On 2021-06-15 14:19:09 (+0800), Stefan Ubbink wrote:
On Tue, 15 Jun 2021 13:47:37 +0800
Philip Paeps via Opendnssec-user
wrote:
On 2021-06-15 13:22:08 (+0800), Philip Paeps via Opendnssec-user
wrote:
This is a zone we used to have a long time ago. It was deleted
from zonelist.xml a long t
On 2021-06-15 13:22:08 (+0800), Philip Paeps via Opendnssec-user wrote:
I upgraded OpenDNSSEC for freebsd.org this morning. There were no
huge explosions. Yet. As far as I can tell.
However, we do get a lot of these in the logs:
Jun 15 05:18:57 ns-master ods-signerd[14648]: [hsm] unable to
On Tue, 15 Jun 2021 13:47:37 +0800
Philip Paeps via Opendnssec-user
wrote:
> On 2021-06-15 13:22:08 (+0800), Philip Paeps via Opendnssec-user
> wrote:
> > This is a zone we used to have a long time ago. It was deleted
> > from zonelist.xml a long time ago (years). 'ods-enforcer zone
> > list' d
On 2021-06-15 13:22:08 (+0800), Philip Paeps via Opendnssec-user wrote:
This is a zone we used to have a long time ago. It was deleted from
zonelist.xml a long time ago (years). 'ods-enforcer zone list' does
not know about this zone. So the database must have been updated.
However .. 'ods-s
I upgraded OpenDNSSEC for freebsd.org this morning. There were no huge
explosions. Yet. As far as I can tell.
However, we do get a lot of these in the logs:
Jun 15 05:18:57 ns-master ods-signerd[14648]: [hsm] unable to get key:
key d6c2bb972ef3cd75c57e234dfc8173b8 not found
Jun 15 05:18:57
Hi Rick,
Yes, no, yes, almost.
> The commands sent through ods-signer are not documented, right? So, did
> I guess this correctly?
Sparsely indeed:
https://wiki.opendnssec.org/display/DOCS/Command+Utilities#CommandUtilities-ods-signer
> ods-signer update
>
> notifies the ods-signerd of a (
Hi,
The commands sent through ods-signer are not documented, right? So, did
I guess this correctly?
ods-signer update
notifies the ods-signerd of a (possibly) updated .signconf file, and
request it to implement the ramifications of the new zone configuration
ods-signer clear
notifies t
Hi,
my struggles with OpenDNSSEC continue. I recently had to delete
9 zones from our OpenDNSSEC installation.
I did this via
ods-ksmutil zone delete --zone
It worked OK for the first 8 zones, but for the last one I got
"connection refused", and in the kernel log (where I've already
turned
Hi,
due to a local power issue, my OpenDNSSEC host had an unclean shutdown
today. This may have caused some temporary files' content either to
be corrupted or become empty, although the FS I run on is supposed to
maintain "metadata integrity", and I didn't find any empty "tmp" files
in OpenDNSSEC
On 04/03/2014 14:22, Matthijs Mekking wrote:
> /usr/local/bin/ods-auditor -c /usr/local/etc/opendnssec/conf.xml -u
> /usr/local/var/opendnssec/tmp/hirlimann.net.inbound -s
> /usr/local/var/opendnssec/tmp/hirlimann.net.finalized -z hirlimann.net
root@perso:~ # /usr/local/bin/ods-auditor -c
/usr/loc
So it looks like the signer is doing things, but not outputting the
signed zone. Is the auditor not happy perhaps? What does this command
tell you:
/usr/local/bin/ods-auditor -c /usr/local/etc/opendnssec/conf.xml -u
/usr/local/var/opendnssec/tmp/hirlimann.net.inbound -s
/usr/local/var/opendns
On 04/03/2014 12:14, Matthijs Mekking wrote:
> Hi,
>
> I would like to know some more so that I can delve into this:
>
> 1. Can you provide the version used?
root@perso:~ # pkg_info |grep dns
ldns-1.6.16 A library for programs conforming to DNS RFCs and drafts
opendnssec-1.3.13 Tool suite
Hi,
I would like to know some more so that I can delve into this:
1. Can you provide the version used?
2. Can you increase the verbosity to 5 and schedule a sign again and
provide those logs?
