[Also to the list]

-------- Original Message --------
Subject: Re: [Opendnssec-user] opendnssec signed zones
Date: Tue, 11 Dec 2012 14:36:27 +0100
From: Matthijs Mekking <[email protected]>
To: [email protected]

Hi,

If you want to *not use* the auditor, you should disable it in the key and signing policy file, kasp.xml: Remove <Audit/>. You can also remove it from conf.xml.

Run ods-ksmutil update all to commit the changes, after you changed the files.

Are these logs below the high verbosity logs? I would expect more log lines. Perhaps rsyslog moves them to a different file?

Best regards,
Matthijs

On 12/11/2012 02:04 PM, [email protected] wrote:
> Hi!
>
> I'm using the latest on the site not svn version..
> I did disable the audit tool because I got some issue with ldns dependencies
> in debian stable..
> As I understand the audit is not obsolete so :) maybe I need to do some conf
> for not use it in conf ?
>
> ns:~# tail -f /var/log/messages
> Dec 11 14:01:45 ns ods-signerd: [cmdhandler] zone jll.se scheduled for immediate re-sign
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] read zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [adapter] read zone jll.se from file input adapter /var/opendnssec/unsigned/zone.jll.se
> Dec 11 14:01:45 ns ods-signerd: [zone] zone jll.se set SOA TTL to 3600
> Dec 11 14:01:45 ns ods-signerd: [zone] zone jll.se set SOA MINIMUM to 3600
> Dec 11 14:01:45 ns ods-signerd: [tools] commit updates for zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] nsecify zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] sign zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] audit zone jll.se
> Dec 11 14:01:45 ns ods-signerd: [worker[1]] backoff task [read] for zone jll.se with 3600 seconds
>
> Med vänliga hälsningar / Best regards / Ystävällisin terveisin / S pozdravem,
>
> //Anders Larsson
> Technical Security Specialist
>
> * Tieto, Managed Services and Transformation, MDZ Datacenter Services, MDN
> * Tredje Bassängvägen 2
> * SE-115 83 Stockholm
>
> * Visitors address: Fjärde Bassängvägen 15 www.tieto.com
>
> * Tel: +46 (0)10 481 02 20
> * Mobil: +46 (0)70 656 42 64
> * Mail: [email protected]
> **********************************************
>
> ---- Debian is the way to salvation ----
>
> --- How Hard Can It Be ---
>
> -----Original Message-----
> From: Matthijs Mekking [mailto:[email protected]]
> Sent: 11 December 2012 13:42
> To: Larsson Anders
> Subject: Re: [Opendnssec-user] opendnssec signed zones
>
> On 12/11/2012 12:42 PM, [email protected] wrote:
>> Yes it's running :)
>>
>> Dec 11 12:37:40 ns ods-signerd: [worker[4]] read zone jll.se
>> Dec 11 12:37:40 ns ods-signerd: [adapter] read zone jll.se from file input adapter /var/opendnssec/unsigned/zone.jll.se
>> Dec 11 12:37:40 ns ods-signerd: [zone] zone jll.se set SOA TTL to 3600
>> Dec 11 12:37:40 ns ods-signerd: [zone] zone jll.se set SOA MINIMUM to 3600
>> Dec 11 12:37:40 ns ods-signerd: [tools] commit updates for zone jll.se
>> Dec 11 12:37:40 ns ods-signerd: [worker[4]] nsecify zone jll.se
>> Dec 11 12:37:40 ns ods-signerd: [worker[4]] sign zone jll.se
>> Dec 11 12:37:41 ns ods-signerd: [worker[4]] audit zone jll.se
>> Dec 11 12:37:41 ns ods-signerd: [worker[4]] backoff task [read] for zone jll.se with 3600 seconds
>
> It is backing off the [read] task, after audit. So it looks like the audit
> has failed. I would have expected an auditor error message, why it failed.
>
> Which version is the opendnssec deb package?
>
> Can you increase the verbosity and sign again?:
>
> $ ods-signer verbosity 5
> $ ods-signer sign jll.se
>
> And provide me the logs?
>
> Best regards,
> Matthijs
>
>> ^C
>> ns:~# ps -ef | grep signer
>> root 15599 1 0 Dec10 ? 00:00:02 /usr/local/sbin/ods-signerd
>>
>> -----Original Message-----
>> From: Matthijs Mekking [mailto:[email protected]]
>> Sent: 11 December 2012 12:33
>> To: Larsson Anders
>> Cc: [email protected]
>> Subject: Re: [Opendnssec-user] opendnssec signed zones
>>
>> Hi Anders,
>>
>> I don't see any signer logs. Is the signer daemon running?
>>
>> Best regards,
>> Matthijs
>>
>> On 12/11/2012 11:55 AM, [email protected] wrote:
>>> Hi List!
>>>
>>> I have tested the deb package but did get get it work.. so I installed the
>>> src from the site and softhsm..
>>>
>>> It starts and reads the zone but it doesn't sign the zone? Or creates the
>>> file. I don't get any errors.
>>> Tried with 2 different zones
>>>
>>> ns:~# ods-ksmutil update zonelist
>>> zonelist filename set to /etc/opendnssec/zonelist.xml.
>>> kasp filename set to /etc/opendnssec/kasp.xml.
>>> Zone jamten.se found
>>> Policy set to default.
>>> Zone jll.se found
>>> Policy set to default.
>>> Notifying enforcer of new database...
>>>
>>> ns:~# tail -f /var/log/messages
>>> Dec 11 11:48:18 ns ods-enforcerd: Config will be output to /var/opendnssec/signconf/jamten.se.xml.
>>> Dec 11 11:48:18 ns ods-enforcerd: WARNING: New KSK has reached the ready state; please submit the DS for jamten.se and use ods-ksmutil key ds-seen when the DS appears in the DNS.
>>> Dec 11 11:48:18 ns ods-enforcerd: No change to: /var/opendnssec/signconf/jamten.se.xml
>>> Dec 11 11:48:18 ns ods-enforcerd: Zone jll.se found.
>>> Dec 11 11:48:18 ns ods-enforcerd: Policy for jll.se set to default.
>>> Dec 11 11:48:18 ns ods-enforcerd: Config will be output to /var/opendnssec/signconf/jll.se.xml.
>>> Dec 11 11:48:18 ns ods-enforcerd: WARNING: New KSK has reached the ready state; please submit the DS for jll.se and use ods-ksmutil key ds-seen when the DS appears in the DNS.
>>> Dec 11 11:48:18 ns ods-enforcerd: No change to: /var/opendnssec/signconf/jll.se.xml
>>> Dec 11 11:48:18 ns ods-enforcerd: Disconnecting from Database...
>>> Dec 11 11:48:18 ns ods-enforcerd: Sleeping for 3600 seconds.
>>>
>>> ns:~# ods-ksmutil keys list
>>> Keys:
>>> Zone:        Keytype:   State:    Date of next transition:
>>> jamten.se    KSK        ready     waiting for ds-seen
>>> jamten.se    ZSK        active    2013-01-09 14:28:06
>>> jll.se       KSK        ready     waiting for ds-seen
>>> jll.se       ZSK        active    2013-01-09 14:48:00
>>>
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> [email protected]
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
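
The diagnosis given in the thread (a `backoff task [read]` line straight after `audit zone` means the audit step failed, even though no error is logged) can be checked mechanically over syslog. This is an added example, not part of the original messages and not OpenDNSSEC code; the log text is constructed from the lines quoted above, and `example.org`, `find_backoffs` and `Backoff` are assumed names.

```python
import re
from typing import NamedTuple

# Constructed sample modelled on the ods-signerd lines quoted in the thread,
# plus one constructed zone (example.org) whose run ends without a backoff.
SAMPLE_LOG = """\
Dec 11 14:01:45 ns ods-signerd: [cmdhandler] zone jll.se scheduled for immediate re-sign
Dec 11 14:01:45 ns ods-signerd: [worker[1]] read zone jll.se
Dec 11 14:01:45 ns ods-signerd: [tools] commit updates for zone jll.se
Dec 11 14:01:45 ns ods-signerd: [worker[1]] nsecify zone jll.se
Dec 11 14:01:45 ns ods-signerd: [worker[1]] sign zone jll.se
Dec 11 14:01:45 ns ods-signerd: [worker[1]] audit zone jll.se
Dec 11 14:01:45 ns ods-signerd: [worker[1]] backoff task [read] for zone jll.se with 3600 seconds
Dec 11 14:01:46 ns ods-signerd: [worker[2]] read zone example.org
Dec 11 14:01:46 ns ods-signerd: [worker[2]] sign zone example.org
"""

STAGE = re.compile(r"ods-signerd: \[worker\[\d+\]\] (\w+) zone (\S+)")
BACKOFF = re.compile(
    r"ods-signerd: \[worker\[\d+\]\] backoff task \[(\w+)\] "
    r"for zone (\S+) with (\d+) seconds")

class Backoff(NamedTuple):
    zone: str
    failed_after: str   # last worker stage logged for the zone before the backoff
    task: str           # task the signer rescheduled
    retry_seconds: int

def find_backoffs(log_text):
    """Return one Backoff per 'backoff task' line, with the stage that preceded it."""
    last_stage, found = {}, []
    for line in log_text.splitlines():
        m = BACKOFF.search(line)
        if m:
            task, zone, secs = m.groups()
            found.append(Backoff(zone, last_stage.get(zone, "unknown"), task, int(secs)))
            continue
        m = STAGE.search(line)
        if m:
            last_stage[m.group(2)] = m.group(1)   # zone -> most recent stage
    return found

if __name__ == "__main__":
    for b in find_backoffs(SAMPLE_LOG):
        print(f"{b.zone}: [{b.task}] backed off after '{b.failed_after}', retry in {b.retry_seconds}s")
```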
