Hi,
has somebody managed to export KSK/ZSK in bind format for zones in
OpenDNSSEC?
I am not sure how I get the information which zone uses which key in the
softhsm1.
Regards
Volker
___
Opendnssec-user mailing list
Opendnssec-user@lists.opendns
Hi Yuri,
I followed the discussion on the upgrade path of some users. Today I had
a look at my OpenDNSSEC version. It's 1.4.6 because it's the Debian
jessie package. When I look at the upcoming stretch release, there will
be 2.0.4. Are there any binary packages available for running the 2.1.x
you can repair it by
> resigning your zone:
>
> ods-signer clear voja.de
> ods-signer sign voja.de
>
> ///Yuri
>
>> On 19-07-16 14:36, Volker Janzen wrote:
>> Hi,
>>
>> my monitoring found one zone in OpenDNSSEC that was not properly signed.
nd me those files.
>
> Regards,
> Hoda Rohani
>
>> On 19-07-16 16:06, Volker Janzen wrote:
>> Hi Jan-Piet,
>>
>> I have not saved the old tmp entry, I forgot about that. :-(
>>
>> But according to http://dnssec-debugger.verisignlabs.com/vo
Hello,
I'd like to see your key list (running 'ods-ksmutil key list -v
--all').
If the chain is still broken, the tmp and signed files might be
helpful. If it is possible please send me those files.
I sent you the files and key list off-list.
For the record: my AXFR problem to one slave is s
Hi Jan-Piet,
I have not saved the old tmp entry, I forgot about that. :-(
But according to http://dnssec-debugger.verisignlabs.com/voja.de my live zone
is still broken with the same error and available for further debugging.
The current signed file just has one NSEC3PARAM:
grep NSEC3PARAM voj
Hi,
my monitoring found one zone in OpenDNSSEC that was not properly signed.
It's the domain I'm sending from: voja.de.
I found that one of my slaves had a wrong serial for the zone; I forced
it to fetch the current zone, but that does not solve my issue.
I backed up the signed zone file t
Hi,
you will not receive an email on the initial signing. From the
OpenDNSSEC documentation:
"Configure the if you want to have a
program/script receiving the new KSK during a key rollover."
(https://wiki.opendnssec.org/display/DOCS/conf.xml)
A KSK rollover needs to take place to receive
Hi,
you're right, the DelegationSignerSubmitCommand can be used to publish keys to
a parent zone. But you need to script this yourself, because it depends on your
setup.
Regards
Volker
> On 29.08.2014 at 18:09, Matthijs Mekking wrote:
>
> DelegationSignerSubmitCommand
Hi Bas,
I'm using a script from Casper Gielen for this purpose.
One problem in general might be to know when your TLD nameservers have actually
published it on every nameserver, in case of anycast, because you can't query
all instances due to the nature of anycast.
If you're interested in this
Hi,
I forgot to mention that I did not find out when the serial got messed up.
I was able to reduce the serial in the unsigned file. I forced signing, this
repaired the signed zone on the (hidden) master. I deleted the zone file on all
slaves and restarted bind. All nodes loaded the correct zone
Hi,
no I wasn't aware of this. I can't remember a problem serving this SOA style.
Can I simply lower the SOA in the unsigned zone, or will this cause problems
with OpenDNSSEC?
Volker
> On 16.07.2014 at 18:56, Rick van Rein wrote:
>
> Hi,
>
>> OpenDNSSEC unsigned: 201406716002
>> Open
in the kasp.xml file?
>
> Emil
>
> On Wed, Jul 16, 2014 at 10:21 AM, Volker Janzen wrote:
> Hi,
>
> after some time I made an update to one of my signed zones today,
> resulting in this log entry:
>
> Jul 16 08:51:41 a named[14367]: zone EXAMPLE.COM/IN [2]: z
Hi,
after some time I made an update to one of my signed zones today,
resulting in this log entry:
Jul 16 08:51:41 a named[14367]: zone EXAMPLE.COM/IN: zone serial
(1405493501/2960748158) has gone backwards
How can this happen and how can I fix this? The slave DNS servers are
not picking u
Hi,
there is a guide in the OpenDNSSEC wiki:
https://wiki.opendnssec.org/display/DOCS/Migrating+between+supported+database+backends
I needed the MySQL root password on my machine to complete the migration.
