"Wytze van der Raay" wrote in message
news:aed42a16-7350-722a-eb6c-94656cc3c...@deboca.net...
Hi Fred,
On 03/02/2017 11:27 AM, Fred.Zwarts wrote:
...
Then there was a fatal error:
janitor.c:54:23: fatal error: libunwind.h: No such file or director
"Yuri Schaeffer" wrote in message
news:d59b046a-420e-9108-6191-112a28c33...@nlnetlabs.nl...
Dear Community,
No issues with the RC1 have come up in the last 1.5 weeks so hereby we
announce the OpenDNSSEC 2.1.0 release.
...
Due to holidays I could not try this new version earlier on our tes
On our test system we have been running ods 2.0.3 with softhsm 2.2.0 for a
few weeks without problems.
Last week we upgraded the system from
SUSE Linux Enterprise Server 12 (x86_64) SP1
to SP2.
After this upgrade the enforcer exits with a segfault a short time after
startup.
In the system log w
"Yuri Schaeffer" wrote in message
news:e95b9f64-9d20-62b2-feb9-aaa6e889f...@nlnetlabs.nl...
In opendnssec 1.4.x I had the option for a standby key. I know it was
experimental.
Is this option removed in 2.x?
Yes. This concept doesn't exist in 2.0.
For both KSK and ZSK? I had the impression
I have been on holidays, so I noticed this message only last week. I will
try the new version to check whether the problem with ZSK rollovers is
solved, when using more than one ZSK. This will take some time.
I already noticed that the output of "ods-enforcer backup list" has not yet
been change
are always present in the signed
zone.
So, I have now set standby to 0, hoping that this will avoid further
problems.
I wonder if you can reproduce this problem with standby ZSKs?
Regards,
Fred.Zwarts.
"Fred.Zwarts" wrote in message news:nsar1v$2af$1...@blaine.gmane.org...
H
?
We now have the situation with two retiring ZSKs and one ready ZSK.
How long do we have to wait, till the ready ZSK will become active?
Thanks, for your help,
Fred.Zwarts.
"Yuri Schaeffer" wrote in message
news:2c127074-c0c2-2132-6da0-0fe173054...@nlnetlabs.nl...
Hi Fred,
Thanks
Sorry, I forgot the database. See attachment.
kasp.db
I forced another ZSK roll-over on our test system and the same problem
popped up.
There are now two retiring ZSKs and one ready ZSK, but no active ZSK.
In the zone file, many records are still signed with the retiring ZSK.
However, this ZSK itself is no longer in the signed zone file.
Could it be that this problem was also caused by a migration problem, or is
it something else?
Regards,
Fred.Zwarts.
"Yuri Schaeffer" wrote in message
news:0bc2193f-292a-4952-5791-92ec713bc...@nlnetlabs.nl...
Hi Fred,
My colleague Hoda found the error. The SOA serial strategy is number
"Yuri Schaeffer" wrote in message
news:7b52287e-c6d9-7862-dcdc-3c9db8c8f...@nlnetlabs.nl...
We never had this problem with 1.4. From our /etc/opendnssec/kasp.xml:
PT15H
PT86400S
PT10800S
datecounter
The kasp.xml has not
"Yuri Schaeffer" wrote in message
news:46da313f-2c47-92b1-8c3d-cc1af1ec6...@nlnetlabs.nl...
Hi Fred,
The log message "If this is the result of a key rollover ..." suggests
(at least to me) that it is normal that a manual intervention is needed
during a roll-over, but we are not used to it.
Recently we upgraded to ods 2.01. from 1.4.10. During key roll-overs we
never needed to update our input zones as long as we used version 1.
This night ods was still in the process of retiring the backup keys, used in
version 1.4.10, when it started a ZSK key roll-over. After that the signer
ref
"Petr Spacek" wrote in message
news:2e3a5fd7-0746-c621-d15a-f95abe280...@redhat.com...
On 30.8.2016 10:12, Wytze van der Raay wrote:
On 08/30/2016 09:46 AM, Fred.Zwarts wrote:
ODS 2.0.1 has now been running satisfactorily on our test system for several
weeks. However, recently
Spam detection software, running on the system "dicht.nlnetlabs.nl",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
The administrator of that system for details.
assumed to increment the serial of the unsigned zone during a
rollover?
At the moment everything looks normal. The unsigned zone is still unchanged
and the signed zone is dated Aug 15 08:33 and shows a serial of 2016081504.
Regards,
Fred.Zwarts.
--- E
Thanks for the information. This was not really a problem, it was only
confusing me.
Fred.Zwarts.
"Yuri Schaeffer" wrote in message
news:dcd38baa-6595-ea86-74ae-0d7076fbc...@nlnetlabs.nl...
Is it normal that only KVI.nl is mentioned in the queues, not the other
domains?
queue completed in 0 seconds.
#
This suggests that the dates are only updated at startup.
Fred.Zwarts.
"Yuri Schaeffer" wrote in message
news:fa5bd541-5887-e339-3932-61dfc6b50...@nlnetlabs.nl...
Today I noticed something else on our test system with ods 2.0.1:
# date
Thu Aug 1
#
Is it normal that only KVI.nl is mentioned in the queues, not the other
domains?
Fred.Zwarts.
"Yuri Schaeffer" wrote in message
news:fa5bd541-5887-e339-3932-61dfc6b50...@nlnetlabs.nl...
Today I noticed something else on our test system with ods 2.0.1:
# date
Thu Aug 11 15:
ne"?
(These are the ones (with the -ds option) that are needed during roll-overs
to update the parent zone.)
Thanks for your patience.
Fred.Zwarts.
"Yuri Schaeffer" wrote in message
news:37170e1f-d553-1db6-545c-ac2fc7002...@nlnetlabs.nl...
So, to get the export the -
sult in "unknown keystate, Error parsing arguments".
Where can I find a list of acceptable keystates?
Fred.Zwarts.
"Fred.Zwarts" wrote in message news:noem06$4sl$1...@blaine.gmane.org...
# ods-enforcer key list --zone KVI.nl
Keys:
Zone:
"waiting for ds-seen"?
Fred.Zwarts.
"Yuri Schaeffer" wrote in message
news:7be600ce-153f-7c42-046e-5c4ce5ad5...@nlnetlabs.nl...
Hi Fred,
On 09-08-16 17:14, Fred.Zwarts wrote:
There are active and ready keys:
# ods-enforcer key list --zone KVI.nl
Keys:
Zone:
Rohani
Sent: Tuesday, August 9, 2016 4:50 PM
To: Fred.Zwarts ; opendnssec-user@lists.opendnssec.org
Subject: Re: [Opendnssec-user] key export in ods 2.0.1
Hello Fred,
key export command returns ready and active KSKs by default. It seems your
KSKs are not in those states.
If you want to export other
After the first impression, mentioned in my previous mail, I continued to
adapt some scripts.
I like very much the --parsable option of ods-enforcer.
There is something that I do not understand.
I was used to parse the output of "ods-ksmutil key export --zone KVI.nl",
but now the command "ods-e
orcer backup list -v" is very
different from what previously was shown with "ods-ksmutil backup list -v".
The latter listed the backups with a date/time, but now I see a list of
hexadecimal numbers. What does it mean?
Thanks for your attention,
Fred.Zwarts.
same environment as our production system.
Fred.Zwarts.
"Jaap Akkerhuis" wrote in message
news:20160109.u0bb9wsh020...@bela.nlnetlabs.nl...
"Fred.Zwarts" writes:
> Thanks for your response. So, I was at the right track, but the version of
> SoftHSM2 that is
?
Fred.Zwarts.
-Original Message-
From: Rickard Bellgrim
Sent: Sunday, January 10, 2016 8:07 AM
To: Fred Zwarts, KVI, Groningen
Cc: Rick van Rein ; Opendnssec-user@lists.opendnssec.org List
Subject: Re: [Opendnssec-user] Migrating to SoftHSM2
2015-12-23T09:27:09.152565+01:00
"Yuri Schaeffer" wrote in message news:56128ae3.9060...@nlnetlabs.nl...
Make sure you get 1.4.8.2 which actually includes said scripts...
//Yuri
On 05-10-15 15:36, Yuri Schaeffer wrote:
Hi Fred,
On 05-10-15 13:17, Fred.Zw
"Yuri Schaeffer" wrote in message news:56127ccf.8020...@nlnetlabs.nl...
Hi Fred,
On 05-10-15 13:17, Fred.Zwarts wrote:
Apparently, the upgrade from 1.4.7 to 1.4.8 is not as
straightforward as with previous versions. What is the corre
I noticed that opendnssec 1.4.8 has been released today.
I tried to use it on our test system, which has been running 1.4.7 for some
months now without problems.
Compilation and linking went without problems.
The installation seems to copy the files to the right directories.
Then I stopped the r
"Havard Eidnes" wrote in message
news:20141031.172405.489878262...@uninett.no...
It seems that the problem is that the SOA version number used in
the IXFR request is totally "off the wall"; I'm seeing
3180924024, which is way bigger than what's in the .xfrd-state
file (2014091709), but still
"Havard Eidnes" wrote in message
news:20141103.155748.216974214...@uninett.no...
Hi Havard,
-xfrd->soa.ttl = htonl(soa_ttl); +
xfrd->soa.ttl = soa_ttl;
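Review bot: the new assignment to xfrd->soa.ttl stores soa_ttl without htonl(), so the field changes from network to host byte order; every reader that still passes soa.ttl through ntohl() has to be updated in the same patch, and a comment on the field stating which byte order it holds would keep writers and readers in step.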
Thanks for the analyses!
I suspect soa_ttl will fail now. xfrd.c:2100 contains
"(unsigned) ntohl(xfrd->soa.ttl));"
So t
We have 12 zones and we see this situation a few times per week. We have
developed a cron script which compares the serial of the unsigned DNS server
with the serial in the /var/opendns/tmp/.xfrd-state file. If a
mismatch is detected, the work-around is to stop OpenDNSSEC, delete this
file and
diagnose this problem, before yet another zone will pop up with a similar
problem.
Fred.Zwarts.
-Original Message-
From: Rick van Rein
Sent: Thursday, May 15, 2014 10:43 PM
To: Fred.Zwarts
Cc: opendnssec-user@lists.opendnssec.org
Subject: Re: [Opendnssec-user] Notify debuggin
available at higher verbosity?
Fred.Zwarts.
-Original Message-
From: Rick van Rein
Sent: Thursday, May 15, 2014 22:43
To: Fred.Zwarts
Cc: opendnssec-user@lists.opendnssec.org
Subject: Re: [Opendnssec-user] Notify debugging
Hi Fred,
The /var/opendnssec/tmp/rug.nl-xfrd-state file
name rug.nl ttl 2152792320 mname ns.RUG.NL. rname
hostmaster.nic.RUG.NL. serial 3002862456 refresh 14400 retry 3600 expire
1209600 minimum 600
;;Master: num 0 next -1 round -1 timeout 1400166392
;;Serial: xfr 2014051506 1400145700 notify 0 0 disk 2014051506 1400145700
;OpenDNSSEC-backup-v3
We use adapters in addns.xml to receive the unsigned zones via zone
transfers. This worked well. An update of the zone on the source server was
received and processed by opendnssec in a few seconds.
Recently I installed ods 1.4.5. I now have the impression that a notify from
the source system i
ge broke one of my scripts, so I used this work-around
to fix it, but I wonder whether there are other cases that may pop up
later.)
Fred.Zwarts.
Hi Fred,
An extension was made to the ‘key list’ command in 1.4.4 based on a number
of user requests (from the release notes):
* OPENDNSSEC-3
I installed opendnssec 1.4.5 over an opendnssec 1.4.3 installation.
Now when I use the " ods-ksmutil key list --verbose" command I see lines
that I did not see with the previous version:
NOT ALLOCATED KSK dsready When required
(keypub) 20488 310a8
On 25/03/14 13:06, Fred.Zwarts. wrote:
We are running ODS 1.4.3 for some weeks now. We have some zones for
which we use policies with shared keys. It has been running well. I
have seen a few zones that performed a ZSK roll-over at the scheduled
times. But now I discovered a zone for which the a
We are running ODS 1.4.3 for some weeks now. We have some zones for which we
use policies with shared keys. It has been running well. I have seen a few
zones that performed a ZSK roll-over at the scheduled times. But now I
discovered a zone for which the active ZSK has a transition time a few d