Hi,
I have found lots of messages below and I don't know why:
Feb 4 20:26:52 index ods-signerd: [xfrd] bad packet: zone dstest received bad
xfr packet (bad rr)
Feb 4 20:26:52 index ods-signerd: [xfrd] bad packet: zone dstest received bad
xfr packet (bad rr)
Feb 4 20:26:52 index ods-signer
Hi all,
Have you guys ever met the script is not called by ods-signerd?
I have met this problem in many opendnssec versions, and still don't know why.
I'm testing 1.4.0rc2 with a BIND as INBOUND to transfer AXFR/IXFR to
opendnssec, and opendnssec would generate a signed zone file to ./signed d
Hi all,
I'm using rc2 now and I met a weird problem.
The log complains:
Jan 30 14:50:01 index ods-signerd: [rrset] RR does not exist: dstest1. 300 IN
DNSKEY 256 3 8
AwEAAaEJGx4v9YA1f72qsL/xkRxlnBl16yd18NOfePwjELDzwGXhssoMYnxf0fpjKBun6XN7XZt3IhdjCTCsh9r+g3G6nh7I8QJos4UTDFF5tH86tnA2GHVthlL8MG9To9
Hi Dave,
I'm testing opendnssec-1.4.0rc2 with AEP Keyper, I can start the service now,
ods-signerd and ods-enforcerd are running.
But when I use ods-ksmutil zone add -z dstest to add a new zone, I found no
keys with ods-ksmutil key list
I get logs like:
Jan 30 10:03:06 CST-BJ-103 ods-signerd: [
Hi everybody
I'm testing AEP Keyper with opendnssec-1.4.0rc2.
What I have changed in conf.xml is as follows:
/opt/Keyper/PKCS11Provider/pkcs11.so
xxx
xxx
The and and a
Hi everyone,
We are thinking of purchasing AEP Keyper for DNSSEC deployment and I have seen
some integration test result from opendnssec.org and I have contacted its sales
service and got the answer that 'AEP Keyper can work with OpenDNSSEC out of the
box'.
To seek help from you guys, If anyone of y
Hi everyone,
I'm using 1.4.0b1 for test, I use Adapter DNS and with OpenDNSSEC as an inbound
to a BIND server,
that means I do not use the Inbound in addns.xml.
I have noticed in BIND's log that BIND always received the same size of data if
there was no change to
the unsigned zone file, but I th
Hi Jakob,
Thanks for your information.
>You should be able to create the key on the HSM and then import it into
>OpenDNSSEC
I can generate keys using pkcs11-tool command with SoftHSM module, but I don't
think we can get
keys out of HSM to import into OpenDNSSEC by using 'ods-ksmutil key import',
Hi,
Due to high memory consuming, I decided to clear some of the zones' data by
using
'ods-signer clear test2 ', but after an hour, it seemed that it did not work at
all, the memory usage is still 55%.
Best regards,
Stuart___
Opendnssec-user mailing l
Hi,
We are testing managing a thousand zones with OpenDNSSEC1.4.0b1 with Mysql, but
SoftHSM can only connect with Sqlite, right?
Is it suitable for all the zones to share the same ZSK/KSK? Would this cause
some other operation problems? Or should I just turn the
on? But I suppose a thou
Hi,
I'm using Mysql instead of Sqlite, I have imported 500 zones, when I tried to
delete all the zones using 'ods-ksmutil zone delete --all',
I got
'
ERROR: error executing SQL - Cannot delete or update a parent row: a foreign
key constraint fails (`KASP`.`dnsseckeys`, CONSTRAINT `dnsseckeys_ib
-10-08 14:55
To: shuoleo
CC: opendnssec-user; Patrik Wallström
Subject: Re: [Opendnssec-user]
On 8 okt 2012, at 08:30, 刘硕 wrote:
> We have been testing DNSSEC with OpenDNSSEC+SoftHSM, it has been working well.
> But recently we decided to buy a HSM to replace SoftHSM to do signing work and
1.
I think the vendor we have been talking to in our country abides by the rules of
some
authorities, and we are afraid that foreign products may not pass the
authentication
of the security authority here.
Best regards,
Stuart
From: Miek Gieben
Date: 2012-10-08 14:40
To: 刘硕
CC: opendnssec-user
Subject:
Hi all,
We have been testing DNSSEC with OpenDNSSEC+SoftHSM, it has been working well.