Regards,
Volker
> On 25.02.2014 at 17:13, Ramanou Biaou wrote:
>
> Hello
> Ple
Hi,
I'm running 1.4.3 and have one test record with 60 seconds TTL. The
RRSIG has a TTL of 60, too. Seems to work in this version, too.
Volker
Hi Klaus,
> There is no need to have 2 DS in the parent zone. With
> double-signature it is fine to have only one DS in the parent zone.
> You just have to make sure that the old KSK is still in the zone and
> used to sign the DNSKEYs for TTL-of-DS +
> propagation-delay-parent-zone.
you're right.
Hi Klaus,
> Generally the expected DS propagation delay depends on the parent
> domain operator. If, like in your case, it is a TLD operator, I would
> suspect that these people try to have all their name servers in sync
> and can resolve issues quite fast. On the other hand, it does not harm
> to
Hi,
I'm currently working on automated KSK rollovers with my registrar's
API. I remember a discussion that it's difficult to say if a DS record
can be assumed as seen, because with Anycast DNS you cannot check all
nameservers from your location (or even when using load-balanced
nameservers, yo
7.12.2013 at 12:16, Jerry Lundström wrote:
>
> Hi,
>
>> On Dec 17, 2013, at 11:43 , Volker Janzen wrote:
>>
>> I'm currently switching over from SQLite to MySQL with my OpenDNSSEC,
>> because that's recommended for production use. I noticed that the m
Hi,
I'm currently switching over from SQLite to MySQL with my OpenDNSSEC,
because that's recommended for production use. I noticed that the
migration guide on
https://wiki.opendnssec.org/display/DOCS/Migrating+between+supported+database+backends
does not work this way:
enforcer/utils/conv
Hi,
> Dec 14 18:00:57 a ods-enforcerd: Error creating key in repository SoftHSM
> Dec 14 18:00:57 a ods-enforcerd: generate key pair: CKR_GENERAL_ERROR
I think I found the problem. The user opendnssec is in the group
softhsm, but the group was not able to write.
-> chmod g+w /var/lib/softhsm/slot0.
Hi,
I added a new zone. The enforcer exits now every time with this error:
Dec 14 18:00:56 a ods-enforcerd: opendnssec starting...
Dec 14 18:00:56 a ods-enforcerd: opendnssec Parent exiting...
Dec 14 18:00:56 a ods-enforcerd: opendnssec forked OK...
Dec 14 18:00:56 a ods-enforcerd: group set to:
Hi Matthijs,
> If you have a Refresh period of 3 days, a Resign period of 12 hours,
> and a Signature Validity of 14 days, then you should let nagios check
> that a signature does not expire within 10.5 days (14 - 3 - 0.5).
what I did today was setting Refresh to P13D. As far as I understand
the
Hi Matthijs,
this is from my current syslog:
Dec 12 09:57:20 a ods-signerd: [worker[4]] report for duty
Dec 12 09:57:20 a ods-signerd: [scheduler] pop task for zone dnssec.cc
Dec 12 09:57:20 a ods-signerd: [scheduler] unschedule task [sign] for
zone dnssec.cc
Dec 12 09:57:20 a ods-signerd: [worke
Hi Matthijs,
> If you set to 12 days, the signer will sign the zone every
> 12 days. That is not what you want I guess.
correct. I want it to happen more often.
