We are running ODS 1.4.3 for some weeks now. We have some zones for which we
use policies with shared keys. It has been running well. I have seen a few
zones that performed a ZSK roll-over at the wschedules times. But now I
discovered a zone for which the active ZSK has a transition time a few
, Fred.Zwarts. wrote:
We are running ODS 1.4.3 for some weeks now. We have some zones for
which we use policies with shared keys. It has been running well. I
have seen a few zones that performed a ZSK roll-over at the wschedules
times. But now I discovered a zone for which the active ZSK has
scripts, so I used this work-around
to fix it, but I wonder whether there are other cases that may pop up
later.)
Fred.Zwarts.
Hi Fred,
An extension was made to the ‘key list’ command in 1.4.4 based on a number
of user requests (from the release notes):
* OPENDNSSEC-358: ods-ksmutil
We use adapters in addns.xml to receive the unsigned zones via zone
transfers. This worked well. An update of the zone on the source server was
received and processed by opendnssec in a few seconds.
Recently I installed ods 1.4.5. I now have the impression that a notify from
the source system
this problem, before yet another zone will pop up with a similar
problem.
Fred.Zwarts.
-Oorspronkelijk bericht-
From: Rick van Rein
Sent: Thursday, May 15, 2014 10:43 PM
To: Fred.Zwarts
Cc: opendnssec-user@lists.opendnssec.org
Subject: Re: [Opendnssec-user] Notify debugging
Hi Fred
We have 12 zones and we see this situation a few times per week. We have
developed a cron script which compares the serial of the unsigned DNS server
with the serial in the /var/opendns/tmp/zone.xfrd-state file. If a
mismatch is detected, the work-around is to stop OpenDNSSEC, delete this
file
"Yuri Schaeffer" schreef in bericht news:56128ae3.9060...@nlnetlabs.nl...
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Make sure you get 1.4.8.2 which actually includes said scripts...
//Yuri
On 05-10-15 15:36, Yuri Schaeffer wrote:
Hi Fred,
On 05-10-15 13:17, Fred.Zw
I noticed that opendnssec 1.4.8 has been released today.
I tried to use it on our test system, which has been running 1.4.7 for some
months now without problems.
Compilation and linking went without problems.
The installation seems to copy the files to the right directories.
Then I stopped the
"Yuri Schaeffer" schreef in bericht news:56127ccf.8020...@nlnetlabs.nl...
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Hi Fred,
On 05-10-15 13:17, Fred.Zwarts wrote:
Apparently, the upgrade from 1.4.7 to 1.4.8 is not as
straightforward as with previous versions. What is the corre
?
Fred.Zwarts.
-Oorspronkelijk bericht-
From: Rickard Bellgrim
Sent: Sunday, January 10, 2016 8:07 AM
To: Fred Zwarts, KVI, Groningen
Cc: Rick van Rein ; Opendnssec-user@lists.opendnssec.org List
Subject: Re: [Opendnssec-user] Migrating to SoftHSM2
2015-12-23T09:27:09.152565+01:00
in the same enviroment as our production system.
Fred.Zwarts.
"Jaap Akkerhuis" schreef in bericht
news:20160109.u0bb9wsh020...@bela.nlnetlabs.nl...
"Fred.Zwarts" writes:
> Thanks for your response. So, I was at the right track, but the version
> of
> SoftHSM2 tha
for ds-gone"?
(These are the ones (with the -ds option) that are needed during roll-overs
to update the parent zone.)
Thanks for your patience.
Fred.Zwarts.
"Yuri Schaeffer" schreef in bericht
news:37170e1f-d553-1db6-545c-ac2fc7002...@nlnetlabs.nl...
So, to get the expor
Spam detection software, running on the system "dicht.nlnetlabs.nl",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
The administrator of that system for details.
#
Is it normal that only KVI.nl is mentioned in the queues, not the other
domains?
Fred.Zwarts.
"Yuri Schaeffer" schreef in bericht
news:fa5bd541-5887-e339-3932-61dfc6b50...@nlnetlabs.nl...
