Re: [Opendnssec-user] Questions about ODS and SoftHSM

2015-06-18 Thread Berry A.W. van Halderen
On 06/17/2015 04:24 PM, Jake Zack wrote: > Assuming 2048 KSK, 1024 ZSK… > Would SoftHSM function properly with KSK+ZSK+rollover for 100,000 > domains concurrently? Can it manage a few hundred thousand keys? > Is anyone using SoftHSM for doing mass-signing of tons of zones – all > using separate ke

Re: [Opendnssec-user] OpenDNSSEC v2 status?

2015-09-18 Thread Berry A.W. van Halderen
On 09/18/2015 03:49 PM, Petr Spacek wrote: > could anyone comment on status of OpenDNSSEC v2? Is it still alive? Or > abandoned? Alive. Very much so, but still unreleased; that should be upcoming. NLnetLabs has adopted OpenDNSSEC and is pushing for the next version. > I'm not able

Re: [Opendnssec-user] ods-signerd: robustness & resource demands?

2015-11-16 Thread Berry A.W. van Halderen
On 10/15/2015 04:20 PM, Havard Eidnes wrote: > today we observed another problem in our OpenDNSSEC installation. As > mentioned earlier, we run with an "axfr in, axfr out" configuration. > > For our signed zones, we add a "_original-serial" TXT record, which > contains the serial number from the

Re: [Opendnssec-user] two bug of opendnssec1.4.7

2015-11-24 Thread Berry A.W. van Halderen
On 05/12/2015 08:11 AM, zhujin...@knet.cn wrote: > hi, > I'm zhujinjun, I want to feed back a problem when I use > opendnssec1.4.7 and I think it's a bug of opendnssec1.4.7. > I keep inserting data into inbind, the ods-signerd process works > properly at first. But when the data in inb

Re: [Opendnssec-user] About the lifetime for ZSK

2015-12-01 Thread Berry A.W. van Halderen
On 12/01/2015 01:57 PM, gaolei wrote: > Hi,all > > Here is a question about the ZSK lifetime in OPENDNSSEC. > > A key in 'retire' status seems to still being used to sign new RR. > > But the 'active' key was not used to generate signature of RR. > > It seems a little strange to

Re: [Opendnssec-user] Problems adding largish # of zones

2015-12-04 Thread Berry A.W. van Halderen
On 12/03/2015 11:04 PM, Havard Eidnes wrote: > In a somewhat desperate attempt to gather more information and > remove some of the internal stumbling-blocks in OpenDNSSEC, I > took a hatchet to the code. I started around that obnoxious > "transfer in progress" message and first created this patch:

Re: [Opendnssec-user] kaspConnect() causes ods-enforcer brittleness

2015-12-09 Thread Berry A.W. van Halderen
On 12/09/2015 11:30 AM, Petr Spacek wrote: > On 8.12.2015 09:22, Havard Eidnes wrote: >> This makes ods-enforcer brittle, provides no automatic error >> recovery, and requires operator intervention to restart the >> now-dead enforcer. >> >> Again, this is with OpenDNSSEC 1.4.7, using sqlite3. > >

Re: [Opendnssec-user] Problems adding largish # of zones

2015-12-23 Thread Berry A.W. van Halderen
On 12/23/2015 02:05 PM, Havard Eidnes wrote: > spoke too soon again, found another cut+paste error of mine. > We'll see how it fares now. Please let us know how you fare with the changes. Just to inform you also that we haven't dropped the issue. Although our tests indicate the fix was effective

Re: [Opendnssec-user] ERROR: database version number incompatible with software; require 4, found 3. Please run the migration scripts

2015-12-28 Thread Berry A.W. van Halderen
On 12/28/2015 12:39 PM, Bas van den Dikkenberg wrote: > Where are the migration scripts for version 3 to version 4 of the mysql DB of > opendnssec? Within the distribution of OpenDNSSEC (the opendnssec-1.4.8.2.tar.gz) you should be able to find it as: opendnssec-1.4.8.2/enforcer/utils/migrate_1_4_8.m

Re: [Opendnssec-user] ods-enforcerd process crushed

2016-01-12 Thread Berry A.W. van Halderen
On 01/12/2016 12:28 PM, yaohongyuan wrote: > Hi all, > > Today when I started opendnssec's ods-enforcerd, I got the below > error messages: > > System message: > Jan 12 15:44:49 pascal kernel: ods-enforcerd[18730]: > segfault at 0 ip 7f1a26c4b135 sp 7fffe0b71d00

Re: [Opendnssec-user] A question about keys and such

2016-01-26 Thread Berry A.W. van Halderen
On 01/22/2016 07:37 AM, Gilles Massen wrote: > On 01/21/2016 10:53 PM, Jake Zack wrote: >> So…is it not possible to have a whack of domains use the same keys with >> OpenDNSSEC? > Yes, it is. You'd need the tag in the section of > your policy. > >> Question 2… >> When I ran the key generate, di

Re: [Opendnssec-user] Version 1.4.7 IXFR problems

2016-03-08 Thread Berry A.W. van Halderen
On 03/08/2016 10:59 AM, Havard Eidnes wrote: > Me too. I think I discussed this already under the slightly > misleading subject "TTL clamped to minimum 3600". It turns out that > only change of TTL does not flag those records for inclusion in an > IXFR, and my last message on the subject of Janua

Re: [Opendnssec-user] Signature delay for one zone has one million domains

2016-03-10 Thread Berry A.W. van Halderen
On 03/10/2016 08:14 AM, yaohongyuan wrote: > Hi all, >> I had one zone which has more than one million domains. >> Recently I noticed that adding a new domain under this zone almost >> costs 40 minutes. >> But the other zones worked regularly, just cost about 1 m

