From berry at nlnetlabs.nl Mon Oct 5 02:10:00 2020
From: berry at nlnetlabs.nl (Berry A.W. van Halderen)
Date: Mon, 5 Oct 2020 04:10:00 +0200
Subject: [Opendnssec-user] OpenDNSSEC 2.1.7 released
Message-ID: <7f4b631d-ad3d-3b7c-61bd-bfb2152627db@nlnetlabs.nl>

Dear all,

OpenDNSSEC 2.1.7 has just been released. This release fixes a bug in the
migration script to migrate from 1.4 to 2.1. Additionally a bug in
creating unnecessary signatures during a ZSK roll was fixed. We also had
some contributions regarding Edwards curves and exporting keys by CKA
identifier and other corrections and improvements, see the NEWS file in
the distribution.

https://dist.opendnssec.org/source/opendnssec-2.1.7.tar.gz
SHA256: 4cf3a797b8ff9fb0c02432187ef22adeb03d007074d70ec2b48b18ae6c1d09a4

Yours Truly,
\OpenDNSSEC

From randy at psg.com Thu Oct 22 16:47:41 2020
From: randy at psg.com (Randy Bush)
Date: Thu, 22 Oct 2020 09:47:41 -0700
Subject: [Opendnssec-user] sign failure
Message-ID:

i am being blind here. could someone with better eyes find my error?

adding new zones to config, and

    Oct 22 16:31:40 rip ods-signerd[18609]: [adapter] unable to add rr to zone: soa record has invalid owner name
    Oct 22 16:31:40 rip ods-signerd[18609]: [adapter] error adding RR at line 8: 15.28.147.in-addr.arpa. SOA rip.psg.com. hostmaster.psg.com. 202010220 86400 3600 2592000 14400
    Oct 22 16:31:40 rip ods-signerd[18609]: [tools] unable to read zone 147.028.015: adapter failed (General error)
    Oct 22 16:31:40 rip ods-signerd[18609]: CRITICAL: failed to sign zone 147.028.015: General error

this is the zone file

    $TTL 14400 ; 4 hours
    15.28.147.in-addr.arpa. SOA rip.psg.com. hostmaster.psg.com. (
                    202010220 ; serial
                    86400     ; refresh (1 day)
                    3600      ; retry (1 hour)
                    2592000   ; expire (4 weeks 2 days)
                    14400     ; minimum (4 hours)
                    )
            NS RIP.PSG.COM.
            NS NLNS.GLOBNIX.NET.

the zonelist entry is

    default
    /usr/local/var/opendnssec/signconf/147.028.015.xml
    /usr/local/var/opendnssec/unsigned/147.028.015
    /usr/home/dns/primary/147.028.015

and, i know this is not rigorous, but

    % named-checkzone 15.28.147.in-addr.arpa dns/147.028.015
    zone 15.28.147.in-addr.arpa/IN: loaded serial 202010220
    OK

thanks

randy

From randy at psg.com Thu Oct 22 17:37:44 2020
From: randy at psg.com (Randy Bush)
Date: Thu, 22 Oct 2020 10:37:44 -0700
Subject: [Opendnssec-user] sign failure
In-Reply-To:
References:
Message-ID:

hi

> i don't know if this is the case, but others have reported[1] that
> when the zone name doesn't match with the zonefile name, the error you
> reported may occur.

saw that when i searched. i am not exactly sure what it means, in the
sense of which fields. zone name is pretty clear, which matches the
name of the zone,

    15.28.147.in-addr.arpa. SOA rip.psg.com. hostmaster.psg.com. (

and i have a dozen other reverses where the name of the file on disk is,
e.g. 198.180.150 for the zone 150.180.198.in-addr.arpa.

    default
    /usr/local/var/opendnssec/signconf/198.180.150.xml
    /usr/local/var/opendnssec/unsigned/198.180.150
    /usr/home/dns/primary/198.180.150

randy

From randy at psg.com Fri Oct 23 18:32:05 2020
From: randy at psg.com (Randy Bush)
Date: Fri, 23 Oct 2020 11:32:05 -0700
Subject: [Opendnssec-user] sign failure
In-Reply-To:
References:
Message-ID:

to be clear

these, and 42 like them, work

    default
    /usr/local/var/opendnssec/signconf/203.158.071.xml
    /usr/local/var/opendnssec/unsigned/203.159.071
    /usr/home/dns/primary/203.159.071

    default
    /usr/local/var/opendnssec/signconf/147.028.xml
    /usr/local/var/opendnssec/unsigned/147.028
    /usr/home/dns/primary/147.028

this does not

    default
    /usr/local/var/opendnssec/signconf/147.028.000.xml
    /usr/local/var/opendnssec/unsigned/147.028.000
    /usr/home/dns/primary/147.028.000

so i am confused as to how the signer wants the supposed name confusion
resolved.

clue bat would be appreciated.

randy

From randy at psg.com Fri Oct 23 22:06:32 2020
From: randy at psg.com (Randy Bush)
Date: Fri, 23 Oct 2020 15:06:32 -0700
Subject: [Opendnssec-user] sign failure
In-Reply-To:
References:
Message-ID:

> these, and 42 like them, work
>
> default
> /usr/local/var/opendnssec/signconf/147.028.xml
>
> /usr/local/var/opendnssec/unsigned/147.028
> /usr/home/dns/primary/147.028
>
> this does not
>
> default
> /usr/local/var/opendnssec/signconf/147.028.000.xml
>
> /usr/local/var/opendnssec/unsigned/147.028.000
> /usr/home/dns/primary/147.028.000
>

and

    # ods-enforcer key list | grep 147
    28.147.in-addr.arpa  KSK  active  2020-12-30 21:37:26
    28.147.in-addr.arpa  ZSK  active  2020-12-30 21:37:26
    147.028.000          KSK  ready   waiting for ds-seen
    147.028.000          ZSK  active  2021-01-20 16:14:23
    147.028.001          KSK  ready   waiting for ds-seen
    147.028.001          ZSK  active  2021-01-20 16:14:41
    147.028.002          KSK  ready   waiting for ds-seen
    147.028.002          ZSK  active  2021-01-20 16:15:44
    ...

so it is name confusion. i just do not know what i am supposed to do
to unconfuse it.

randy

From randy at psg.com Fri Oct 23 23:15:59 2020
From: randy at psg.com (Randy Bush)
Date: Fri, 23 Oct 2020 16:15:59 -0700
Subject: [Opendnssec-user] sign failure
In-Reply-To:
References:
Message-ID:

>> these, and 42 like them, work
>>
>> default
>> /usr/local/var/opendnssec/signconf/147.028.xml
>>
>> /usr/local/var/opendnssec/unsigned/147.028
>> /usr/home/dns/primary/147.028
>>
>> this does not
>>
>> default
>> /usr/local/var/opendnssec/signconf/147.028.000.xml
>>
>> /usr/local/var/opendnssec/unsigned/147.028.000
>> /usr/home/dns/primary/147.028.000
>>
>
> and
>
> # ods-enforcer key list | grep 147
> 28.147.in-addr.arpa  KSK  active  2020-12-30 21:37:26
> 28.147.in-addr.arpa  ZSK  active  2020-12-30 21:37:26
> 147.028.000          KSK  ready   waiting for ds-seen
> 147.028.000          ZSK  active  2021-01-20 16:14:23
> 147.028.001          KSK  ready   waiting for ds-seen
> 147.028.001          ZSK  active  2021-01-20 16:14:41
> 147.028.002          KSK  ready   waiting for ds-seen
> 147.028.002          ZSK  active  2021-01-20 16:15:44
> ...
>
> so it is name confusion. i just do not know what i am supposed to do
> to unconfuse it.

solved

    ods-enforcer zone delete --zone 147.028.000
    etc

and

    ods-enforcer zonelist import

and bob's your uncle

    28.147.in-addr.arpa    KSK  active   2020-12-30 21:37:26
    28.147.in-addr.arpa    ZSK  active   2020-12-30 21:37:26
    0.28.147.in-addr.arpa  KSK  publish  2020-10-24 02:07:33
    0.28.147.in-addr.arpa  ZSK  ready    2020-10-24 02:07:33
    1.28.147.in-addr.arpa  ZSK  ready    2020-10-24 02:07:33

randy
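
An added example, not part of the thread and not OpenDNSSEC code: a pre-import check that flags zonelist entries whose configured zone name differs from the SOA owner name in the input file, the mismatch behind "soa record has invalid owner name" above. It assumes the OpenDNSSEC 2.x zonelist layout (Zone name attribute, File input adapter); the zonelist, paths and zone contents are constructed samples, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed zonelist in the OpenDNSSEC 2.x layout; paths are made up.
ZONELIST = """<ZoneList>
  <Zone name="147.028.000">
    <Adapters><Input><Adapter type="File">/unsigned/147.028.000</Adapter></Input></Adapters>
  </Zone>
  <Zone name="28.147.in-addr.arpa">
    <Adapters><Input><Adapter type="File">/unsigned/147.028</Adapter></Input></Adapters>
  </Zone>
</ZoneList>"""

# Constructed zone file contents keyed by input path (stands in for reading disk).
ZONE_FILES = {
    "/unsigned/147.028.000": "$TTL 14400\n0.28.147.in-addr.arpa. SOA rip.psg.com. hostmaster.psg.com. (\n  1 86400 3600 2592000 14400 )\n  NS RIP.PSG.COM.\n",
    "/unsigned/147.028": "$ORIGIN 28.147.in-addr.arpa.\n@ IN SOA rip.psg.com. hostmaster.psg.com. 1 86400 3600 2592000 14400\n",
}

def canon(name):
    """Compare as DNS names: case-insensitive, trailing dot ignored."""
    return name.strip().rstrip(".").lower()

def soa_owner(zone_text):
    """Owner name of the first SOA record, or None if it cannot be determined."""
    origin = None
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()       # drop comments, tokenise
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = fields[1]
        elif not raw[0].isspace() and "SOA" in [f.upper() for f in fields[1:4]]:
            owner = fields[0]
            if owner == "@":                        # None: file relies on the configured name
                return origin
            if not owner.endswith(".") and origin:  # relative owner, qualify it
                owner = owner + "." + origin
            return owner
    return None

def find_mismatches(zonelist_xml, zone_files):
    """Return (configured name, SOA owner) for every zone where the two differ."""
    bad = []
    for zone in ET.fromstring(zonelist_xml).iter("Zone"):
        path = (zone.findtext("Adapters/Input/Adapter") or "").strip()
        owner = soa_owner(zone_files.get(path, ""))
        if owner is not None and canon(owner) != canon(zone.get("name")):
            bad.append((zone.get("name"), owner))
    return bad
```

On the sample data, find_mismatches(ZONELIST, ZONE_FILES) reports the entry named 147.028.000 and passes 28.147.in-addr.arpa.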