Hi!
With ODS 1.2 we used to sign our zones always twice. First with the
incoming SOA (unix timestamp) and a second time with a serial of
original+2weeks. The first signed zone was deployed to the public.
The second with the larger serial was archived and kept for emergency
when there would be an o
I have not used it yet, but it should be possible.
Use the same policy for all zones and in the policy set "ShareKeys".
See https://wiki.opendnssec.org/display/DOCS/kasp.xml and grep for
"ShareKeys".
regards
Klaus
On 13.10.2014 12:15, Jens Link wrote:
> Hi,
>
> a customer wants to use the same
On 06.10.2014 19:15, Kevin Thompson wrote:
> Howdy all,
>
> I was reading the release plan[1], and I saw mentioned 'Signer - Dynamic
> updates'. Could you elaborate on that?
>
> Currently, the best method I've found for integrating ODS with a dynamic
> zone on one server is the CentralNIC patte
At first I would start tcpdump on the ODS server and watch if there are
incoming NOTIFYs if you increase the serial and reload the master. Then
watch out if ODS makes a zone transfer (AXFR or IXFR). Further, the
incoming handler of ODS will write the received zone to disk somewhere.
Check if you ha
25.08.2014 11:40, Bas van den Dikkenberg wrote:
> I plan to have 2 standby keys. As far as I understand I have to publish at
> least the active key and both the standby keys, right?
> What about the ones with status retired (not dead)?
>
>
> -Original message-
>
On 23.08.2014 17:16, Bas van den Dikkenberg wrote:
> Hi ,
>
>
>
> A question about the key states, I am in the process of scripting the
> updating of the KSK to my registrars.
>
>
>
> Does the output of ods-ksmutil key export --zone zome.tld provide me the
> keys I need to publish to the regist
ires.
>
> Regards
> Christoph
>
>
> -Original message-
> From: Klaus Darilion [mailto:klaus.mailingli...@pernau.at]
> Sent: Tuesday, 15 July 2014 16:38
> To: Malin Christoph; opendnssec-user@lists.opendnssec.org
> Subject: Re: [Opendnssec-user] KSK ro
On 15.07.2014 16:26, christoph.ma...@vtg.at wrote:
> Hi,
>
>
>
> I’m playing around with opendnssec. I added a zone to opendnssec and it
> was signed.
>
> Then I changed the date of the Server to (12.07.2015) a few days
> before the KSK retires.
>
>
>
> In the log file:
>
> Rollover o
Hi Emil, comments inline.
On 26.06.2014 10:13, Emil Natan wrote:
> Hi Klaus and thank you for your response.
>
>
> On Thu, Jun 26, 2014 at 10:45 AM, Klaus Darilion
> mailto:klaus.mailingli...@pernau.at>> wrote:
>
>
>
> On 25.06.2014 15 :13
On 25.06.2014 15:13, Emil Natan wrote:
> Hello,
>
> My goal is to replicate the ODS configuration between two nodes, one is
> active with ODS running and one passive where ODS is not running.
>
> https://wiki.opendnssec.org/display/DOCS/High+availability
>
> ... states under the "What to copy"
Ours are quite old too:
$ ls -l /opt/nfast/toolkits/pkcs11/
total 11540
-rwxr-xr-x 1 root root    32768 Nov 23 2012 ConfigPKCS11onCP
-rwxr-xr-x 1 root root 11780890 Nov 23 2012 libcknfast.so
We have added this to the ods init scripts:
CKNFAST_LOADSHARING=1
export CKNFAST_LOADSHARING
regards
K
I do not know about TRNG. We use haveged which feeds its entropy into
the Linux kernel (necessary on virtual servers to get entropy)
regards
Klaus
On 14.05.2014 14:05, Alex Omgovitskij wrote:
> Hi,
>
> The reason I'm looking into SoftHSM - it's free :). and SoftHSM in
> connection with TRNG is c
On 19.12.2013 14:07, Volker Janzen wrote:
PTS
PT3600S
PT172800S
PT10800S
And I think this does not match all TLD policies (found already DS
records that are valid for 86400 seconds at TLD level. I'll now check
the TLDs I want to use and use the maximum T
On 19.12.2013 13:25, Volker Janzen wrote:
I'm using the DelegationSignerCommand to get notified, if OpenDNSSEC
wants me to do an update on a domain. This currently triggers a domain
update (by a simple script) with my domain registrar. The command gets
exactly one DNSKEY (the new one). From thi
On 19.12.2013 10:16, Volker Janzen wrote:
Hi,
I'm currently working on automated KSK rollovers with my registrars API.