Re: [Opendnssec-user] XFR with YADIFA: UNPROCESSABLE_MESSAGE

2016-04-05 Thread Berry A.W. van Halderen
On 03/30/2016 01:46 AM, Djordje Antic wrote: > I have a DNS setup that looks like this: > > Hidden master (BIND) [xfr]-> DNSSEC signer (OpenDNSSEC) [xfr]-> 4x > Public slaves (NSD, BIND, YADIFA, KNOT). > > NSD, BIND and KNOT machines are receiving and serving zones without > problems, but YADIFA

Re: [Opendnssec-user] Critical issue: CKR_OBJECT_HANDLE_INVALID after ZSK rollover

2016-04-07 Thread Berry A.W. van Halderen
On 04/07/2016 08:47 AM, Anne van Bemmelen wrote: > Dear listmembers, > > During a regular enforcerd wake up a new ZSK was created, according to > the regular scheme. > > Immediately after this wake up the critical issue > ‘CKR_OBJECT_HANDLE_INVALID’ was logged, see below this message. > > Signin

Re: [Opendnssec-user] Critical issue: CKR_OBJECT_HANDLE_INVALID after ZSK rollover

2016-04-12 Thread Berry A.W. van Halderen
On 04/08/2016 11:15 AM, Anne van Bemmelen wrote: > Thanks Berry. > Can you tell us when the 1.4 version with the fix is likely to be released? It still needs to be back-ported, I think that will still take a few days at least, the change is quite extensive. Before making a release out of the chan

[Opendnssec-user] Announcing availability public beta-release of OpenDNSSEC 2.0

2016-04-14 Thread Berry A.W. van Halderen
Dear OpenDNSSEC community, Today we enter the final steps towards the 2.0 release by handing out the first real beta. The development is complete, testing has completed and there are no bugs that would stop you replacing 1.4 with 2.0. Download it here: https://dist.opendnssec.org/source/testin

[Opendnssec-user] OpenDNSSEC 1.4.10 released

2016-05-02 Thread Berry A.W. van Halderen
Version 1.4.10 of OpenDNSSEC has been released today. This fix release targets stability issues which have a history and have been hard to reproduce. Issues that have been reported over the past half year have been fixed that may have even come up earlier as rare occasions. Stability should b

Re: [Opendnssec-user] Announcing availability public beta-release of OpenDNSSEC 2.0

2016-05-03 Thread Berry A.W. van Halderen
On 05/03/2016 03:37 PM, Casper Gielen wrote: > On 14-04-16 at 16:01 Berry A.W. van Halderen wrote: >> >> - Use ods-enforcer zone add and delete rather than modifying the >> zonelist.xml file yourself. This file is not kept up-to-date >> automatically anymore; >

Re: [Opendnssec-user] Key state not changing at "Date of next transition"

2016-05-04 Thread Berry A.W. van Halderen
On 05/04/2016 08:59 AM, Arun N S wrote: > Hi, > > Trying to configure OpenDNSSEC with SoftHSM with automatic key > generation and roll over. > > While querying the database for keys: > Zone: Keytype: State:Date of next > transition (to): Size: Algorithm:

Re: [Opendnssec-user] OpenDNSSEC with SafeNet Luna HSM

2016-05-17 Thread (Berry) A.W. van Halderen
xplicitly do so). > From the example kasp.xml, purge 14 days after rollover finished: > > P14D \Berry -- N: (Berry) A.W. van Halderen E: be...@nlnetlabs.nl O: NLnet Labs W: http://www.nlnetlabs.nl/ ___ Opendnssec-user mailing

Re: [Opendnssec-user] Can not start enforcer(1.4.10)

2016-06-07 Thread Berry A.W. van Halderen
On 06/07/2016 05:22 AM, yaohongyuan wrote: > Hi all, > Today I found that opendnssec in my test environment does not work well. > When I start the enforcer and signer threads I get the error as > below: > [gtld@p01-test-devops-9-81 sbin]$ ./ods-control start >

Re: [Opendnssec-user] Questions about compiling 1.4.8.2

2016-06-09 Thread Berry A.W. van Halderen
On 06/09/2016 03:14 PM, Jake Zack wrote: > [root@qa-ftld-01 opendnssec-1.4.8.2]# ./configure > --with-database-backend=mysql --with-ldns=/usr |grep -i ldns > checking for ldns-config... /usr/bin/ldns-config > checking what are the ldns includes... -I/usr/include > checking what are the ldns libs..

Re: [Opendnssec-user] Questions about compiling 1.4.8.2

2016-06-09 Thread Berry A.W. van Halderen
On 06/09/2016 03:41 PM, Jake Zack wrote: > [root@qa-ftld-01 opendnssec-1.4.8.2]# /usr/bin/ldns-config --version > 1.6.17 > [root@qa-ftld-01 opendnssec-1.4.8.2]# /usr/bin/ldns-config --libs > -L/usr/lib64 -lpython2.6 -L/usr/lib64 -lcrypto -lldns > > [root@qa-ftld-01 opendnssec-1.4.8.2]# ./confi

[Opendnssec-user] End-of-life OpenDNSSEC 1.3 on 2017-07-11

2016-07-11 Thread Berry A.W. van Halderen
Dear community. With the release of OpenDNSSEC 2.0 we have reached the point to let go of the support of one of the older, not to say elderly, OpenDNSSEC. We will end the support on OpenDNSSEC 1.3 in accordance with our policy in one year from now. This historic release has long been replaced by

Re: [Opendnssec-user] Sudden failure related to NSEC3, Re: Sudden failure related to NSEC3

2016-07-13 Thread Berry A.W. van Halderen
On 07/10/2016 11:10 AM, Havard Eidnes wrote: >>> I took a copy of the tmp/ directory in OpenDNSSEC (and then >>> removed the files there), and have a copy of the "bad" zones >>> which came out at the other end if someone wants to take a look >>> at it to possibly find out how this could happen. >>

Re: [Opendnssec-user] End-of-life OpenDNSSEC 1.3 on 2017-07-11

2016-07-14 Thread Berry A.W. van Halderen
On 07/11/2016 04:40 PM, Wytze van der Raay wrote: > On 07/11/2016 03:52 PM, Berry A.W. van Halderen wrote: >> We will end the support on OpenDNSSEC 1.3 in accordance with our policy >> in one year from now. This historic release has long been replaced by >> most of not

Re: [Opendnssec-user] *****SPAM***** ODS 2.0.1 did not start after reboot.

