On 13.3.2014 11:34, Yuri Schaeffer wrote:
> Woops, my reply did not make it to the list. Take 2:
>
>> As a side-effect, I have found another bug (I guess):
>> I have terminated ods-enforcer from the previous example with SIGINT
>> (Ctrl+C) because I was impatient and not willing to wait for 2190 new
>> ZSKs.
>
> I suppose you pulled it from our Git repository recently, can you tell
> me what commit you are on? About a week ago some code was committed [0]
> touching relevant code.

Copy&paste from the first message in this thread:
I have built enforcer-ng myself from git, HEAD
d7ba5fa96bcd8e6e6744e89d11fa2da88f7572c7.
I'm using SoftHSM v2 built from git, HEAD
c893d407b789e81e2d9fab5b112cc59648ba644a. It is configured with "db" backend.

> I think what is happening is that on startup the enforcer-ng will
> restart filling its pool of pregenerated keys. I suppose at that time

I didn't restart enforcer daemon, I just pressed Ctrl+C and then ran another
enforcer command.

> you did not change the <AutomaticKeyGenerationPeriod> yet?

No, I'm using conf.xml from the repo - I have just configured SoftHSM and
commented out signer configuration because I don't plan to use it.

> [0]
> https://github.com/opendnssec/opendnssec/commit/20c4fa58c00b42d88c84a9ae4efcc23cd6c898ce
--
Petr Spacek @ Red Hat
<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <RepositoryList>
    <Repository name="SoftHSM">
      <Module>/usr/local/lib/softhsm/libsofthsm.so</Module>
      <TokenLabel>OpenDNSSEC</TokenLabel>
      <PIN>1234</PIN>
      <SkipPublicKey/>
    </Repository>
    <!--
    <Repository name="sca6000">
      <Module>/usr/lib/libpkcs11.so</Module>
      <TokenLabel>Sun Metaslot</TokenLabel>
      <PIN>test:1234</PIN>
      <Capacity>255</Capacity>
      <RequireBackup/>
      <SkipPublicKey/>
    </Repository>
    -->
  </RepositoryList>
  <Common>
    <Logging>
      <!-- Command line verbosity will overwrite configure file -->
      <Verbosity>3</Verbosity>
      <Syslog><Facility>local0</Facility></Syslog>
    </Logging>
    <PolicyFile>/etc/opendnssec/kasp.xml</PolicyFile>
    <ZoneListFile>/etc/opendnssec/zonelist.xml</ZoneListFile>
  </Common>
  <Enforcer>
    <!--
    <Privileges>
      <User>opendnssec</User>
      <Group>opendnssec</Group>
    </Privileges>
    -->
    <Datastore><SQLite>/var/opendnssec/kasp.db</SQLite></Datastore>
    <!-- The enforcer interval parameter is no longer used in 2.0 and will be deprecated in 2.1 -->
    <Interval>PT3600S</Interval>
    <!-- <ManualKeyGeneration/> -->
    <AutomaticKeyGenerationPeriod>P1Y</AutomaticKeyGenerationPeriod>
    <!-- <RolloverNotification>P14D</RolloverNotification> -->
    <!-- the <DelegationSignerSubmitCommand> will get all current
         DNSKEYs (as a RRset) on standard input (with optional CKA_ID) -->
    <!-- <DelegationSignerSubmitCommand>/usr/local/sbin/simple-dnskey-mailer.sh</DelegationSignerSubmitCommand> -->
    <WorkingDirectory>/var/opendnssec/enforcer</WorkingDirectory>
    <!--<WorkerThreads>4</WorkerThreads>-->
  </Enforcer>
  <!--
  <Signer>
    <Privileges>
      <User>opendnssec</User>
      <Group>opendnssec</Group>
    </Privileges>
    <WorkingDirectory>/var/opendnssec/signer</WorkingDirectory>
    <WorkerThreads>4</WorkerThreads>
    <SignerThreads>4</SignerThreads>
    <Listener>
      <Interface><Port>53</Port></Interface>
    </Listener>
    the <NotifyCommand> will expand the following variables:
      %zone      the name of the zone that was signed
      %zonefile  the filename of the signed zone
    <NotifyCommand>/usr/local/bin/my_nameserver_reload_command</NotifyCommand>
    <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
  </Signer>
  -->
</Configuration>
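
Added example (not code from this thread or from OpenDNSSEC): a sketch that reads <AutomaticKeyGenerationPeriod> from a conf.xml like the one above and estimates how many keys that period implies for one key role of one zone. It assumes the count is the period divided by the key lifetime, rounded up, with a year counted as 365 days; the key lifetimes are hypothetical, and PT4H is included because it reproduces the 2190 figure mentioned in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Enforcer settings from the conf.xml attached above.
CONF_XML = """<Configuration>
  <Enforcer>
    <!-- <ManualKeyGeneration/> -->
    <AutomaticKeyGenerationPeriod>P1Y</AutomaticKeyGenerationPeriod>
  </Enforcer>
</Configuration>"""

_DURATION = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Assumption: a year counts as 365 days and a month as 31 days.
_UNIT_SECONDS = (365 * 86400, 31 * 86400, 7 * 86400, 86400, 3600, 60, 1)


def duration_seconds(text):
    """Convert an xsd:duration such as P1Y or PT3600S to seconds."""
    match = _DURATION.match(text.strip())
    if not match or not any(match.groups()):
        raise ValueError("unsupported duration: %r" % text)
    return sum(int(n) * unit
               for n, unit in zip(match.groups(), _UNIT_SECONDS) if n)


def keys_to_pregenerate(conf_xml, key_lifetime):
    """Estimate keys per zone and key role (assumed: period / lifetime)."""
    enforcer = ET.fromstring(conf_xml).find("Enforcer")
    if enforcer is not None and enforcer.find("ManualKeyGeneration") is not None:
        return 0  # manual mode: nothing is pregenerated automatically
    node = None if enforcer is None else enforcer.find("AutomaticKeyGenerationPeriod")
    if node is None or not (node.text or "").strip():
        return None  # period not set in this file
    lifetime = duration_seconds(key_lifetime)
    if lifetime <= 0:
        raise ValueError("key lifetime must be positive")
    return -(-duration_seconds(node.text) // lifetime)  # ceiling division


if __name__ == "__main__":
    # Hypothetical key lifetimes; the policy (kasp.xml) is not shown in the thread.
    for lifetime in ("PT4H", "P14D", "P90D"):
        print(lifetime, keys_to_pregenerate(CONF_XML, lifetime))
```

Comparing the estimate against the HSM's <Capacity> and its key generation speed before starting the enforcer shows whether a short test lifetime combined with P1Y will flood the token.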