From berry at nlnetlabs.nl  Mon Oct  5 02:10:00 2020
From: berry at nlnetlabs.nl (Berry A.W. van Halderen)
Date: Mon, 5 Oct 2020 04:10:00 +0200
Subject: [Opendnssec-user] OpenDNSSEC 2.1.7 released
Message-ID: <7f4b631d-ad3d-3b7c-61bd-bfb2152627db@nlnetlabs.nl>

Dear all,

OpenDNSSEC 2.1.7 has just been released. This release fixes a bug in
the migration script to migrate from 1.4 to 2.1.  Additionally a bug in
creating unnecessary signatures during a ZSK roll was fixed.  We also
had some contributions regarding edward curves and exporting keys by CKA
identifier and other corrections and improvements, see the NEWS file in
the distribution.

https://dist.opendnssec.org/source/opendnssec-2.1.7.tar.gz
SHA256: 4cf3a797b8ff9fb0c02432187ef22adeb03d007074d70ec2b48b18ae6c1d09a4

Yours Truly,
\OpenDNSSEC

From randy at psg.com  Thu Oct 22 16:47:41 2020
From: randy at psg.com (Randy Bush)
Date: Thu, 22 Oct 2020 09:47:41 -0700
Subject: [Opendnssec-user] sign failure
Message-ID: <m21rhqus0i.wl-randy@psg.com>

i am being blind here.  could someone with better eyes find my error?

adding new zones to config, and 

Oct 22 16:31:40 rip ods-signerd[18609]: [adapter] unable to add rr to zone: soa record has invalid owner name
Oct 22 16:31:40 rip ods-signerd[18609]: [adapter] error adding RR at line 8: 15.28.147.in-addr.arpa. SOA        rip.psg.com. hostmaster.psg.com.                        202010220                       86400                           3600                            2592000                         14400
Oct 22 16:31:40 rip ods-signerd[18609]: [tools] unable to read zone 147.028.015: adapter failed (General error)
Oct 22 16:31:40 rip ods-signerd[18609]: CRITICAL: failed to sign zone 147.028.015: General error

this is the zone file

$TTL 14400	; 4 hours
15.28.147.in-addr.arpa. SOA        rip.psg.com. hostmaster.psg.com. (
			202010220  ; serial
			86400      ; refresh (1 day)
			3600       ; retry (1 hour)
			2592000    ; expire (4 weeks 2 days)
			14400      ; minimum (4 hours)
			)

			NS	RIP.PSG.COM.
			NS	NLNS.GLOBNIX.NET.

the zonelist entry is

  <Zone name="15.28.147.in-addr.arpa">  <Policy>default</Policy>
    <SignerConfiguration>/usr/local/var/opendnssec/signconf/147.028.015.xml</SignerConfiguration>
    <Adapters>
      <Input> <File>/usr/local/var/opendnssec/unsigned/147.028.015</File> </Input>
      <Output> <File>/usr/home/dns/primary/147.028.015</File> </Output>
      </Adapters>
    </Zone>

and, i know this is not rigorous, but

% named-checkzone 15.28.147.in-addr.arpa dns/147.028.015 
zone 15.28.147.in-addr.arpa/IN: loaded serial 202010220
OK

thanks

randy

From randy at psg.com  Thu Oct 22 17:37:44 2020
From: randy at psg.com (Randy Bush)
Date: Thu, 22 Oct 2020 10:37:44 -0700
Subject: [Opendnssec-user] sign failure
In-Reply-To: <f27f03ca-8db0-8dcf-c4b3-96bfcef7f656@prado.it>
References: <m21rhqus0i.wl-randy@psg.com>
 <f27f03ca-8db0-8dcf-c4b3-96bfcef7f656@prado.it>
Message-ID: <m2wnzitb4n.wl-randy@psg.com>

hi

> i don't know if this is the case, but others have reported[1] that
> when the zone name doesn't match with the zonefile name, the error you
> reported may occur.

saw that when i searched.  i am not exactly sure what it means, in the
sense of which fields.  zone name is pretty clear,

   <Zone name="15.28.147.in-addr.arpa">

which matches the name of the zone,

   15.28.147.in-addr.arpa. SOA        rip.psg.com. hostmaster.psg.com. (

and i have a dozen other reverses where the name of the file on disk
is, e.g. 198.180.150 for the zone 150.180.198.in-addr.arpa.