2016-08-30 Thread Berry A.W. van Halderen
On 08/30/2016 09:46 AM, Fred.Zwarts wrote: > ODS 2.0.1 has now been running satisfactorily on our test system > for several weeks. However, recently we noticed that each time we reboot > the system, ods does not start up properly. It turns out that after each > reboot, > the directory /var/r

Re: [Opendnssec-user] ODS 2.0.1 did not start after reboot.

2016-08-30 Thread Berry A.W. van Halderen
I'm resending the message because it may have been missed by people on the user list as the subject contained the word spam. Unfortunately the original message was marked as spam because of a high rating on a bad To: address. \Berry On 08/30/2016 09:59 AM, Berry A.W. van Halderen

Re: [Opendnssec-user] OpenBSD porting questions regarding 2.x

2016-09-05 Thread Berry A.W. van Halderen
On 09/04/2016 10:43 AM, Patrik Lundin wrote: > I have recently started looking at upgrading the OpenBSD port of > OpenDNSSEC to 2.x, currently 2.0.1. > > Some questions have turned up: > > * When compared to 1.4.10 I notice that the ods-getconf tool is missing, > and this is not mentioned in >

Re: [Opendnssec-user] OpenBSD porting questions regarding 2.x

2016-09-05 Thread Berry A.W. van Halderen
On 09/04/2016 01:26 PM, Patrik Lundin wrote: > Hello again, > > Another question that popped up when digging around: I am not entirely > certain of the role of /var/opendnssec/enforcer/zones.xml. > > From what I can tell from the migration steps it is used by the signer > and is supposed to be in

Re: [Opendnssec-user] Critical issue: CKR_OBJECT_HANDLE_INVALID after ZSK rollover

2016-09-06 Thread Berry A.W. van Halderen
On 09/06/2016 02:15 PM, Juan Carlos Rodriguez wrote: > Dear Berry, > > I think we are suffering the same error at our tests using a RHEL 7, ODS > 1.4.7 and a HSM Luna SA7: > > Sep 6 09:16:47 dnshost ods-enforcerd: Created ZSK size: 2048, alg: 8 > with id: 812c8c298040dba470085f19bf038277 in repo

Re: [Opendnssec-user] ods-signerd 1.4.10 crash

2016-09-14 Thread Berry A.W. van Halderen
On 09/15/2016 12:04 AM, Havard Eidnes wrote: >> stack trace: >> >> Core was generated by `ods-signerd'. >> Program terminated with signal 11, Segmentation fault. >> #0 0x0042a45a in netio_dispatch () >> (gdb) where >> #0 0x0042a45a in netio_dispatch () >> #1 0x0040df3e in

Re: [Opendnssec-user] OpenBSD porting questions regarding 2.x

2016-09-15 Thread Berry A.W. van Halderen
On 09/06/2016 06:16 PM, Patrik Lundin wrote: > On Mon, Sep 05, 2016 at 02:08:13PM +0200, Berry A.W. van Halderen wrote: > >> [...] > > Thanks for taking the time to share information regarding the current > state off affairs :). > >>> If the goal is to not have tw

Re: [Opendnssec-user] OpenBSD porting questions regarding 2.x

2016-09-15 Thread Berry A.W. van Halderen
On 09/14/2016 07:33 PM, Patrik Lundin wrote: > On Tue, Sep 06, 2016 at 06:16:06PM +0200, Patrik Lundin wrote: > Here is the error and warnings produced by the build and my attempts at > fixing them. > > First the error and warnings from building: > === > depbase=`echo ods-enforcerd.o | sed 's|[^/]*

Re: [Opendnssec-user] ods 2.0.1 ZSK roll-over problem

2016-10-04 Thread Berry A.W. van Halderen
On 10/04/2016 11:06 AM, Fred.Zwarts wrote: > Hi Yuri, > > Is there any progress on this matter? I have a strong impression that > the problem is not (only) caused by migration problems. It seems to > happen always if a standby ZSK is configured. Yuri is out of the office for today, but we have so

Re: [Opendnssec-user] NULL signing with 2.0?

2016-10-05 Thread Berry A.W. van Halderen
On 10/05/2016 01:00 PM, Rick van Rein wrote: > Hi, > > How can I inform the 2.0 signer that I'd like to apply a NULL signing > algorithm? > Did I correctly understand that this is now supported -- so that we can > just update the SOA serial but otherwise pass zones through even when > they are not

[Opendnssec-user] OpenDNSSEC 1.4.12 released

2016-10-17 Thread Berry A.W. van Halderen
Dear community, Hereby we announce the OpenDNSSEC 1.4.12 release. This is a bug fix release targeting a memory leak in the signer when being used in the "bump in the wire" model where the signer would send out notify messages and respond to IXFR requests for the signed zone. This typically would

Re: [Opendnssec-user] ods-ksmutil key export --all not exporting key's

2016-11-19 Thread (Berry) A.W. van Halderen
> What am I doing wrong? > > Bas -- N: (Berry) A.W. van Halderen E: be...@nlne

