Re: PKCS#11 engine implementation

2010-03-04 Thread Nikolay Elenkov
On 2010/03/03 23:41, Jeremy C. Reed wrote:
> On Wed, 3 Mar 2010, Nikolay Elenkov wrote:
> 
>> I've a few questions about the PKCS#11 support in BIND 9.7, 
>> specifically the OpenSSL engine implementation. Is this the right 
>> place to ask? There appears to be no bind-dev mailing list.
> 
> I see you already asked your question. This list is okay.

OK, thanks.

> 
> There is a developers list. It is called bind-workers.
> 
> https://lists.isc.org/mailman/listinfo/bind-workers

Maybe the list page needs a couple of words what the list is about. It's not
exactly obvious.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: PKCS#11 engine implementation

2010-03-04 Thread Nikolay Elenkov
On 2010/03/04 3:29, Evan Hunt wrote:
> 
>> What version of the original OpenSolaris patch is the openssl-0.9.8l-patch in
>> the 9.7.0 tarball based on?
> 
> 2009-03-11.
> 
> More specifically, pkcs11_engine-0.9.8j.patch.2009-03-11, applied to 0.9.8k
> as explained in http://blogs.sun.com/janp/entry/pkcs_11_engine_patch_for1.

Thank you, that makes diff-ing a bit easier.

> 
>> What has been changed/added?
> 
> Principally:
> 
>   1) ability to access key by reference

I've been looking at the BIND 9.7 patch and the 'original' OpenSolaris patch.
The Solaris one has pretty decent key by reference support, but unfortunately it
doesn't currently work with BIND 9.7. I was able to generate keys, but
dnssec-signzone fails to find the private key when signing. I haven't looked into
it in detail (yet), but at least one problem is that opensslrsa_isprivate
doesn't recognize the key as private (looks like RSA_FLAG_EXT_PKEY is not set?).

So how is the key by reference implemented/used in the BIND version? I don't see
a clear distinction between session and token keys.


Re: PKCS#11 engine implementation

2010-03-04 Thread Cathy Almond

>> There is a developers list. It is called bind-workers.
>>
>> https://lists.isc.org/mailman/listinfo/bind-workers
> 
> Maybe the list page needs a couple of words what the list is about. It's not
> exactly obvious.

You know - it isn't exactly obvious is it - I looked at the likely web
page routes someone would traverse to find bind-workers list and... well
no.  Anyone who has been around awhile most likely just *knows*, but
anyone else coming along might easily be baffled.

Good feedback - thanks.   I'll add it to the TBC list.


Loopback alias

2010-03-04 Thread ic.nssip
Hello everyone,

When running "make test" on a BIND 9.7.0 installed on a x86 SUN Solaris 10 
machine, I've got this message:

I:NOTE: Many of the tests were skipped because they require that
I:  the IP addresses 10.53.0.1 through 10.53.0.5 are configured
I:  as alias addresses on the loopback interface.  Please run
I:  "bin/tests/system/ifconfig.sh up" as root to configure them
I:  and rerun the tests.

Is this alias request just for test purpose, or it affects the functionality 
and the performance of DNS Server as well after it goes live?

It was the first time I saw this message when installing a BIND DNS Server from 
source file, and we never used these aliases on any of our machines before. 
Also, I couldn't find many references on google search for loopback alias 
addresses 10.53.0.1 through 10.53.0.5.

Thank you for any insight!
Julian

Re: Loopback alias

2010-03-04 Thread Mark Andrews

In message , "ic.nssip" writes:
> Hello everyone,
> 
> When running "make test" on a BIND 9.7.0 installed on a x86 SUN Solaris
> 10 machine, I've got this message:
> 
> I:NOTE: Many of the tests were skipped because they require that
> I:  the IP addresses 10.53.0.1 through 10.53.0.5 are configured
> I:  as alias addresses on the loopback interface.  Please run
> I:  "bin/tests/system/ifconfig.sh up" as root to configure them
> I:  and rerun the tests.
> 
> Is this alias request just for test purpose, or it affects the
> functionality and the performance of DNS Server as well after it goes
> live?

They are just test addresses.  The comment is also out of date.  
10.53.0.1 through 10.53.0.7 are now used.

> It was the first time I saw this message when installing a BIND DNS
> Server from source file, and we never used these aliases on any of our
> machines before. Also, I couldn't find many references on google search
> for loopback alias addresses 10.53.0.1 through 10.53.0.5.
> 
> Thank you for any insight!
> Julian
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Loopback alias

2010-03-04 Thread Niall O'Reilly

On 04/03/10 19:13, ic.nssip wrote:

> Hello everyone,
>
> When running "make test" on a BIND 9.7.0 installed on a x86 SUN
> Solaris 10 machine, I've got this message:
>
> I:NOTE: Many of the tests were skipped because they require that
> I:  the IP addresses 10.53.0.1 through 10.53.0.5 are configured
> I:  as alias addresses on the loopback interface.  Please run
> I:  "bin/tests/system/ifconfig.sh up" as root to configure them
> I:  and rerun the tests.
>
> Is this alias request just for test purpose,

Yes.

The tests mentioned involve setting up a number of DNS
clients and servers, each on its own address, and exercising
various queries and responses.

You opt out by not running the ifconfig.sh script.
I seem to recall that the installation instructions advise
you to read this script carefully before running it.

In my experience, some more recent OS environments impose
a restricted definition of PATH for root;  this causes
ifconfig.sh to fail unless some extra commands are used.

These are trivial enough that I've never been minded to
file a bug report.

> or it affects the
> functionality and the performance of DNS Server as well after it goes
> live?

No.

> It was the first time I saw this message when installing a BIND DNS
> Server from source file, and we never used these aliases on any of
> our machines before. Also, I couldn't find many references on google
> search for loopback alias addresses 10.53.0.1 through 10.53.0.5.

I'm not sure when this battery of tests was added, but our
site-local documentation (last revised in August 2006)
includes the following.



 To run the complete set of tests for BIND, the system must be 
 temporarily configured with a number of additional local network 
 interfaces. A script for setting these up is included with BIND; 
 inspect it carefully before use, as it must be run as root. 
 This script must be run once, before testing, to set up the 
 interfaces, and again afterwards, to remove them.


   sudo bin/tests/system/ifconfig.sh up
   make test
   sudo bin/tests/system/ifconfig.sh down


I hope this helps.

Best regards,

Niall O'Reilly
University College Dublin IT Services
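
Added example (not part of the message above, and not code from BIND): a check for whether the test aliases are configured before `make test`, or still left behind after `ifconfig.sh down`. It assumes the range 10.53.0.1 through 10.53.0.7 given in this thread; the function names and the sample `ifconfig` output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of BIND or its ifconfig.sh.
# Constructed sample of ifconfig-style output (not real data).
SAMPLE='lo0: flags=2001000849<UP,LOOPBACK,RUNNING> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=2001000849<UP,LOOPBACK,RUNNING> mtu 8232 index 1
        inet 10.53.0.1 netmask ff000000
lo0:2: flags=2001000849<UP,LOOPBACK,RUNNING> mtu 8232 index 1
        inet 10.53.0.2 netmask ff000000
lo:4    inet addr:10.53.0.4  Mask:255.0.0.0
lo:5    inet 10.53.0.5/8 scope host'

# list_test_aliases [MAX]
# Reads ifconfig-style text on stdin and prints every 10.53.0.N
# (1 <= N <= MAX, default 7) that is configured, one per line.
list_test_aliases() {
    max=${1:-7}
    awk -v max="$max" '{
        for (i = 1; i <= NF; i++) {
            a = $i
            sub(/^addr:/, "", a)   # Linux net-tools "inet addr:x"
            sub(/\/.*$/, "", a)    # strip a /prefix length
            if (a ~ /^10\.53\.0\.[0-9]+$/) {
                n = a
                sub(/^10\.53\.0\./, "", n)
                if (n + 0 >= 1 && n + 0 <= max && !seen[a]++) print a
            }
        }
    }'
}

# missing_test_aliases [MAX]
# Prints the addresses in the range that are NOT configured.
missing_test_aliases() {
    max=${1:-7}
    present=$(list_test_aliases "$max")
    n=1
    while [ "$n" -le "$max" ]; do
        if ! printf '%s\n' "$present" | grep -Fqx "10.53.0.$n"; then
            echo "10.53.0.$n"
        fi
        n=$((n + 1))
    done
}

# Demo on the constructed sample: lists the aliases still missing.
printf '%s\n' "$SAMPLE" | missing_test_aliases 7
```

On a real host, pipe `ifconfig -a` into `list_test_aliases` after running `ifconfig.sh down`; any output means test addresses are still bound to the loopback interface.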


Re: Loopback alias

2010-03-04 Thread ic.nssip

Hi Mark,

Thank you for your prompt answer and for taking off my worries that I'm 
missing something there.


Best Regards,
Julian

----- Original Message -----
From: "Mark Andrews"
To: "ic.nssip"
Cc:
Sent: Thursday, March 04, 2010 1:30 PM
Subject: Re: Loopback alias

In message , "ic.nssip" writes:
> Hello everyone,
>
> When running "make test" on a BIND 9.7.0 installed on a x86 SUN Solaris
> 10 machine, I've got this message:
>
> I:NOTE: Many of the tests were skipped because they require that
> I:  the IP addresses 10.53.0.1 through 10.53.0.5 are configured
> I:  as alias addresses on the loopback interface.  Please run
> I:  "bin/tests/system/ifconfig.sh up" as root to configure them
> I:  and rerun the tests.
>
> Is this alias request just for test purpose, or it affects the
> functionality and the performance of DNS Server as well after it goes
> live?

They are just test addresses.  The comment is also out of date.
10.53.0.1 through 10.53.0.7 are now used.

> It was the first time I saw this message when installing a BIND DNS
> Server from source file, and we never used these aliases on any of our
> machines before. Also, I couldn't find many references on google search
> for loopback alias addresses 10.53.0.1 through 10.53.0.5.
>
> Thank you for any insight!
> Julian

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
