[Opendnssec-user] Questions regarding OpenBSD port
Patrik Lundin
patrik.lundin.swe at gmail.com
Sun Aug 24 22:27:15 UTC 2014
Hello Matthijs,
Thank you for looking at this, see my comments inline.
On Sun, Aug 24, 2014 at 05:33:13PM +0200, Matthijs Mekking wrote:
>
> My first guess would be that there are old signer configuration files
> and other files in `/var/opendnssec/signconf/` and
> `/var/opendnssec/tmp/` that cause this.
>
This is a fresh install. The tmp/ directory remains empty and signconf/
contains an example.com.xml file after running "ods-control enforcer notify":
===
# ls -la /var/opendnssec/signconf/
total 8
drwxr-xr-x 2 _opendnssec _opendnssec 512 Aug 24 23:59 .
drwxr-xr-x 8 root wheel 512 Aug 24 23:59 ..
# ls -la /var/opendnssec/tmp/
total 8
drwxr-xr-x 2 _opendnssec _opendnssec 512 Aug 24 23:59 .
drwxr-xr-x 8 root wheel 512 Aug 24 23:59 ..
# ods-control enforcer notify
Notifying enforcer of new database...
# ls -la /var/opendnssec/signconf/
total 12
drwxr-xr-x 2 _opendnssec _opendnssec 512 Aug 25 00:01 .
drwxr-xr-x 8 root wheel 512 Aug 24 23:59 ..
-rw-r--r-- 1 _opendnssec _opendnssec 962 Aug 25 00:01 example.com.xml
# ls -la /var/opendnssec/tmp/
total 8
drwxr-xr-x 2 _opendnssec _opendnssec 512 Aug 24 23:59 .
drwxr-xr-x 8 root wheel 512 Aug 24 23:59 ..
===
>
> Can you share the kasp.xml? It seems you don't use the default policy,
> because the core dump shows it is adding NSEC records, not NSEC3.
>
Interesting. I have not modified the kasp.xml from what the build produced.
This is how the file looks:
===
<?xml version="1.0" encoding="UTF-8"?>
<!--
NOTE: The default policy below is a TEMPLATE ONLY and should be reviewed
before used in any production environment. The administrator should
consult the OpenDNSSEC documentation before changing any parameters.
If you can read this message, it is likely that this file has not
been reviewed nor updated.
-->
<KASP>
<Policy name="default">
<Description>A default policy that will amaze you and your friends</Description>
<Signatures>
<Resign>PT2H</Resign>
<Refresh>P3D</Refresh>
<Validity>
<Default>P14D</Default>
<Denial>P14D</Denial>
</Validity>
<Jitter>PT12H</Jitter>
<InceptionOffset>PT3600S</InceptionOffset>
</Signatures>
<Denial>
<NSEC3>
<!-- <TTL>PT0S</TTL> -->
<!-- <OptOut/> -->
<Resalt>P100D</Resalt>
<Hash>
<Algorithm>1</Algorithm>
<Iterations>5</Iterations>
<Salt length="8"/>
</Hash>
</NSEC3>
</Denial>
<Keys>
<!-- Parameters for both KSK and ZSK -->
<TTL>PT3600S</TTL>
<RetireSafety>PT3600S</RetireSafety>
<PublishSafety>PT3600S</PublishSafety>
<!-- <ShareKeys/> -->
<Purge>P14D</Purge>
<!-- Parameters for KSK only -->
<KSK>
<Algorithm length="2048">8</Algorithm>
<Lifetime>P1Y</Lifetime>
<Repository>SoftHSM</Repository>
</KSK>
<!-- Parameters for ZSK only -->
<ZSK>
<Algorithm length="1024">8</Algorithm>
<Lifetime>P90D</Lifetime>
<Repository>SoftHSM</Repository>
<!-- <ManualRollover/> -->
</ZSK>
</Keys>
<Zone>
<PropagationDelay>PT43200S</PropagationDelay>
<SOA>
<TTL>PT3600S</TTL>
<Minimum>PT3600S</Minimum>
<Serial>unixtime</Serial>
</SOA>
</Zone>
<Parent>
<PropagationDelay>PT9999S</PropagationDelay>
<DS>
<TTL>PT3600S</TTL>
</DS>
<SOA>
<TTL>PT172800S</TTL>
<Minimum>PT10800S</Minimum>
</SOA>
</Parent>
</Policy>
<Policy name="lab">
<Description>Quick turnaround policy for lab work</Description>
<Signatures>
<Resign>PT10M</Resign>
<Refresh>PT30M</Refresh>
<Validity>
<Default>PT1H</Default>
<Denial>PT1H</Denial>
</Validity>
<Jitter>PT1M</Jitter>
<InceptionOffset>PT3600S</InceptionOffset>
</Signatures>
<Denial>
<NSEC/>
</Denial>
<Keys>
<!-- Parameters for both KSK and ZSK -->
<TTL>PT300S</TTL>
<RetireSafety>PT360S</RetireSafety>
<PublishSafety>PT360S</PublishSafety>
<!-- <ShareKeys/> -->
<Purge>P14D</Purge>
<!-- Parameters for KSK only -->
<KSK>
<Algorithm length="2048">8</Algorithm>
<Lifetime>P1Y</Lifetime>
<Repository>SoftHSM</Repository>
</KSK>
<!-- Parameters for ZSK only -->
<ZSK>
<Algorithm length="1024">8</Algorithm>
<Lifetime>PT4H</Lifetime>
<Repository>SoftHSM</Repository>
<!-- <ManualRollover/> -->
</ZSK>
</Keys>
<Zone>
<PropagationDelay>PT300S</PropagationDelay>
<SOA>
<TTL>PT300S</TTL>
<Minimum>PT300S</Minimum>
<Serial>unixtime</Serial>
</SOA>
</Zone>
<Parent>
<PropagationDelay>PT9999S</PropagationDelay>
<DS>
<TTL>PT3600S</TTL>
</DS>
<SOA>
<TTL>PT172800S</TTL>
<Minimum>PT10800S</Minimum>
</SOA>
</Parent>
</Policy>
</KASP>
===
>
> Also, if you can provide a debug log from the signer, this can help
> showing the code path taken.
