OpenDNSSEC Meeting Minutes: 2009-10-30

Present: Alex, Antoin (part), Matthijs, Rickard, Patrik, Sion, Stephen

0. Who will write minutes?

Stephen volunteered.

1. Agree on the agenda

The agenda was agreed.

2. Action items of last meeting

Patrik - include a guide on time durations and fixed points in time for rolling keys in the user documentation
Outstanding. Patrik has sent Rickard information about this, and Rickard will do the documentation.
Action: Rickard - include a guide on time durations and fixed points in time for rolling keys in the user documentation.

Patrik - add to the documentation a simple "how to" description about rolling keys on a specific date
Outstanding. Patrik has sent Rickard information about this, and Rickard will do the documentation.
Action: Rickard - add to the documentation a simple "how to" description about rolling keys on a specific date.

Patrik - Rearrange the web site and make it look good
In progress.
Action: Patrik - Rearrange the web site and make it look good.

Jakob - include a guide on how to do outbound AXFR in the user documentation
Withdrawn: the issue is now in pivotal tracker.

Roy - to set up separate mailing lists for testers
Withdrawn: given that a lot of testing is being carried out at the moment, all testing-related issues will now be discussed on developers list.

Matthijs - Document port master thing
Completed.

Matthijs - Check your code with the current documentation
Completed.

Matthijs - Look into loglevel restriction options
Withdrawn. This is being deferred to 1.1. Matthijs will put story into Pivotal covering it.
Action: Matthijs - add story to Pivotal Tracker concerning implementing a loglevel restriction, scheduling it for V1.1.

All - Look into the key rolling draft and check the algorithm for sanity. Perhaps provide test cases
Outstanding.
Action: All - Look into the key rolling draft and check the algorithm for sanity. Perhaps provide test cases.

All - Check if the default policy is sane for small-scale users
No feedback yet, so Rickard will start a thread on the mailing list for it.
Action: Rickard - start thread on mailing list about checking if the default policy is sane for small-scale users.

Anyone - Make sure the PDF user guide is removed
In progress.
Action: Patrik - withdraw PDF guide from wiki.

3. Release Status Update

Currently at 1.0b4. There were no comments.

4. Component status

Signer
Just bug fixing now. This has involved updating ldns - a new release of ldns is scheduled at the same time as a new release of Unbound, which should be within two weeks (before the release of OpenDNSSEC). The broken pipe problem has now been fixed, but the vanishing records problem is more problematic. (This is described in more detail below.)

Enforcer
Little has happened apart from a few bug fixes concerning directory permissions. There is a need to ensure that the directories have the correct permissions at install time.

SoftHSM
Nothing new, waiting for Jakob to make a release.

Auditor
Largely complete, although correcting one bug inadvertently introduced another in the 1.0b4 release.

There are problems in auditing very large zones; this seems to be due to the need to sort both the unsigned and signed zones which can take a very long time. Alex will be running the auditor over the weekend on a zone with two million names. It was agreed that a recommendation be added to the documentation to disable the auditor for very large zones. In the longer term (1.0 onwards) partial auditing (that does not require sorting) is needed.

Action: Alex - add a story to Pivotal Tracker for partial auditing in V1.1.
Action: Patrik - add a recommendation to the documentation to disable auditing on very large zones.

5. Features and Issues from Pivotal Tracker

The issues in Pivotal Tracker were discussed. Significant points are:

 hsmutil list segfaults after ods-control start with 10,000 zones
Waiting for Jakob to help out on this one.

 Wrong number of stand-By KSKs
Sion is unable to reproduce; Alex suggested that it may be an OS X issue. There is a real need for long-running tests to check this out.

 Auditor does not always return
Some combination of difficult to reproduce events can cause the auditor to terminate abnormally. (Should anyone encounter this, please send Alex the unsigned and signed files to help him track it down.) This is not a "show stopper", as the auditor can always be disabled; it will be sufficient to add it to the "known bug" list.

Action: Anyone - add this to the release notes as a known bug.

 Zone Fetcher Zombifies
Awaiting input from Jakob.

 Unable to cope with HIP RR
This is a relatively new resource record defined in RFC 5205. It is not yet supported by ldns, as major changes to the parser are required to recognise it. For this reason, it was agreed that it would not be supported in OpenDNSSEC 1.0 and that a note to this effect would be added to the release notes.

Action: Anyone - note that the HIP RR is not supported in OpenDNSSEC 1.0.

 Incorrect parsing of CERT RR
In progress.

 Test binary names
There is a need to test OpenDNSSEC with all sorts of names, including binary ones. Alex will construct such a test file.

Action: Alex - construct test zone file containing binary names

 Unified control program
Jakob has written a wrapper around the various utility programs; however, it has not been fully tested and people are still using the utilities directly. For this reason, given that we are now only a short time away from the release, the documentation will describe operation in terms of the individual utilities.

6. Testing

Nominet: a developer is testing OpenDNSSEC full-time; the main concern is that of records disappearing.

.se: zone signing seems to be stable, although still to be done is a check on the contents of the signed zone. Initial tests suggest that it is rolling keys OK. The focus has been on testing resource records, although an area to be checked is that of testing with multiple zones; for that the MySQL version is needed. Patrik plans to write a tool to check the distribution of signature expiration dates over time in order to test the effect of jitter.

7. Support of RR

Decision made:

  • Obsolete records such as MD, MF, NXT, A6 will not be supported.
  • ATMA will not be supported.
  • Records not allowed in master file: NULL, OPT, TKEY, TSIG, IXFR, AXFR, MAILB, MAILA, * - will not be supported.
  • SINK, NINFO, RKEY, TA are still at draft status - these will not be supported until they reach standards status.
  • IANA-Reserved: UINFO, UID, GID, UNSPEC. Little information seems to be available on these, so they will not be supported.
  • Handling of Unknown DNS Resource Record (RR) Types (RFC 3597). The feeling is that this already works - both ldns and DNSRuby have support. However, it should be tested.
  • NSAP-PTR - this seems to be obsolete and will not be supported.

Action: Anyone - check the handling of unknown RR types
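The following is an added example, not code from the OpenDNSSEC project or from the ldns or DNSRuby libraries, that serves both the "Test binary names" action above and this one: it writes a small test zone whose owner names contain octets that must be escaped (RFC 1035 section 5.1 \DDD form) and whose records use the RFC 3597 generic format (TYPEnnn \# length hex), then parses the text back and checks that nothing changed. The record contents and the private-use type numbers 65280 to 65282 are constructed for the example.

```python
"""Round trip a test zone mixing binary owner names (RFC 1035 section 5.1
\\DDD escapes) with unknown RR types in RFC 3597 generic form
(TYPEnnn \\# <length> <hex>).  Added example, not OpenDNSSEC, ldns or
DNSRuby code; the record sample is constructed."""

# Octets allowed unescaped in a label; anything else (including '.', '\',
# space and non-printables) is written as \DDD so it survives the round trip.
SAFE = frozenset(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")

def escape_label(label: bytes) -> str:
    """Presentation form of one raw label."""
    if not 1 <= len(label) <= 63:
        raise ValueError("label length must be 1..63 octets")
    return "".join(chr(b) if b in SAFE else "\\%03d" % b for b in label)

def escape_name(labels) -> str:
    """Fully qualified presentation name (trailing dot) from a label list."""
    return ".".join(escape_label(label) for label in labels) + "."

def parse_name(text: str) -> list:
    """Inverse of escape_name: raw label bytes from an escaped name,
    honouring both \\DDD (decimal octet) and \\X (literal character)."""
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        c = text[i]
        if c == "\\":
            digits = text[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():
                if int(digits) > 255:
                    raise ValueError("\\DDD escape above 255: " + digits)
                cur.append(int(digits))
                i += 4
            else:
                cur.append(ord(text[i + 1]))
                i += 2
        elif c == ".":
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(ord(c))
            i += 1
    if cur:  # relative name without trailing dot
        labels.append(bytes(cur))
    if any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError("label length must be 1..63 octets: " + text)
    return labels

def generic_rdata(rdata: bytes) -> str:
    """RFC 3597 section 5 RDATA: \\# <length> <hex>; no hex for zero length."""
    return "\\# %d%s" % (len(rdata), " " + rdata.hex() if rdata else "")

def parse_generic_rdata(text: str) -> bytes:
    parts = text.split()
    if not parts or parts[0] != "\\#":
        raise ValueError("not RFC 3597 generic RDATA: " + text)
    data = bytes.fromhex("".join(parts[2:]))  # hex may be split by white space
    if len(data) != int(parts[1]):
        raise ValueError("declared %s octets, found %d" % (parts[1], len(data)))
    return data

def format_zone(records) -> str:
    """records: iterable of (labels, ttl, rrtype_number, rdata_bytes)."""
    return "".join("%s %d IN TYPE%d %s\n" % (escape_name(labels), ttl, rrtype,
                                             generic_rdata(rdata))
                   for labels, ttl, rrtype, rdata in records)

def parse_zone(text: str) -> list:
    """Parse what format_zone writes: one RR per line, TYPEnnn mnemonics only."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        owner, ttl, cls, rrtype, rdata = line.split(None, 4)
        if cls != "IN" or not rrtype.startswith("TYPE"):
            raise ValueError("unexpected record: " + line)
        records.append((parse_name(owner), int(ttl), int(rrtype[4:]),
                        parse_generic_rdata(rdata)))
    return records

def sample_records() -> list:
    """Constructed awkward cases: a dot and a backslash inside a label, NUL,
    0xff and space octets, a 63-octet label, private-use types, empty RDATA."""
    return [
        ([b"plain", b"example"], 3600, 65280, b"\x0a\x00\x00\x01"),
        ([b"dot.inside", b"example"], 3600, 65280, b"\xff" * 8),
        ([b"\x00\xff back\\slash", b"example"], 60, 65281, b""),
        ([b"x" * 63, b"example"], 60, 65282, bytes(range(256))),
    ]

def roundtrip_ok() -> bool:
    """True when formatting and re-parsing the sample reproduces it exactly."""
    records = sample_records()
    return parse_zone(format_zone(records)) == records
```

The output of format_zone() can be handed to the signer (or any parser under test), and the signed or re-emitted zone run back through parse_zone(): a tool that mishandles an escape shows up as a changed label count or changed octets, and an unescaped dot inside a label silently becomes an extra label, which is exactly the sort of error the round trip catches.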

8. Is OpenDNSSEC getting stable for V1.0?

Bugs are being fixed, but bug report 46 (is there a Pivotal Tracker story for this?) - concerning vanishing records - is a major issue. It concerns the way that records are sorted when the NSEC3 salt changes. Certain salts always give the wrong answer, and this is challenging some of the assumptions on which the code is based. It was agreed that testing can continue - either with NSEC-protected zones, or with stable NSEC3 zones - while this is fixed.
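As an added example, not OpenDNSSEC code, the following shows the RFC 5155 computation behind that sort: the hashed owner name, the salt-dependent order of a zone's names, and a closed-chain check that can be run over a signer's output after a salt change to spot an NSEC3 that has gone missing. The name list is constructed; the single test vector ("example" with salt aabbccdd and 12 iterations) is the one from RFC 5155 Appendix A.

```python
"""NSEC3 hashed ordering (RFC 5155) and a closed-chain sanity check.  Added
example, not OpenDNSSEC code: it shows the hash computation and that the
sort order of a zone's names depends on the salt.  The name list is
constructed; the known vector is from RFC 5155 Appendix A."""
import base64
import hashlib

# base32 -> base32hex (RFC 4648 section 7) alphabet translation
B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                         b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase, length-prefixed labels, root label.
    Plain dotted names only; \\DDD escapes are not handled here."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """RFC 5155 section 5 with hash algorithm 1 (SHA-1):
    IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt); the result is
    IH(iterations), base32hex-encoded (32 characters for a 20-octet digest)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(B32HEX).decode("ascii").lower()

def hashed_order(names, salt: bytes, iterations: int) -> list:
    """Original names sorted by hashed owner: the order the NSEC3 chain must
    follow for this salt, which is not the canonical name order and differs
    between salts."""
    return sorted(names, key=lambda n: nsec3_hash(n, salt, iterations))

def nsec3_chain(names, salt: bytes, iterations: int) -> list:
    """(hashed_owner, next_hashed) pairs in hashed order; the last entry
    points back to the first so the chain is a closed loop."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(h, hashed[(i + 1) % len(hashed)]) for i, h in enumerate(hashed)]

def chain_is_closed(chain) -> bool:
    """Sanity check for signer output: owners are unique, every next pointer
    is an owner, and following next from the first entry visits every entry
    exactly once before returning to the start.  An NSEC3 lost during a
    re-sort shows up as a dangling pointer or a cycle shorter than the list."""
    owners = [owner for owner, _ in chain]
    if not owners or len(set(owners)) != len(owners):
        return False
    nxt = dict(chain)
    seen, cur = set(), owners[0]
    while cur not in seen:
        seen.add(cur)
        cur = nxt.get(cur)
        if cur is None:
            return False
    return cur == owners[0] and len(seen) == len(owners)

if __name__ == "__main__":
    zone = ["example.", "a.example.", "ai.example.", "ns1.example.",
            "ns2.example.", "w.example.", "x.w.example.", "xx.example."]
    for salt in (bytes.fromhex("aabbccdd"), bytes.fromhex("0102030405060708")):
        print("salt", salt.hex(), "->", hashed_order(zone, salt, 12))
        print("  chain closed:", chain_is_closed(nsec3_chain(zone, salt, 12)))
```

Running it with the same name list under two salts shows two different orders, so a sorted order computed under one salt cannot be reused for another; when testing a signer across a salt change, the chain it emits should still pass chain_is_closed() and contain exactly one NSEC3 per name in the zone.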

9. Documentation

In progress.

10. Bring MySQL back?

MySQL is needed where there are a lot of zones that do not share keys, as SQLite has problems with locking. Sion thought that it would take only a small amount of effort to add MySQL support back in. Unless it can be completely tested, it was suggested that it be marked as experimental in the release notes.

Action: Anyone - mark MySQL support as experimental unless sufficiently tested before OpenDNSSEC 1.0 Release.

11. What must be done before 1.0

  • Documentation must be completed.
  • The software must be stable and we must have (a) run all the tests and (b) run it continuously for a few days without problems before making a release.
  • Code reviews are needed when the code is stable.

Given these issues, and that a number of the team are away at the IETF in a couple of weeks, it was decided to defer the release of OpenDNSSEC 1.0 until 23 November 2009.

12. What to do after 1.0

There was some talk about how to ensure that the software is upwards compatible and that the release process needs to be more controlled. However, this will be deferred until everyone is back.

13. Marketing

A product "flyer" has been produced. It was agreed that a copy of this will be placed on the web site when we are ready to release it.

Stephen is talking about OpenDNSSEC at the OARC meeting next week; he will see if there is a slot at the IEPG meeting on the Sunday before the IETF.

Action: Stephen - check about giving the OpenDNSSEC presentation to the IEPG.

14. Next meeting

This will be on 17 November 2009 at 10:00 GMT (11:00 CET).

15. AOB

None.