Hi,
Unless I missed something, I do not think I got any comprehensive answer
for this question.
Am I overthinking it and should I just go with the "file" backend?
On Wed, Oct 09, 2019 at 04:23:53PM +0200, Mathieu Arnold wrote:
> Hi,
>
> I am currently running tests with So
ossibility is "db" which uses a SQLite3 database instead of the
filesystem, like SoftHSM1 used to do.
I am wondering what the pros and cons of each are, knowing that my
OpenDNSSEC installation has thousands of domains.
Kind regards,
--
Mathieu Arnold
thank you!
I've been trying to migrate for a while, but I have thousands of zones,
and each time I have a look, the script tells me there are rollovers
going on and that I should wait. I am wondering if there is something
that can be done about the rollovers...
--
Mathieu Arnold
file just contains the default TTL for each
> record.
>
> Had anybody else experienced this behaviour ?
I have, it was very annoying, and then, one day, after running
ods-signer clear on all our zones, because of some other issue, that
problem went away.
--
Mathieu Arnold
On 10/10/2017 at 14:58, Berry A.W. van Halderen wrote:
> On 10/10/2017 02:35 PM, Mathieu Arnold wrote:
>> Using OpenDNSSEC 1.4.14 (migrating to 2.1 on the todo list).
>>
>> Today, in preparation for a migration, I downed TTLs in a few zones, and
>> by chance, while lo
:23:57 ns1 ods-signerd: In zone file prepacolles.fr: TTL for
the record 'mail.prepacolles.fr. 600 IN A 79.143.244.130' set to 86400
I looked in the signer's source, I can't seem to find where and why it
is doing that, or where to disable it.
--
Mathieu Arnold
ago, I don't have
it on 1.4.3.
--
Mathieu Arnold
___
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
+--On 28 March 2014 07:42:18 +0100 Rickard Bellgrim rick...@opendnssec.org
wrote:
| On Thu, Mar 27, 2014 at 5:45 PM, Mathieu Arnold m...@mat.cc wrote:
|
| I've browsed ODS's sources, and can't really figure out why it would
| happen, I can't see anywhere where umask is changed, or even where
+--On 28 March 2014 12:04:33 +0100 Rickard Bellgrim rick...@opendnssec.org
wrote:
| On Fri, Mar 28, 2014 at 11:01 AM, Mathieu Arnold m...@mat.cc wrote:
|
|
|
| +--On 28 March 2014 07:42:18 +0100 Rickard Bellgrim
| rick...@opendnssec.org
|
| wrote:
| | On Thu, Mar 27, 2014 at 5:45 PM, Mathieu
+--On 28 March 2014 14:20:02 +0100 Rickard Bellgrim rick...@opendnssec.org
wrote:
| On Fri, Mar 28, 2014 at 2:00 PM, Mathieu Arnold m...@mat.cc wrote:
|
| | (It still is an issue that the main application (ods-signer) gets
| | affected.)
|
| That it is :-)
|
|
| Have created the following
://gist.github.com/mat813/8114791#file-makefile-L20
--
Mathieu Arnold
+--On 23 October 2013 09:32:06 -0400 wbr...@e1b.org wrote:
| From: Mathieu Arnold m...@mat.cc
|
| I could write a script iterating the zones and sleeping two
| months/number of zones between them, but it seems a bit
| counterproductive to have a script running that long.
|
| Why not use cron
things, you will want to wait a bit before notifying it. (And you may even
want to never notify the enforcer and have it do its regular runs.)
--
Mathieu Arnold
for all those to be done and notify the enforcer afterwards (or even wait
for it to do its regular run) than having it forcefully HUPed.
--
Mathieu Arnold
+--On 19 September 2013 09:06:16 +0200 Mathieu Arnold m...@mat.cc wrote:
| +--On 19 September 2013 08:16:25 +0200 Rickard Bellgrim
| rick...@opendnssec.org wrote:
|| Looking at the code (shared/hsm.c), it looks like hsm_find_key_by_id()
|| returns NULL, but libhsm does not provide an error. After
-associes.notaires.fr: General error
Sep 19 08:59:10 ns1 ods-signerd: [worker[4]] backoff task [sign] for zone
cathou-associes.notaires.fr with 60 seconds
it did not take it well... I'll have to restart it...
--
Mathieu Arnold
| ulimit -c (it's often disabled by default).
Nope, not on FreeBSD.
--
Mathieu Arnold
is not important?
--
Mathieu Arnold
+--On 4 September 2013 11:02:54 +0100 Sara Dickinson s...@sinodun.com
wrote:
| A full 1.4.2 release is planned for Tuesday 10th September.
Oh, did I miss that? Or did it slip somehow?
Regards,
--
Mathieu Arnold
Hi,
I just had signerd crash on sig11, from what I can gather in the logs
(attached) the enforcer woke up, purged some old keys from softhsm, and the
signer was *not* happy at all about it.
