[Opendnssec-user] Questions regarding OpenBSD port

Patrik Lundin patrik.lundin.swe at gmail.com
Sun Aug 24 22:27:15 UTC 2014


Hello Matthijs,

Thank you for looking at this, see my comments inline.

On Sun, Aug 24, 2014 at 05:33:13PM +0200, Matthijs Mekking wrote:
> 
> My first guess would be that there are old signer configuration files
> and other files in `/var/opendnssec/signconf/` and
> `/var/opendnssec/tmp/` that cause this.
> 

This is a fresh install. The tmp/ directory remains empty and signconf/
contains an example.com.xml file after running "ods-control enforcer notify":
===
# ls -la /var/opendnssec/signconf/ 
total 8
drwxr-xr-x  2 _opendnssec  _opendnssec  512 Aug 24 23:59 .
drwxr-xr-x  8 root         wheel        512 Aug 24 23:59 ..
# ls -la /var/opendnssec/tmp/
total 8
drwxr-xr-x  2 _opendnssec  _opendnssec  512 Aug 24 23:59 .
drwxr-xr-x  8 root         wheel        512 Aug 24 23:59 ..

# ods-control enforcer notify 
Notifying enforcer of new database...

# ls -la /var/opendnssec/signconf/ 
total 12
drwxr-xr-x  2 _opendnssec  _opendnssec  512 Aug 25 00:01 .
drwxr-xr-x  8 root         wheel        512 Aug 24 23:59 ..
-rw-r--r--  1 _opendnssec  _opendnssec  962 Aug 25 00:01 example.com.xml
# ls -la /var/opendnssec/tmp/      
total 8
drwxr-xr-x  2 _opendnssec  _opendnssec  512 Aug 24 23:59 .
drwxr-xr-x  8 root         wheel        512 Aug 24 23:59 ..
===

>
> Can you share the kasp.xml? It seems you don't use the default policy,
> because the core dump shows it is adding NSEC records, not NSEC3.
> 

Interesting. I have not modified the kasp.xml from what the build produced.
This is how the file looks:
===
<?xml version="1.0" encoding="UTF-8"?>

<!--
  
  NOTE:  The default policy below is a TEMPLATE ONLY and should be reviewed
         before used in any production environment. The administrator should
         consult the OpenDNSSEC documentation before changing any parameters.
         
         If you can read this message, it is likely that this file has not
         been reviewed nor updated.

  -->

<KASP>

	<Policy name="default">
		<Description>A default policy that will amaze you and your friends</Description>
		<Signatures>
			<Resign>PT2H</Resign>
			<Refresh>P3D</Refresh>
			<Validity>
				<Default>P14D</Default>
				<Denial>P14D</Denial>
			</Validity>
			<Jitter>PT12H</Jitter>
			<InceptionOffset>PT3600S</InceptionOffset>
		</Signatures>

		<Denial>
			<NSEC3>
				<!-- <TTL>PT0S</TTL> -->
				<!-- <OptOut/> -->
				<Resalt>P100D</Resalt>
				<Hash>
					<Algorithm>1</Algorithm>
					<Iterations>5</Iterations>
					<Salt length="8"/>
				</Hash>
			</NSEC3>
		</Denial>

		<Keys>
			<!-- Parameters for both KSK and ZSK -->
			<TTL>PT3600S</TTL>
			<RetireSafety>PT3600S</RetireSafety>
			<PublishSafety>PT3600S</PublishSafety>
			<!-- <ShareKeys/> -->
			<Purge>P14D</Purge>

			<!-- Parameters for KSK only -->
			<KSK>
				<Algorithm length="2048">8</Algorithm>
				<Lifetime>P1Y</Lifetime>
				<Repository>SoftHSM</Repository>
			</KSK>

			<!-- Parameters for ZSK only -->
			<ZSK>
				<Algorithm length="1024">8</Algorithm>
				<Lifetime>P90D</Lifetime>
				<Repository>SoftHSM</Repository>
				<!-- <ManualRollover/> -->
			</ZSK>
		</Keys>

		<Zone>
			<PropagationDelay>PT43200S</PropagationDelay>
			<SOA>
				<TTL>PT3600S</TTL>
				<Minimum>PT3600S</Minimum>
				<Serial>unixtime</Serial>
			</SOA>
		</Zone>

		<Parent>
			<PropagationDelay>PT9999S</PropagationDelay>
			<DS>
				<TTL>PT3600S</TTL>
			</DS>
			<SOA>
				<TTL>PT172800S</TTL>
				<Minimum>PT10800S</Minimum>
			</SOA>
		</Parent>

	</Policy>

	<Policy name="lab">
		<Description>Quick turnaround policy for lab work</Description>
		<Signatures>
			<Resign>PT10M</Resign>
			<Refresh>PT30M</Refresh>
			<Validity>
				<Default>PT1H</Default>
				<Denial>PT1H</Denial>
			</Validity>
			<Jitter>PT1M</Jitter>
			<InceptionOffset>PT3600S</InceptionOffset>
		</Signatures>

		<Denial>
			<NSEC/>
		</Denial>

		<Keys>
			<!-- Parameters for both KSK and ZSK -->
			<TTL>PT300S</TTL>
			<RetireSafety>PT360S</RetireSafety>
			<PublishSafety>PT360S</PublishSafety>
			<!-- <ShareKeys/> -->
			<Purge>P14D</Purge>

			<!-- Parameters for KSK only -->
			<KSK>
				<Algorithm length="2048">8</Algorithm>
				<Lifetime>P1Y</Lifetime>
				<Repository>SoftHSM</Repository>
			</KSK>

			<!-- Parameters for ZSK only -->
			<ZSK>
				<Algorithm length="1024">8</Algorithm>
				<Lifetime>PT4H</Lifetime>
				<Repository>SoftHSM</Repository>
				<!-- <ManualRollover/> -->
			</ZSK>
		</Keys>

		<Zone>
			<PropagationDelay>PT300S</PropagationDelay>
			<SOA>
				<TTL>PT300S</TTL>
				<Minimum>PT300S</Minimum>
				<Serial>unixtime</Serial>
			</SOA>
		</Zone>

		<Parent>
			<PropagationDelay>PT9999S</PropagationDelay>
			<DS>
				<TTL>PT3600S</TTL>
			</DS>
			<SOA>
				<TTL>PT172800S</TTL>
				<Minimum>PT10800S</Minimum>
			</SOA>
		</Parent>

	</Policy>	
</KASP>
===

>
> Also, if you can provide a debug log from the signer, this can help
> showing the code path taken.
> 

This is very interesting. While running ods-signerd over and over again adding
-v flags, I noticed it would randomly not segfault, and when it managed to keep
running a file would turn up in the signed/ directory (with NSEC3 records):
===
# grep NSEC /var/opendnssec/signed/example.com  
example.com.    0       IN      NSEC3PARAM      1 0 5 72865fb39b97d514 
example.com.    0       IN      RRSIG   NSEC3PARAM 8 2 0 20140908081316 20140824210920 11659 example.com. HEs5ldTPAThYPsVonxho5TFYp+Tu61CFG2uTMQ7D1C4tPRB8sfrGr5R+oLINhVO24rJbV6iaykQYw8IcgvzglwaNUbI2Rhh/V3mIoiPGRS3PFry1viQ7V9KlUMPFm40gOPTQi7BjyS0m5/m/dVWnNyojy97TLFXci5Q0i/4ZhUc=
skl184nds0ko65j4hnsm8jdh6b4qpumd.example.com.   3600    IN      NSEC3   1 0 5 72865fb39b97d514  3jjn7mlkrh9eu4cif619n31a50eti7ln NS SOA RRSIG DNSKEY NSEC3PARAM 
skl184nds0ko65j4hnsm8jdh6b4qpumd.example.com.   3600    IN      RRSIG   NSEC3 8 3 3600 20140907145533 20140824210920 11659 example.com. y/HeQufcpu6ZLpw/EqWPV/rvtGWBYq21/zTd/MOpptC0BI4aGo1KcVygJnnR7mV3KpdW/O4u5BMKcSD5IvAm1k6QdITgzBpYY3tn7M8/T6CmeV3oGej7kuWmzoBld4d0jV3GvgGA9F26uSoVipjzYhzVQRxGehqxrMlPaWUaW4o=
ke8gpauinacisej48v3kb64ob7cqougp.example.com.   3600    IN      NSEC3   1 0 5 72865fb39b97d514  skl184nds0ko65j4hnsm8jdh6b4qpumd A RRSIG 
ke8gpauinacisej48v3kb64ob7cqougp.example.com.   3600    IN      RRSIG   NSEC3 8 3 3600 20140907150732 20140824210920 11659 example.com. xrEYk5T5qdR/alz8yJe8/3rmgFDGXQQL6bzvPph4mwt2Gs1ZqNVce3Q+U9wNXrIt3KAV9EF50x/mdLa1CsMc9N9Oek5mfvGrJEs+ovR5Fp5AB4jl0XQFN2HY9F56JgYQPbkb96s2v/EjBXyMyTYTBDOEPpjDBSFrha6cYYNi1Dc=
3jjn7mlkrh9eu4cif619n31a50eti7ln.example.com.   3600    IN      NSEC3   1 0 5 72865fb39b97d514  ke8gpauinacisej48v3kb64ob7cqougp A RRSIG 
3jjn7mlkrh9eu4cif619n31a50eti7ln.example.com.   3600    IN      RRSIG   NSEC3 8 3 3600 20140908052134 20140824210920 11659 example.com. rmWESKFpYUBu+ItQ4ALQVPB+DJyx2+layDtr8P+VvZw53Ch+sozSTEyx/aD9cgQBcDbwQahhL+t8mXa0Xb0bYfwrSPEZSGh8ZE2l94bgaKy0TugRsKjmeWD3RoPkSqCdal9InlO315s0D2lFIgYPXHYq7ZRuQWWEN6hixsv2TnE=
===

This is the output from two consecutive runs where the former failed and the
latter managed to run (after I had been spamming up-arrow and enter for a
while):
===
# /usr/local/sbin/ods-signerd -c /etc/opendnssec/conf.xml -d -vvvvvv 
OpenDNSSEC signer engine version 1.4.6
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [engine] starting signer
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug  : [parser] check cfgfile /etc/opendnssec/conf.xml with rngfile /usr/local/share/opendnssec/conf.rng
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug  : [file] open file  file=/etc/opendnssec/conf.xml mode=reading
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug  : [file] openfile /etc/opendnssec/conf.xml count 1
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [config] read cfgfile: /etc/opendnssec/conf.xml
[Mon Aug 25 00:24:23 2014] ods-signerd[4] warning: [util] pidfile /var/run/opendnssec/signerd.pid already exists, but no process with pid 29430 is running. A previous instance didn't shutdown cleanly, this pidfile is stale.
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [log] switching log to syslog verbosity 6 (log level 8)
Segmentation fault 
# /usr/local/sbin/ods-signerd -c /etc/opendnssec/conf.xml -d -vvvvvv 
OpenDNSSEC signer engine version 1.4.6
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [engine] starting signer
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug  : [parser] check cfgfile /etc/opendnssec/conf.xml with rngfile /usr/local/share/opendnssec/conf.rng
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug  : [file] open file  file=/etc/opendnssec/conf.xml mode=reading
[Mon Aug 25 00:24:23 2014] ods-signerd[7] debug  : [file] openfile /etc/opendnssec/conf.xml count 1
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [config] read cfgfile: /etc/opendnssec/conf.xml
[Mon Aug 25 00:24:23 2014] ods-signerd[4] warning: [util] pidfile /var/run/opendnssec/signerd.pid already exists, but no process with pid 23565 is running. A previous instance didn't shutdown cleanly, this pidfile is stale.
[Mon Aug 25 00:24:23 2014] ods-signerd[6] verbose: [log] switching log to syslog verbosity 6 (log level 8)
===

Regards,
Patrik Lundin
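The NSEC-versus-NSEC3 question raised in this exchange is something a practitioner can check mechanically. The script below is an added example, not part of the thread and not OpenDNSSEC's own code: it reads the denial settings of each policy in a kasp.xml, compares them with the NSEC3PARAM/NSEC3 records in the signed zone, and recomputes the RFC 5155 hash of the apex to confirm the salt and iteration count actually used. The policy excerpt and zone lines are copied from this message; the zone-file parser is deliberately minimal (one whitespace-separated record per line, no $ORIGIN or parentheses), and the finding strings are this example's own.

```python
"""Added example, not OpenDNSSEC's own code: does a kasp.xml policy agree
with the NSEC3PARAM/NSEC3 records of the zone the signer wrote?"""
import base64
import hashlib
import xml.etree.ElementTree as ET

# Trimmed copy of the two policies from the kasp.xml quoted in the thread.
KASP_XML = """<KASP>
  <Policy name="default">
    <Denial><NSEC3>
      <!-- <OptOut/> -->
      <Hash><Algorithm>1</Algorithm><Iterations>5</Iterations><Salt length="8"/></Hash>
    </NSEC3></Denial>
  </Policy>
  <Policy name="lab">
    <Denial><NSEC/></Denial>
  </Policy>
</KASP>"""

# NSEC3PARAM and NSEC3 lines from the signed/example.com output in the thread.
SIGNED_ZONE = """
example.com.  0  IN  NSEC3PARAM  1 0 5 72865fb39b97d514
skl184nds0ko65j4hnsm8jdh6b4qpumd.example.com.  3600  IN  NSEC3  1 0 5 72865fb39b97d514  3jjn7mlkrh9eu4cif619n31a50eti7ln NS SOA RRSIG DNSKEY NSEC3PARAM
ke8gpauinacisej48v3kb64ob7cqougp.example.com.  3600  IN  NSEC3  1 0 5 72865fb39b97d514  skl184nds0ko65j4hnsm8jdh6b4qpumd A RRSIG
3jjn7mlkrh9eu4cif619n31a50eti7ln.example.com.  3600  IN  NSEC3  1 0 5 72865fb39b97d514  ke8gpauinacisej48v3kb64ob7cqougp A RRSIG
"""


def policy_denial(kasp_xml):
    """Map policy name -> denial scheme ("NSEC" or NSEC3 parameters)."""
    result = {}
    for pol in ET.fromstring(kasp_xml).findall("Policy"):
        n3 = pol.find("Denial/NSEC3")
        if n3 is None:
            result[pol.get("name")] = {"scheme": "NSEC"}
            continue
        result[pol.get("name")] = {
            "scheme": "NSEC3",
            "algorithm": int(n3.findtext("Hash/Algorithm")),
            "iterations": int(n3.findtext("Hash/Iterations")),
            "salt_length": int(n3.find("Hash/Salt").get("length")),
            "optout": n3.find("OptOut") is not None,  # commented out => False
        }
    return result


def parse_zone(text):
    """Minimal presentation-format parser: (owner, ttl, type, rdata fields)."""
    records = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) >= 4:
            records.append((f[0].lower(), int(f[1]), f[3], f[4:]))
    return records


def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5: SHA-1 over the wire-format owner name plus salt,
    re-hashed `iterations` more times, rendered as lowercase base32hex."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    std = base64.b32encode(digest).decode("ascii")  # 20 bytes -> 32 chars, no padding
    return std.translate(str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                                       "0123456789abcdefghijklmnopqrstuv"))


def check_zone(text, policy):
    """Return a list of findings; an empty list means zone and policy agree."""
    recs = parse_zone(text)
    params = [r for r in recs if r[2] == "NSEC3PARAM"]
    nsec3 = [r for r in recs if r[2] == "NSEC3"]
    nsec = [r for r in recs if r[2] == "NSEC"]
    findings = []
    if policy["scheme"] == "NSEC":
        if params or nsec3:
            findings.append("policy is NSEC but zone carries NSEC3 records")
        return findings
    if nsec:
        findings.append("zone mixes NSEC and NSEC3 records")
    if not params:
        return findings + ["policy is NSEC3 but zone has no NSEC3PARAM"]
    apex, _ttl, _type, (alg, _flags, iters, salt) = params[0]
    if int(alg) != policy["algorithm"]:
        findings.append(f"hash algorithm {alg} != policy {policy['algorithm']}")
    if int(iters) != policy["iterations"]:
        findings.append(f"iterations {iters} != policy {policy['iterations']}")
    salt_len = 0 if salt == "-" else len(salt) // 2
    if salt_len != policy["salt_length"]:
        findings.append(f"salt length {salt_len} != policy {policy['salt_length']}")
    # Opt-Out lives in the NSEC3 flags field (bit 0), not in NSEC3PARAM.
    if any(int(r[3][1]) & 1 for r in nsec3) != policy["optout"]:
        findings.append("Opt-Out flag in NSEC3 records disagrees with policy")
    # Recompute the apex hash: the apex NSEC3 is the one listing SOA.
    expected = nsec3_hash(apex, salt, int(iters)) + "." + apex
    apex_rrs = [r for r in nsec3 if "SOA" in r[3]]
    if not apex_rrs or apex_rrs[0][0] != expected:
        findings.append(f"apex NSEC3 owner does not match recomputed {expected}")
    return findings


if __name__ == "__main__":
    for name, pol in policy_denial(KASP_XML).items():
        print(name, pol["scheme"], check_zone(SIGNED_ZONE, pol) or "OK")
```

Run against the data from this message, the "default" policy comes back clean (NSEC3, SHA-1, 5 iterations, 8-byte salt, no Opt-Out, apex hash matches), while the "lab" policy is reported as inconsistent with the NSEC3 zone; that is the quick way to confirm which policy a zone was actually signed under before reading a core dump.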