But recently we decided to buy a HSM to replace SoftHSM to do signing work and
keys storage. After consulting with some of the HSM vendors here, we found out
that almost no devices can cooperate with OpenDNSSEC
Hi all,
I have been testing opendnssec-1.4.0a3, using adapter DNS to transfer signed
data to a BIND server.
But it turned out that sometimes the ods-signerd would crash when signing not
very large zones.
Logs from hidden master(BIND9.8)
30-Aug-2012 17:14:45.496 xfer-in: info: transfer of 'exam
Hi Jerry,
>The CPU usage you see is normal since the Signer is threaded it will use more
>than 100% CPU (this really depends on how the OS reports CPU usage).
>If you wish to lower the CPU usage you can configure the number of Worker and
>Signer threads in conf.xml for the Signer but then the s
Hi Matthijs,
>Note that the inception and expiration times are in UTC, see RFC 4034:
Thanks, I forgot the time zone issue.
>So if you sign at 20/8/2012 17:08 P.M. and the inception is at
>20/8/2012 08:08 A.M,
>you are in UTC+8 (17 minus 8 for the UTC minus 1 for the offset = 8),
>is that righ
>The signature inception time is a function of the current time and the
>inception offset. Is your InceptionOffset in the kasp.xml policy 9 hours?
No, the InceptionOffset is 3600S, but the point is the signature inception time
is earlier not later than the current time, it is the opposite.
I signed
+ccsFR5tXmXcDVkBzm2yJblhGJ+ffsUQcopLmkehtQePRLOw/hzlFSObH2+MzEDvwHJTi5B7NIGK+1SKNxc6tO9MdNOA+hwTs/xaIAVqTVizBMT2dsQDHQBAwX0Kp4WjzxudFInZEkUlx8o84ZlMlDWB2Ce1QTq8=
Perhaps something else is going on? Could you provide me the unsigned
zone that causes this problem?
Best regards,
Matthijs
On 08/16/2012 02:15 PM, 刘硕 wrote
Hi all,
I have added a new zone and signed it with ods-signer, but I found that the
signature validity and expiration time in the signed zone file was not the time
when I signed, there are hours delay.
The time I ran ods-signer was 20/8/2012 17:08 P.M., but the signature period
actually began fro
Hi,
Does OpenDNSSEC support IDN ?
I got the error below when signing a zone with host names containing Chinese
characters which have been processed by IDN.
Aug 16 20:09:04 CST-BJ-104 ods-signerd: [adapter] error reading RR at line 3076
(Syntax error, could not parse the RR's rdata): xn--300-xy9d
>If you have added new RRs to the unsigned zonefile, you should run
>$ ods-signer sign
>to tell OpenDNSSEC there is a new version of the unsigned zone.
If the zones are newly created at a fixed period, I have to run "$ods-signer
sign --all", right? If I run the command manually, will the automa
Hi all,
I'm signing a zone using Adapter DNS, when I added some new RR to the unsigned
zone file in /unsigned directory, I assumed that after the next resigning
period, I could dig the data out, but after 3 resigning period, I still could
not get them from BIND, but the syslog recorded every re
Hi all,
When I use sign --all command and use top command to monitor the process's
behavior, I find that the ods-signerd consumes a very large amount of CPU and
memory usage. The server has 4 CPUs and 4G memory. The CPU usage can
sometimes be as high as 368% and as low as less than 50%, but the me
Hi,
I'm signing a 200Mb zone example4 and I find that the avg of signing speed
varies, and I did nothing to the zone file from 14:15 to 15:02.
BTW, is the signing speed on my server slower than expected?
Jul 25 14:15:18 CST-BJ-104 ods-signerd: [STATS] example4 RR[count=3420001
time=526(sec)] N
Hi Dave,
>I presented on something similar at OARC a couple of years ago:
>https://www.dns-oarc.net/files/workshop-201005/ha-opendnssec-oarc.pdf
Thanks Dave, I have read that pdf file carefully and I have some questions:
1. "Add a new zone on the active signer, create 2 years of keys in advance"
Th
Hi all,
I find that when signing large zone and with adapter DNS, the hidden master
BIND could not receive the zone completely, the ods-signerd may sometimes crash
quietly, but the engine.sock and signerd.pid are still in
/var/run/opendnssec, but actually the pid does not exist yet.
abstract fr
] Signing large zone and .tmp file issue
Hi Stuart,
On Fri, Jul 20, 2012 at 7:31 AM, 刘硕 wrote:
> Jul 20 11:44:51 CST-BJ-104 ods-signerd: [adapter] read zone example4 from
> file input adapter /var/opendnsse
This log line looks strange, was it cut off?
