- Type: Support
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: OpenDNSSEC 2.1
- Fix Version/s: None
- Component/s: Configuration
- Labels: None
- Environment:
I am setting up a new installation of OpenDNSSEC 2.1.3 on Raspbian (Debian) 10 Buster. On this platform, the ODS daemons are managed by systemd.
After editing the config files and removing the `prevent-startup` file, I initialized the database with `ods-enforcer-db-setup` and started the daemons with `systemctl start opendnssec-enforcer opendnssec-signer`. The startup is successful. Next, I ran `ods-enforcer policy import`:
```
# ods-enforcer policy import
Unable to create policy default in the database!
Unable to create policy lab in the database!
The information in the database may have been changed during KASP update and caused an update error, try rerunning policy import. If the problem persists please check logs and database setup and after correcting the problem rerun policy import.
```
A re-run didn't help. I increased the verbosity to 7 and ran the command again. Here are the resulting logs:
```
[cmdhandler] accept client 11
received command policy import
[cmdhandler] policy import command
[policy_import_cmd] policy import command
SELECT policy.id, policy.rev, policy.name, policy.description, policy.signaturesResign, policy.signaturesRefresh, policy.signaturesJitter, policy.signaturesInceptionOffset, policy.signaturesValidityDefault, policy.signaturesValidityDenial, policy.signaturesValidityKeyset, policy.signaturesMaxZoneTtl, policy.denialType, policy.denialOptout, policy.denialTtl, policy.denialResalt, policy.denialAlgorithm, policy.denialIterations, policy.denialSaltLength, policy.denialSalt, policy.denialSaltLastChange, policy.keysTtl, policy.keysRetireSafety, policy.keysPublishSafety, policy.keysShared, policy.keysPurgeAfter, policy.zonePropagationDelay, policy.zoneSoaTtl, policy.zoneSoaMinimum, policy.zoneSoaSerial, policy.parentRegistrationDelay, policy.parentPropagationDelay, policy.parentDsTtl, policy.parentSoaTtl, policy.parentSoaMinimum, policy.passthrough FROM policy
INFO: The XML in /etc/opendnssec/kasp.xml is valid
[policy_key_*_from_xml] KSK
[policy_key_*_from_xml] algorithm length 2048
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime P365D
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default KskDoubleSignature
[policy_key_*_from_xml] - rfc5011
[policy_key_*_from_xml] ZSK
[policy_key_*_from_xml] algorithm length 2048
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime P90D
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default ZskPrePublication
[policy_key_*_from_xml] ZSK
[policy_key_*_from_xml] algorithm length 2048
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime P90D
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default ZskPrePublication
[policy_key_*_from_xml] KSK
[policy_key_*_from_xml] algorithm length 2048
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime P365D
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default KskDoubleSignature
[policy_key_*_from_xml] - rfc5011
[policy_key_*_from_xml] ZSK
[policy_key_*_from_xml] algorithm length 1024
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime PT4H
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default ZskPrePublication
[policy_key_*_from_xml] ZSK
[policy_key_*_from_xml] algorithm length 1024
[policy_key_*_from_xml] algorithm 8
[policy_key_*_from_xml] lifetime PT4H
[policy_key_*_from_xml] repository smartcardhsm
[policy_key_*_from_xml] - standby
[policy_key_*_from_xml] - manual rollover
[policy_key_*_from_xml] - minimize default ZskPrePublication
SELECT policy.id, policy.rev, policy.name, policy.description, policy.signaturesResign, policy.signaturesRefresh, policy.signaturesJitter, policy.signaturesInceptionOffset, policy.signaturesValidityDefault, policy.signaturesValidityDenial, policy.signaturesValidityKeyset, policy.signaturesMaxZoneTtl, policy.denialType, policy.denialOptout, policy.denialTtl, policy.denialResalt, policy.denialAlgorithm, policy.denialIterations, policy.denialSaltLength, policy.denialSalt, policy.denialSaltLastChange, policy.keysTtl, policy.keysRetireSafety, policy.keysPublishSafety, policy.keysShared, policy.keysPurgeAfter, policy.zonePropagationDelay, policy.zoneSoaTtl, policy.zoneSoaMinimum, policy.zoneSoaSerial, policy.parentRegistrationDelay, policy.parentPropagationDelay, policy.parentDsTtl, policy.parentSoaTtl, policy.parentSoaMinimum, policy.passthrough FROM policy WHERE policy.name = ?