I've launched it back, waited 8 and a half minutes for it to read all the
confs, and am waiting for the
D6731A11F7F79A6E38757E0F48589A6887735E33BE2A2E6D033BE16A E969EDFE
Wondering if TLSA is not supported, or if the one I have is malformed... :-)
--
Mathieu Arnold
should link against
| ldns 1.6.16 if you want to do TLSA.
|
| Best regards,
|Matthijs
|
| On 12/04/2012 01:44 PM, Mathieu Arnold wrote:
| Hello,
|
| While having lunch, I discovered TLSA records, and I wanted to give it a
| spin, but...
|
| Dec 4 13:40:53 ns1 ods-signerd: [adapter] error
] for zone
242.143.79.in-addr.arpa with 60 seconds
And after that, it continued to backoff the signing process for all the
zones, I had to stop/start the signer to get it working again...
opendnssec 1.3.9
softhsm 1.3.3
freebsd 8.2
--
Mathieu Arnold
+--On 2 August 2012 08:58:00 -0700 Jerry Lundström je...@opendnssec.org
wrote:
| Hi Mathieu,
|
| On Aug 2, 2012, at 08:08 , Mathieu Arnold wrote:
| It had been running for a few weeks.
|
|
| Did you reload the Signer? (ods-signer reload)
Me, not, but I've had a few ksk rollovers earlier
).
|
| Yes, that is a drawback that you have to query the key list to get
| the CKA_ID of the key in the correct state when there are duplicate
| key tags.
It should be fairly rare to have a tag conflict for two keys on *one* zone,
no?
--
Mathieu Arnold
. It has worked well ever since.
--
Mathieu Arnold
${i:T:S/_/\//}
/usr/local/sbin/ods-signer sign ${i:T:S/_/\//}
.endfor
I run make in my /etc/namedb and the Makefile takes care of regenerating
the zone passed to opendnssec and telling the signer to resign the zone.
--
Mathieu Arnold
not be
printed unless something like -v or -d is added :-)
--
Mathieu Arnold
in a screen.)
Here, the first does not do anything, and the second works:
# ods-signer update mat.cc /dev/null
# ods-signer update mat.cc
Zone mat.cc config being updated.
#
--
Mathieu Arnold
so that the new is used for
signing.
--
Mathieu Arnold
+--On 20 October 2011 09:49:20 +0200 Jerry Lundström
je...@opendnssec.org wrote:
| Hi Mathieu,
|
| On 2011-10-19 11.46, Mathieu Arnold m...@mat.cc wrote:
|
| running 1.3.0 right now (will update to 1.3.2 later today)
|
| Have you been able to try 1.3.2 yet?
Yes, I did, did not solve my
to 3600 seconds, and I can't seem to have
the zones signed again.
--
Mathieu Arnold
--keystate PUBLISH
But you should note that it's a bad idea to do so, and you should just wait
for it to be published (less than a day left now)
--
Mathieu Arnold
+--On 18 May 2011 14:25:57 +0200 Göran Bengtson goe...@chalmers.se wrote:
| On Wed, 18 May 2011, Mathieu Arnold wrote:
| Have I uncovered a bug, or is there something wrong I can't see?
|
| Just for the record. I've seen this too with 1.2.1 for a zone with 3
| RRs
| but I have not yet
+--On 18 May 2011 14:49:04 +0200 Mathieu Arnold m...@mat.cc wrote:
| +--On 18 May 2011 14:25:57 +0200 Göran Bengtson goe...@chalmers.se
| wrote:
|| On Wed, 18 May 2011, Mathieu Arnold wrote:
|| Have I uncovered a bug, or is there something wrong I can't see?
||
|| Just for the record. I've
      <TTL>P2D</TTL>
    </DS>
    <SOA>
      <TTL>PT2H</TTL>
      <Minimum>PT6H</Minimum>
    </SOA>
  </Parent>
  <!-- <Audit/> -->
--
Mathieu Arnold
nsec3
thingies, or the auditor has a bug :-)
--
Mathieu Arnold
where it's even worse :-)
--
Mathieu Arnold
can't add the weight of having to handle keys manually to my
co-workers.
I do get your point, but nobody forces you to use OpenDNSSEC's standby keys
capabilities :-)
--
Mathieu Arnold
is on,
or the small antique books store around the corner.
But my security needs are in no way the same as a tld's.
I do agree with you that it'd be nice to be able to have a separate HSM for
that kind of thing, but I'd really be sad to see the feature go, even if
it's not perfect.
--
Mathieu Arnold
+--On 6 July 2010 17:39:15 +0200 Mathieu Arnold m...@mat.cc wrote:
| +--On 6 July 2010 17:31:07 +0200 Pierre Lebrech
| pierre.lebr...@laposte.net wrote:
|| OK, good idea. But some parent zones holders check to see if the
|| corresponding DNSKEY is present in the child zone before accepting
zone
I don't really understand, but I think that it generates NSEC3 records for way
too many things.
Attached are the temp files.
--
Mathieu Arnold
d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa. 86400 IN SOA
ns1.absolight.net. root.absolight.com. 2010030500 86400 3600 604800 3600
d.0.1.f.f