Rickard Bellgrim wrote:
> Hi

Hi,

>> /usr/local/opendnssec/bin/ods-ksmutil key list --verbose
>> SQLite database set to: /var/opendnssec/kasp.db
>> Keys:
>> Zone:  Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
>> co.nz  KSK       active   2010-04-15 16:29:10       3996d43aca8dea21830a1c9299d693ef  softHSM      33249
>> co.nz  KSK       ready    waiting for ds-seen       b133bb8d3bb6664d73de0dcba5adc481  softHSM      33054
>> co.nz  KSK       ready    waiting for ds-seen       6d895ad0b98a1e3deb63eca7c985fae8  softHSM      34773
>> co.nz  ZSK       active   2010-04-17 16:29:10       a008c770853ff48e5db645e400e99e71  softHSM      35157
>> co.nz  ZSK       ready    next rollover             c92810080bea87634abd42cc7f3593ae  softHSM      57504
>>
>> But the output zone contains:
>>
>> name   type          keytype     algorithm
>> co.nz  DNSKEY-23213  DNSKEY-ZSK  7
>> co.nz  DNSKEY-33054  DNSKEY-KSK  7
>> co.nz  DNSKEY-33249  DNSKEY-KSK  7
>> co.nz  DNSKEY-42044  DNSKEY-ZSK  7
>> co.nz  DNSKEY-47295  DNSKEY-ZSK  7
>> co.nz  DNSKEY-9516   DNSKEY-KSK  7
>
> Have you done anything special with the rollovers or introduction of new
> keys? It is a little bit odd that only two of the keytags match. What keys
> do you have in the signconf? co.nz.xml?

I did a manual KSK rollover, but nothing else. There are two files in signconf: one is the .OLD file and the other is the current one. Please find them attached.

>> but the signatures for the zone records are generated using key 35157,
>> which is consistent with the ksmutil output. To verify it is not a BIND issue,
>> I checked the output signed zone, and it effectively didn't include the ZSK
>> but included some old rolled-over keys.
>>
>> I proceeded to delete the signed zone and force the signing of the zone
>> using ods-signer sign co.nz. The result was that the zone now contains the
>> right KSK/ZSK... Is OpenDNSSEC obtaining the DNSKEY from the existing
>> signed zone?
>
> Everything is done using the files in the working directory. So to clear the
> state of the Signer, you should delete the files in the tmp-directory.

Well, the curious thing was that I deleted the output signed zone located in /var/opendnssec/signed and then executed 'ods-signer sign co.nz', and the issue with the keys was solved.

> // Rickard

--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337  mobile: +64 21 400535
<SignerConfiguration>
  <Zone name="co.nz">
    <Signatures>
      <Resign>PT3600S</Resign>
      <Refresh>PT21600S</Refresh>
      <Validity>
        <Default>PT43200S</Default>
        <Denial>PT86400S</Denial>
      </Validity>
      <Jitter>PT14400S</Jitter>
      <InceptionOffset>PT600S</InceptionOffset>
    </Signatures>
    <Denial>
      <NSEC3>
        <Hash>
          <Algorithm>1</Algorithm>
          <Iterations>5</Iterations>
          <Salt>f6a777684a9e39b5</Salt>
        </Hash>
      </NSEC3>
    </Denial>
    <Keys>
      <TTL>PT3600S</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>7</Algorithm>
        <Locator>3996d43aca8dea21830a1c9299d693ef</Locator>
        <KSK />
        <Publish />
      </Key>
      <Key>
        <Flags>257</Flags>
        <Algorithm>7</Algorithm>
        <Locator>b133bb8d3bb6664d73de0dcba5adc481</Locator>
        <KSK />
        <Publish />
      </Key>
      <Key>
        <Flags>257</Flags>
        <Algorithm>7</Algorithm>
        <Locator>6d895ad0b98a1e3deb63eca7c985fae8</Locator>
        <KSK />
        <Publish />
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>7</Algorithm>
        <Locator>a008c770853ff48e5db645e400e99e71</Locator>
        <ZSK />
        <Publish />
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>7</Algorithm>
        <Locator>c92810080bea87634abd42cc7f3593ae</Locator>
        <Publish />
      </Key>
    </Keys>
    <SOA>
      <TTL>PT3600S</TTL>
      <Minimum>PT3600S</Minimum>
      <Serial>datecounter</Serial>
    </SOA>
  </Zone>
</SignerConfiguration>
Attachment: co.nz.xml.OLD
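The mismatch Sebastian describes (KASP says five keys are live, the signed zone carries six DNSKEYs of which only two tags agree, and the RRSIGs come from a ZSK whose DNSKEY is not published, which breaks validation for every resolver) is the kind of thing worth checking automatically after any rollover. The script below is an added example, not part of this thread or of OpenDNSSEC: it parses the `ods-ksmutil key list --verbose` rows and the DNSKEY summary of the signed zone as quoted above (both embedded here as constructed sample input), reports keys the KASP database expects but the zone lacks and vice versa, and flags RRSIG key tags with no matching DNSKEY. The set of KASP states that are treated as "should be published" is an assumption, not taken from the OpenDNSSEC documentation.

```python
"""Cross-check the DNSKEYs OpenDNSSEC's KASP database expects against the
DNSKEY set actually present in the signed zone (added example, not an
OpenDNSSEC tool)."""
import re
from dataclasses import dataclass

# Constructed sample: the `ods-ksmutil key list --verbose` rows from the
# thread, one key per line in the column order of the original output.
KSMUTIL_OUTPUT = """\
co.nz KSK active 2010-04-15 16:29:10 3996d43aca8dea21830a1c9299d693ef softHSM 33249
co.nz KSK ready waiting for ds-seen b133bb8d3bb6664d73de0dcba5adc481 softHSM 33054
co.nz KSK ready waiting for ds-seen 6d895ad0b98a1e3deb63eca7c985fae8 softHSM 34773
co.nz ZSK active 2010-04-17 16:29:10 a008c770853ff48e5db645e400e99e71 softHSM 35157
co.nz ZSK ready next rollover c92810080bea87634abd42cc7f3593ae softHSM 57504
"""

# Constructed sample: the DNSKEY summary of the signed zone from the thread.
SIGNED_ZONE_REPORT = """\
co.nz DNSKEY-23213 DNSKEY-ZSK 7
co.nz DNSKEY-33054 DNSKEY-KSK 7
co.nz DNSKEY-33249 DNSKEY-KSK 7
co.nz DNSKEY-42044 DNSKEY-ZSK 7
co.nz DNSKEY-47295 DNSKEY-ZSK 7
co.nz DNSKEY-9516 DNSKEY-KSK 7
"""

# Assumption: a key in any of these KASP states should have its DNSKEY in
# the published zone; keys in other states (e.g. generated, dead) should not.
PUBLISHED_STATES = {"publish", "ready", "active", "retire"}

# The "next transition" column is free text ("waiting for ds-seen"), so anchor
# the match on the fixed-width CKA_ID (32 hex chars) and the trailing keytag.
KSM_ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<keytype>KSK|ZSK)\s+(?P<state>\S+)\s+(?P<next>.*?)\s+"
    r"(?P<cka_id>[0-9a-f]{32})\s+(?P<repo>\S+)\s+(?P<keytag>\d+)$"
)
ZONE_ROW = re.compile(
    r"^(?P<zone>\S+)\s+DNSKEY-(?P<keytag>\d+)\s+DNSKEY-(?P<keytype>KSK|ZSK)\s+(?P<alg>\d+)$"
)


@dataclass(frozen=True)
class KaspKey:
    zone: str
    keytype: str
    state: str
    cka_id: str
    keytag: int


@dataclass(frozen=True)
class ZoneKey:
    zone: str
    keytype: str
    algorithm: int
    keytag: int


def parse_ksmutil(text):
    """Parse `ods-ksmutil key list --verbose` rows; non-matching lines are skipped."""
    keys = []
    for line in text.splitlines():
        m = KSM_ROW.match(line.strip())
        if m:
            keys.append(KaspKey(m["zone"], m["keytype"], m["state"],
                                m["cka_id"], int(m["keytag"])))
    return keys


def parse_zone_report(text):
    """Parse the per-DNSKEY summary lines of the signed zone."""
    keys = []
    for line in text.splitlines():
        m = ZONE_ROW.match(line.strip())
        if m:
            keys.append(ZoneKey(m["zone"], m["keytype"], int(m["alg"]), int(m["keytag"])))
    return keys


def compare_keysets(kasp_keys, zone_keys):
    """Keytags KASP expects to be published but the zone lacks, and keytags
    the zone publishes that KASP does not account for (stale rolled-over keys)."""
    expected = {k.keytag for k in kasp_keys if k.state in PUBLISHED_STATES}
    published = {k.keytag for k in zone_keys}
    return {"missing_from_zone": expected - published,
            "unexpected_in_zone": published - expected}


def orphaned_signing_keys(rrsig_keytags, zone_keys):
    """RRSIG key tags with no DNSKEY in the zone: validators cannot find the
    key, so every signature made with such a key fails validation."""
    return set(rrsig_keytags) - {k.keytag for k in zone_keys}


if __name__ == "__main__":
    kasp = parse_ksmutil(KSMUTIL_OUTPUT)
    zone = parse_zone_report(SIGNED_ZONE_REPORT)
    diff = compare_keysets(kasp, zone)
    print("expected by KASP, absent from zone:", sorted(diff["missing_from_zone"]))
    print("in zone, unknown to KASP:", sorted(diff["unexpected_in_zone"]))
    # Constructed: the thread reports RRSIGs generated with ZSK 35157.
    print("RRSIG keys without a DNSKEY:", sorted(orphaned_signing_keys({35157}, zone)))
```

On the sample data this reports 34773, 35157 and 57504 as expected but unpublished, 9516, 23213, 42044 and 47295 as published but unknown to KASP, and 35157 as a signing key with no DNSKEY, which is exactly the state that made the zone unvalidatable before the signed file was removed and re-signed.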
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
