Hello,
I just discovered that there are a number of old policies in the database that
are no longer in kasp.xml:
# grep name /etc/opendnssec/kasp.xml
<Policy name="uvtonly">
<Policy name="fulldnssec">
<Policy name="testshort">
# ods-ksmutil policy list
Policies:
Name:          Description:
default        A default ...
fulldnssec     Policy voor ....
nostandby      Policy without...
nostandbykeys  Policy without...
testshort      Test policy for ....
uvtonly        Zones that ...
I wanted to remove the 'default' policy to ensure that every zone has a
purposefully selected policy instead of the lazy default. But a test shows
that the 'default' policy is still usable:
# ods-ksmutil zone list |grep default
Found Zone: uvttestexample.com; on policy default
Unfortunately the 'default' zone is still in the database and it will be used
when asked to:
root@metagross:~# ods-ksmutil key list --zone uvttestexample.com
Keys:
Zone:               Keytype:  State:   Date of next transition:
uvttestexample.com  ZSK       active   2011-12-18 10:05:19
uvttestexample.com  KSK       publish  2011-11-18 12:35:19
No other zone uses the "default" policy.
Here are some (slightly cleaned) logs:
Nov 18 10:05:19 metagross ods-enforcerd: Zone uvttestexample.com found.
Nov 18 10:05:19 metagross ods-enforcerd: Policy for uvttestexample.com set to default.
Nov 18 10:05:19 metagross ods-enforcerd: Policy default found in DB.
Nov 18 10:05:19 metagross ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/uvttestexample.com.xml.
Nov 18 10:05:19 metagross ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Nov 18 10:05:19 metagross ods-signerd: [cmdhandler] received command update uvttestexample.com[25]
Nov 18 10:05:19 metagross ods-signerd: [worker[4]] load signconf for zone uvttestexample.com
Nov 18 10:05:19 metagross ods-signerd: [signconf] zone uvttestexample.com signconf: RESIGN[PT7200S] REFRESH[PT259200S] VALIDITY[PT604800S] DENIAL[PT604800S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter] AUDIT[1]
Nov 18 10:05:19 metagross ods-signerd: [zone] zone uvttestexample.com set DNSKEY TTL to 3600
Nov 18 10:05:19 metagross ods-signerd: [zone] zone uvttestexample.com set DNSKEY TTL to 3600
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] read zone uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [adapter] read zone uvttestexample.com from file input adapter /var/lib/opendnssec/unsigned/uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [zone] zone uvttestexample.com set SOA TTL to 3600
Nov 18 10:05:20 metagross ods-signerd: [zone] zone uvttestexample.com set SOA MINIMUM to 3600
Nov 18 10:05:20 metagross ods-signerd: [tools] commit updates for zone uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] nsecify zone uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] sign zone uvttestexample.com
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] audit zone uvttestexample.com
Nov 18 10:05:20 metagross ods-auditor[27960]: Auditor started
Nov 18 10:05:20 metagross ods-auditor[27960]: Can't load uvttestexample.com SignerConfiguration file (/var/lib/opendnssec/signconf/uvttestexample.com.xml) : ERROR - Can't find KASP file : "/etc/opendnssec/kasp.xml" : ERROR - Can't find policy "default" in KASP Policy.
Nov 18 10:05:20 metagross ods-auditor[27960]: Can't find uvttestexample.com zone in zonelist
Nov 18 10:05:20 metagross ods-signerd: [worker[4]] backoff task [read] for zone uvttestexample.com with 60 seconds
Nov 18 10:06:20 metagross ods-signerd: [worker[4]] read zone uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [adapter] read zone uvttestexample.com from file input adapter /var/lib/opendnssec/unsigned/uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [zone] zone uvttestexample.com set SOA TTL to 3600
Nov 18 10:06:20 metagross ods-signerd: [zone] zone uvttestexample.com set SOA MINIMUM to 3600
Nov 18 10:06:20 metagross ods-signerd: [tools] commit updates for zone uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [worker[4]] nsecify zone uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [worker[4]] sign zone uvttestexample.com
Nov 18 10:06:20 metagross ods-signerd: [worker[4]] audit zone uvttestexample.com
Nov 18 10:06:21 metagross ods-auditor[27994]: Auditor started
Nov 18 10:06:21 metagross ods-auditor[27994]: Can't load uvttestexample.com SignerConfiguration file (/var/lib/opendnssec/signconf/uvttestexample.com.xml) : ERROR - Can't find KASP file : "/etc/opendnssec/kasp.xml" : ERROR - Can't find policy "default" in KASP Policy.
Nov 18 10:06:21 metagross ods-auditor[27994]: Can't find uvttestexample.com zone in zonelist
Nov 18 10:06:21 metagross ods-signerd: [worker[4]] backoff task [read] for zone uvttestexample.com with 120 seconds
Nov 18 10:08:21 metagross ods-signerd: [worker[4]] read zone uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [adapter] read zone uvttestexample.com from file input adapter /var/lib/opendnssec/unsigned/uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [zone] zone uvttestexample.com set SOA TTL to 3600
Nov 18 10:08:21 metagross ods-signerd: [zone] zone uvttestexample.com set SOA MINIMUM to 3600
Nov 18 10:08:21 metagross ods-signerd: [tools] commit updates for zone uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [worker[4]] nsecify zone uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [worker[4]] sign zone uvttestexample.com
Nov 18 10:08:21 metagross ods-signerd: [worker[4]] audit zone uvttestexample.com
Nov 18 10:08:21 metagross ods-auditor[28402]: Auditor started
Nov 18 10:08:22 metagross ods-auditor[28402]: Can't load uvttestexample.com SignerConfiguration file (/var/lib/opendnssec/signconf/uvttestexample.com.xml) : ERROR - Can't find KASP file : "/etc/opendnssec/kasp.xml" : ERROR - Can't find policy "default" in KASP Policy.
Nov 18 10:08:22 metagross ods-auditor[28402]: Can't find uvttestexample.com zone in zonelist
Nov 18 10:08:22 metagross ods-signerd: [worker[4]] backoff task [read] for zone uvttestexample.com with 240 seconds
Nov 18 10:09:01 metagross ods-enforcerd: Zone uvttestexample.com found.
Nov 18 10:09:01 metagross ods-enforcerd: Policy for uvttestexample.com set to default.
Nov 18 10:09:01 metagross ods-enforcerd: Policy default found in DB.
Nov 18 10:09:01 metagross ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/uvttestexample.com.xml.
Nov 18 10:09:01 metagross ods-enforcerd: WARNING: KSK rollover for zone 'uvttestexample.com' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
Nov 18 10:09:01 metagross ods-enforcerd: No change to: /var/lib/opendnssec/signconf/uvttestexample.com.xml
--
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
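The mismatch the post describes (the enforcer trusts policies in its database while the auditor trusts kasp.xml, so a zone on a policy that was deleted from kasp.xml keeps getting signed but never audited) can be caught before it reaches the logs. The following is an added example, not code from the post or from OpenDNSSEC: it parses a kasp.xml fragment and the output of `ods-ksmutil policy list` / `ods-ksmutil zone list` in the shapes shown above (all three inputs are constructed inline, and example.org is made up) and reports policies that exist only in the database and zones assigned to such a policy.

```python
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment with the three policies the post's grep shows.
KASP_XML = """<KASP>
  <Policy name="uvtonly"><Description>Zones that ...</Description></Policy>
  <Policy name="fulldnssec"><Description>Policy voor ....</Description></Policy>
  <Policy name="testshort"><Description>Test policy for ....</Description></Policy>
</KASP>"""

# Constructed output in the shape of `ods-ksmutil policy list` from the post.
POLICY_LIST = """Policies:
Name:          Description:
default        A default ...
fulldnssec     Policy voor ....
nostandby      Policy without...
nostandbykeys  Policy without...
testshort      Test policy for ....
uvtonly        Zones that ...
"""

# Constructed output in the shape of `ods-ksmutil zone list`; example.org is made up.
ZONE_LIST = """Found Zone: uvttestexample.com; on policy default
Found Zone: example.org; on policy fulldnssec
"""

ZONE_RE = re.compile(r"Found Zone: (\S+); on policy (\S+)")

def kasp_policies(xml_text):
    """Policy names defined in kasp.xml: the only ones the auditor will accept."""
    return {p.get("name") for p in ET.fromstring(xml_text).iter("Policy")}

def db_policies(listing):
    """Policy names the enforcer still carries in its database."""
    rows = listing.splitlines()[2:]  # skip the 'Policies:' and header lines
    return {row.split()[0] for row in rows if row.strip()}

def stale_policies(xml_text, listing):
    """Policies the DB knows but kasp.xml no longer defines."""
    return db_policies(listing) - kasp_policies(xml_text)

def orphaned_zones(xml_text, zone_listing):
    """Zones whose assigned policy the auditor cannot find in kasp.xml."""
    defined = kasp_policies(xml_text)
    return {z: p for z, p in ZONE_RE.findall(zone_listing) if p not in defined}

if __name__ == "__main__":
    print("stale DB policies:", sorted(stale_policies(KASP_XML, POLICY_LIST)))
    print("zones on undefined policies:", orphaned_zones(KASP_XML, ZONE_LIST))
```

Run against the real files and command output on the signer host, a non-empty result from either function is exactly the condition that produced the "Can't find policy ... in KASP Policy" auditor errors above.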