On 19.08.19 at 11:17, Andrew Ivanov wrote:
> On Sat, Aug 17, 2019 at 11:04:58AM +0200, Ulrich-Lorenz Schlüter wrote:
>> On 16.08.19 at 20:36, Berry A.W. van Halderen wrote:
>>> On 8/16/19 6:21 PM, Ulrich-Lorenz Schlüter wrote:
>>>> I checked perms as described.
>>>> Turned up logging verbosity.
>>>> "ods-ksmutil key list --verbose" does not spit out any keys.
>>>>
>>>
>>> Did you perform the upgrade steps to get to 1.4.14?  Were there
>>> any anomalies?
>>> If ods-ksmutil does not list keys, but there are no errors either
>>> then I would suspect problems there.  However if you increased logging
>>> level there should be more explanatory help in the logging.  Perhaps
>>> in the syslog configuration these are repressed, or they end up in a
>>> different log file.
>>>
>>> You can also try the command "ods-hsmutil list" to list keys.  The
>>> ods-ksmutil lists keys as known to OpenDNSSEC, ods-hsmutil lists keys
>>> as found in the HSM.
>> I migrated to fedora 30 aarch64 as upgrading on centos seemed too much of
>> a hassle.
>> By now ods-ksmutil and ods-hsmutil both list keys.
>> opendnssec is missing files in the /var/opendnssec/signed and
>> /var/opendnssec/unsigned folder.
>>
>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de xfr packet
>> parsed (res 5)
>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] xfr/newlease from 127.0.0.1
>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
>> Aug 17 10:55:59 one ods-signerd[5550]: [socket] incoming udp message
>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>> Aug 17 10:55:59 one ods-signerd[5550]: [query] too many additional rrs
>> Aug 17 10:55:59 one ods-signerd[5550]: [query] formerr
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> The problem is here. Check server TSIG-settings and adapters in addns.xml.
I created new keys, changed from hmac-md5 to hmac-sha512, now I get:
unable to sign request: tsig unknown algorithm hmac-sha512

I don't see any obvious error in my addns.xml. The opendnssec-in part
seemed to be working before, because there are files in /var/opendnssec/tmp.

<?xml version="1.0" encoding="UTF-8"?>
<Adapter>
        <DNS>
                <TSIG>
                        <Name>opendnssec-in</Name>
                        <Algorithm>hmac-sha512</Algorithm>
                        <!-- base64 encoded secret -->
                        <Secret>****************</Secret>
                </TSIG>
                <TSIG>
                        <Name>opendnssec-out</Name>
                        <Algorithm>hmac-sha512</Algorithm>
                        <!-- base64 encoded secret -->
                        <Secret>****************</Secret>
                </TSIG>

                <Inbound>
                        <!-- Address of host to request XFR from -->
                        <RequestTransfer>
                                <!-- Send request to 127.0.0.1 on the default port 53 -->
                                <Remote>
                                        <Address>127.0.0.1</Address>
                                        <Port>53</Port>
                                        <Key>opendnssec-in</Key>
                                </Remote>
                        </RequestTransfer>

                        <!-- Allow NOTIFY messages from host -->
                        <AllowNotify>
                                <Peer>
                                        <Prefix>127.0.0.1</Prefix>
                                </Peer>
                        </AllowNotify>
                </Inbound>

                <Outbound>
                        <!-- Provide XFR to host -->
                        <ProvideTransfer>
                                <Peer>
                                        <Prefix>127.0.0.1</Prefix>
                                        <Key>opendnssec-out</Key>
                                </Peer>
                        </ProvideTransfer>
        
                        <!-- Send NOTIFY messages to host -->
                        <Notify>
                                <Remote>
                                        <Address>127.0.0.1</Address>
                                        <Port>53</Port>
                                </Remote>
                        </Notify>
                </Outbound>
        </DNS>
</Adapter>
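As an added example (not from the thread or the OpenDNSSEC project), here is a small consistency check over an addns.xml of the shape posted above: it verifies that every <Key> reference resolves to a defined <TSIG> name, that each <Algorithm> is in the set the signer build accepts, that each <Secret> is valid base64, and it flags hmac-md5, which RFC 8945 makes optional in favour of hmac-sha256. The supported-algorithm set is an assumption the caller supplies from the signer's documentation; the embedded XML and its secrets are constructed placeholders.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample mirroring the addns.xml structure in the mail; the secret
# is base64("placeholder"), not a real key, and one <Key> deliberately dangles.
ADDNS_XML = """<Adapter><DNS>
  <TSIG><Name>opendnssec-in</Name><Algorithm>hmac-sha512</Algorithm>
        <Secret>cGxhY2Vob2xkZXI=</Secret></TSIG>
  <TSIG><Name>opendnssec-out</Name><Algorithm>hmac-md5</Algorithm>
        <Secret>cGxhY2Vob2xkZXI=</Secret></TSIG>
  <Inbound><RequestTransfer><Remote><Address>127.0.0.1</Address>
        <Port>53</Port><Key>opendnssec-in</Key></Remote></RequestTransfer></Inbound>
  <Outbound><ProvideTransfer><Peer><Prefix>127.0.0.1</Prefix>
        <Key>opendnssec-xfr</Key></Peer></ProvideTransfer></Outbound>
</DNS></Adapter>"""


def check_addns(xml_text, supported_algorithms):
    """Return a list of findings (strings); an empty list means nothing found.

    supported_algorithms: set of lower-case TSIG algorithm names the signer
    build accepts (assumption: obtain it from the signer's documentation).
    """
    root = ET.fromstring(xml_text)
    findings = []
    defined = {}
    for tsig in root.iter("TSIG"):
        name = (tsig.findtext("Name") or "").strip()
        alg = (tsig.findtext("Algorithm") or "").strip().lower()
        secret = (tsig.findtext("Secret") or "").strip()
        defined[name] = alg
        if alg not in supported_algorithms:
            findings.append(f"TSIG {name}: algorithm {alg!r} not in supported set")
        if alg == "hmac-md5":
            findings.append(f"TSIG {name}: hmac-md5 is optional in RFC 8945; "
                            "prefer hmac-sha256")
        try:
            base64.b64decode(secret, validate=True)
        except binascii.Error:
            findings.append(f"TSIG {name}: <Secret> is not valid base64")
    # Every <Key> in Inbound/Outbound must name one of the <TSIG> entries.
    for key in root.iter("Key"):
        ref = (key.text or "").strip()
        if ref not in defined:
            findings.append(f"<Key>{ref}</Key> references an undefined TSIG name")
    return findings
```

Running it on the constructed sample with a supported set of {hmac-sha1, hmac-sha256, hmac-md5} yields three findings: the unsupported hmac-sha512, the hmac-md5 warning, and the dangling opendnssec-xfr reference.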


_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user