$ ods-signer verbosity
$ ods-signer sign hirlimann.net
3. Do the DNSKEY queries match the records i
Hi,
today I've discovered that ods-signer stopped working 10+ days ago on my
domain.
I don't understand why it doesn't sign anymore :
http://dnsviz.net/d/hirlimann.net/dnssec/
perso:~ # dig +dnssec hirlimann.net dnskey @127.0.0.1
; <<>> DiG 9.8.3-P4 <<>> +dnssec hirlimann.net dnskey @127.0.0.1
Hi Casper,
The reason why the signer cannot find the keys is that it cannot reopen
the libhsm connection:
> Mar 18 00:10:55 ramanujan ods-signerd: [hsm] hsm_get_slot_id():
> could not find token with the name LocalHSM
Did you perhaps change anything with respect to the HSM in the conf.xml?
On 0
Hello,
I've recently experienced three segfaults from ods-signer. In all three cases
the log contains errors about keys that can not be found. I initially assumed
they were erroneously deleted from the HSM but 'ods-hsmutil' is able to find
them. After restarting the signer it seems to work fine.
On 02/22/2013 03:51 AM, shuoleo@126 wrote:
> Hi All,
>
> I'm testing opendnssec-1.3.12 and I will sign a zone whose RRs will be
> added dynamically every 10 mins.
> But ods-signerd seems to decline to work sometimes because I can not see
> any messages like:
> Feb 22 09:41:10 index ods-signerd: [STAT
Hi All,
I'm testing opendnssec-1.3.12 and I will sign a zone whose RRs will be added
dynamically every 10 mins.
But ods-signerd seems to decline to work sometimes because I can not see any
messages like:
Feb 22 09:41:10 index ods-signerd: [STATS] 12test RR[count=984022 time=15(sec)]
NSEC3[count=100
Hi,
On Wed, Oct 17, 2012 at 1:30 PM, 刘硕 wrote:
> Due to high memory consuming, I decided to clear some of the zones' data by
> using
> 'ods-signer clear test2 ', but after an hour, it seemed that it did not work
> at
> all, the memory usage is still 55%.
Even if the Signer releases the memory it
Hi,
Due to high memory consuming, I decided to clear some of the zones' data by
using
'ods-signer clear test2 ', but after an hour, it seemed that it did not work at
all, the memory usage is still 55%.
Best regards,
Stuart
On Mon, 23 Jul 2012, Matthijs Mekking wrote:
When issuing a "sign zone" command, the signer will go to a couple of
locks:
- - zonelist lock (zl_lock): to look up the zone. zonelist unlock.
- - zone lock (zone_lock), schedule lock (schedule_lock): to reschedule
the zone task. schedule unlock, z
Hi Paul,
When issuing a "sign zone" command, the signer will go to a couple of
locks:
- - zonelist lock (zl_lock): to look up the zone. zonelist unlock.
- - zone lock (zone_lock), schedule lock (schedule_lock): to reschedule
the zone task. schedule
Hi Stuart,
On Wed, Jul 18, 2012 at 9:59 AM, 刘硕 wrote:
> Well,that's a good question.
> Once upon a time, ods-signerd was down, only ods-enforcerd remained, so I tried
> to start the ods-signerd process manually, maybe I typed the command more than
> once, so I found the problem, and still don't know why
Hi Jerry,
>Why do you start a second ods-signerd ??
Well,that's a good question.
Once upon a time, ods-signerd was down, only ods-enforcerd remained, so I tried to
start the ods-signerd process manually, maybe I typed the command more than once,
so I found the problem, and still don't know why.
Somet
On Wed, Jul 18, 2012 at 9:20 AM, 刘硕 wrote:
> [root@CST-BJ-103 opendnssec]# ods-signerd
> OpenDNSSEC signer engine version 1.4.0-trunk
> [root@CST-BJ-103 opendnssec]# ps -aux | grep ods
> Warning: bad syntax, perhaps a bogus '-'? See
> /usr/share/doc/procps-3.2.7/FAQ
> root 2828 0.1 0.1 402
.0 61192 764 pts/2S+ 15:17 0:00 grep ods
I'm puzzled, I know ods-signerd will bind to a port whose default value is 53,
so why can I setup more than one ods-signerd?
