Hi,

On 07/05/2012 10:27 AM, Sander Smeenk wrote:
> Quoting Georg Sluyterman ([email protected]):
>
>> When I perform a 'softhsm --init-token' I get asked about the SO and User PIN, however it seems only possible to enter one PIN in conf.xml. As far as I have found out the only way to get it working is to set both PINs the same and enter that PIN in conf.xml. Is that the correct way (it seems a bit wrong..), if not, what PIN should be entered in conf.xml: SO or User?
>
> You can have different SO and User PINs. You should specify the User PIN in conf.xml. AFAIK the SO PIN isn't actively used by SoftHSM anyways.
>
>> When I have added a new zone and wish to let ods get on with generating keys and signing the zone right away instead of waiting e.g. up to an hour, what command should I be running?
>
> After 'ods-ksmutil zone add', run 'ods-ksmutil update zonelist'. This will trigger the enforcer to generate keys and will place the zone on the signer's queue. If you want, you could request an immediate sign by calling 'ods-signer sign $zone' after the update. Make sure the enforcer is done with generating keys or the signer will 'fail' and retry later.
>
>> Is it possible to have several separate files for a given zone? (split horizon DNS) If yes, how is that managed? It seems the ods-ksmutil does not handle multiple file names for --input/--output
>
> AFAIK this is not implemented.

Correct, but it is on our radar.

>> Is it possible to create a policy that does not sign a zone at all, in order to have the flow of zones running through ods and not having to split it up? (In a scenario when only some zones are signed)
>
> AFAIK it is not possible to have a policy that does NOT sign zones. I'm not sure why you would want that. Just don't add zones that don't need signing? :)

This is a feature that is intended to be in 2.0.0. I believe people want that, because they have a mixed collection of DNSSEC enabled and 'plain' zones and want them to have the same work flow.

>> When I delete a zone that I have just added (i.e. no signing has been performed yet) the zones still appear in zonelist.xml. Is there some delay that I should be aware of (i.e. cleaning key material etc. first, the next time enforcerd starts)? The command output is:
>>
>> # ods-ksmutil zone delete --zone example.org
>> zonelist filename set to /etc/opendnssec/zonelist.xml.
>
> Again, run 'ods-ksmutil update zonelist' after removing a zone to have it updated immediately. Also, there are (were?) some issues with removing zones from ODS, breaking keystates etc. Refer to the archives for more information on that.
>
>> When I choose an algorithm type for NSEC3 it seems that only key type 1 is allowed and not e.g. 5 or 7, although key type 1 is deprecated according to IANA (http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.txt).
>>
>> Is this about to change, or is there some reason why this is the case?
>
> No idea. :)

The number 1 refers to the NSEC3 hash algorithm type. Only SHA-1 is defined (1). I think you are confusing it with the DNSKEY algorithm numbers, which should be set in the <Keys> section. If you want to use NSEC3, you want to do 7.

Best regards,

Matthijs

> -Sndr.
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
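The last answer in the thread turns on two different IANA registries that both happen to use small integers: the NSEC3 hash algorithm (only 1 = SHA-1 is defined) and the DNSKEY algorithm numbers (where 1 is the deprecated RSAMD5 and 7 is RSASHA1-NSEC3-SHA1). The following checker is an added example written for this page; it is not code from the thread or from OpenDNSSEC. It parses a kasp.xml-style policy and flags exactly the mix-up Georg ran into, plus the RFC 5155 rule that a zone using NSEC3 must not be signed with the NSEC3-unaware algorithms 3 or 5. The element layout (`Denial/NSEC3/Hash/Algorithm`, `Keys/KSK/Algorithm`, `Keys/ZSK/Algorithm`) is an assumption based on the OpenDNSSEC 1.x kasp.xml format, and the sample document is constructed for the demonstration.

```python
"""Sanity-check DNSSEC algorithm numbers in an OpenDNSSEC-style kasp.xml.

Added example, not part of the mailing-list thread or of OpenDNSSEC itself.
The <Algorithm> under <Denial><NSEC3><Hash> is the NSEC3 *hash* algorithm
(IANA "DNSSEC NSEC3 Hash Algorithms", where only 1 = SHA-1 is defined); the
<Algorithm> elements under <Keys><KSK>/<ZSK> are DNSKEY algorithm numbers
(IANA "DNS Security Algorithm Numbers"). The element layout used here is an
assumption based on the OpenDNSSEC 1.x kasp.xml format.
"""
import xml.etree.ElementTree as ET

# IANA DNS Security Algorithm Numbers (subset relevant to this check).
DNSKEY_ALGORITHMS = {
    1: "RSAMD5 (deprecated)",
    3: "DSA",
    5: "RSASHA1",
    6: "DSA-NSEC3-SHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
}
DEPRECATED_DNSKEY_ALGORITHMS = {1}
# RFC 5155: a zone signed with NSEC3 must not use algorithms 3 or 5, because
# validators that predate NSEC3 would treat the zone as bogus rather than
# insecure. The aliases 6 and 7 exist precisely to signal NSEC3 awareness.
NSEC3_UNAWARE_ALGORITHMS = {3, 5}

# IANA DNSSEC NSEC3 Hash Algorithms: a single value is defined.
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}


def check_policy(policy):
    """Return a list of findings (strings) for one <Policy> element."""
    findings = []
    name = policy.get("name", "?")
    uses_nsec3 = policy.find("Denial/NSEC3") is not None

    hash_el = policy.find("Denial/NSEC3/Hash/Algorithm")
    if hash_el is not None:
        value = int(hash_el.text.strip())
        if value not in NSEC3_HASH_ALGORITHMS:
            findings.append(
                f"{name}: NSEC3 hash algorithm {value} is not defined; the only "
                f"registered value is 1 (SHA-1). DNSKEY algorithms belong under <Keys>."
            )

    for key_type in ("KSK", "ZSK"):
        alg_el = policy.find(f"Keys/{key_type}/Algorithm")
        if alg_el is None:
            findings.append(f"{name}: {key_type} has no <Algorithm> element")
            continue
        alg = int(alg_el.text.strip())
        if alg not in DNSKEY_ALGORITHMS:
            findings.append(f"{name}: {key_type} algorithm {alg} is not a known DNSKEY algorithm")
        elif alg in DEPRECATED_DNSKEY_ALGORITHMS:
            findings.append(f"{name}: {key_type} uses {DNSKEY_ALGORITHMS[alg]}")
        elif uses_nsec3 and alg in NSEC3_UNAWARE_ALGORITHMS:
            findings.append(
                f"{name}: {key_type} algorithm {alg} ({DNSKEY_ALGORITHMS[alg]}) is not allowed "
                f"with NSEC3; use its NSEC3-aware alias (RFC 5155) or a newer algorithm"
            )
    return findings


def check_kasp(xml_text):
    """Check every <Policy> in a kasp.xml document and return all findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("Policy"):
        findings.extend(check_policy(policy))
    return findings


# Constructed sample: one policy with hash 1 and DNSKEY algorithm 7 (correct),
# and one that swaps the two registries the way the question above describes.
SAMPLE_KASP = """<KASP>
  <Policy name="good">
    <Denial><NSEC3><Hash><Algorithm>1</Algorithm><Iterations>5</Iterations>
      <Salt length="8"/></Hash></NSEC3></Denial>
    <Keys>
      <KSK><Algorithm length="2048">7</Algorithm></KSK>
      <ZSK><Algorithm length="1024">7</Algorithm></ZSK>
    </Keys>
  </Policy>
  <Policy name="confused">
    <Denial><NSEC3><Hash><Algorithm>7</Algorithm><Iterations>5</Iterations>
      <Salt length="8"/></Hash></NSEC3></Denial>
    <Keys>
      <KSK><Algorithm length="2048">1</Algorithm></KSK>
      <ZSK><Algorithm length="1024">5</Algorithm></ZSK>
    </Keys>
  </Policy>
</KASP>"""

if __name__ == "__main__":
    for finding in check_kasp(SAMPLE_KASP):
        print(finding)
```

Run against the constructed sample, the "good" policy produces no findings and the "confused" policy produces three: an undefined NSEC3 hash algorithm, a deprecated KSK algorithm, and a ZSK algorithm that RFC 5155 forbids with NSEC3. A policy using plain NSEC with algorithm 5 passes, since the NSEC3 restriction does not apply to it.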
