Re: Testing RFC 5011 key roll

2015-04-21 Thread Jan-Piet Mens
> My lesson is - besides just working out the configuration - testing > RFC5011 takes more patience than just about any other feature of > DNS/DNSSEC. RFC5011 is the most wall-clock driven mechanism we have. Yup. I learned that as well. As a side note: can you imagine my surprise when, after wai

Re: Testing RFC 5011 key roll

2015-04-21 Thread Evan Hunt
> By default it dumps its output to a file; you can use `rndc secroots -` > to get output on stdout. Using "-" to get it to dump the secroots output to stdout is a new feature added for 9.11. That hasn't been published yet, but if you build from the source tree at source.isc.org (like Tony does),

Re: Testing RFC 5011 key roll

2015-04-21 Thread Edward Lewis
On 4/21/15, 10:15, "Warren Kumari" wrote: > >From the ARM: Sigh, RTFM...(My, BIND's gotten a lot more complicated/feature-rich since I last read the docs.) Hey, it's there. smime.p7s Description: S/MIME cryptographic signature ___ Please visit https

Re: Testing RFC 5011 key roll

2015-04-21 Thread Warren Kumari
On Tue, Apr 21, 2015 at 9:55 AM, Edward Lewis wrote: > On 4/21/15, 9:45, "Tony Finch" wrote: >>rndc secroots >> >>You can also look in the .mkeys file. > > I tried secroots with my set up, I got nothing despite the mkeys file. > (Kind of asking - does that work?): > > (I had my rndc port bumped o

Re: Testing RFC 5011 key roll

2015-04-21 Thread Tony Finch
Edward Lewis wrote: > > I tried secroots with my set up, I got nothing despite the mkeys file. > (Kind of asking - does that work?): By default it dumps its output to a file; you can use `rndc secroots -` to get output on stdout. Tony. -- f.anthony.n.finchhttp://dotat.at/ Hebrides, Bailey:

Re: Testing RFC 5011 key roll

2015-04-21 Thread Edward Lewis
On 4/21/15, 9:45, "Tony Finch" wrote: >rndc secroots > >You can also look in the .mkeys file. I tried secroots with my set up, I got nothing despite the mkeys file. (Kind of asking - does that work?): (I had my rndc port bumped out of sudo-land, so it's overridden:) $ rndc -p 1953 -c rndc.conf

Re: Testing RFC 5011 key roll

2015-04-21 Thread Tony Finch
Edward Lewis wrote: > > I have a suggestion - is there a way to query a BIND server for it's trust > anchor key set? rndc secroots (though this only provides the key tags not the public key data) > I say perhaps unnecessary because the information may be available on > disk (which an administra

Re: Testing RFC 5011 key roll

2015-04-21 Thread Edward Lewis
Evan/et.al., I've updated to 9.10.2, adjusted the timers, etc., and have managed to follow the keyroll.systems test over night (a handful of key changes) plus still get the desired "AD" bit. With the timing in mind, I looked at my unbound (I realize this is BIND users ;)) which wasn't keeping up

Re: Testing RFC 5011 key roll

2015-04-20 Thread Warren Kumari
On Mon, Apr 20, 2015 at 4:33 PM, Evan Hunt wrote: > On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote: >> That page says (for BIND): >> "Note: When using this config file you will probably need to delete >> /var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mke

Re: Testing RFC 5011 key roll

2015-04-20 Thread Evan Hunt
On Mon, Apr 20, 2015 at 04:17:57PM -0400, Warren Kumari wrote: > That page says (for BIND): > "Note: When using this config file you will probably need to delete > /var/named/21ce078705d04ca6324c1d0313fc08ea99f3cef6389a6744d40bd2d9d0cd7816.mkeys* > every time you restart BIND after missing a keyrol

Re: Testing RFC 5011 key roll

2015-04-20 Thread Warren Kumari
On Mon, Apr 20, 2015 at 3:41 PM, Edward Lewis wrote: > Thanks. rm'd the file and added the timers. (I did that also after > sending, so it is the deleting the old file that did the trick.) The > start-up lines look good. > > Got an AD bit again too. > > (I may have a few more issues as I move t

Re: Testing RFC 5011 key roll

2015-04-20 Thread Edward Lewis
Thanks. rm'd the file and added the timers. (I did that also after sending, so it is the deleting the old file that did the trick.) The start-up lines look good. Got an AD bit again too. (I may have a few more issues as I move this off a laptop on to a regular machine. Right now it helps know

Re: Testing RFC 5011 key roll

2015-04-20 Thread Evan Hunt
On Mon, Apr 20, 2015 at 06:42:42PM +, Edward Lewis wrote: > Being that I'm working on a laptop (hence on on over the weekend) I've had > to recreate the environment today. I'm a bit more puzzled now. There's a separate file that named creates to keep the current managed keys state information

Re: Testing RFC 5011 key roll

2015-04-20 Thread Edward Lewis
Thanks to Evan for the last look and thanks to Jan-Piet for the suggestion to go to 9.10.2. Being that I'm working on a laptop (hence on on over the weekend) I've had to recreate the environment today. I'm a bit more puzzled now. I've built and installed BIND 9.10.2. Using http://keyroll.system

Re: Testing RFC 5011 key roll

2015-04-18 Thread Jan-Piet Mens
Edward, the subject of this message piqued my interest ;-) > 17-Apr-2015 10:17:02.083 starting BIND 9.10.0 -g -c rfc5011.conf Very ouch. Much pain. Lots frustration. Many hairpulls. Mucho crash. ;) Upgrade to 9.10.2 [1] in which Evan fixes the CVE we discovered on RFC5011 rolls and, thankfully,

Re: Testing RFC 5011 key roll

2015-04-17 Thread Edward Lewis
Thanks. Now have 'ad' bits via both BIND and unbound. Will let you know when I've shot myself in the foot. On 4/17/15, 12:45, "Evan Hunt" wrote: ... >instead of waiting a full 30 days. (This is, I hope obviously, *not* >something you want to run in production. :) ) smime.p7s Description: S

Re: Testing RFC 5011 key roll

2015-04-17 Thread Evan Hunt
On Fri, Apr 17, 2015 at 02:46:16PM +, Edward Lewis wrote: > I am building named and unbound recursive servers to follow a test of RFC > 5011 trust anchor updates, the experiment is documented at > http://keyroll.systems. One reason why I'm asking here is in > http://jpmens.net/2015/01/21/opend

Testing RFC 5011 key roll

2015-04-17 Thread Edward Lewis
I am building named and unbound recursive servers to follow a test of RFC 5011 trust anchor updates, the experiment is documented at http://keyroll.systems. One reason why I'm asking here is in http://jpmens.net/2015/01/21/opendnssec-rfc-5011-bind-and-unbound/ which mentions some issues with RFC 5