Re: Strange tiny time limit RRSIG

2009-08-14 Thread Evan Hunt
> I am still confused about the jitter window. I'm assuming the jitter > windows is spread between -s (now-1h) plus -i value up to -e value ? I have been corrected by my colleague Mark Andrews: I apparently misread both the code and the doc. Apologies for the confusion. I *thought* the jitter

named[749]: the working directory is not writable

2009-08-14 Thread joans4nz
Thanks for your answers Doug and Rick and please excuse my English. joans4nz ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Mark Andrews
In message , Paul Wouters writes: > On Fri, 14 Aug 2009, Chris Thompson wrote: > > >> I'm running into a strange issue where when signing a zone with > >> re-using signatures, that sometimes 1 RRSIG record ends up with > >> a validity time of almost nothing. This happens for instance when > >> s

Re: named[749]: the working directory is not writable

2009-08-14 Thread Doug Barton
Rick Dicaire wrote: >> joans4nz wrote: >>> What is the working directory? > > Take a look at the ownership and perms on /var/named/etc/namedb/dump > >> Making that message go away (one way or another) is on my list, but >> since it's basically harmless it's not a high priority. > > It will be wh

Re: named[749]: the working directory is not writable

2009-08-14 Thread Rick Dicaire
> joans4nz wrote: >> What is the working directory? Take a look at the ownership and perms on /var/named/etc/namedb/dump > Making that message go away (one way or another) is on my list, but > since it's basically harmless it's not a high priority. It will be when you want to dump stats etc :)

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Chris Thompson
On Aug 14 2009, Evan Hunt wrote: Your -j flag says, use a 30 day jitter window for the expiry times. So now it's 30 days in the future, plus or minus 15 days. Are you sure about this? The OP is talking about 9.6.1 and as I read the source of isc_random_jitter() in lib/isc/random.c, jitter onl

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Paul Wouters
On Fri, 14 Aug 2009, Evan Hunt wrote: But I am getting the error that the signature is *expired*. Not that it is being replaced because it's only valid for 15 days - 1 hour in the future. It would look that way. I think the message you're seeing comes from here: vbprintf(2, "\t

Re: named[749]: the working directory is not writable

2009-08-14 Thread Doug Barton
joans4nz wrote: > Hi, > > I am moving some physical machines in production to virtual machines. I > installed a virtual machine with FreeBSD-7.2 with default Bind and I > receive the following message: > > What is the working directory? The directory that by default named dumps its writable fil

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Evan Hunt
> But I am getting the error that the signature is *expired*. Not that it is > being replaced because it's only valid for 15 days - 1 hour in the future. It would look that way. I think the message you're seeing comes from here: vbprintf(2, "\trrsig by %s dropped - %s\n",

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Paul Wouters
On Fri, 14 Aug 2009, Chris Thompson wrote: So as far as I can tell, I should always be more than fine on the lower time limit. That's why I'm suspecting a bug in the jitter code. I think you misunderstand what -i does (or else I do!). If a signature expires more than 15 days into the future

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Paul Wouters
On Fri, 14 Aug 2009, Evan Hunt wrote: I'm signing more or less hourly. My -i interval says "at least 1296000 seconds in the future" from start date "now - minus 1 hour" (because I don't use "-s") Your -i flag says: if you're re-signing a zone that's already signed, any RRSIGs whose expiry times

named[749]: the working directory is not writable

2009-08-14 Thread joans4nz
Hi, I am moving some physical machines in production to virtual machines. I installed a virtual machine with FreeBSD-7.2 with default Bind and I receive the following message: What is the working directory? Is the bind user who must have write permission allowed? Thanks for your time, joans4nz

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Evan Hunt
> I'm signing more or less hourly. My -i interval says "at least 1296000 > seconds in the future" from start date "now - minus 1 hour" (because I > don't use "-s") Your -i flag says: if you're re-signing a zone that's already signed, any RRSIGs whose expiry times are less than 15 days in the future

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Chris Thompson
On Aug 14 2009, Paul Wouters wrote: On Fri, 14 Aug 2009, Chris Thompson wrote: I'm running into a strange issue where when signing a zone with re-using signatures, that sometimes 1 RRSIG record ends up with a validity time of almost nothing. This happens for instance when signing (and re-using

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Paul Wouters
On Fri, 14 Aug 2009, Chris Thompson wrote: I'm running into a strange issue where when signing a zone with re-using signatures, that sometimes 1 RRSIG record ends up with a validity time of almost nothing. This happens for instance when signing (and re-using sigs) using "-i 1296000 -e +2592000

Re: Strange tiny time limit RRSIG

2009-08-14 Thread Chris Thompson
On Aug 14 2009, Paul Wouters wrote: I'm running into a strange issue where when signing a zone with re-using signatures, that sometimes 1 RRSIG record ends up with a validity time of almost nothing. This happens for instance when signing (and re-using sigs) using "-i 1296000 -e +2592000 -j 2592

Re: Bind9.6 & Pkcs#11

2009-08-14 Thread Cathy Almond
徐东 wrote: > Hi all, > I installed the BIND 9.6 and saw the new features in Bind > 9.6. > I noticed that the Bind 9.6 gave a support for pkcs #11, but in the > file*README.pkcs11 > *, I found this feature was tested with the SUN Solaris, so i