Re: [Opendnssec-user] Relax-NG validity error : Extra element Host in interleave

2016-11-19 Thread (Berry) A.W. van Halderen
ith kind regards, > > > Bas -- N: (Berry) A.W. van Halderen E: be...@nlnetlabs

Re: [Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

2016-12-27 Thread Berry A.W. van Halderen
Dear PGDev (???), et al, Let me respond first on a few items that already were partially mentioned and then reply to the real issue. Also I do need to mention I'm not absolutely certain on all items; Network monitoring on the loopback device doesn't work that nice for Linux. The kernel cuts sho

Re: [Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

2016-12-27 Thread Berry A.W. van Halderen
On 12/27/2016 03:32 PM, PGNet Dev wrote: > On 12/27/2016 01:36 AM, Berry A.W. van Halderen wrote: >> So I think that TSIG authorization isn't supported (yet) for >> OpenDNSSEC. There is a bit of rationale why for inbound xfers >> it is less used. Most of the times OpenD

Re: [Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

2016-12-28 Thread Berry A.W. van Halderen
On 12/27/2016 04:42 PM, PGNet Dev wrote: > On 12/27/2016 06:32 AM, PGNet Dev wrote: >> On 12/27/2016 01:36 AM, Berry A.W. van Halderen wrote: >>> So I think that TSIG authorization isn't supported (yet) for >>> OpenDNSSEC. There is a bit of rationale why for i

Re: [Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

2016-12-28 Thread Berry A.W. van Halderen
On 12/27/2016 01:52 AM, PGNet Dev wrote: > I'm losing track of all my own attempts :-/ So a quick summary: > since ODS2 is on the same box, it should be communicating for axfr only on > localhost. it is, with config > > cat conf.xml > ... > >

Re: [Opendnssec-user] ods2 AXFR request to nameserver fails , reports "bad packet: ... received error code NOTAUTH", but no traffic (tcpdump) seen ?

2016-12-28 Thread Berry A.W. van Halderen
On 12/28/2016 02:54 PM, PGNet Dev wrote: > On 12/28/2016 02:27 AM, Berry A.W. van Halderen wrote: >> So the NOTIFY gets as source address 127.0.0.1 while is being >> sent to 10.2.2.53. That is an "invalid argument" to the operating >> system. If you reverse the

Re: [Opendnssec-user] DNSSEC problems in opendnssec.org ?

2017-01-03 Thread (Berry) A.W. van Halderen
ade system. The same OpenDNSSEC software, just better monitoring, backup/restore in case of crashes. I don't know why the server crashed, it was one of the other virtual machines (jails in fact) that caused it. Also the other time this happened the cause/effect was the same. \Berry -- N: (

Re: [Opendnssec-user] segfault error 6 in libc-2.23.so

2017-01-08 Thread (Berry) A.W. van Halderen
cerd: [hsm_key_factory_generate] repository SoftHSM role ZSK
> Jan 7 13:34:27 Scripting ods-enforcerd: SELECT COUNT(*) FROM hsmKey WHERE hsmKey.policyId = ? AND hsmKey.state = ? AND hsmKey.bits = ? AND hsmKey.algorithm = ? AND hsmKey.role = ? AND hsmKey.isRevoked = ? AND hsmKey.keyType = ? AND hsmKey.repository = ?
> Jan 7 13:34:27 Scripting ods-enforcerd: SELECT COUNT(*) FROM zone WHERE zone.policyId = ?
> Jan 7 13:34:27 Scripting ods-enforcerd: [hsm_key_factory_generate_all_task] generate for all policies done
> Jan 7 13:34:27 Scripting ods-enforcerd: [worker[2]] finished working
> Jan 7 13:34:27 Scripting ods-enforcerd: [worker[2]]: report for duty
> Jan 7 13:34:27 Scripting kernel: [ 4931.783357] ods-enforcerd[9433]: segfault at 7f2b6c2c2ff8 ip 7f2b7046829c sp 7f2b6c2c2ff0 error 6 in libc-2.23.so[7f2b703e7000+1bf000]
>
> From: Bas van den Dikkenberg
> Sent: Saturday 7 January 2017 12:21
> To: opendnssec-user@lists.opendnssec.org
> Subject: segfault error 6 in libc-2.23.so
>
> Hello,
>
> From today opendnssec enforcerd won't start; all I get is:
> [ 267.837057] ods-enforcerd[2414]: segfault at 7fa32a56dff8 ip 7fa32ef1429c sp 7fa32a56dff0 error 6 in libc-2.23.so[7fa32ee93000+1bf000]
>
> Anyone an idea?
-- N: (Berry) A.W. van Halderen E: be...@nlnetlabs.nl O: NLnet Labs W: http://www.nlnetlabs.nl/

Re: [Opendnssec-user] segfault error 6 in libc-2.23.so

2017-01-08 Thread (Berry) A.W. van Halderen
zzle also. You can remove it if you want, I've downloaded it. Unfortunately the executable has been stripped of debugging information which makes it harder. \Berry > > Bas > > > -Original message- > From: (Berry) A.W. van Halderen [mailto:be...@nlnetlabs.nl

Re: [Opendnssec-user] segfault error 6 in libc-2.23.so

2017-01-08 Thread (Berry) A.W. van Halderen
On Sun, Jan 08, 2017 at 09:41:21PM +0100, (Berry) A.W. van Halderen wrote: > On Sun, Jan 08, 2017 at 06:24:43PM +, Bas van den Dikkenberg wrote: > > Oke i made output you requested, > > But the output file is big 2mb so you download it here: > > https://www.hobb

