" message. In the list shown with "ods-ksmutil
> key list --verbose" I do not see c6cbe2b255ddd91b7d9ebb613eedb0dc:
> 
> 0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa  KSK  dsready  When required (keypub)        2048  8  6bdf2e906c11612ef6aa969a331db5b1  SoftHSM  21061
> 0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa  ZSK  ready    next rollover (active)        1024  8  78c7dd05b98cff9b31bc90d5cb784ec6  SoftHSM  56050
> 0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa  ZSK  active   2012-08-22 17:02:12 (retire)  1024  8  8ac106af8e85056bbef28ca6f8106b95  SoftHSM  52464
> 0.6.0.0.8.0.a.1.0.1.6.0.1.0.0.2.ip6.arpa  KSK  active   2012-11-14 10:41:23 (retire)  2048  8  96c8b52a476c2c254c42b6b73320ee1c  SoftHSM  23881
> 
> (Also the other zones do not show this
> c6cbe2b255ddd91b7d9ebb613eedb0dc.) In fact, apart from the messages
> in the log and the [configure] in the queue list, everything looks
> normal. I wonder whether something is really wrong and how it can
> be repaired.
> 
> 
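
Added example, not part of the original thread or of the OpenDNSSEC distribution: the three SQL statements quoted above applied to a SQLite kasp.db with a backup copy, a pre-check of the dbadmin version and a single transaction, so a failed run leaves the database at version 2. It assumes the OpenDNSSEC daemons are stopped; the function name and the backup suffix are illustrative, and 'File' is written with single quotes (the standard SQL string literal) instead of the double quotes used in the thread.

```python
import shutil
import sqlite3

# The three statements from the thread (1.3 -> 1.4 schema change),
# with the default written as a standard single-quoted literal.
MIGRATION = (
    "ALTER TABLE zones ADD COLUMN in_type varchar(512) DEFAULT 'File'",
    "ALTER TABLE zones ADD COLUMN out_type varchar(512) DEFAULT 'File'",
    "UPDATE dbadmin SET version = 3",
)
NEW_COLUMNS = {"in_type", "out_type"}


def migrate_kasp(db_path, backup_suffix=".pre-1.4"):
    """Back up db_path, then apply the migration in one transaction.

    Returns "migrated" or "already-migrated"; raises RuntimeError when the
    database is in neither the clean version 2 nor the finished version 3
    state. backup_suffix is an illustrative name, not an OpenDNSSEC convention.
    """
    conn = sqlite3.connect(db_path, isolation_level=None)  # explicit BEGIN/COMMIT
    try:
        version = conn.execute("SELECT version FROM dbadmin").fetchone()[0]
        columns = {row[1] for row in conn.execute("PRAGMA table_info(zones)")}
        if version == 3 and NEW_COLUMNS <= columns:
            return "already-migrated"
        if version != 2 or columns & NEW_COLUMNS:
            raise RuntimeError(
                f"unexpected state: version={version}, "
                f"adapter columns present={sorted(columns & NEW_COLUMNS)}")
        # Keep a copy of the key state database before touching the schema.
        shutil.copy2(db_path, db_path + backup_suffix)
        conn.execute("BEGIN IMMEDIATE")
        try:
            for statement in MIGRATION:
                conn.execute(statement)
            conn.execute("COMMIT")
        except Exception:
            conn.execute("ROLLBACK")  # DDL is transactional in SQLite
            raise
        return "migrated"
    finally:
        conn.close()
```

Running it a second time reports "already-migrated" and leaves both the database and the backup untouched.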



