[Opendnssec-user] 1.4 to 2.1 migration

Stefan Ubbink via Opendnssec-user opendnssec-user at lists.opendnssec.org
Mon Jan 6 07:00:19 UTC 2020

On Sun, 5 Jan 2020 14:24:06 -0500 (EST)
Paul Wouters via Opendnssec-user <opendnssec-user at lists.opendnssec.org>

> Hi,


> I've created fedora31/rawhide RPMS as the first step in supporting
> migration from 1.4 to 2.1. I did encounter a number of issues trying
> to support this. Before I push this into rawhide, I would like to see
> if anyone is able to test this for me. It is important that this
> testing only be done on a COPY of your real 1.4 production system.
> Note that this only supports sqlite, not mysql, as that is the method
> used for the rpms shipped with fedora/RHEL that I need to support.
> RPMS, including SRPM if you want to recompile this for rhel/centos
> 7/8:
> https://nohats.ca/ftp/opendnssec/migration/
> The issues encountered:
> 1) ods-migrate segfaulting
> Not entirely sure when/how this occurs, probably with an xml file is
> not as it expceted it to be?

I found the same issue [1] when using MySQL.

> 4) find_problematic_zones issue ?
> I'm not sure why just migrating the database would lead to issues. It
> should just copy whatever real state is there? For me, this caused
> issues because I had a few zones waiting on ds-seen. Why can't they
> not be in the new databse in the same waiting on ds-seen state?
> Aborting the migration is the worst thing to do, as I cannot have the
> new rpm installed and the database reverted to the old one.

When we did the migration, we first checked the status of the keys and
fixed the keys that were waiting on ds-seen, but I understand that is
not a solution for your situation.

> 5) <Interval> barfing
> It would be REALLY useful to just ignore it and not blow up on this.
> Again, this creates a big problem as I now have to hack up the
> existing configuration files and automatic downgrading on failure
> becomes basically impossible. Why not just ignore it :(

I agree on this.

> 7) ods-ksmutil is gone
> It took me a bit to figure out this is now done by ods-enforcer. A
> stub man page or alias or something would have been nice.

It is a good thing that ods-enforcer accepts the same arguments.
Remember ods-ksmutil shows a date of next transition for every key,
but ods-enforcer shows only the first date of next transition and shows
it for every key.

[1] https://issues.opendnssec.org/browse/SUPPORT-244

Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20200106/7cfa848c/attachment-0002.bin>
-------------- next part --------------
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org

More information about the Opendnssec-user mailing list