>
This is very interesting. While running ods-signerd over and over again adding
-v flags, I noticed it would randomly not segfault, and when it managed to keep
running a file would turn up in the signed/ directory (with NSEC3 records):
===
# grep NSEC /var/opendnssec/signed/example.com
example.com. 0 IN NSEC3PARAM 1 0 5 72865fb39b97d514
example.com. 0 IN RRSIG NSEC3PARAM 8 2 0 20140908081316 20140824210920 11659 example.com. HEs5ldTPAThYPsVonxho5TFYp+Tu61CFG2uTMQ7D1C4tPRB8sfrGr5R+oLINhVO24rJbV6iaykQYw8IcgvzglwaNUbI2Rhh/V3mIoiPGRS3PFry1viQ7V9KlUMPFm40gOPTQi7BjyS0m5/m/dVWnNyojy97TLFXci5Q0i/4ZhUc=
skl184nds0ko65j4hnsm8jdh6b4qpumd.example.com. 3600 IN NSEC3 1 0 5 72865fb39b97d514 3jjn7mlkrh9eu4cif619n31a50eti7ln NS SOA RRSIG DNSKEY NSEC3PARAM
skl184nds0ko65j4hnsm8jdh6b4qpumd.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20140907145533 20140824210920 11659 example.com. y/HeQufcpu6ZLpw/EqWPV/rvtGWBYq21/zTd/MOpptC0BI4aGo1KcVygJnnR7mV3KpdW/O4u5BMKcSD5IvAm1k6QdITgzBpYY3tn7M8/T6CmeV3oGej7kuWmzoBld4d0jV3GvgGA9F26uSoVipjzYhzVQRxGehqxrMlPaWUaW4o=
ke8gpauinacisej48v3kb64ob7cqougp.example.com. 3600 IN NSEC3 1 0 5 72865fb39b97d514 skl184nds0ko65j4hnsm8jdh6b4qpumd A RRSIG
ke8gpauinacisej48v3kb64ob7cqougp.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20140907150732 20140824210920 11659 example.com. xrEYk5T5qdR/alz8yJe8/3rmgFDGXQQL6bzvPph4mwt2Gs1ZqNVce3Q+U9wNXrIt3KAV9EF50x/mdLa1CsMc9N9Oek5mfvGrJEs+ovR5Fp5AB4jl0XQFN2HY9F56JgYQPbkb96s2v/EjBXyMyTYTBDOEPpjDBSFrha6cYYNi1Dc=
3jjn7mlkrh9eu4cif619n31a50eti7ln.example.com. 3600 IN NSEC3 1 0 5 72865fb39b97d514 ke8gpauinacisej48v3kb64ob7cqougp A RRSIG
3jjn7mlkrh9eu4cif619n31a50eti7ln.example.com. 3600 IN RRSIG NSEC3 8 3 3600 20140908052134 20140824210920 11659 example.com. rmWESKFpYUBu+ItQ4ALQVPB+DJyx2+layDtr8P+VvZw53Ch+sozSTEyx/aD9cgQBcDbwQahhL+t8mXa0Xb0bYfwrSPEZSGh8ZE2l94bgaKy0TugRsKjmeWD3RoPkSqCdal9InlO315s0D2lFIgYPXHYq7ZRuQWWEN6hixsv2TnE=
===
This is the output from two consecutive runs where the prior failed and the
latter managed to run (after I had been spamming up-arrow and enter for a
while):
===
# /usr/local/sbin/ods-signerd -c /etc/opendnssec/conf.xml -d -vvvvvv
OpenDNSSEC signer engine version 1.4.6
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [engine] starting signer
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [parser] check cfgfile /etc/opendnssec/conf.xml with rngfile /usr/local/share/opendnssec/conf.rng
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [file] open file file=/etc/opendnssec/conf.xml mode=reading
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [file] openfile /etc/opendnssec/conf.xml count 1
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [config] read cfgfile: /etc/opendnssec/conf.xml
[Mon Aug 25 00:24:23 2014] ods-signerd[4] warning: [util] pidfile /var/run/opendnssec/signerd.pid already exists, but no process with pid 29430 is running. A previous instance didn't shutdown cleanly, this pidfile is stale.
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [log] switching log to syslog verbosity 6 (log level 8)
Segmentation fault
# /usr/local/sbin/ods-signerd -c /etc/opendnssec/conf.xml -d -vvvvvv
OpenDNSSEC signer engine version 1.4.6
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [engine] starting signer
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [parser] check cfgfile /etc/opendnssec/conf.xml with rngfile /usr/local/share/opendnssec/conf.rng
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [file] open file file=/etc/opendnssec/conf.xml mode=reading
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug : [file] openfile /etc/opendnssec/conf.xml count 1
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [config] read cfgfile: /etc/opendnssec/conf.xml
[Mon Aug 25 00:24:23 2014] ods-signerd[4] warning: [util] pidfile /var/run/opendnssec/signerd.pid already exists, but no process with pid 23565 is running. A previous instance didn't shutdown cleanly, this pidfile is stale.
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [log] switching log to syslog verbosity 6 (log level 8)
===
Regards,
Patrik Lundin
More information about the Opendnssec-user
mailing list