Re: [Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

2017-01-16 Thread Berry A.W. van Halderen
On 01/16/2017 07:49 PM, Michael Grimm wrote: > Hi -- > > This is opendnssec 1.4.12 and FreeBSD 11-STABLE. > > Today I found the following error message in my logs: > > | ods-signerd: [worker[4]] CRITICAL: failed to sign zone example.com: > General error > > After removing all files in /usr/loca

Re: [Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

2017-01-16 Thread Berry A.W. van Halderen
On 01/16/2017 09:07 PM, Michael Grimm wrote: > Berry A.W. van Halderen wrote: > >> On 01/16/2017 07:49 PM, Michael Grimm wrote: > >>> Hmm, what do I need to do in order to recover from that error? Any input >>> is highly appreciated. >> >> The enf

Re: [Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

2017-01-18 Thread Berry A.W. van Halderen
On 01/18/2017 10:12 PM, Yuri Schaeffer wrote: > Please note that Michael is running 1.4 which has an entirely different > enforcer than 2.0. It is clear now that the signer can't sign the zone > because you removed the signconf. And the enforcer isn't generating a > signconf because it is stuck gen

Re: [Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

2017-01-19 Thread Berry A.W. van Halderen
On 01/18/2017 11:08 PM, Michael Grimm wrote: > Yuri Schaeffer wrote: >> It is hard to imagine anything else than permissions to be the problem >> here. Please check if ods-signerd actually runs as root and doesn't drop >> permissions. > > dns> ps aux > USER PID %CPU %MEM VSZ RSS TT ST

Re: [Opendnssec-user] CRITICAL: failed to sign zone example.com: General error

2017-01-19 Thread Berry A.W. van Halderen
On 01/19/2017 10:10 AM, Yuri Schaeffer wrote: >> @Yuri also: could there be a change in the policy/kasp which prevents >> generation of keys? > > Yes, you can set in the and sections. In > 1.4 for ZSK it will mean no ZSK will be generated at all. A KSK might be > generated but not rolled too un

Re: [Opendnssec-user] mysql migrate duplicate entry

2017-02-28 Thread Berry A.W. van Halderen
On 02/28/2017 02:48 PM, Emil Natan wrote: > Testing migration from 1.4.13 to 2.0.4, convert_mysql fails with: > > Creating database TEST1 (as user kaspuser) > Creating tables in TEST1 (as user kaspuser) > Converting database > ERROR 1062 (23000) at line 474: Duplicate entry '81' for key 'PRIMARY'

Re: [Opendnssec-user] To MySQL or not?

2017-02-28 Thread Berry A.W. van Halderen
On 02/28/2017 07:47 PM, Roman Serbski wrote: > OpenDNSSEC 1.4.x with SQLite under FreeBSD 10.3-STABLE serving ~50 > domains (potentially +30 this year). There are no more than 5 entries > per domain with the default ZSK/KSK roll-over (90 days/1 year). > > Although there are no issues with the perf

Re: [Opendnssec-user] OpenDNSSEC 2.1.0 released

2017-03-02 Thread Berry A.W. van Halderen
On 03/02/2017 12:09 PM, Wytze van der Raay wrote: > Hi Fred, > > On 03/02/2017 11:27 AM, Fred.Zwarts wrote: >> ... >> Then there was a fatal error: >> janitor.c:54:23: fatal error: libunwind.h: No such file or directory >> #include Thanks for reporting it. Unwind is not necessary, for some reas

Re: [Opendnssec-user] mysql migrate duplicate entry

2017-03-06 Thread Berry A.W. van Halderen
On 03/06/2017 10:19 AM, Emil Natan wrote: [deleted summary] Thanks for sharing. > The issue I now got into after switching to 2.1.0 is that the signconf > xml files for zones which use NSEC3 state that NSEC is in use. [deleted] > The zonefiles are still signed with NSEC3 though. Till now the sign

Re: [Opendnssec-user] Signer crash after restart.

2017-05-02 Thread Berry A.W. van Halderen
On 05/02/2017 11:08 AM, David Peall wrote: > Hi > > I got the following message after starting up signer after a reboot: > ods-signerd: daemon/engine.c:894: engine_recover: assertion zone->zl_status > == ZONE_ZL_ADDED failed Judging from the reported line you are running some older 2.0.x versio

Re: [Opendnssec-user] zone signed with wrong key

2017-07-18 Thread Berry A.W. van Halderen
On 07/18/2017 04:57 PM, Emil Natan wrote: > opendnssec version 1.4.13. Dear Emil, From the output you've given, it looks like you have a policy where the signatures are valid for a month and the signatures are fresh. Hence they would be re-used by the signer, since the signatures are still vali

Re: [Opendnssec-user] zone signed with wrong key

2017-07-19 Thread Berry A.W. van Halderen
On 07/19/2017 08:38 AM, Emil Natan wrote: > Hi Berry, > > Thank you very much for your response. > > I do not think it's a matter of preserving signatures. First (and sorry > for not bringing up this earlier) the policy in use has refresh interval > of zero (PT0S) so all signatures should be gene

Re: [Opendnssec-user] ods-ksmutil key ds-seen fails

2017-07-26 Thread Berry A.W. van Halderen
On 07/23/2017 10:21 PM, Emil Natan wrote: > Hello, > > opendnssec version 1.4.14 with OpenHSM 2.2.0. > > OpenDNSSEC manages few zones and it seems it all works well, but: > > # ods-ksmutil key ds-seen -z 1715.test.net -k 18199 > ERROR: error executing SQL - Expression #3 of S

Re: [Opendnssec-user] AllowExtraction option is missing in 2.x

2017-07-26 Thread Berry A.W. van Halderen
On 07/26/2017 03:59 PM, Tomas Krizek wrote: > Hi, > > in version 2.x we're missing the option "|AllowExtraction" in > OpenDNSSEC config file. This option was introduced in commit 672d2c7 > [1], which seems to be merged only in the 1.4 branch. > > Could you please check if that is the case? If so, w