> And When I run ods-signer sign
Hi all,
I'm trying to maintain multiple zones with the same keys, I configured the
policy with ShareKeys valid.
Zone example, example2 and example3 share the keys correctly, but when I tried
to add the large zone example4 again, some interesting hint came up:
[root@CST-BJ-104:/var/opendnssec/unsig
Hi all,
I'm using 1.4.0a2, when I configured a zone to use adapter DNS and ran update
all command, the log showed:
Jul 20 11:44:51 CST-BJ-104 ods-signerd: [adapter] read zone example4 from file
input adapter /var/opendnsse
And When I run ods-signer sign --all command, the other three small zone
Hi,
I am testing with 1.4.0a2, and many weird things have been seen, the release
plan says in Q2 2012 the 1.4 will be released.
OpenDNSSEC 1.4 (Q2 2012)
Input and output adapters for AXFR and IXFR
PIN daemon
Auditor is deprecated (dependency on Ruby is removed)
Can you guys tell me when exactly w
Hi all,
I'm planning to set up a slave opendnssec server to backup the configuration
files and .db files of the master, this will help when the master meets
disastrous incident, like power-off.
The method I have figured is as follows:
1.scp master's configuration files and .db files to slave at a
Hi Jerry,
>Why do you start a second ods-signerd ??
Well, that's a good question.
Once upon a time, ods-signerd is down, only ods-enforcerd remained, so I tried to
start the ods-signerd process manually, maybe I type the command more than once,
so I found the problem, and still don't know why.
Somet
[Opendnssec-user]ods-signer failed when ods-signerd is running
Hi Stuart,
On Wed, Jul 18, 2012 at 8:08 AM, 刘硕 wrote:
> If ods-signerd is running, then I run ods-signerd seems do nothing at all,
> but sometimes there are more than one ods-signerd process at the same time!
> I don't
Hi Matthijs,
I'm testing signing large zone (20Mb) with trunk and the signed zone in /signed
directory always has a .tmp suffix, say example4.tmp, and the example4.tmp
is signed. And in the syslog I can get some information like :
Jul 13 10:00:32 CST-BJ-104 ods-signerd: [tools] unable to write
) failed: No such file or directory
But you see the ods-signerd is running!
Do you know what the problem is?
Best regards,
Stuart
From: Jerry Lundström
Date: 2012-07-17 14:44
To: shuoleo
CC: opendnssec-user
Subject: Re: Re: [Opendnssec-user]ods-signer failed when ods-signerd is running
Hi Stuart,
On
>It's a little strange you have one started with full path and the other
>with no path. Are they from the same install?
I think the no path command is from /usr/local/sbin/, it's in the OS
environment.
>Are you sure one is not looking for the socket at the wrong place due to
>mismatched install,
Hi,
I found an interesting thing that when the two processes are running, I mean
ods-signerd and ods-enforcerd. I can not use ods-signer to sign zone manually,
but the automatic signing seems to work well.
Below are clues for you:
[root@CST-BJ-104:202.173.9.19 :/var/opendnssec/signed]$ps -aux|grep
Hi all,
After I signed a zone and I noticed there was something wrong in the log:
Jul 4 10:21:34 CST-BJ-104 ods-signerd: *** glibc detected ***
/usr/local/sbin/ods-signerd: double free or corruption (!prev):
0x7f006132f020 ***
I knew the ods-signerd process was down, because I met this kind
Hi Matthijs,
I have a zone with "lab" policy in kasp.xml, and its default Resign period is
"PT10M", but I find the log shows the signing is not continuous, below is a
brief of the log:
$ cat /var/log/messages | grep "STATS"
Jul 4 05:13:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=
Hi all,
There is something wrong when I signed a zone named examplex, and I can see the
signed file in /signed dir, but the log shows something wrong and I can't see
the details of the signature result. Does anybody know what's the problem?
Jul 3 15:55:14 CST-BJ-103 ods-signerd: [tools] unable t
in conf.xml, maybe a new documentation should be released,: ).
刘硕___
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user