> If you have a Refresh period of 3 days, a Resign period of 12 hours,
> and a Signature Validity of 14 days, then you should let nagi
Hi Matthijs,
> Because a pictures says more than a thousand words, I would like to
> point to:
>
> https://wiki.opendnssec.org/display/DOCS/kasp.xml
>
> Thus nagios should complain when the signature expires in less than 3
> days. Actually: less than 3 days minus the resign period so 3 day
Hi,
now I can see activity:
Dec 10 12:29:35 a ods-signerd: [worker[4]] report for duty
Dec 10 12:29:35 a ods-signerd: [scheduler] pop task for zone dnssec.cc
Dec 10 12:29:35 a ods-signerd: [scheduler] unschedule task [sign] for
zone dnssec.cc
Dec 10 12:29:35 a ods-signerd: [worker[4]] start worki
Hi Matthijs,
okay, there was an error in my init script.
ods-signer*d* is now running again.
root@a:~# ods-signer verbosity 5
Verbosity level set to 5.
Syslog reports:
Dec 10 12:22:27 a ods-signerd: [hsm] libhsm connection opened
succesfully
Dec 10 12:22:27 a ods-signerd: [engine] signer start
Hi Matthijs,
I stopped the signer, as Rick suggested, checked that it is not running,
then restarted it with increased verbosity as you suggest.
And now the ods-signer queue command (as of the stopped signer daemon?)
is not working anymore:
root@a:~# strace ods-signer queue
socket(PF_FILE, SOCK_STREAM,
Hi Matthijs,
> - Increase the verbosity of the signer (ods-signer verbosity 5) and see
> if there is something in the logs then
that's weird:
root@a:~# ods-signer verbosity 5
Unable to connect to engine: connect() failed: No such file or
directory
strace says:
socket(PF_FILE, SOCK_STREAM, 0)
Hi Rick,
> Okay, you are not running a very recent version.
you're right. I need to build new Debian packages later. Newest
existing package is 1.4.1.
> Hmm, it is still looking forward. Then it's not the sort of thing
> we've been seeing. Still, no activity from the signer looks odd to
> me.
Hi Matthijs,
> - Increase the verbosity of the signer (ods-signer verbosity 5) and see
> if there is something in the logs then
okay, tried to add this to the init script.
> - Get the queue: ods-signer queue
Still this output:
root@a:~# ods-signer queue
It is now Tue Dec 10 11:52:48 2013
I h
Hi Rick,
there is no output from the signer at all, just from the enforcer:
Dec 10 06:57:18 a ods-enforcerd: HSM connection open.
Dec 10 06:57:18 a ods-enforcerd: Reading config
"/etc/opendnssec/conf.xml"
Dec 10 06:57:18 a ods-enforcerd: Reading config schema
"/usr/share/opendnssec/conf.rng"
Dec
Hi,
I set up the dnssec_monitor.rb from OpenDNSSEC a few days ago. I got
the first alarm today.
Current Status: CRITICAL (for 0d 8h 42m 55s)
Status Information: (Return code of 4 is out of bounds)
Console output:
6 : Making resolver for : a.dnssecns.de, a.dnssecns.de
6 : Checking dnssec.cc zo
Hi,
On Wed, 6 Nov 2013 16:28:53 +0100, Jerry Lundström
wrote:
> You can monitor the ods-enforcerd and ods-signerd processes, use the
> "ods-signer running" and there should be a pid file somewhere (depend
> on the OS or if you compiled yourself).
according to some more research I decided not to
Hi,
I tried to install the Debian experimental package of OpenDNSSEC:
apt-get -t experimental install opendnssec softhsm
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossi
Hi,
I'm currently working on my new OpenDNSSEC setup. For my next bigger try
with OpenDNSSEC, I want to set up proper monitoring of the system. I use
Nagios for monitoring my servers and I want it to monitor the OpenDNSSEC
system and signed zones as well.
For the zones I know this tool from the pr
Hi Peter,
> Anyway, my workaround was to disable Audit in kasp.xml.
> Since then those ZSK:s have rolled, and I have enabled Audit again.
I'll wait to see if Matthijs can find anything out. When I'm not able to fix
this otherwise, I'll try your tip to disable auditing for a while.
