Hi,
Unless I missed something, I do not think I got any comprehensive answer
for this question.
Am I overthinking it and should I just go with the "file" backend?
On Wed, Oct 09, 2019 at 04:23:53PM +0200, Mathieu Arnold wrote:
> Hi,
>
> I am currently running tests with So
ibility is "db" which uses a SQLite3 database instead of the
filesystem, like SoftHSM1 used to do.
I am wondering what are the pro and cons of each, knowing that my
OpenDNSSEC installation has thousands of domains.
Kind regards,
--
Mathieu Arnold
thank you!
I've been trying to migrate for a while, but I have thousands of zones,
and each time I have a look, the script tells me there are rollovers
going on and that I should wait. I am wondering if there is something
that can be done about the rollovers...
--
Mathieu Arnold
d zonefile just contains the default TTL for each
> record.
>
> Had anybody else experienced this behaviour ?
I have, it was very annoying, and then, one day, after running
ods-signer clear on all our zones, because of some other issue, that
problem went away.
--
Mathieu Arnold
On 10/10/2017 at 14:58, Berry A.W. van Halderen wrote:
> On 10/10/2017 02:35 PM, Mathieu Arnold wrote:
>> Using OpenDNSSEC 1.4.14 (migrating to 2.1 on the todo list).
>>
>> Today, in preparation for a migration, I downed TTLs in a few zones, and
>> by chance, while lo
:23:57 ns1 ods-signerd: In zone file prepacolles.fr: TTL for
the record 'mail.prepacolles.fr. 600 IN A 79.143.244.130' set to 86400
I looked in the signer's source, I can't seem to find where and why it
is doing that, or where to disable it.
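Whatever the cause turns out to be, what an operator wants in the meantime is a check that catches a rewritten TTL before the signed zone is served. The following is an added example, not code from this thread or from OpenDNSSEC: it parses the unsigned input and the signed output in a simple one-record-per-line presentation format (numeric TTLs, $TTL and $ORIGIN directives, ';' comments) and lists every record whose TTL differs, skipping the RRSIG/NSEC/NSEC3/NSEC3PARAM/DNSKEY records the signer adds itself. Both zone snippets are constructed for the example, and the DNSKEY and RRSIG rdata in them are placeholders, not key material.

```python
from typing import Dict, List, Tuple

RecordKey = Tuple[str, str, str]   # (owner, type, rdata)

# Types the signer adds itself; they have no unsigned counterpart to compare.
SIGNER_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}


def parse_zone(text: str, default_ttl: int = 3600) -> Dict[RecordKey, int]:
    """Parse 'owner [ttl] [IN] type rdata' lines plus $TTL/$ORIGIN directives
    and ';' comments. TTLs must be plain seconds. Returns the TTL per record."""
    origin = "."
    records: Dict[RecordKey, int] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "$TTL":
            default_ttl = int(parts[1])
            continue
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        owner = parts[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + (origin if origin != "." else "")
        rest = parts[1:]
        ttl = default_ttl
        if rest and rest[0].isdigit():          # explicit TTL on the record
            ttl = int(rest[0])
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # class is optional
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError(f"cannot parse record: {raw!r}")
        records[(owner, rest[0].upper(), " ".join(rest[1:]))] = ttl
    return records


def ttl_mismatches(unsigned_text: str, signed_text: str) -> List[Tuple[str, str, str, int, int]]:
    """Records present in both zones whose TTL differs, as
    (owner, type, rdata, unsigned_ttl, signed_ttl), sorted."""
    before = parse_zone(unsigned_text)
    after = parse_zone(signed_text)
    found = []
    for key, ttl in before.items():
        if key[1] in SIGNER_TYPES:
            continue
        signed_ttl = after.get(key)
        if signed_ttl is not None and signed_ttl != ttl:
            found.append((key[0], key[1], key[2], ttl, signed_ttl))
    return sorted(found)


# Constructed sample: the unsigned zone as handed to the signer ...
UNSIGNED_ZONE = """\
$TTL 86400
$ORIGIN prepacolles.fr.
@     IN SOA ns1.prepacolles.fr. hostmaster.prepacolles.fr. 2017101001 7200 3600 1209600 3600
@     IN NS  ns1.prepacolles.fr.
ns1   IN A   79.143.244.129
mail  600 IN A 79.143.244.130
www   600 IN A 79.143.244.131
"""

# ... and the signed output, in which the mail record's TTL came back as the
# zone default. DNSKEY and RRSIG rdata are placeholders, not real key material.
SIGNED_ZONE = """\
$TTL 86400
$ORIGIN prepacolles.fr.
@     IN SOA ns1.prepacolles.fr. hostmaster.prepacolles.fr. 2017101001 7200 3600 1209600 3600
@     IN NS  ns1.prepacolles.fr.
@     IN DNSKEY 256 3 8 PLACEHOLDERZSK==
ns1   IN A   79.143.244.129
mail  86400 IN A 79.143.244.130
mail  86400 IN RRSIG A 8 3 86400 20171110000000 20171010000000 12345 prepacolles.fr. PLACEHOLDERSIG==
www   600 IN A 79.143.244.131
"""

if __name__ == "__main__":
    for owner, rtype, rdata, old, new in ttl_mismatches(UNSIGNED_ZONE, SIGNED_ZONE):
        print(f"TTL changed: {owner} {rtype} {rdata}: {old} -> {new}")
```

Run it over the real zone input and the signer's output after each resign; anything it prints is a TTL the signer changed, like the mail record in the log line above.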
be a problem. It wasn't
> for me at the time and went undetected.
>
> //Yuri
>
>
>
> ___
> Opendnssec-user mailing list
> Opendnssec-user@lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
--
Mathieu Arnold
"retire"
state are, indeed, removed from the parent zones.
Both cronned scripts run every four hours, with a RetireSafety = 1D; it's
never failed me :-)
--
Mathieu Arnold
on of the kasp database as
| specified in the conf.xml tag:
|
| https://wiki.opendnssec.org/display/DOCS/conf.xml#conf.xml-Enforcer
|
| The key state information that is listed in key list is held in this
| database.
Also, I think this output was removed a few releases ago; I don't have
it on
+--On 28 March 2014 14:20:02 +0100 Rickard Bellgrim
wrote:
| On Fri, Mar 28, 2014 at 2:00 PM, Mathieu Arnold wrote:
|
|> | (It still is an issue that the main application (ods-signer) gets
|> | affected.)
|>
|> That it is :-)
|
|
| Have created the following tick
+--On 28 March 2014 12:04:33 +0100 Rickard Bellgrim
wrote:
| On Fri, Mar 28, 2014 at 11:01 AM, Mathieu Arnold wrote:
|
|>
|>
|> +--On 28 March 2014 07:42:18 +0100 Rickard Bellgrim
|> >
|> wrote:
|> | On Thu, Mar 27, 2014 at 5:45 PM, Mathieu Arnold wrote:
|> |
+--On 28 March 2014 07:42:18 +0100 Rickard Bellgrim
wrote:
| On Thu, Mar 27, 2014 at 5:45 PM, Mathieu Arnold wrote:
|
|> I've browsed ODS's sources, and can't really figure out why it would
|> happen, I can't see anywhere where umask is changed, or even where file
|&g
, and thus, changing it, even briefly, in one
thread would change it for the other too.
--
Mathieu Arnold
s://gist.github.com/mat813/8114791#file-makefile-L20>
--
Mathieu Arnold
e kind of limit on the number of zones, or keys, or
something, somewhere ?
--
Mathieu Arnold
+--On 23 October 2013 14:45:48 +0100 Siôn Lloyd
wrote:
| On 23/10/13 08:40, Mathieu Arnold wrote:
|> Hi,
|>
|> I'd like to have the ZSK rollovers spread along the two months period
|> that they last so that I don't get 1500 new keys at once.
|> I could write a scrip
+--On 23 octobre 2013 09:32:06 -0400 wbr...@e1b.org wrote:
|> From: Mathieu Arnold
|
|> I could write a script iterating the zones and sleeping months>/ between them, but it seems a bit
|> counterproductive to have a script running that long.
|
| Why not use cron to call a
fore I go on and all hell breaks loose, am I missing something ?
--
Mathieu Arnold
will want to wait a bit for
notifying it. (And you may even want to never notify the enforcer and have it
do its regular runs.)
--
Mathieu Arnold
nd I'd rather wait
for all those to be done and notify the enforcer afterwards (or even wait
for it to do its regular run) than having it forcefully HUPed.
--
Mathieu Arnold
+--On 19 September 2013 09:06:16 +0200 Mathieu Arnold wrote:
| +--On 19 September 2013 08:16:25 +0200 Rickard Bellgrim
| wrote:
||> Looking at the code (shared/hsm.c), it looks like hsm_find_key_by_id()
||> returns NULL, but libhsm does not provide an error. After a couple of
||> t
any more is not important ?
--
Mathieu Arnold
ulimit -c (it's often disabled by default).
Nope, not on FreeBSD.
--
Mathieu Arnold
ns1 kernel: pid 6480 (something), uid 0: exited on signal 6
(core dumped)
| We could mitigate against the preventing itself from launching again by
| setting the SO_REUSEADDR option in the socket.
That we could, yes.
--
Mathieu Arnold
cathou-associes.notaires.fr: General error
Sep 19 08:59:10 ns1 ods-signerd: [worker[4]] backoff task [sign] for zone
cathou-associes.notaires.fr with 60 seconds
it did not take it well... I'll have to restart it...
--
Mathieu Arnold
8 e460a1aa5d1b4ebbde1abc4d4db48b3c
SoftHSM-ZSK 59416
Then the signer crashed (btw, can't find a core file; it should be in the tmp
directory, right? How do I get one?) leaving its control socket around,
and preventing itself from launching again...
--
Mathieu Arnold
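The crash report above and the SO_REUSEADDR suggestion earlier on this page are about the same failure: a control socket file left behind by a dead process stops the next instance from binding. As an added example (not OpenDNSSEC's code), here is how a daemon can reclaim that path safely, written in Python. One fact worth having when weighing the SO_REUSEADDR idea: for an AF_UNIX socket, bind() fails with EADDRINUSE whenever the path already exists, whatever that option is set to, so the stale file has to be unlinked, and it should only be unlinked after a connect() probe shows nobody is listening on it (a live daemon answers, a stale file yields ECONNREFUSED). The socket path used by the demo is created in a temporary directory.

```python
import os
import socket
import stat
import tempfile


class ControlSocketBusy(Exception):
    """Another instance is alive and answering on the control socket."""


def _someone_listens(path: str) -> bool:
    """Probe an existing socket file. A live daemon accepts the connection;
    a file left behind by a crashed process gives ECONNREFUSED."""
    probe = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        probe.connect(path)
        return True
    except ConnectionRefusedError:
        return False
    finally:
        probe.close()


def claim_control_socket(path: str) -> socket.socket:
    """Bind and listen on `path`, reclaiming a stale socket file first.

    bind() on an AF_UNIX socket fails with EADDRINUSE whenever the path
    exists, regardless of SO_REUSEADDR, so the only way past a leftover
    file is to unlink it, and only after checking that nobody listens on
    it. Files that are not sockets are never touched.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        st = None
    if st is not None:
        if not stat.S_ISSOCK(st.st_mode):
            raise OSError(f"{path} exists and is not a socket; refusing to unlink")
        if _someone_listens(path):
            raise ControlSocketBusy(path)
        os.unlink(path)                      # stale: nobody answered
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        srv.listen(8)
    except OSError:
        srv.close()
        raise
    return srv


def demo_stale_socket() -> bool:
    """Replay the scenario from the thread: a daemon dies and leaves its
    socket file behind. Returns True if the file is reclaimed and a second
    instance is then refused while the first one is listening."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ctl.sock")
    crashed = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    crashed.bind(path)
    crashed.close()                          # file remains, nobody listens
    first = claim_control_socket(path)
    try:
        try:
            claim_control_socket(path)
            second_refused = False
        except ControlSocketBusy:
            second_refused = True
    finally:
        first.close()
        os.unlink(path)
        os.rmdir(tmpdir)
    return second_refused


if __name__ == "__main__":
    print("stale socket reclaimed, live one protected:", demo_stale_socket())
```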
+--On 4 September 2013 11:02:54 +0100 Sara Dickinson
wrote:
| A full 1.4.2 release is planned for Tuesday 10th September.
Oh, did I miss that ? Or did it slip somehow ?
Regards,
--
Mathieu Arnold
1.4.2 release is planned for Tuesday 10th September.
I'll wait for the release, with the number of zones I have, if it's not
fixed with the update, I'll see it soon :-)
Thanks,
--
Mathieu Arnold
Hi,
I just had signerd crash on sig11, from what I can gather in the logs
(attached) the enforcer woke up, purged some old keys from softhsm, and the
signer was *not* happy at all about it.
I've launched it back, waited 8 and a half minutes for it to read all the
confs, and am waiting for the ef
(sig/sec)] TOTAL[time=1(sec)]
8'12" to boot up, I admit I do have 1266 zones in there right now, and it's
a bit more than 2.5 zones loaded per second, but I do feel it's a bit slow.
Anyone experiences this kind of behavior ?
Regards,
.
Regards,
--
Mathieu Arnold
| ldns 1.6.16 if you want to do TLSA.
|
| Best regards,
|Matthijs
|
| On 12/04/2012 01:44 PM, Mathieu Arnold wrote:
|> Hello,
|>
|> While having lunch, I discovered TLSA records, and I wanted to give it a
|> spin, but...
|>
|> Dec 4 13:40:53 ns1 ods-signerd: [adapter] error
3 0 1
D6731A11F7F79A6E38757E0F48589A6887735E33BE2A2E6D033BE16A E969EDFE
Wondering if TLSA is not supported, or if the one I have is malformed... :-)
--
Mathieu Arnold
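On the question of whether the record is malformed: RFC 6698 section 2.2 explicitly allows whitespace inside the hexadecimal certificate association data, so the space before the last eight hex digits above is legal presentation format, and the data decodes to 32 bytes, which is the right length for matching type 1 (SHA2-256). What the ldns of the day accepted is a separate matter. The following is an added example, not code from the thread, from OpenDNSSEC or from ldns: a small TLSA presentation-format checker that joins the hex tokens as the RFC permits and validates the usage, selector and matching type values and the digest length. The record from the message above is used as input, together with two constructed bad records.

```python
import re
from typing import Tuple

# RFC 6698 field values: Certificate Usage, Selector, Matching Type.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_BYTES = {1: 32, 2: 64}   # type 0 carries the whole cert/SPKI, any length


def parse_tlsa(rdata: str) -> Tuple[int, int, int, bytes]:
    """Parse TLSA presentation format 'usage selector mtype hexdata'.

    RFC 6698 section 2.2 allows whitespace inside the hexadecimal data, so
    every token after the third is joined before decoding. Raises ValueError
    with the reason when the record is malformed.
    """
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("need usage, selector, matching type and association data")
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
    except ValueError:
        raise ValueError("usage, selector and matching type must be integers") from None
    if usage not in USAGES:
        raise ValueError(f"unknown certificate usage {usage}")
    if selector not in SELECTORS:
        raise ValueError(f"unknown selector {selector}")
    if mtype not in MATCHING_TYPES:
        raise ValueError(f"unknown matching type {mtype}")
    hexdata = "".join(parts[3:])
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexdata) or len(hexdata) % 2:
        raise ValueError("association data must be an even-length hex string")
    data = bytes.fromhex(hexdata)
    want = DIGEST_BYTES.get(mtype)
    if want is not None and len(data) != want:
        raise ValueError(f"{MATCHING_TYPES[mtype]} needs {want} bytes, got {len(data)}")
    return usage, selector, mtype, data


def check_tlsa(rdata: str) -> Tuple[bool, str]:
    """(ok, message): a human-readable description when valid, else the error."""
    try:
        usage, selector, mtype, data = parse_tlsa(rdata)
    except ValueError as err:
        return False, str(err)
    return True, f"{USAGES[usage]} {SELECTORS[selector]} {MATCHING_TYPES[mtype]} ({len(data)} bytes)"


# The record from the message above, with the space inside the hex field kept.
THREAD_RECORD = "3 0 1 D6731A11F7F79A6E38757E0F48589A6887735E33BE2A2E6D033BE16A E969EDFE"

# Constructed bad records: a digest cut short, and one that is not hex at all.
TRUNCATED = "3 0 1 D6731A11F7F79A6E38757E0F48589A6887735E33BE2A2E6D033BE16A"
NOT_HEX = "3 1 1 " + "ZZ" * 32

if __name__ == "__main__":
    for rr in (THREAD_RECORD, TRUNCATED, NOT_HEX):
        ok, msg = check_tlsa(rr)
        print("OK " if ok else "BAD", rr[:24] + "...", msg)
```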
+--On 2 August 2012 08:58:00 -0700 Jerry Lundström
wrote:
| Hi Mathieu,
|
| On Aug 2, 2012, at 08:08 , Mathieu Arnold wrote:
|> It had been running for a few weeks.
|
|
| Did you reload the Signer? (ods-signer reload)
Me, not, but I've had a few ksk rollovers earlier this month.
Oh,
+--On 2 August 2012 07:58:25 -0700 Jerry Lundström
wrote:
| Hi Mathieu,
|
| On Aug 2, 2012, at 06:55 , Mathieu Arnold wrote:
|> And after that, it continued to backoff the signing process for all the
|> zones, I had to stop/start the signer to get it working again...
|
|
| Was this at st
zone
242.143.79.in-addr.arpa with 60 seconds
And after that, it continued to backoff the signing process for all the
zones, I had to stop/start the signer to get it working again...
opendnssec 1.3.9
softhsm 1.3.3
freebsd 8.2
--
Mathieu Arnold
ation).
|
| Yes, that is a drawback that you have to query the "key list" to get
| the CKA_ID of the key in the correct state when there are duplicate
| key tags.
It should be fairly rare to have a tag conflict for two keys on *one* zone,
no ?
--
Mathieu Arnold
orked well ever since.
--
Mathieu Arnold
d this to be done now that the
| auditor has left the building.
|
| jakob
But, hum, how can a tool like validns know things the auditor did, like
what keys should be in the zone, if it's not too soon to be used, or if the
NSEC3PARAM seed is the right one, or things
use NSEC and not NSEC3 for reverse zones, no point
of hiding 0, 1, 2, 3, 4... :-)
--
Mathieu Arnold
ds-signer clear ${i:T:S/_/\//}
/usr/local/sbin/ods-signer sign ${i:T:S/_/\//}
.endfor
I run make in my /etc/namedb and the Makefile takes care of regenerating
the zone passed to opendnssec and telling the signer to resign the zone.
--
Mathieu Arnold
something like -v or -d is added :-)
--
Mathieu Arnold
the new is used for
signing.
--
Mathieu Arnold
sion of opendnssec do you run?
| I run 1.2.1, just wondering if upgrading to 1.3.2 might solve
| this update problem.
No, I'm running 1.3.2 and I've had this problem since 1.2.0, I did report
the problem at the time (beginning of June this year, I think), but I don't
think th
your answer, but I
think the former has longer TTL than the second. (It was the case for me,
and it was simpler to go for a complete resign of the zone and wait for the storm
to pass.)
--
Mathieu Arnold
ing in a screen.)
Here, the first does not do anything, and the second works :
# ods-signer update mat.cc < /dev/null
# ods-signer update mat.cc
Zone mat.cc config being updated.
#
--
Mathieu Arnold
+--On 20 October 2011 09:49:20 +0200 Jerry Lundström
wrote:
| Hi Mathieu,
|
| On 2011-10-19 11.46, Mathieu Arnold wrote:
|
|> running 1.3.0 right now (will update to 1.3.2 later today)
|
| Have you been able to try 1.3.2 yet?
Yes, I did, did not solve my problem though :-)
|> Oct 18
3600 seconds, and I can't seem to have
the zones signed again.
--
Mathieu Arnold
you should note that it's a bad idea to do so, and you should just wait
for it to be published (less than a day left now)
--
Mathieu Arnold
+--On 16 June 2011 13:59:13 +0100 Siôn Lloyd wrote:
| On 13/06/11 16:23, Mathieu Arnold wrote:
|> So, I went back to the database, and updated the keypairs' policy_id (and
|> the dnsseckeys' retire while I was at it.) and there I was, the enforcer
|> was nice enough to publis
KSK.
I guess changing a zone's policy is not something that's done often, and
I'm not sure of what should be done to its keys when it happens, but, it
would be nice to be able to have everything just work if it's the case.
--
Mathieu Arnold
know if anything like this was logged at the time that the
| enforcer ran?
I've checked the logs, and no, it never said that. It's buggering me
because the ZSK rollovers do happen just fine.
Maybe the codepath is a bit different when it
y understand why the enforcer doesn't kick the signer as I
guess it should.
--
Mathieu Arnold
+--On 20 May 2011 09:08:56 + Alex Dalitz wrote:
| Can you please try svn r5144?
That stopped the auditor from complaining with that zone, and it did not
start complaining with the hundred+ other zones that I have, so, good for
me :-)
--
Mathieu Arnold
+--On 18 May 2011 14:49:04 +0200 Mathieu Arnold wrote:
| +--On 18 May 2011 14:25:57 +0200 Göran Bengtson
| wrote:
|| On Wed, 18 May 2011, Mathieu Arnold wrote:
||> Have I uncovered a bug, or is there something wrong I can't see ?
||
|| Just for the record. I've seen this too wit
+--On 18 May 2011 14:25:57 +0200 Göran Bengtson wrote:
| On Wed, 18 May 2011, Mathieu Arnold wrote:
|> Have I uncovered a bug, or is there something wrong I can't see ?
|
| Just for the record. I've seen this too with 1.2.1 for a zone with >3
| RRs
| but I have not yet
considered bad as they are not the only A under
paris.notaires.fr.
Have I uncovered a bug, or is there something wrong I can't see ?
Regards,
--
Mathieu Arnold
auditor has a bug :-)
--
Mathieu Arnold
counter
PT6H
P2D
PT2H
PT6H
--
Mathieu Arnold
even worse :-)
--
Mathieu Arnold
main my blog is on,
or the small antique books store around the corner.
But my security needs are in no way the same of a tld.
I do agree with you that it'd be nice to be able to have separate HSM for
that kind of things, but I'd really be sad to see the feature
weight of having to handle keys manually to my
co-workers.
I do get your point, but nobody forces you to use OpenDNSSEC's standby keys
capabilities :-)
--
Mathieu Arnold
+--On 7 July 2010 15:36:44 +0200 Mathieu Arnold wrote:
| I don't really understand, but I think that it generates NSEC3 records
| for way too many things.
Well, in fact, it already did that before, only, the auditor did not think
it was a bad thing.
--
Mathieu Arnold
shed domain which couldn't be found in the zone
(qerso7o14hqe3hp1i58ne8lkd49o332f.d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa)
6: Finished auditing d.0.1.f.f.8.f.4.2.0.0.2.ip6.arpa zone
I don't really understand, but I think that it generates NSEC3 records for way
too many things.
Attached are
+--On 6 July 2010 17:39:15 +0200 Mathieu Arnold wrote:
| +--On 6 July 2010 17:31:07 +0200 Pierre Lebrech
| wrote:
|| OK, good idea. But some parent zones holders check to see if the
|| corresponding DNSKEY is present in the child zone before accepting
|| DS records. I have DLV in mind
NCC has the same kind of prerequisites for reverse delegations.
--
Mathieu Arnold
ms, it occurs every 4 hours, and if the enforcer thinks
it should be resigned, it's mostly right :-)
I tried to use the keep setting, but it became really impractical, and I
switched to counter without touching my scripts, it increments the serial
monotonically when it needs to, a
really see a reason to add a jitter for ZSK rollover, unless
you're looking to spread the cpu load across the time.
As for the KSK, for now, it still needs a manual intervention, which could
be used as a jitter.
--
Mathieu Arnold
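Two messages on this page touch the same problem: the 2013 question about spreading 1500 ZSK rollovers over the two-month key lifetime instead of getting them all at once, and the note above that jitter only matters for spreading load. The following is an added example, not code from the list or from OpenDNSSEC, of the deterministic approach a daily cron job can use: each zone gets a fixed slot in the period from a hash of its name, so the schedule survives restarts and zone additions without keeping any state, and a daily run only has to ask which zones fall on today's slot. The 1500 zone names are constructed; the command that actually triggers the rollover for a zone is left as a print statement because the exact ods-ksmutil/ods-enforcer invocation depends on the version in use.

```python
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Tuple


def rollover_slot(zone: str, period_days: int) -> int:
    """Stable day offset in [0, period_days) for a zone, derived from a hash
    of its normalised name, so the assignment never changes between runs."""
    name = zone.lower().rstrip(".").encode("utf-8")
    digest = hashlib.sha256(name).digest()
    return int.from_bytes(digest[:8], "big") % period_days


def zones_due(zones: Iterable[str], period_days: int, today: date,
              epoch: date = date(2013, 1, 1)) -> List[str]:
    """Zones whose slot falls on `today`. Meant to be called once a day from
    cron; over any `period_days` consecutive days every zone comes up once."""
    day_index = (today - epoch).days % period_days
    return sorted(z for z in zones if rollover_slot(z, period_days) == day_index)


def spread(zones: Iterable[str], period_days: int) -> Tuple[int, int]:
    """(busiest day, quietest day) zone counts, to judge how even the spread is."""
    counts = [0] * period_days
    for z in zones:
        counts[rollover_slot(z, period_days)] += 1
    return max(counts), min(counts)


def full_period_coverage(zones: List[str], period_days: int,
                         start: date = date(2019, 10, 1)) -> bool:
    """True when `period_days` consecutive daily runs from `start` schedule
    every zone exactly once."""
    seen: List[str] = []
    for offset in range(period_days):
        seen.extend(zones_due(zones, period_days, start + timedelta(days=offset)))
    return sorted(seen) == sorted(zones)


# Constructed zone list standing in for the 1500 zones in the 2013 message.
SAMPLE_ZONES = [f"zone{i}.example." for i in range(1500)]
PERIOD_DAYS = 61   # roughly the two-month ZSK lifetime discussed there

if __name__ == "__main__":
    busiest, quietest = spread(SAMPLE_ZONES, PERIOD_DAYS)
    print(f"{busiest} zones on the busiest day, {quietest} on the quietest")
    for z in zones_due(SAMPLE_ZONES, PERIOD_DAYS, date.today()):
        # Replace the print with the rollover command of your enforcer version.
        print("roll ZSK for", z)
```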
the number of zones you have, may take a while.
--
Mathieu Arnold