Re: [Opendnssec-user] TTL for the record set to 86400

2017-10-10 Thread Berry A.W. van Halderen
On 10/10/2017 02:35 PM, Mathieu Arnold wrote: > Using OpenDNSSEC 1.4.14 (migrating to 2.1 on the todo list). > > Today, in preparation for a migration, I downed TTLs in a few zones, and > by chance, while looking for something else, I found in the logs that > all the TTL I downed to 10 minutes (fr

Re: [Opendnssec-user] ods-signerd and job scheduling

2017-10-20 Thread Berry A.W. van Halderen
On 10/19/2017 04:28 PM, Jake Zack wrote: > Can ods-signerd sign more than a single zone concurrently, or does the > job scheduler ensure that there is only one signing happening at a time? The signer will sign as many zones as specified by WorkingThreads in the conf.xml at the same time. These "t

Re: [Opendnssec-user] upgrade debian Jessie to Stretch: database trouble

2017-11-02 Thread Berry A.W. van Halderen
On 11/02/2017 10:42 AM, Dennis Baaten wrote: > I upgraded my server from Debian Jessie (8) to Debian Stretch (9; the > newest Stable release). With this upgrade OpenDNSSEC is upgraded from > 1.4.6 to 2.0.3, while Mysql 5.5.58 is upgraded to MariaDB 10.1.26. My > current OpenDNSSEC implementation us

Re: [Opendnssec-user] Date of next transition: now

2018-01-22 Thread Berry A.W. van Halderen
On 01/22/2018 02:39 PM, Gerhard Schmidt wrote: > On 08.01.2018 at 15:57 Gerhard Schmidt wrote: >> On 08.01.2018 at 15:48 Yuri Schaeffer wrote: All worker threads idle. There is 1 task scheduled. It is now Mon Jan 8 14:01:54 2018 (1515416514 seconds since epoch) Next task sc

Re: [Opendnssec-user] Same SOA#, different content?!?

2018-03-22 Thread Berry A.W. van Halderen
On 03/22/2018 03:13 PM, Havard Eidnes wrote: > recently our ods-signerd crashed due to me removing a zone from > our setup -- the crash happened 5-10 minutes later, and has been > reported as a bug. (We're on OpenDNSSEC 1.4.13, with zone > transfers in and out.) > > Following this crash I had to

Re: [Opendnssec-user] opendnssec-1.4.14 signer ommits cistom TTL entries.

2018-04-25 Thread Berry A.W. van Halderen
On 04/24/2018 04:37 PM, Maurice Mahieu wrote: > Hello Mathieu, > When running a "ods-signer clear" the TTL indeed gets updated. But I > have to run it every time before I run a "ods-signer sign". This > looks like a bug. > On 24-04-18 16:07, Mathieu Arnold wrote: >> On Tue, Apr 24, 2018 at 11

Re: [Opendnssec-user] opendnssec-1.4.14 signer ommits cistom TTL entries.

2018-05-07 Thread Berry A.W. van Halderen
irm it. \Berry > Regards, > > Maurice > > > > On 25-04-18 11:02, Berry A.W. van Halderen wrote: >> On 04/24/2018 04:37 PM, Maurice Mahieu wrote: >>> Hello Mathieu, >>> When running a "ods-signer clear" the TTL indeed gets updated. But I >>> h

Re: [Opendnssec-user] Export KSK/ZSK

2018-05-08 Thread Berry A.W. van Halderen
On 04/26/2018 04:56 PM, Volker Janzen wrote: > has somebody managed to export KSK/ZSK in bind format for zones in > OpenDNSSEC? > I am not sure how I get the information which zone uses which key in the > softhsm1. It will depend on whether you're using OpenDNSSEC version 1.x or version 2.x, because

Re: [Opendnssec-user] ods-signerd: adapter failed (Unable to open file)

2018-06-01 Thread Berry A.W. van Halderen
On 06/01/2018 05:04 AM, Randy Bush wrote: > is it looking for system (math etc) libraries in /usr/local? > > 82235 ods-signerd NAMI "/usr/local/lib/libz.so.6" > 82235 ods-signerd RET access -1 errno 2 No such file or directory > 82235 ods-signerd CALL > openat(AT_FDCWD,0x8006732a9,0x10

Re: [Opendnssec-user] ods-signerd: adapter failed (Unable to open file)

2018-06-01 Thread Berry A.W. van Halderen
Dear Randy, On 05/30/2018 08:03 PM, Randy Bush wrote: >> # grep File /etc/opendnssec/zonelist.xml >> /var/opendnssec/unsigned/ca >> /var/opendnssec/signed/ca > > # ls -l /usr/local/var/opendnssec/unsigned/2001.0418.3807 > -rw-r--r-- 1 opendnssec staff 2581 Sep 17 2017 > /usr/local/var/op

Re: [Opendnssec-user] KSK Rolloverdate in opendnssec2

2018-06-11 Thread Berry A.W. van Halderen
On 06/11/2018 08:28 AM, Gerhard Schmidt wrote: > HI, > > I'm using opendnssec 1.4 at work and opendnssec 2 on a club site. > opendnssec reports the next transition date for each key separately > > x.de KSK active 2020-01-26 12:04:17 > x.de

Re: [Opendnssec-user] Missing keys and various other problems on 2.0

2018-06-22 Thread Berry A.W. van Halderen
On 06/22/2018 01:44 PM, Casper Gielen wrote: > My main problem is that zones lose DNSKEYs and get stuck with unverifiable > signatures. > > # ods-enforcer key list --zone wiskundeoptiu.nl -v > Keys: > Zone: Keytype: State:Date of next transition: Size: > Algorithm: CKA_ID:

Re: [Opendnssec-user] Missing keys and various other problems on 2.0

2018-06-25 Thread Berry A.W. van Halderen
On 06/25/2018 03:05 PM, Casper Gielen wrote: > On 25-06-18 at 11:49 Casper Gielen wrote: >> >> I've verified that everything under /var/lib/opendnssec is readable and >> writable by the opendnssec user. The configuration, under >> /etc/opendnssec, is readable but not writable. > > Minutes after

Re: [Opendnssec-user] Missing keys and various other problems on 2.0

2018-07-02 Thread Berry A.W. van Halderen
On 06/28/2018 02:06 PM, Casper Gielen wrote: > 25-06-18 at 17:05 Casper Gielen wrote: >>> Are you using SoftHSM as HSM? If so, which version? >>> There is a known, resolved issue with certain versions. >> >> I just switched to SoftHSM 2.4.0, from Debian Unstable. >> I'll run it for a bit and see

Re: [Opendnssec-user] Status of OpenDNSSEC

2018-09-25 Thread Berry A.W. van Halderen
On 9/25/18 1:39 PM, Gavin Brown wrote: > There hasn't been an update to OpenDNSSEC since 2.1.3 in August last > year (now over a year ago). There have been two updates to SoftHSM in > that time. The last commit to the public GitHub repository was in April > - five months ago. > > What is the statu

Re: [Opendnssec-user] Is KSK Lifetime 10Y too long to be accepted in OpenDNSSEC 2.1.3?

2018-11-06 Thread Berry A.W. van Halderen
On 11/6/18 9:52 AM, list-opendnssec-u...@jyborn.se wrote: > On Mon, Nov 05, 2018 at 10:19:03PM +0100, Michael Grimm wrote: >> On 5. Nov 2018, at 21:43, list-opendnssec-u...@jyborn.se wrote: >>> On Mon, Nov 05, 2018 at 07:44:58PM +0100, Michael Grimm wrote: On 5. Nov 2018, at 15:45, list-opendn

Re: [Opendnssec-user] systemd scripts

2018-11-14 Thread Berry A.W. van Halderen
On 11/13/18 5:23 PM, Bas van den Dikkenberg wrote: > I installed opendnssec from source; are there standard systemd scripts so I > can enable opendnssec at boot or do I need to make them myself? No, start/stop scripts should be part of the specific distribution. Such scripts include information about ch

Re: [Opendnssec-user] [hsm] unable to get key

2019-02-13 Thread Berry A.W. van Halderen
On 2/12/19 11:09 AM, Stephane Bortzmeyer wrote: > One of my zones (I have several on the same OpenDNS instance, the > others seem to work) is no longer signed. The log says: > > Feb 12 11:00:47 server ods-signerd[472]: ObjectFile.cpp(122): The attribute > does not exist: 0x0002 > Feb 12 11:00

[Opendnssec-user] OpenDNSSEC 2.1.4 released

2019-05-17 Thread Berry A.W. van Halderen
Dear Community, It has been a while since the previous release. The 2.1 release has been quite stable with a few corner case problems. However, there is now a need for a release to fix an issue with zone signing that can potentially lead to missing signatures, so it definitely warrants a release. Th

Re: [Opendnssec-user] softhsm private key pin

2019-06-20 Thread Berry A.W. van Halderen
On 6/18/19 3:26 PM, Alonso Mevaz wrote: > Do you know if it is possible in SoftHSM to configure a PIN for a > private key ? Pretty sure that is not supported at this time, nor any other kind of secondary authentication. Would be a nice feature that would fit SoftHSM, but given some design princi

Re: [Opendnssec-user] Deleting the zone

2019-06-24 Thread Berry A.W. van Halderen
On 6/24/19 11:10 AM, Roman Serbski wrote: > Hello, > > [Hidden master:192.168.7.46] <---> [OpenDNSSEC:192.168.7.47] <---> > [Public slave] > > The OS is FreeBSD 11.1-RELEASE with NSD 4.1.24 and OpenDNSSEC 2.1.3 > both installed from ports. > > I occasionally see axfr failures on the hidden maste

Re: [Opendnssec-user] ods-signerd: ObjectFile.cpp(122): The attribute does not exist: 0x00000002

2019-08-14 Thread Berry A.W. van Halderen
On 8/14/19 8:42 AM, Ulrich-Lorenz Schlüter wrote: > Hello list, > > I'm experiencing following errors: > > Aug 14 08:32:02 ns1 systemd: Started OpenDNSSEC signer daemon. > Aug 14 08:32:02 ns1 ods-signerd: [hsm] libhsm connection opened succesfully > Aug 14 08:32:02 ns1 ods-signerd: [engine] signe

Re: [Opendnssec-user] ods-signerd: ObjectFile.cpp(122): The attribute does not exist: 0x00000002

2019-08-14 Thread Berry A.W. van Halderen
On 8/14/19 10:15 AM, Ulrich-Lorenz Schlüter wrote: > > > Am 14.08.19 um 09:54 schrieb Berry A.W. van Halderen: >> On 8/14/19 8:42 AM, Ulrich-Lorenz Schlüter wrote: >>> Hello list, >>> >>> I'm experiencing following errors: >>> >>

Re: [Opendnssec-user] [EXT] CRITICAL: failed to sign zone

2019-08-16 Thread Berry A.W. van Halderen
On 8/16/19 6:21 PM, Ulrich-Lorenz Schlüter wrote: > I checked perms as described. > Turned up logging verbosity. > "ods-ksmutil key list --verbose" does not spit out any keys. > Did you perform the upgrade steps to get to 1.4.14? Were there any anomalies? If ods-ksmutil does not list keys, but