Best regards,
Stuart
From: Jerry Lundström
Date: 2012-07-18 14:29
To: shuoleo
CC: opendnssec-user
Subject: Re: Re:
Hi Paul,
On Tue, Jul 17, 2012 at 5:10 PM, Paul Wouters wrote:
>
> I've been trying to figure out why at times, sending an "ods-signer
> sign zonename" command seems to just hang there for extremely long
> times. I can see why the ods-signerd takes some time, but just sending
> the command over th
Hi Stuart,
On Wed, Jul 18, 2012 at 8:08 AM, 刘硕 wrote:
> If ods-signerd is running, then running ods-signerd seems to do nothing at all,
> but sometimes there are more than one ods-signerd process at the same time!
> I don't think this situation would affect opendnssec's signing work, because I
> think some
) failed: No such file or directory
But you see the ods-signerd is running!
Do you know what the problem is?
Best regards,
Stuart
From: Jerry Lundström
Date: 2012-07-17 14:44
To: shuoleo
CC: opendnssec-user
Subject: Re: Re: [Opendnssec-user]ods-signer failed when ods-signerd is running
Hi Stuart,
On
I've been trying to figure out why at times, sending an "ods-signer
sign zonename" command seems to just hang there for extremely long
times. I can see why the ods-signerd takes some time, but just sending
the command over the socket should not stall for like 20+ minutes, it
should take at most a
Hi Stuart,
On Tue, Jul 17, 2012 at 4:20 AM, 刘硕 wrote:
>>Are you sure one is not looking for the socket at the wrong place due to
>>mismatched install, eg /var/run/opendnssec/engine.sock versus
>>/local/var/run/opendnssec/engine.sock? Can you strace the ods-signer
>>command to see where it is tryi
>It's a little strange you have one started with full path and the other
>with no path. Are they from the same install?
I think the no path command is from /usr/local/sbin/, it's in the OS
environment.
>Are you sure one is not looking for the socket at the wrong place due to
>mismatched install,
On Tue, 17 Jul 2012, 刘硕 wrote:
I found an interesting thing when the two processes are running, I mean
ods-signerd and ods-enforcerd. I can not use ods-signer to
sign the zone manually, but the automatic signing seems to work well.
Below are clues for you:
[root@CST-BJ-104:202.173.9.19 :/var/ope
Hi ,
I found an interesting thing when the two processes are running, I mean
ods-signerd and ods-enforcerd. I can not use ods-signer to sign the zone manually,
but the automatic signing seems to work well.
Below are clues for you:
[root@CST-BJ-104:202.173.9.19 :/var/opendnssec/signed]$ps -aux|grep
> The issue here is that the zone name is used as an unique internal
> identifier. Created a feature request for this, OPENDNSSEC-232.
The Signer Engine has been fixed in r6244 for 1.3 branch and trunk.
(The Auditor still has this error)
// Rickard
Aha!
> I've imported keys into OpenDNSSEC that used to be rolled by ZSK.
I meant ZKT.
> It took a few attempts, but after manually cleaning the DB from
> the zone, keys and key references, the import went through fine.
>
> Now the signer is stuck in "I will [read] zone xyz" without any
> proble
Hello,
I've imported keys into OpenDNSSEC that used to be rolled by ZSK.
It took a few attempts, but after manually cleaning the DB from
the zone, keys and key references, the import went through fine.
Now the signer is stuck in "I will [read] zone xyz" without any
problem that I could find with
> This same issue got in my way when I tried to set up split-horizon DNS.
> In a split-horizon situation one would want to maintain two separate
> zone-files that share a name.
The issue here is that the zone name is used as an unique internal
identifier. Created a feature request for this, OPENDN
On 15-03-12 08:44, Rickard Bellgrim wrote:
> On Thu, Mar 15, 2012 at 8:43 AM, Rickard Bellgrim
> wrote:
>>> Mar 14 16:31:22 nohats ods-signerd: [tools] unable to copy zone input file
>>> 64/25.157.10.76.in-addr.arpa: Unable to open file
>>
>> The problem is that the forward slash is not allowed
>>> Mar 14 16:31:22 nohats ods-signerd: [tools] unable to copy zone input file
>>> 64/25.157.10.76.in-addr.arpa: Unable to open file
>>
>> The problem is that the forward slash is not allowed in a file name.