Today I noticed something else on our test system with ods 2.0.1:
# date
Thu Aug 11 15:
Thanks for the information. This was not really a problem, it was only
confusion me.
Fred.Zwarts.
"Yuri Schaeffer" schreef in bericht
news:dcd38baa-6595-ea86-74ae-0d7076fbc...@nlnetlabs.nl...
Is it normal that only KVI.nl is mentioned in the queues, not the other
doma
we assumed to increment the serial of the unsigned zone during a
rollover?
At the moment everything looks normal. The unsigned zone is still unchanged
and the signed zone is dated Aug 15 08:33 and shows a serial of 2016081504.
Regards,
Fred.Zwarts.
--- E
sult in "unknown keystate, Error parsing arguments".
Where can I find a list of acceptable keystates?
Fred.Zwarts.
"Fred.Zwarts" schreef in bericht news:noem06$4sl$1...@blaine.gmane.org...
# ods-enforcer key list --zone KVI.nl
Keys:
Zone:
"Petr Spacek" schreef in bericht
news:2e3a5fd7-0746-c621-d15a-f95abe280...@redhat.com...
On 30.8.2016 10:12, Wytze van der Raay wrote:
On 08/30/2016 09:46 AM, Fred.Zwarts wrote:
ODS 2.0.1 has now been running satisfactory on our test system for
several
weeks. However, recently
Spam detection software, running on the system "dicht.nlnetlabs.nl",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
The administrator of that system for details.
"Yuri Schaeffer" schreef in bericht
news:46da313f-2c47-92b1-8c3d-cc1af1ec6...@nlnetlabs.nl...
Hi Fred,
The log message "If this is the result of a key rollover ..." suggests
(at least to me) that it is normal that a manual intervention is needed
during a roll-over, but we are not used to
Recently we upgraded to ods 2.01. from 1.4.10. During key roll-overs we
never needed to update our input zones as long as we used version 1.
This night ods was still in the process of retiring the backup keys, used in
version 1.4.10, when it started a ZSK key roll-over. After that the signer
"Yuri Schaeffer" schreef in bericht
news:7b52287e-c6d9-7862-dcdc-3c9db8c8f...@nlnetlabs.nl...
We never had this problem with 1.4. From our /etc/opendnssec/kasp.xml:
PT15H
PT86400S
PT10800S
datecounter
The kasp.xml has not
are always present in the signed
zone.
So, I have now set standby to 0, hoping that this will avoid further
problems.
I wonder if you can reproduce this problem with standby ZSKs?
Regards,
Fred.Zwarts.
"Fred.Zwarts" schreef in bericht news:nsar1v$2af$1...@blaine.gmane.org...
H
information.
Could it be that this problem was also caused by a migration problem, or is
it something else?
Regards,
Fred.Zwarts.
"Yuri Schaeffer" schreef in bericht
news:0bc2193f-292a-4952-5791-92ec713bc...@nlnetlabs.nl...
Hi Fred,
My colleague Hoda found the error. The SOA serial strategy is nu
I forced another ZSK roll-over on our test system and the same problem
popped up.
There are now two retiring ZSKs and one ready ZSK, but no active ZSK.
In the zone file, many records are still signed with the retiring ZSK.
However, this ZSK itself is no longer in the signed zone file.
Could it
Sorry, I forgot the database. See attachment.
kasp.db
Description: Binary data
___
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
I have been on holidays, so I noticed this message only last week. I will
try the new version to check whether the problem with ZSK rollovers is
solved, when using more than one ZSK. This will take some time.
I already noticed that the output of "ods-enforcer backup list" has not yet
been
On our test system we have been running ods 2.0.3 with softhsm 2.2.0 for a
few weeks without problems.
Last week we upgraded the system from
SUSE Linux Enterprise Server 12 (x86_64) SP1
to SP2.
After this upgrade the enforcer exits with a segfault a short time after
startup.
In the system log
28 matches
Mail list logo
