Discussion:
[Opendnssec-user] *****SPAM***** Date of next transition in the past.
Fred.Zwarts
2016-08-11 13:55:10 UTC
Content preview: Today I noticed something else on our test system with ods 2.0.1:
# date
Thu Aug 11 15:48:31 CEST 2016
# ods-enforcer key list --zone 37.125.129.in-addr.arpa
Keys:
Zone: Keytype: State: Date of next transition:
37.125.129.in-addr.arpa KSK retire 2016-08-11 04:53:24
37.125.129.in-addr.arpa KSK active 2016-08-11 04:53:24
37.125.129.in-addr.arpa ZSK retire 2016-08-11 04:53:24
37.125.129.in-addr.arpa ZSK active 2016-08-11 04:53:24
37.125.129.in-addr.arpa ZSK ready 2016-08-11 04:53:24
key list completed in 0 seconds.
# [...]
Yuri Schaeffer
2016-08-11 14:49:56 UTC
Post by Fred.Zwarts
# date
Thu Aug 11 15:48:31 CEST 2016
# ods-enforcer key list --zone 37.125.129.in-addr.arpa
37.125.129.in-addr.arpa KSK retire 2016-08-11 04:53:24
37.125.129.in-addr.arpa KSK active 2016-08-11 04:53:24
37.125.129.in-addr.arpa ZSK retire 2016-08-11 04:53:24
37.125.129.in-addr.arpa ZSK active 2016-08-11 04:53:24
37.125.129.in-addr.arpa ZSK ready 2016-08-11 04:53:24
key list completed in 0 seconds.
#
Should it worry me that all dates-times are in the past?
Not necessarily. That date of next transition is for display purposes
only. To be able to print something that is like ODS 1.4.

Though it is unexpected. Could you check the output of
ods-enforcer queue

It should be the time the zone is enforced again, by the way. Not
specifically the key. So all having the same time is normal.

//Yuri
Fred.Zwarts
2016-08-12 07:18:50 UTC
# ods-enforcer key list --zone 37.125.129.in-addr.arpa
Keys:
Zone: Keytype: State: Date of next transition:
37.125.129.in-addr.arpa KSK retire 2016-08-11 04:53:24
37.125.129.in-addr.arpa KSK active 2016-08-11 04:53:24
37.125.129.in-addr.arpa ZSK retire 2016-08-11 04:53:24
37.125.129.in-addr.arpa ZSK active 2016-08-11 04:53:24
37.125.129.in-addr.arpa ZSK ready 2016-08-11 04:53:24
key list completed in 0 seconds.
# ods-enforcer queue
There are 2 tasks scheduled.
It is now Fri Aug 12 09:13:24 2016 (1470986004 seconds since epoch)
Next task scheduled Fri Aug 12 16:33:10 2016 (1471012390 seconds since epoch)
On Fri Aug 12 16:33:10 2016 I will [enforce] KVI.nl
On Fri Nov 18 11:10:04 2016 I will [resalt] policies
queue completed in 0 seconds.
# date
Fri Aug 12 09:14:01 CEST 2016
#

Is it normal that only KVI.nl is mentioned in the queues, not the other
domains?

Fred.Zwarts.
Yuri Schaeffer
2016-08-12 08:03:44 UTC
Post by Fred.Zwarts
Is it normal that only KVI.nl is mentioned in the queues, not the other
domains?
Yes it is. There is one enforce task that will enforce all zones (that
need it). KVI.nl happens to be the first one. The future ods2.1 will
address this and schedule a task for each zone.
Post by Fred.Zwarts
This suggests that the dates are only updated at startup.
The times are actually updated when the enforce task runs (which also
happens on startup). Next time try an explicit enforce. See: ods-enforcer
help enforce

Your output of the queue command reassures me that this was only a
display problem. The enforce task was scheduled properly. Not sure at
this point why but we'll sort it out for the next release.

//Yuri
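
A monitoring check built on the explanation above, added here as an example that is not part of the thread or of OpenDNSSEC: it parses the two command outputs shown in the thread and tells a stale "Date of next transition" display apart from a missing enforce task. The function names and status strings are hypothetical, and the code assumes both commands print local time in the same timezone.

```python
import re
from datetime import datetime

# Output copied from the thread (12 Aug 2016, before the restart); column spacing assumed.
KEY_LIST = """\
Keys:
Zone:                    Keytype: State:  Date of next transition:
37.125.129.in-addr.arpa  KSK      retire  2016-08-11 04:53:24
37.125.129.in-addr.arpa  KSK      active  2016-08-11 04:53:24
37.125.129.in-addr.arpa  ZSK      retire  2016-08-11 04:53:24
37.125.129.in-addr.arpa  ZSK      active  2016-08-11 04:53:24
37.125.129.in-addr.arpa  ZSK      ready   2016-08-11 04:53:24
key list completed in 0 seconds.
"""
QUEUE = """\
There are 2 tasks scheduled.
It is now Fri Aug 12 09:13:24 2016 (1470986004 seconds since epoch)
Next task scheduled Fri Aug 12 16:33:10 2016 (1471012390 seconds since epoch)
On Fri Aug 12 16:33:10 2016 I will [enforce] KVI.nl
On Fri Nov 18 11:10:04 2016 I will [resalt] policies
queue completed in 0 seconds.
"""

CTIME = "%a %b %d %H:%M:%S %Y"   # format used by `ods-enforcer queue`
STAMP = "%Y-%m-%d %H:%M:%S"      # format used by `ods-enforcer key list`
KEY_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*$", re.M)
NOW = re.compile(r"^It is now (.+?) \(\d+ seconds", re.M)
TASK = re.compile(r"^On (.+?) I will \[(\w+)\] (\S+)", re.M)

def parse_key_list(text):
    """Return (zone, keytype, state, next_transition) for every key row."""
    return [(z, t, s, datetime.strptime(d, STAMP)) for z, t, s, d in KEY_ROW.findall(text)]

def parse_queue(text):
    """Return the enforcer's own 'now' and its (when, task, target) entries."""
    now = datetime.strptime(NOW.search(text).group(1), CTIME)
    tasks = [(datetime.strptime(w, CTIME), kind, tgt) for w, kind, tgt in TASK.findall(text)]
    return now, tasks

def assess(key_list_text, queue_text):
    """Hypothetical status: 'ok', 'display-stale' or 'check-enforcer'."""
    now, tasks = parse_queue(queue_text)
    stale = [k for k in parse_key_list(key_list_text) if k[3] < now]
    pending = [t for t in tasks if t[1] == "enforce" and t[0] >= now]
    if not stale:
        return "ok"
    # Past dates plus a future enforce task is the display-only case from the thread.
    return "display-stale" if pending else "check-enforcer"
```
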
Fred.Zwarts
2016-08-12 08:50:09 UTC
Thanks for the information. This was not really a problem, it was only
confusing me.


Fred.Zwarts.

Fred.Zwarts
2016-08-12 07:33:19 UTC
By stopping and starting ods, the dates shown are now in the future:

# ods-enforcer key list --zone 37.125.129.in-addr.arpa
Keys:
Zone: Keytype: State: Date of next transition:
37.125.129.in-addr.arpa KSK retire 2016-08-13 14:33:34
37.125.129.in-addr.arpa KSK active 2016-08-13 14:33:34
37.125.129.in-addr.arpa ZSK retire 2016-08-13 14:33:34
37.125.129.in-addr.arpa ZSK active 2016-08-13 14:33:34
37.125.129.in-addr.arpa ZSK ready 2016-08-13 14:33:34
key list completed in 0 seconds.
# ods-enforcer queue
There are 2 tasks scheduled.
It is now Fri Aug 12 09:31:01 2016 (1470987061 seconds since epoch)
Next task scheduled Fri Aug 12 16:33:10 2016 (1471012390 seconds since epoch)
On Fri Aug 12 16:33:10 2016 I will [enforce] KVI.nl
On Fri Nov 18 11:10:04 2016 I will [resalt] policies
queue completed in 0 seconds.
#

This suggests that the dates are only updated at startup.

Fred.Zwarts.