Re: [Opendnssec-user] flooded logs in opendnssec version 2.1.4

2019-08-27 Thread Berry A.W. van Halderen
On 8/27/19 10:26 AM, Ulrich-Lorenz Schlüter wrote: > I have verbosity set to 3 but I get 100k+ debug messages in the log like: > Aug 27 10:13:07 one ods-enforcerd[12491]: > OSSLEVPSymmetricAlgorithm.cpp(477): Decrypt returned 16 bytes of data > Aug 27 10:13:07 one ods-enforcerd[12491]: OSToken.cpp(

[Opendnssec-user] OpenDNSSEC 1.4 end-of-life and future release availability

2019-10-08 Thread Berry A.W. van Halderen
OpenDNSSEC 2.1 was released in February 2017, and in the past two-and-a-half years it has proven itself to be a stable and viable upgrade of 1.4, and has additional features and improvements. Therefore we announce the end-of-life of OpenDNSSEC 1.4. One of the steps towards future releases with better expe

Re: [Opendnssec-user] Migrating from SoftHSM1 to 2

2019-10-10 Thread Berry A.W. van Halderen
On 10/9/19 4:23 PM, Mathieu Arnold wrote: > Hi, > > I am currently running tests with SoftHSM2 to make sure the migration > from 1 to 2 goes without any hitch. > > The documentation of SoftHSM is pretty sparse, and I am wondering about > objectstore.backend. > > The default is "file", which uses

[Opendnssec-user] OpenDNSSEC 2.1.5 released

2019-11-05 Thread Berry A.W. van Halderen
Dear all, Version 2.1.5 of OpenDNSSEC has been released today. The previous release fixed an important issue, but unfortunately left in a memory leak, which this release fixes. This release of 2.1.5 fixes the memory issue, along with some additional issues primarily relating to minor migration im

Re: [Opendnssec-user] Export a specific key, for example by CKA_ID

2019-11-12 Thread Berry A.W. van Halderen
On 10/29/19 3:49 PM, Casper Gielen wrote: > I want to get a specific key from OpenDNSSEC but this seems impossible > with version 2.1.3 (from the Debian repositories). Not sure what you mean with "get a key". List key active, export secret/public key, or get the information usable for DS records?

Re: [Opendnssec-user] ds-seen not working

2019-11-12 Thread Berry A.W. van Halderen
On 11/10/19 7:01 PM, František Dvořák wrote: > Hi, > > the key 43156 is already active and in ds-seen state, so there were > zero keys to change and it's OK. > > The "waiting" key would look like this (output from version 2.1.4): > > example.com KSK ready waiting for ds-seen ... > >

Re: [Opendnssec-user] TTL values through to signed zone?

2019-12-04 Thread Berry A.W. van Halderen
On 12/3/19 11:19 PM, Havard Eidnes wrote: > Dec 3 22:16:20 signer-host ods-signerd: In zone file eduvpn.uninett.no: TTL > for the record 'vpn.eduvpn.uninett.no. 600 IN A 158.38.2.19' set to 86400 > > > I suspect this is code which is supposed to ensure that all the RRs in > an RRset has the sa

Re: [Opendnssec-user] 1.4 to 2.1 migration

2020-01-06 Thread Berry A.W. van Halderen via Opendnssec-user
On 1/6/20 12:15 PM, Paul Duffy via Opendnssec-user wrote: > Are there any plans to support mysql backend in the future? Currently > working on a migration plan from 1.4 -> 2.1 (RHEL6 -> RHEL8 as well), > we’ve always used compiled versions of OpenDNSSEC given the lack of > builtin support for MySQL

Re: [Opendnssec-user] ODS 2.14, double signatures during ZSK rollover

2020-01-14 Thread Berry A.W. van Halderen via Opendnssec-user
On 1/13/20 2:54 PM, Erik P. Ostlyngen via Opendnssec-user wrote: > I'm doing some testing with OpenDNSSec version 2.1.4, and I'm seeing > what to me looks like some unexpected behaviour during ZSK rollover. > During the period of replacing the signatures from old to new keys, > the old signatures a

[Opendnssec-user] OpenDNSSEC 2.1.6 released

2020-02-10 Thread Berry A.W. van Halderen via Opendnssec-user
Dear all, Version 2.1.6 of OpenDNSSEC has been released a few hours ago. This release of 2.1.6 fixes some issues regarding the key list wrongfully displayed (a regression bug in 2.1.5) as well as a small leak in the enforcer (which can add up when you bang the enforcer with a lot of commands. An

Re: [Opendnssec-user] [centr-tech] Question about OpenDNSSEC and migration to version 2

2020-03-09 Thread Berry A.W. van Halderen via Opendnssec-user
>> I have a question to those of you who are using OpenDNSSEC for signing >> your registry zones. At Norid, we are currently in the process of >> testing OpenDNSSEC version 2 with a plan to migrate when we feel >> comfortable with that. However, we are now struggling with a problem >> related to ZS

Re: [Opendnssec-user] Puzzled with error messages

2020-04-07 Thread Berry A.W. van Halderen via Opendnssec-user
On 4/7/20 10:47 AM, PASZTOR Miklos via Opendnssec-user wrote: > I am using OpenDNSSEC 2.1.3 with debian buster. > > There are some error messages, which I really do not understand. The > following > two types of message sequences appear frequently: > > 1. > Mar 31 12:33:16 node ods-signerd[20149]

Re: [Opendnssec-user] Syncing keys to backup server

2020-09-01 Thread Berry A.W. van Halderen via Opendnssec-user
On 8/28/20 10:40 AM, Einar B. Halldórsson via Opendnssec-user wrote: > Hi, > > We are finally planning a migration from 1.4 to 2.1 and at the same time > looking > at having a proper backup signer setup. We're using SoftHSM, my question is > whether we have to pre-generate keys, copy them to the