Regards
Volker
Hi Matthijs,
I'll send you the information off-list soon.
Kind regards,
Volker
Hi Alex,
> It sounds like the auditor has seen a key in active use with no
> prepublished phase. According to the specification (section 3.6.5) :
>
> http://trac.opendnssec.org/wiki/Signer/AuditorRequirements [1]
>
> this should raise an error. The error has stopped the signer from
> publishing
phase
ods-auditor[7882]: Finished auditing .de zone
What might have caused this problem and how can I solve it now? The
signatures are expired and I can't see any attempt of the signer to
re-sign the zones.
Kind regards
Volker Janzen
g Whitmore wrote:
>>
>>
>> On 24/06/11 11:10 PM, "Volker Janzen" wrote:
>>
>>> Hi,
>>>
>>> that's what I want to do: pass DNSKEYs to my registrar.
>>>
>>> But I also need to write a cron that can check the DS r
tmore
wrote:
> On 22/06/11 10:33 PM, "Volker Janzen" wrote:
>
>>Hi,
>>
>>okay, but when I want a complete automation of the roll-over process,
>>I'd need something around OpenDNSSEC that manages:
>>
>>- send DNSKEY data that is supplied by Op
d, 22 Jun 2011 12:48:48 +0200, Casper Gielen
wrote:
> On 22-06-11 12:33, Volker Janzen wrote:
>> Hi,
>>
>> okay, but when I want a complete automation of the roll-over process,
>> I'd need something around OpenDNSSEC that manages:
>>
>> - send DNSKEY
Hi all,
I added some zones yesterday to my OpenDNSSEC Installation. I have
still problems adding zones to OpenDNSSEC and getting them signed
without stopping/starting OpenDNSSEC more than once. I also noticed that there
was no call of the configured DelegationSignerSubmitCommand. All calls
to the c
Hi,
okay, but when I want a complete automation of the roll-over process,
I'd need something around OpenDNSSEC that manages:
- send DNSKEY data that is supplied by OpenDNSSEC to registrar
- wait the TTL of DS record to proceed
- send "ods-ksmutil key ds-seen -z -x ..." or all DS that are
visible
Hi,
I've some questions regarding the DelegationSignerSubmitCommand
option.
Do I get *ALL* DNSKEYs that should be set for the domain? Are there none
missing? If I get one DNSKEY, I'll set only this one; if I get two, I'll
set them both.
From the docs:
Remember that the ods-ksmutil key ds-seen must be given
Hi all,
was my fault: after purging and re-installing all the packages I forgot
to "ods-ksmutil setup" after install.
First zone is now managed, now I'll try to set up automated DNSKEY
updates.
Greetings
Volker
On Tue, 21 Jun 2011 18:48:37 +0200, Volker Janzen wrote:
Hi,
that's weird, the problem is back again...
Jun 21 18:44:30 ods-enforcerd: opendnssec starting...
Jun 21 18:44:30 ods-enforcerd: opendnssec forked OK...
Jun 21 18:44:30 ods-enforcerd: opendnssec started (version 1.3.0rc3),
pid 16345
Jun 21 18:44:30 ods-enforcerd: opendnssec Parent exiting...
J
Hi all,
I found the error. I was mistaken when I said that I had a "fresh"
system. I found files from an old installation of OpenDNSSEC in the
/usr/local folder. After removing all of these files, purge the Debian
setup and re-install everything, this error was gone.
Currently I'm looking after
Hi,
I have an addition, I found something in the old mailing list archive from
2009.
"ods-ksmutil setup" was suggested, which returns:
*WARNING* This will erase all data in the database; are you sure? [y/N]
y
SQLite database set to: /usr/local/var/opendnssec/kasp.db
fixing permissions on file /usr/
Hi,
> What should I try best? Configure OpenDNSSEC to drop root privileges
> and "chown -R opendnssec" on the folders?
