OpenDNSSEC > Meetings > Minutes > 2009-12-16
Present: Alex, Jakob, John, Patrik, Matthijs, Rick van Rein (RickVR), Rick Zijlker (RickZ), Rickard, Roy, Sion, Stephen
0. Who will write minutes?
Stephen volunteered.
1. Agree on the agenda
The agenda was agreed.
2. Action items of last meeting
Sion - Ask Tom to do new KSK roll over scheme test
Completed. The tests have now been modified to do the manual KSK rollover.
Rickard - create Pivotal story about backing up the SoftHSM database while the software is being used
Completed.
Matthijs - make sure that the error message recorded to syslog specifies what has happened and what action is being taken
Completed, although it does not print what action is being taken. It was agreed that something about this should be added to the documentation.
Action: Stephen - create a "known issues" list for the documentation.
Rickard - start thread on mailing list about the failing signature
Completed - no response.
Roy mentioned that he has run SoftHSM at the rate of 400 signatures/second for seven days without problem. (This was without auto-verification enabled in SoftHSM.) Roy has now ceased testing, but RickZ said that he will continue with those tests.
Action: RickZ - continue to try to reproduce failing signature problem.
3. Release status update
Issues with rc1:
- The auditor handling of unknown RRs. (This has been fixed - the auditor now skips RRs that it does not understand.)
- Issues with handling threads.
- Confusion about the KSK rollover process. (Additional documentation has been added to describe this.)
- Confusing error messages. (Some have now been updated.)
- Memory management issues. (Some have now been fixed.)
- Lack of documentation - people are not easily able to find it. There is a view that the documentation should be included in the tarball; could we do this for 1.1?
- Too many dependencies on other software.
Action: RickVR - write up a summary of what is missing from the documentation and post it to the list.
4. Component status
KASP Enforcer
Not a lot has happened recently, apart from some error messages being made clearer.
Signer
- Problems with the zone fetcher's interpretation of serial numbers have been fixed.
- A patch has been made to ldns that fixes the wrong parsing of character strings in RR data.
- TSIG: it has been found that dig and drill do different things. This is due to the key length being longer than the maximum digest length. A fix is needed for ldns.
On this last point, it was agreed that the minimum version requirement for ldns would not be changed; instead, the problem would be noted (in the News file) and a comment made that if people wanted to fix the TSIG problem they should update their copy of ldns (and DNSRuby).
SoftHSM
- Fixed a problem with building on 64-bit machines.
- There is a restriction on the number of sessions because of a limit on the number of connections to the database. The limit has been set to 256.
- Now working on documentation, including man pages.
Auditor
- A change has been made to the zone serial number arithmetic.
- It now handles unrecognised RRs.
- Due to text parsing changes in ldns, NAPTR records no longer verify - this needs a change to DNSRuby.
As with the TSIG problem in the signer, it was agreed that the NAPTR problem should not stop the next release. Instead this is being recorded as a known problem and people needing to sign NAPTR records will need to update DNSRuby.
libhsm/ksmutil
- Old versions of the commands have been removed: the ods- form is now required.
5. Features and issues from Pivotal Tracker
The only two outstanding issues for 1.0.0 are:
- TSIG - this will require updates to ldns and DNSRuby.
- Parsing of text strings - this will require an update of DNSRuby.
Everything appears to have been done for rc2 (discussed below).
As fixes will need to be made to 1.0.0 (e.g. memory leaks), Jakob has added a Pivotal entry for 1.0.1. Within Subversion, 1.0.1 will be a branch, with the main trunk being reserved for 1.1 (to avoid problems of releasing not-yet-debugged 1.1 code when a fix to 1.0.0 is required).
6. Testing
SIDN
All systems are up and running OpenDNSSEC. SIDN are pushing RickZ to do performance tests. They have a zone of 3.6M records, and update it every two hours.
The current performance being achieved by RickZ is that OpenDNSSEC is taking 4 hours to sign all 3.6M records in .nl (this is with NSEC3 and not using opt-out or the auditor). Of this, sorting the zone only takes five minutes. Part of the limit seems to be that only one core (out of eight on the machine) is being used.
There was a discussion about performance, with a note being made of multi-threading in the signer being a feature for 1.1.
RickZ pointed out that signing all 3.6M records was a worst-case scenario. He would check how long it took to re-sign the zone (when signatures would be re-used). He would also check how long it took to sign a fraction of the zone with opt-out enabled.
Nominet
Functional tests have been run, including rolling from one HSM to another. No issues encountered, everything worked.
.SE
Everything is running without problems.
7. Code reviewing
Sion, Rickard and Alex are doing some code reviewing. Sion has been reviewing code in signer-tools; he is only looking for major issues (and not finding anything) and should finish today (16 December 2009).
Rickard is looking at auditor. Alex will start his review in the next few days.
8. KSK rollover logic
There has been confusion, but the KSK rollover has been sorted out for now by adding more documentation. Nevertheless, additional KSK rollover methods (and improvement on the current one) should be added to 1.1.
9. Can we do an RC2 today?
The consensus was that we can release RC2 today.
Action: Jakob - tag RC2.
Action: Alex/Matthijs - add known issues about ldns and DNSRuby to the News file.
10. When should 1.0.0 be released?
With not many people working over Christmas, and the feeling that there should be some delay between rc2 and 1.0.0, it was agreed to postpone the release of 1.0.0 until mid-January.
11. What to do after 1.0.0
It was agreed to have a two-day planning meeting at NLNetLabs in Amsterdam in the last week of January, where we would plan for both 1.1 and 2.0. The 28th and 29th January were tentatively scheduled; this will be confirmed at the next teleconference. Everyone should give thought to a draft agenda.
12. Marketing
Both Nominet and .SE are getting together a press release.
13. Next meeting
Next teleconference will be on Thursday 7 January, at 13:00 GMT (14:00 CET).
14. AOB
- .SE are looking at an EPP plug-in
- Dependencies: everyone should check the dependencies of their package, and indicate the minimum version that it can run with and any bug fixes needed. Such information should be put in the installation guide in the wiki.
- RickVR reported that key generation on the Luna SA HSMs can interfere with signing performance. Although OpenDNSSEC can cope with tens of thousands of keys, it was felt that big registrars are most likely to use a few keys shared between zones, so this would not be a problem.
Action: All - indicate package dependencies in the installation guide.
