Commit 744c659b authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 1.1.1

$Id: KNOWN_ISSUES 3404 2010-05-05 14:10:15Z sion $
OpenDNSSEC 1.1.0 - Known Restrictions
The following are the known problems and/or restrictions of release 1.1.0 of
OpenDNSSEC.
KSK rollover requires manual timing
-----------------------------------
OpenDNSSEC rolls a key-signing key by the double-DS pre-publication method:
the DS record for the new zone is extracted from OpenDNSSEC and sent to the
parent zone. After a period of time, the KSK is changed and, after a further
interval, the DS record for the old KSK is removed from the parent.
The sending of the DS record to the parent zone necessarily involves manual
intervention on your part, but version 1.0.0 of OpenDNSSEC also requires that
you manually time two intervals:
* The time between introducing the new KSK into the zone and sending the DS
record to the parent.
* Seeing the DS record in the parent zone and informing OpenDNSSEC of its
presence.
Future versions of the software will remove the need for tracking the time
between these events.
The KSK rollover procedure is described in the OpenDNSSEC documentation.
Key rollover and reuse of signatures
------------------------------------
OpenDNSSEC reuses previously created signatures. A key in the active state is
used for signing. When rolling keys, keys may become active or inactive. At
these points in the rollover, all signatures made with the previously active
key (which has just become inactive) need to be dropped, and new signatures
need to be created from scratch with the newly activated key. OpenDNSSEC
cannot handle a smooth transition between these states.
Limitations on Number of Zones
------------------------------
Owing to contention in the key management database, performance is degraded if
OpenDNSSEC is used to sign large numbers of zones that do not share common
keys. The problem is worse if SQLite is used for the key and signature manager
database.
As a workaround, we suggest that either the same key is used for all zones, or
that the number of zones be limited to about 5,000.
This will be addressed in a future release of the software.
Incompatibility in TSIG Key
---------------------------
When setting up a TSIG key for the zone fetcher component, note that the SHA
algorithm family used by OpenDNSSEC is incompatible with BIND 9, due to a
problem in the latter's cryptographic library.
The problem is fixed in the upcoming BIND-9.7 release; in the meantime, avoid
using TSIG authentication between the zone fetcher and the upstream
nameserver.
Possible Issue between enforcer and signer
------------------------------------------
We have seen, but only on CentOS, an issue where, when the enforcer signals the
signer that a signer configuration file has changed, the return value indicates
an error. This happens even when the signer is running and has correctly
processed the message.
The result is that the enforcer does not message the signer about any more
changes in that run. So, if any other zones change, they will not be seen
until the next time the signer runs.
If you are affected by this issue then you will see messages like this in your
log:
  ods-enforcerd: Could not call signer engine
  ods-enforcerd: Will continue: call 'ods-signer update' to manually update zones
Issue with sharing keys and adding zones
----------------------------------------
Due to a limitation in the way we keep track of key states, adding zones to a
system that shares keys results in the new zone not getting copies of the
standby KSKs.
In general when sharing keys the user must be aware that any key will be in
the same state for all zones.
Issue with rolling from one algorithm to another
------------------------------------------------
The current version handles key rollovers that also change algorithm just the
same as any other key rollover. This is not sufficient, so rolling between
algorithms is broken and should not be done with the current system.
Quicksorter does not allow certain owner names
----------------------------------------------
If an RR owner name looks like a directive, e.g. \$ORIGIN or $TTLexample, the
quicksorter filters it out as an incorrect directive. It will crash on owner
names like \$ORIGIN.
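As an added example (not part of the OpenDNSSEC source), written in the auditor's language, a master-file line classifier that applies the rule this entry implies: a first token is treated as a directive only when it is an unescaped, known directive name, so owner names such as \$ORIGIN or $TTLexample are kept as records instead of being dropped. The directive set and the sample zone are assumptions.

```ruby
# Added example (not OpenDNSSEC code): classify master-file lines so that
# directive-looking owner names survive. A line is a directive only when its
# first token is an unescaped, known directive name; "\$ORIGIN" (escaped) and
# "$TTLexample" (unknown, no separating space) are owner names.
DIRECTIVES = %w[$ORIGIN $TTL $INCLUDE $GENERATE].freeze   # assumed set

# Returns [:blank], [:directive, name, args] or [:record, owner, rdata];
# owner is nil when the line starts with whitespace (owner inherited).
def classify_line(line)
  body = line.chomp.sub(/;.*/, '').rstrip   # drop a trailing comment
  return [:blank] if body.strip.empty?
  return [:record, nil, body.strip] if body =~ /\A\s/
  token, rest = body.split(/\s+/, 2)
  rest ||= ''
  if token.start_with?('$') && DIRECTIVES.include?(token.upcase)
    [:directive, token.upcase, rest]
  else
    [:record, token, rest]                  # includes \$ORIGIN and $TTLexample
  end
end

# Constructed sample zone; the single-quoted heredoc keeps the backslash.
SAMPLE_ZONE = <<~'ZONE'
  $ORIGIN example.com.
  $TTL 3600
  @           IN SOA ns1 hostmaster 1 7200 3600 1209600 3600
  \$ORIGIN    IN A   192.0.2.1
  $TTLexample IN A   192.0.2.2
              IN A   192.0.2.3
  ; end of constructed sample
ZONE

# Owner names a sorter must keep (nil owners are inherited, so skipped).
def owner_names(text)
  text.each_line.map { |l| classify_line(l) }
      .select { |c| c[0] == :record && c[1] }
      .map { |c| c[1] }
end

puts owner_names(SAMPLE_ZONE).inspect if $PROGRAM_NAME == __FILE__
```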
Enforcer unit tests require environment variables
-------------------------------------------------
In order to run the unit tests for the enforcer the following environment
variables need to be set when configure is run:
For a sqlite build:
  DB_NAME      points to the file to be used during the unit tests. N.B. it will
               be deleted and recreated during the tests.
For a mysql build:
  DB_USERNAME  user to connect as
  DB_PASSWORD  password for that user
  DB_HOST      machine to connect to
  DB_NAME      the schema to use. N.B. this schema will be torn down and
               recreated during the tests.
# $Id: Makefile.am 2960 2010-03-05 09:15:20Z rb $
ACLOCAL_AMFLAGS = -I m4
MAINTAINERCLEANFILES = \
config.log config.status \
$(srcdir)/Makefile.in \
$(srcdir)/config.h.in $(srcdir)/config.h.in~ \
$(srcdir)/configure \
$(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \
$(srcdir)/depcomp $(srcdir)/aclocal.m4 $(srcdir)/compile \
$(srcdir)/config.guess $(srcdir)/config.sub
SUBDIRS = libhsm enforcer signer conf tools contrib
if ENABLE_AUDITOR
SUBDIRS += auditor
endif
if ENABLE_EPPCLIENT
SUBDIRS += plugins/eppclient
endif
EXTRA_DIST = $(srcdir)/KNOWN_ISSUES
$Id: README 2104 2009-10-06 15:02:04Z pawal $
INTRODUCTION
OpenDNSSEC was created as an open-source turn-key solution for DNSSEC.
It secures zone data just before it is published in an authoritative
name server.
MORE INFORMATION
More information can be found at the project website available at
http://www.opendnssec.org/ and on the development WIKI/TRAC at
http://trac.opendnssec.org/.
Information about announcements, bug reporting and mailing lists can
be found at http://www.opendnssec.org/support/.
DEPENDENCIES
OpenDNSSEC depends on a number of external packages:
- libxml2 (including xmllint)
- LDNS
- SQLite3
- Python
- 4Suite Python XML Library
To run OpenDNSSEC, one must have at least one crypto module providing a
PKCS#11 library, e.g. SoftHSM (http://www.opendnssec.org/softHSM)
The Auditor has some additional dependencies:
- Ruby
- rubygems
* syslog
* openssl
* dnsruby
* xsd/datatypes
* rexml/document
When building from the subversion repository, the following dependencies
are also needed:
- A Java runtime environment (JRE/JDK)
# $Id: Makefile.am 1104 2009-06-24 07:28:23Z jakob $
ACLOCAL_AMFLAGS = -I m4
EXTRA_DIST = \
$(srcdir)/lib/*.rb \
$(srcdir)/lib/kasp_auditor/*.rb
MAINTAINERCLEANFILES = \
config.log config.status \
$(srcdir)/Makefile.in \
$(srcdir)/config.h.in $(srcdir)/config.h.in~ \
$(srcdir)/configure \
$(srcdir)/install-sh $(srcdir)/ltmain.sh $(srcdir)/missing \
$(srcdir)/depcomp $(srcdir)/aclocal.m4 $(srcdir)/compile \
$(srcdir)/config.guess $(srcdir)/config.sub
opendnsseclibdir = $(libdir)/opendnssec
bin_SCRIPTS = ods-auditor ods-kaspcheck
man1_MANS = ods-auditor.1 ods-kaspcheck.1
install-data-hook:
${INSTALL} -d -m 755 ${DESTDIR}$(opendnsseclibdir)
${INSTALL} -d -m 755 ${DESTDIR}$(opendnsseclibdir)/kasp_auditor
${INSTALL_DATA} $(srcdir)/lib/*.rb ${DESTDIR}$(opendnsseclibdir)
${INSTALL_DATA} $(srcdir)/lib/kasp_auditor/*.rb ${DESTDIR}$(opendnsseclibdir)/kasp_auditor
# $Id: configure.ac 3143 2010-04-07 11:22:16Z alex $
m4_sinclude([version.m4])
AC_PREREQ(2.61)
AC_INIT([opendnssec-auditor], OPENDNSSEC_VERSION)
AM_INIT_AUTOMAKE
AC_CONFIG_MACRO_DIR([m4])
AM_INIT_AUTOMAKE(foreign)
ACX_PREFIXHACK
OPENDNSSEC_COMMON
AM_PROG_RUBY
ACX_RUBY_LIBRARY([syslog openssl xsd/datatypes rexml/document])
ACX_DNSRUBY(1.46)
# check for xmllint
AC_PATH_PROG(XMLLINT, xmllint)
if test "x$XMLLINT" = "x"; then
AC_MSG_ERROR([xmllint required, but not found.])
fi
full_libdir=`eval eval eval eval eval echo "${libdir}" | sed "s#NONE#${prefix}#" | sed "s#NONE#${ac_default_prefix}#"`
full_datadir=`eval eval eval eval eval echo "${datadir}" | sed "s#NONE#${prefix}#" | sed "s#NONE#${ac_default_prefix}#"`
full_sysconfdir=`eval eval eval eval eval echo "${sysconfdir}" | sed "s#NONE#${prefix}#" | sed "s#NONE#${ac_default_prefix}#"`
AC_SUBST(TIMESHIFT, false)
AC_ARG_ENABLE(timeshift,
AC_HELP_STRING([--enable-timeshift], [Enable timeshift debug]),
[enable_timeshift="${enableval}"],
[enable_timeshift="no"])
if test "x${enable_timeshift}" = "xyes"; then
AC_SUBST(TIMESHIFT, true)
AC_MSG_CHECKING(if we should do timeshift debugging)
AC_MSG_RESULT(yes)
fi
AC_CONFIG_FILES([
Makefile
ods-auditor
ods-auditor.1
ods-kaspcheck
ods-kaspcheck.1
])
AC_OUTPUT
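Review bot: AM_INIT_AUTOMAKE is invoked twice in this file, once bare and once with `foreign`; keep only `AM_INIT_AUTOMAKE(foreign)` so automake does not complain about the duplicate. AC_HELP_STRING is the deprecated spelling of AS_HELP_STRING. The timeshift block also emits AC_MSG_CHECKING and AC_MSG_RESULT only inside the `yes` branch, so a default configure run gives no indication that timeshift debugging is off; move AC_MSG_CHECKING before the `if` and report `no` in the other case.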
# $Id: parse.rb 2657 2009-12-29 14:42:55Z alex $
#
# Copyright (c) 2009 Nominet UK. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
require 'rexml/document'
include REXML
module KASPAuditor
class Parse
def self.parse(path, zonelist_filename, kasp_filename, syslog)
# We need to open [/etc/opendnssec/]conf.xml,
# [/etc/opendnssec/]kasp.xml,
# [/etc/opendnssec/]zonelist.xml
#
# The zonelist.xml specified the zones. It also specified the policy for
# the zone.
# The policy refers to a policy defined in kasp.xml, which specifies all
# except for the salt.
# The conf.xml specifies the signer working directory, as well as the syslog
# So, we parse zonelist.xml. We should read the policy from there.
# We should then read the kasp.xml file to find the policy of interest.
# We also need to read SignerConfiguration, just so we know the salt.
zones = []
File.open((zonelist_filename.to_s+"").untaint, 'r') {|file|
doc = REXML::Document.new(file)
doc.elements.each("ZoneList/Zone") {|z|
# First load the config files
zone_name = z.attributes['name']
policy = z.elements['Policy'].text
config_file_loc = z.elements["SignerConfiguration"].text
if (config_file_loc.index(File::SEPARATOR) != 0)
config_file_loc = path + config_file_loc
end
# Now parse the config file
begin
config = Config.new(zone_name, kasp_filename, policy,
config_file_loc, syslog)
output_file_loc = z.elements["Adapters"].elements['Output'].elements["File"].text
if (output_file_loc.index(File::SEPARATOR) != 0)
output_file_loc = path + output_file_loc
end
zones.push([config, output_file_loc])
rescue Config::ConfigLoadError => e
msg = "Can't load #{zone_name} SignerConfiguration file (#{config_file_loc}) : #{e}"
print msg+"\n"
syslog.log(LOG_ERR, msg)
end
}
}
return zones
end
end
end
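Review bot: the rescue in the per-zone loop only catches Config::ConfigLoadError, so a zonelist entry without an Adapters/Output/File element (or a Policy element with no text) raises NoMethodError on nil from the `.elements[...]` chain and aborts parsing of every remaining zone instead of being logged and skipped; guard those lookups or rescue that case in the same block. `LOG_ERR` is used unqualified with no `require 'syslog'` in this file, so the error path only works if the caller has mixed Syslog in; `Syslog::LOG_ERR` makes it self-contained. Also, `include REXML` at file scope mixes the whole REXML namespace into Object for everything loaded afterwards; the code already qualifies `REXML::Document`, so the include can go.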
#
# $Id: time_shift.rb 2695 2010-01-22 10:17:01Z rb $
#
# Copyright (c) 2009 Nominet UK. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
class Time
class << self
alias_method :original_now, :now
def now
if (!@start)
@start = original_now.to_i
end
return Runner.timeshift + (original_now.to_i - @start)
end
end
end
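Review bot: the redefined `Time.now` returns an Integer (`Runner.timeshift + ...`) rather than a Time, so once this file is loaded any caller doing `Time.now.year`, `Time.now.strftime(...)` or `Time.now - other_time` breaks; wrapping the result in `Time.at(...)` keeps the original return type. The file also references `Runner.timeshift` without requiring anything, so it silently depends on load order; a comment or a require would make that explicit.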
# $Id: acx_dnsruby.m4 2675 2010-01-08 15:10:19Z rb $
AC_DEFUN([ACX_DNSRUBY],[
AC_MSG_CHECKING([for dnsruby version $1 or greater])
have_ruby_dnsruby=`$RUBY -e '
begin
require "rubygems"
rescue Exception
end
begin
require "dnsruby"
rescue Exception => e
print "no"
end
begin
if (Dnsruby.version >= $1)
print "yes"
else
print "no"
end
rescue Exception => e
print "no"
end'`
if test "x$have_ruby_dnsruby" != "xyes"; then
AC_MSG_RESULT([not found])
AC_MSG_ERROR([Missing dnsruby version $1 or greater])
fi
AC_MSG_RESULT([ok])
])
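Review bot: when `require "dnsruby"` fails the script prints `no` but falls through to the version block, which raises on the undefined `Dnsruby` constant and prints a second `no`; the result still fails the `xyes` test, but an `exit` after the first failure (or putting the version check in the same begin block) makes the output unambiguous. The comparison `Dnsruby.version >= $1` also assumes a numeric version: if that method ever returns a String, the ArgumentError is swallowed and reported only as a missing dependency, so printing the caught exception to stderr (which lands in config.log) would save debugging time.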
# $Id: version.m4 3566 2010-07-08 14:25:01Z rb $
#
# this file contains the current OpenDNSSEC version
define([OPENDNSSEC_VERSION], [1.1.1])
# $Id: version.m4 3566 2010-07-08 14:25:01Z rb $
#
# this file contains the current OpenDNSSEC version
define([OPENDNSSEC_VERSION], [1.1.1])