I just tried this option, but it does not work:
Jun 21 17:46:17 lvps83-169-44-108 ods-enforcerd: Connecting to
Database...
Jun 21 17:46:17 lvps83-169-44-108 ods-enforcerd: ERROR
Hi,
> Does the user opendnssec have read privileges in /etc/softhsm/ and
> read/write in /var/opendnssec/?
>
> (minor nit) It's /var/lib/opendnssec on Debian/Ubuntu
no, it does not, since conf.xml has not configured OpenDNSSEC to drop
privileges.
These are the directory privileges:
ls -ld /etc/
Hi,
when trying to set up OpenDNSSEC 1.3rc3 two problems occurred:
ods-signerd: SoftHSM: C_Initialize: Could not open the config file:
/etc/softhsm/softhsm.conf
The default configuration has a drop of privileges to
opendnssec:opendnssec. For some reason it does not help to add the user
opendnssec
ndřej Surý
wrote:
> On Tue, Jun 21, 2011 at 09:19, Volker Janzen wrote:
>> Hi Ondřej,
>>
>>> Maybe if you have logs of what failed? (Maybe a standard Debian
>>> bugreport?) It does not fail on my system and there's nothing in the
>>> supporting scripts (p
Hi Ondřej,
> Maybe if you have logs of what failed? (Maybe a standard Debian
> bugreport?) It does not fail on my system and there's nothing in the
> supporting scripts (postinst) which should make it fail (the softhsm
> group is created as a first part of softhsm-common
> (post)installation).
wh
Hi,
I don't know if this is a known issue, but when I installed OpenDNSSEC (1.2.1)
on Debian unstable (with no previous version installed before) the apt-get
install fails, because the group "softhsm" did not exist. I needed to create it
myself.
I'll try 1.3 rc3 from experimental tomorrow, nee
Hi,
> You should start the line with 'deb':
noticed that, too. I was able to install the softhsm package, but I
can't lookup any packages matching "opendnssec".
Regards,
Volker
Hi,
can anyone say when Debian packages will be available for OpenDNSSEC
v1.2.0 and SoftHSM v1.2.0? Especially the SoftHSM dependencies (Botan)
caused problems for me on my last attempt to install a v1.2.0 rc.
Regards,
Volker Janzen
ot seem to
be included in the 1.2.0rc2 package. Any hints where I can find it?
Regards,
Volker
On 26.11.2010 18:45, Ondřej Surý wrote:
> Use logcheck, Luke :-)
>
> Ondrej Sury
>
> On 26.11.2010, at 18:05, Volker Janzen wrote:
>
>> Hi all,
>>
>> is
Hi all,
is there an automated way to get syslog messages like this via email?
Including which DNSKEY/DS record should be sent?
ods-enforcerd: WARNING: KSK Retirement reached; please submit the new
DS for and use ods-ksmutil key ksk-roll to roll the key.
Regards,
Volker
, then
restart all of OpenDNSSEC software and finally reload bind to send AXFR to
OpenDNSSEC or do I have to perform these steps in a different order? After
restarting everything and changing SOA again in bind and reload everything
works, but I don't know how to optimize (or script
string.
Why does this not work? Found it a bit confusing when using an example
from man page, which is not working.
Best regards,
Volker Janzen
n.
I'm using a SoftHSM. Does anybody have an idea what I need to do for getting
as many keys as needed generated automatically?
Best regards,
Volker Janzen
Hi Matthijs,
> - - Is the zone fetcher actually running? (you can check with ps). If not,
> it might be that it could not open the socket for listening (perhaps due
> to privileges). The syslog should tell you why it failed.
now I was able to find the problem. During my setup I needed to disable
;s wrong?
Best regards,
Volker Janzen
".axfr" extension. It appears that signerd
cannot find the AXFRed file.
So my question is: how can I fix this?
I'm using OpenDNSSEC 1.1.0.dfsg-1 on a Debian lenny (with backports).
Best regards,
Volker Janzen