  <Zone name="150.180.198.in-addr.arpa">  <Policy>default</Policy>
    <SignerConfiguration>/usr/local/var/opendnssec/signconf/198.180.150.xml</SignerConfiguration>
    <Adapters>
      <Input> <File>/usr/local/var/opendnssec/unsigned/198.180.150</File> </Input>
      <Output> <File>/usr/home/dns/primary/198.180.150</File> </Output>
      </Adapters>
    </Zone>

randy

From randy at psg.com  Fri Oct 23 18:32:05 2020
From: randy at psg.com (Randy Bush)
Date: Fri, 23 Oct 2020 11:32:05 -0700
Subject: [Opendnssec-user] sign failure
In-Reply-To: <m2wnzitb4n.wl-randy@psg.com>
References: <m21rhqus0i.wl-randy@psg.com>
 <f27f03ca-8db0-8dcf-c4b3-96bfcef7f656@prado.it>
 <m2wnzitb4n.wl-randy@psg.com>
Message-ID: <m2tuukssii.wl-randy@psg.com>

to be clear

these, and 42 like them, work

  <Zone name="71.159.203.in-addr.arpa">  <Policy>default</Policy>
    <SignerConfiguration>/usr/local/var/opendnssec/signconf/203.158.071.xml</SignerConfiguration>
    <Adapters>
      <Input> <File>/usr/local/var/opendnssec/unsigned/203.159.071</File> </Input>
      <Output> <File>/usr/home/dns/primary/203.159.071</File> </Output>
      </Adapters>
    </Zone>

  <Zone name="28.147.in-addr.arpa">  <Policy>default</Policy>
    <SignerConfiguration>/usr/local/var/opendnssec/signconf/147.028.xml</SignerConfiguration>
    <Adapters>
      <Input> <File>/usr/local/var/opendnssec/unsigned/147.028</File> </Input>
      <Output> <File>/usr/home/dns/primary/147.028</File> </Output>
      </Adapters>
    </Zone>

this does not

  <Zone name="0.28.147.in-addr.arpa">  <Policy>default</Policy>
    <SignerConfiguration>/usr/local/var/opendnssec/signconf/147.028.000.xml</SignerConfiguration>
    <Adapters>
      <Input> <File>/usr/local/var/opendnssec/unsigned/147.028.000</File> </Input>
      <Output> <File>/usr/home/dns/primary/147.028.000</File> </Output>
      </Adapters>
    </Zone>

so i am confused as to how the signer wants the supposed name confusion
resolved.  clue bat would be appreciated.

randy

From randy at psg.com  Fri Oct 23 22:06:32 2020
From: randy at psg.com (Randy Bush)
Date: Fri, 23 Oct 2020 15:06:32 -0700
Subject: [Opendnssec-user] sign failure
In-Reply-To: <m2tuukssii.wl-randy@psg.com>
References: <m21rhqus0i.wl-randy@psg.com>
 <f27f03ca-8db0-8dcf-c4b3-96bfcef7f656@prado.it>
 <m2wnzitb4n.wl-randy@psg.com> <m2tuukssii.wl-randy@psg.com>
Message-ID: <m2o8kssil3.wl-randy@psg.com>

> these, and 42 like them, work
> 
>   <Zone name="28.147.in-addr.arpa">  <Policy>default</Policy>
>     <SignerConfiguration>/usr/local/var/opendnssec/signconf/147.028.xml</SignerConfiguration>
>     <Adapters>
>       <Input> <File>/usr/local/var/opendnssec/unsigned/147.028</File> </Input>
>       <Output> <File>/usr/home/dns/primary/147.028</File> </Output>
>       </Adapters>
>     </Zone>
> 
> this does not
> 
>   <Zone name="0.28.147.in-addr.arpa">  <Policy>default</Policy>
>     <SignerConfiguration>/usr/local/var/opendnssec/signconf/147.028.000.xml</SignerConfiguration>
>     <Adapters>
>       <Input> <File>/usr/local/var/opendnssec/unsigned/147.028.000</File> </Input>
>       <Output> <File>/usr/home/dns/primary/147.028.000</File> </Output>
>       </Adapters>
>     </Zone>