I remember a discussion that it's difficult to say if a DS record can be
assumed as seen, because with Anycast DNS you cannot check all
nameservers from your location (or even
r engine".
Obviously the signer re-reads the signconf not only on "update", but
also on restart. This makes sense, as the signer could have missed an
"update" while it was not running.
Thanks for the troubleshooting hints
Klaus
On 15.11.2013 13:42, Klaus Darilion wro
On 15.11.2013 13:02, Volker Janzen wrote:
Hi,
On Wed, 6 Nov 2013 16:28:53 +0100, Jerry Lundström
wrote:
You can monitor the ods-enforcerd and ods-signerd processes, use the
"ods-signer running" and there should be a pid file somewhere (depend
on the OS or if you compiled yourself).
accordi
On 14.11.2013 15:13, Matthijs Mekking wrote:
On 11/14/2013 02:26 PM, Klaus Darilion wrote:
Meanwhile I restarted the ods-signer daemon and after the next zone file
update, ods signed with the correct key. So for now it is fixed, but do
you have any ideas why the signer still used the old KSK
On 14.11.2013 09:57, Matthijs Mekking wrote:
Hi Klaus,
On 11/14/2013 09:37 AM, Klaus Darilion wrote:
Some more debugging:
# ods-hsmutil list| grep repo | grep 2048
repo 16fc0831b9e0738059c02291e0b0a140 RSA/2048 <-reported by ksmutil
repo ddc556f6df689c9801028b1c6db47ed7 RSA/2048 <
er the KSK
rollover?
Thanks
Klaus
On 14.11.2013 08:37, Klaus Darilion wrote:
Hi!
I have a strange problem. ODS 1.3.15 with nCipher HSM. The HSM is
split into repositories, with every zone signed by ODS having their
own repository with keys. For some zones, everything works fine, but fo
Hi!
I have a strange problem. ODS 1.3.15 with nCipher HSM. The HSM is
split into repositories, with every zone signed by ODS having their
own repository with keys. For some zones, everything works fine, but for
some zones, ODS uses a different key for signing than it reports with
ods-ksmut
Hi! Using ODS 1.3.15 and nCipher HSMs:
The key itself is identical, but the calculated tag differs when
calculated by ods-hsmutil: KSKs have an offset of 4 (and reported falsely
as ZSK), ZSKs have an offset of 3.
See output below.
Thanks
Klaus
# ods-ksmutil key list -v
SQLite database set to
On 03.10.2013 10:25, Havard Eidnes wrote:
For some zones I have multiple views with different content.
How can I configure this in OpenDNSSec in combination with SoftHSM?
My opinion: I think you are stretching the DNS model too far by
trying to do this.
But ... if you really want the associ
On 08.08.2013 14:46, Havard Eidnes wrote:
It seems to me that when you configure OpenDNSSEC to use DNS to
fetch an unsigned zone and provide a signed zone, it behaves
differently from a proper DNS server in one important aspect, namely
that it does not appear to do periodic SOA queries towards
On 18.07.2013 15:27, Sara Dickinson wrote:
On 17 Jul 2013, at 10:32, Klaus Darilion wrote:
Attached is the patch (against ods 1.3.9), feel free to use it (it would be
nice if this feature is added to ODS).
