On 19.08.19 at 14:05, Ulrich-Lorenz Schlüter wrote:
> On 19.08.19 at 11:17, Andrew Ivanov wrote:
>> On Sat, Aug 17, 2019 at 11:04:58AM +0200, Ulrich-Lorenz Schlüter wrote:
>>> On 16.08.19 at 20:36, Berry A.W. van Halderen wrote:
>>>> On 8/16/19 6:21 PM, Ulrich-Lorenz Schlüter wrote:
>>>>> I checked perms as described.
>>>>> Turned up logging verbosity.
>>>>> "ods-ksmutil key list --verbose" does not spit out any keys.
>>>>>
>>>>
>>>> Did you perform the upgrade steps to get to 1.4.14? Were there
>>>> any anomalies?
>>>> If ods-ksmutil does not list keys, but there are no errors either,
>>>> then I would suspect problems there. However, if you increased the logging
>>>> level there should be more explanatory help in the logging. Perhaps
>>>> in the syslog configuration these are suppressed, or they end up in a
>>>> different log file.
>>>>
>>>> You can also try the command "ods-hsmutil list" to list keys. The
>>>> ods-ksmutil lists keys as known to OpenDNSSEC, ods-hsmutil lists keys
>>>> as found in the HSM.
>>> I migrated to fedora 30 aarch64 as upgrading on centos seemed too much of
>>> a hassle.
>>> By now ods-ksmutil and ods-hsmutil both list keys.
>>> opendnssec is missing files in the /var/opendnssec/signed and
>>> /var/opendnssec/unsigned folder.
>>>
>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] zone sycosys.de xfr packet parsed (res 5)
>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrd] xfr/newlease from 127.0.0.1
>>> Aug 17 10:54:55 one ods-signerd[5550]: [xfrhandler] netio dispatch
>>> Aug 17 10:55:59 one ods-signerd[5550]: [socket] incoming udp message
>>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>>> Aug 17 10:55:59 one ods-signerd[5550]: [tsig] parse: not TSIG or not ANY
>>> Aug 17 10:55:59 one ods-signerd[5550]: [query] too many additional rrs
>>> Aug 17 10:55:59 one ods-signerd[5550]: [query] formerr
>> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>> The problem is here.
>> Check server TSIG-settings and adapters in addns.xml.
> I created new keys, changed from hmac-md5 to hmac-sha512, now I get:
> unable to sign request: tsig unknown algorithm hmac-sha512
>
> I don't see any obvious error in my addns.xml. The opendnssec-in part
> seemed to be working before, because there are files in /var/opendnssec/tmp
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Adapter>
>   <DNS>
>     <TSIG>
>       <Name>opendnssec-in</Name>
>       <Algorithm>hmac-sha512</Algorithm>
>       <!-- base64 encoded secret -->
>       <Secret>****************</Secret>
>     </TSIG>
>     <TSIG>
>       <Name>opendnssec-out</Name>
>       <Algorithm>hmac-sha512</Algorithm>
>       <!-- base64 encoded secret -->
>       <Secret>****************</Secret>
>     </TSIG>
>
>     <Inbound>
>       <!-- Address of host to request XFR from -->
>       <RequestTransfer>
>         <!-- Send request to 127.0.0.1 on the default port 53 -->
>         <Remote>
>           <Address>127.0.0.1</Address>
>           <Port>53</Port>
>           <Key>opendnssec-in</Key>
>         </Remote>
>       </RequestTransfer>
>
>       <!-- Allow NOTIFY messages from host -->
>       <AllowNotify>
>         <Peer>
>           <Prefix>127.0.0.1</Prefix>
>         </Peer>
>       </AllowNotify>
>     </Inbound>
>
>     <Outbound>
>       <!-- Provide XFR to host -->
>       <ProvideTransfer>
>         <Peer>
>           <Prefix>127.0.0.1</Prefix>
>           <Key>opendnssec-out</Key>
>         </Peer>
>       </ProvideTransfer>
>
>       <!-- Send NOTIFY messages to host -->
>       <Notify>
>         <Remote>
>           <Address>127.0.0.1</Address>
>           <Port>53</Port>
>         </Remote>
>       </Notify>
>     </Outbound>
>   </DNS>
> </Adapter>

A restart resolved "tsig unknown algorithm hmac-sha512". I now get formerr again.

Regards

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
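The TSIG exchange discussed in this thread, as an added example that is not from the thread or from OpenDNSSEC's own code: a minimal RFC 8945 TSIG signer and verifier showing what the receiving side checks on a signed request and why a key whose `<Algorithm>` differs between the two sides is rejected as BADKEY before any MAC is compared. The key names, the zone sycosys.de and the secret are constructed sample values, and the message is assumed to be the wire form with the TSIG RR already stripped.

```python
import hashlib, hmac, struct, time

# Algorithm names as written in <Algorithm> in addns.xml, mapped to the digest
# the verifier must use. A name missing here is the "tsig unknown algorithm" case.
SUPPORTED = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}

def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def soa_query(zone, msg_id=0x1234):
    """Constructed sample message: the SOA query sent before requesting an XFR."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)       # QDCOUNT=1
    return header + wire_name(zone) + struct.pack("!HH", 6, 1)   # QTYPE SOA, QCLASS IN

def tsig_variables(keyname, algorithm, signed_at, fudge, error=0, other=b""):
    """TSIG variables (RFC 8945 section 4.3.3) hashed after the message."""
    return (wire_name(keyname) + struct.pack("!HI", 255, 0)       # CLASS ANY, TTL 0
            + wire_name(algorithm)
            + struct.pack("!HI", signed_at >> 32, signed_at & 0xFFFFFFFF)  # 48-bit time
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_mac(secret, algorithm, message, keyname, signed_at, fudge):
    # message = the DNS message without its TSIG RR (what both sides hash)
    data = message + tsig_variables(keyname, algorithm, signed_at, fudge)
    return hmac.new(secret, data, SUPPORTED[algorithm]).digest()

def sign(secret, algorithm, message, keyname, signed_at=None, fudge=300):
    """Client side: produce the TSIG fields for a request."""
    if algorithm not in SUPPORTED:
        raise ValueError("tsig unknown algorithm " + algorithm)
    signed_at = int(time.time()) if signed_at is None else signed_at
    return {"key": keyname, "alg": algorithm, "time": signed_at, "fudge": fudge,
            "mac": tsig_mac(secret, algorithm, message, keyname, signed_at, fudge)}

def verify(keys, message, tsig, now=None):
    """Server side; keys = {keyname: (algorithm, secret)} as configured in addns.xml.
    Returns (accepted, TSIG error name) following RFC 8945 section 5.3.2."""
    now = int(time.time()) if now is None else now
    entry = keys.get(tsig["key"])
    if entry is None or entry[0] != tsig["alg"] or entry[0] not in SUPPORTED:
        return False, "BADKEY"          # unknown key name, or algorithm mismatch
    if abs(now - tsig["time"]) > tsig["fudge"]:
        return False, "BADTIME"
    expected = tsig_mac(entry[1], entry[0], message, tsig["key"], tsig["time"], tsig["fudge"])
    if not hmac.compare_digest(expected, tsig["mac"]):
        return False, "BADSIG"
    return True, "NOERROR"
```

A request signed with hmac-sha512 against a server entry still configured for hmac-md5 returns BADKEY, which is the mismatch a restart (reloading addns.xml on both sides) clears; a MAC computed over a tampered message or with a different secret returns BADSIG.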