[policy_*_from_xml] policy default
[policy_*_from_xml] description A default policy that will amaze you and your friends
[policy_*_from_xml] signature resign PT2H
[policy_*_from_xml] signature refresh P3D
[policy_*_from_xml] signature validity default P14D
[policy_*_from_xml] signature validity denial P14D
[policy_*_from_xml] signature jitter PT12H
[policy_*_from_xml] signature inception offset PT3600S
[policy_*_from_xml] signature max zone ttl P1D
[policy_*_from_xml] denial nsec3
[policy_*_from_xml] denial ttl PT300S
[policy_*_from_xml] denial resalt P100D
[policy_*_from_xml] denial algorithm 1
[policy_*_from_xml] denial iterations 128
[policy_*_from_xml] denial salt length 15
[policy_*_from_xml] keys ttl PT3600S
[policy_*_from_xml] keys retire safety PT3600S
[policy_*_from_xml] keys publish safety PT3600S
[policy_*_from_xml] keys purge P14D
[policy_*_from_xml] zone propagation delay PT43200S
[policy_*_from_xml] zone soa ttl PT3600S
[policy_*_from_xml] zone soa minimum PT3600S
[policy_*_from_xml] zone soa serial unixtime
[policy_*_from_xml] parent propagation delay PT9999S
[policy_*_from_xml] parent ds ttl PT3600S
[policy_*_from_xml] parent soa ttl PT172800S
[policy_*_from_xml] parent soa minimum PT10800S
[policy_*_from_xml] - denial optout
[policy_*_from_xml] - keys shared keys
INSERT INTO policy ( name, description, signaturesResign, signaturesRefresh, signaturesJitter, signaturesInceptionOffset, signaturesValidityDefault, signaturesValidityDenial, signaturesValidityKeyset, signaturesMaxZoneTtl, denialType, denialOptout, denialTtl, denialResalt, denialAlgorithm, denialIterations, denialSaltLength, denialSalt, denialSaltLastChange, keysTtl, keysRetireSafety, keysPublishSafety, keysShared, keysPurgeAfter, zonePropagationDelay, zoneSoaTtl, zoneSoaMinimum, zoneSoaSerial, parentRegistrationDelay, parentPropagationDelay, parentDsTtl, parentSoaTtl, parentSoaMinimum, passthrough, rev ) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )
SELECT policy.id, policy.rev, policy.name, policy.description, policy.signaturesResign, policy.signaturesRefresh, policy.signaturesJitter, policy.signaturesInceptionOffset, policy.signaturesValidityDefault, policy.signaturesValidityDenial, policy.signaturesValidityKeyset, policy.signaturesMaxZoneTtl, policy.denialType, policy.denialOptout, policy.denialTtl, policy.denialResalt, policy.denialAlgorithm, policy.denialIterations, policy.denialSaltLength, policy.denialSalt, policy.denialSaltLastChange, policy.keysTtl, policy.keysRetireSafety, policy.keysPublishSafety, policy.keysShared, policy.keysPurgeAfter, policy.zonePropagationDelay, policy.zoneSoaTtl, policy.zoneSoaMinimum, policy.zoneSoaSerial, policy.parentRegistrationDelay, policy.parentPropagationDelay, policy.parentDsTtl, policy.parentSoaTtl, policy.parentSoaMinimum, policy.passthrough FROM policy WHERE policy.name = ?
[policy_*_from_xml] policy lab
[policy_*_from_xml] description Quick turnaround policy for lab work
[policy_*_from_xml] signature resign PT10M
[policy_*_from_xml] signature refresh PT30M
[policy_*_from_xml] signature validity default PT1H
[policy_*_from_xml] signature validity denial PT1H
[policy_*_from_xml] signature jitter PT1M
[policy_*_from_xml] signature inception offset PT3600S
[policy_*_from_xml] signature max zone ttl PT300S
[policy_*_from_xml] denial nsec
[policy_*_from_xml] keys ttl PT300S
[policy_*_from_xml] keys retire safety PT360S
[policy_*_from_xml] keys publish safety PT360S
[policy_*_from_xml] keys purge P14D
[policy_*_from_xml] zone propagation delay PT300S
[policy_*_from_xml] zone soa ttl PT300S
[policy_*_from_xml] zone soa minimum PT300S
[policy_*_from_xml] zone soa serial unixtime
[policy_*_from_xml] parent propagation delay PT9999S
[policy_*_from_xml] parent ds ttl PT3600S
[policy_*_from_xml] parent soa ttl PT172800S
[policy_*_from_xml] parent soa minimum PT10800S
[policy_*_from_xml] - denial optout
[policy_*_from_xml] - keys shared keys
[policy_*_from_xml] - denial ttl
INSERT INTO policy ( name, description, signaturesResign, signaturesRefresh, signaturesJitter, signaturesInceptionOffset, signaturesValidityDefault, signaturesValidityDenial, signaturesValidityKeyset, signaturesMaxZoneTtl, denialType, denialOptout, denialTtl, denialResalt, denialAlgorithm, denialIterations, denialSaltLength, denialSalt, denialSaltLastChange, keysTtl, keysRetireSafety, keysPublishSafety, keysShared, keysPurgeAfter, zonePropagationDelay, zoneSoaTtl, zoneSoaMinimum, zoneSoaSerial, parentRegistrationDelay, parentPropagationDelay, parentDsTtl, parentSoaTtl, parentSoaMinimum, passthrough, rev ) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? )
SELECT zone.id, zone.rev, zone.policyId, zone.name, zone.signconfNeedsWriting, zone.signconfPath, zone.nextChange, zone.ttlEndDs, zone.ttlEndDk, zone.ttlEndRs, zone.rollKskNow, zone.rollZskNow, zone.rollCskNow, zone.inputAdapterType, zone.inputAdapterUri, zone.outputAdapterType, zone.outputAdapterUri, zone.nextKskRoll, zone.nextZskRoll, zone.nextCskRoll FROM zone
[cmdhandler] done handling command policy import
```
You can see I've made some small changes from the default values in kasp.xml, but nothing major.
I also tried running `ods-kaspcheck`:
```
# ods-kaspcheck
INFO: The XML in /etc/opendnssec/conf.xml is valid
INFO: The XML in /etc/opendnssec/kasp.xml is valid
INFO: The XML in /etc/opendnssec/zonelist.xml is valid
```
None of the logs or diagnostic tools that I know of for OpenDNSSEC are reporting any useful information other than "it didn't work."
How can I figure out what is going wrong here? How can I import my policies?