Thanks Klaus - this does look simple! We will review and try to include in an
In the end it seems that a feature request is necessary, e.g. an option
to ignore the zonelist but specify the number of zones on the
command line, e.g.:
ods-ksmutil key generate --policy default \
--zonecount [number of zones to generate keys] \
--interval [PERIOD]
In the
On 17.07.2013 00:15, Sebastian Castro wrote:
On 17/07/13 02:26, Gavin Brown wrote:
Hi Klaus,
Hi Gavin,
On 16.07.2013 13:30, Gavin Brown wrote:
Hi there,
We are evaluating an HSM for use with OpenDNSSEC. The vendor has
suggested that we consider manually generating all the keys we are
l
On 16.07.2013 17:49, Gavin Brown wrote:
We are evaluating an HSM for use with OpenDNSSEC. The vendor has
suggested that we consider manually generating all the keys we are
likely to need up-front, so that we only ever need to do a single
backup.
Btw: What HSMs do you use? We use nCipher and t
On 16.07.2013 16:26, Gavin Brown wrote:
Hi Klaus,
On 16.07.2013 13:30, Gavin Brown wrote:
Hi there,
We are evaluating an HSM for use with OpenDNSSEC. The vendor has
suggested that we consider manually generating all the keys we are
likely to need up-front, so that we only ever need to do a
On 16.07.2013 13:30, Gavin Brown wrote:
Hi there,
We are evaluating an HSM for use with OpenDNSSEC. The vendor has
suggested that we consider manually generating all the keys we are
likely to need up-front, so that we only ever need to do a single backup.
We're using this command to generate
On 09.07.2013 21:26, Rick van Rein (OpenFortress) wrote:
These are coloured findings, I know; I had a nasty afternoon;-) Be sure to
counter me if you have had better experiences!
I tried the "apt-get install p11-kit" (v0.12) version. Installation was
fine, but I failed to configure it and
On 09.07.2013 17:27, Casper Gielen wrote:
On 09-07-13 16:49, Klaus Darilion wrote:
btw: I just found pkcs11-proxy and some basic testing works fine. Does
anybody have practical experience with pkcs11-proxy?
I once tried to build a network-HSM by combining softhsm, pkcs11-proxy
On 09.07.2013 16:49, Klaus Darilion wrote:
On 08.07.2013 17:53, Joe Abley wrote:
Hi Klaus,
On 2013-07-08, at 09:13, Klaus Darilion
wrote:
I want to sign a certain zone multiple times: 1x the original zone
+ 1x a modified "backup" zone (change SOA serial and maybe some
oth
On 08.07.2013 17:53, Joe Abley wrote:
Hi Klaus,
On 2013-07-08, at 09:13, Klaus Darilion
wrote:
I want to sign a certain zone multiple times: 1x the original zone
+ 1x a modified "backup" zone (change SOA serial and maybe some
other records)
CIRA's signing infrastructure wi
Hi!
I want to sign a certain zone multiple times: 1x the original zone + 1x
a modified "backup" zone (change SOA serial and maybe some other records)
As far as I see it is not possible to sign the same zone multiple times
within the same ODS instance. Thus, I thought of starting the signer
d
Hi!
For testing I created a policy with rather short intervals (see below).
I now have the problem, that I have to disable the auditor as it complains:
ods-auditor[2778]: test : Key (6670) has gone straight to active use
without a prepublished phase
Of course this is not true. There was a pu
On 28.06.2013 01:53, Sebastian Castro wrote:
On 28/06/13 03:15, Klaus Darilion wrote:
Hi!
Hi!,
When initiating a key rollover, OpenDNSSEC does not immediately use the
new key, but uses the PUBLISH state (at least for ksk) for some time
before activating the key (before "waiting f
Hi!
When initiating a key rollover, OpenDNSSEC does not immediately use the
new key, but uses the PUBLISH state (at least for ksk) for some time
before activating the key (before "waiting for DS"),
How can I force ODS to immediately activate a new KSK and ZSK, without
these "pre-activate" ph
Hi!
I want to use OpenDNSSEC for ~15 Zones. Each zone will use their own
keys (no key sharing) and the same policy for the beginning, but it
should be possible to change the policy for a certain zone later. Thus I
think it would be smart to start with 15 policies, although they all
look the s
Hi!
As an ODS newbie I try to understand the key usage of ODS in an existing
ODS deployment. "ods-hsmutil list" shows me plenty of keys. Some of
them are currently used, some of them are "removed", and some of them
will be used in the future. Unfortunately "ods-ksmutil key list -v" only
show