and

# ods-enforcer key list | grep 147
28.147.in-addr.arpa             KSK      active    2020-12-30 21:37:26
28.147.in-addr.arpa             ZSK      active    2020-12-30 21:37:26
147.028.000                     KSK      ready     waiting for ds-seen
147.028.000                     ZSK      active    2021-01-20 16:14:23
147.028.001                     KSK      ready     waiting for ds-seen
147.028.001                     ZSK      active    2021-01-20 16:14:41
147.028.002                     KSK      ready     waiting for ds-seen
147.028.002                     ZSK      active    2021-01-20 16:15:44
...

so it is name confusion.  i just do not know what i am supposed to do
to unconfuse it.

randy

From randy at psg.com  Fri Oct 23 23:15:59 2020
From: randy at psg.com (Randy Bush)
Date: Fri, 23 Oct 2020 16:15:59 -0700
Subject: [Opendnssec-user] sign failure
In-Reply-To: <m2o8kssil3.wl-randy@psg.com>
References: <m21rhqus0i.wl-randy@psg.com>
 <f27f03ca-8db0-8dcf-c4b3-96bfcef7f656@prado.it>
 <m2wnzitb4n.wl-randy@psg.com> <m2tuukssii.wl-randy@psg.com>
 <m2o8kssil3.wl-randy@psg.com>
Message-ID: <m2a6wcsfdc.wl-randy@psg.com>

>> these, and 42 like them, work
>> 
>>   <Zone name="28.147.in-addr.arpa">  <Policy>default</Policy>
>>     <SignerConfiguration>/usr/local/var/opendnssec/signconf/147.028.xml</SignerConfiguration>
>>     <Adapters>
>>       <Input> <File>/usr/local/var/opendnssec/unsigned/147.028</File> </Input>
>>       <Output> <File>/usr/home/dns/primary/147.028</File> </Output>
>>       </Adapters>
>>     </Zone>
>> 
>> this does not
>> 
>>   <Zone name="0.28.147.in-addr.arpa">  <Policy>default</Policy>
>>     <SignerConfiguration>/usr/local/var/opendnssec/signconf/147.028.000.xml</SignerConfiguration>
>>     <Adapters>
>>       <Input> <File>/usr/local/var/opendnssec/unsigned/147.028.000</File> </Input>
>>       <Output> <File>/usr/home/dns/primary/147.028.000</File> </Output>
>>       </Adapters>
>>     </Zone>
> 
> and
> 
> # ods-enforcer key list | grep 147
> 28.147.in-addr.arpa             KSK      active    2020-12-30 21:37:26
> 28.147.in-addr.arpa             ZSK      active    2020-12-30 21:37:26
> 147.028.000                     KSK      ready     waiting for ds-seen
> 147.028.000                     ZSK      active    2021-01-20 16:14:23
> 147.028.001                     KSK      ready     waiting for ds-seen
> 147.028.001                     ZSK      active    2021-01-20 16:14:41
> 147.028.002                     KSK      ready     waiting for ds-seen
> 147.028.002                     ZSK      active    2021-01-20 16:15:44
> ...
> 
> so it is name confusion.  i just do not know what i am supposed to do
> to unconfuse it.

solved

    ods-enforcer zone delete --zone 147.028.000
    etc

and

    ods-enforcer zonelist import

and bob's your uncle

    28.147.in-addr.arpa             KSK      active    2020-12-30 21:37:26
    28.147.in-addr.arpa             ZSK      active    2020-12-30 21:37:26
    0.28.147.in-addr.arpa           KSK      publish   2020-10-24 02:07:33
    0.28.147.in-addr.arpa           ZSK      ready     2020-10-24 02:07:33
    1.28.147.in-addr.arpa           ZSK      ready     2020-10-24 02:07:33

randy