>
> And the Signer Engine uses the zone name directly.
I have created OPENDNSSEC-231 in th
On Thu, Mar 15, 2012 at 8:43 AM, Rickard Bellgrim
wrote:
>> Mar 14 16:31:22 nohats ods-signerd: [tools] unable to copy zone input file
>> 64/25.157.10.76.in-addr.arpa: Unable to open file
>
> The problem is that the forward slash is not allowed in a file name.
And the Signer Engine uses the zone
> Mar 14 16:31:22 nohats ods-signerd: [tools] unable to copy zone input file
> 64/25.157.10.76.in-addr.arpa: Unable to open file
The problem is that the forward slash is not allowed in a file name.
// Rickard
+--On 14 March 2012 16:32:55 -0400 Paul Wouters wrote:
|
| I wanted to sign my reverse classless delegation. This is a delegation
| for 64/25.157.10.76.in-addr.arpa.
I've had the problem like for ever with ODS, so early, I switched to doing,
say, 32-47.201.174.217.in-addr.arpa. It has worked well
I wanted to sign my reverse classless delegation. This is a delegation
for 64/25.157.10.76.in-addr.arpa.
I expected this to break, but it got a little further than I expected :)
Mar 14 16:15:49 nohats ods-enforcerd: Config will be output to
/var/opendnssec/signconf/64/25.157.10.76.in-addr.arpa
Also If I add
ods-signer sign me.ne.mm
only in crontab it does not work either
This smells like a crontab issue, not opendnssec.
The default PATH in crontab is limited (/bin:/usr/bin normally)
Use an absolute path to where ods-signer lives or add
PATH=$PATH:/path-to
Hi,
Try running it like this in cron:
bash -x >>/tmp/ods-cron.log 2>&1
Then check the logfile in tmp, dmesg and syslog.
There can be lots of things blocking it in cron, special
SELinux/AppArmor/etc restrictions, access to the command pipe or file
access issues.
All this should be solvable witho
[ Quoting Bryton at 10:42 on January 2 in "[Opendnssec-user] ods-signer"... ]
> ods-signer sign me.ne.mm
> ods-ksmutil key export --zone me.ne.mm --ds --keystate active >
> /home/mylaptop/me.ne.mm.ds
> cat /home/mylaptop/me.ne.mm.ds >> /var/lib/opendnssec/unsigned
Also If I add
ods-signer sign me.ne.mm
only in crontab it does not work either
Hi,
I am having one strange problem,
I created a script that signs and updates the DS in the parent zone as
follows...
ods-signer sign me.ne.mm
ods-ksmutil key export --zone me.ne.mm --ds --keystate active >
/
Hi,
I am having one strange problem,
I created a script that signs and updates the DS in the parent zone as
follows...
ods-signer sign me.ne.mm
ods-ksmutil key export --zone me.ne.mm --ds --keystate active >
/home/mylaptop/me.ne.mm.ds
cat /home/mylaptop/me.ne.mm.ds >> /var/lib/opendnssec/unsigne
On 05/11/2010 12:53, Rickard Bellgrim wrote:
> Yes, in order to use SoftHSM, you need to have read/write privileges to
> the directory/file where it stores the token. You can find the
> location of directory/file in /etc/softhsm.conf
>
> Then you need to run both the Enforcer and the Signer with
On 5 nov 2010, at 10.11, Sion Lloyd wrote:
> Do both processes run as the same user? I've had problems in the past running
> as two different users and so getting different environments for each
> process...
Yes, in order to use SoftHSM, you need to have read/write privileges to the
directory
Hi, there is a quick thing to check.
Do both processes run as the same user? I've had problems in the past running
as two different users and so getting different environments for each process...
Sion
Hi Laurent,
It appears that the create_dnskey tool failed because the call to
hsm_open failed. Sadly enough, the error message does not really tell
you why. Would it be possible for you to try out the svn branch
OpenDNSSEC-1.1 (r4170)? I made the erro
Hello,
I am getting started with opendnssec (version 1.1.0) with the default setup.
I initialized SoftHSM, configured the token label and PIN in conf.xml,
copied a test zone file in /var/lib/opendnssec/unsigned/, added the zone
with "ods-ksmutil zone -z demo-serveur.fr -p default", started
54 matches