(This might all be because of upgrading Debian packages from 1.0 to 1.1. But it
still is strange.)
On my zone tset.se I have these keys:
Zone:     Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
tset.se   KSK       active   2030-04-30 10:38:07       4e09b42a075aa8004b79e527859b3671  softHSM      7813
tset.se   ZSK       active   2010-08-03 11:25:21       84b868774434e8f4207a3a860af5361e  softHSM      52212
tset.se   ZSK       ready    next rollover             162f3ec727502c67f97d0c94842bf31c  softHSM      30320
As you can see, most signatures in the zone should be made from the ZSK with
the keytag 52212. So indeed, there are a lot of signatures with that keytag.
What is wrong, though, is that this key is not published in my zone! And it
should really be; this is from my signer config:
<Keys>
  <TTL>PT3600S</TTL>
  <Key>
    <Flags>257</Flags>
    <Algorithm>7</Algorithm>
    <Locator>4e09b42a075aa8004b79e527859b3671</Locator>
    <KSK />
    <Publish />
  </Key>
  <Key>
    <Flags>256</Flags>
    <Algorithm>7</Algorithm>
    <Locator>84b868774434e8f4207a3a860af5361e</Locator>
    <ZSK />
    <Publish />
  </Key>
  <Key>
    <Flags>256</Flags>
    <Algorithm>7</Algorithm>
    <Locator>162f3ec727502c67f97d0c94842bf31c</Locator>
    <Publish />
  </Key>
</Keys>
Where do I look for problems?
You can see the published tset.se zone in DNS. Try this:
mask$~>dig a tset.se +dnssec
; <<>> DiG 9.7.0-P1 <<>> a tset.se +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8744
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;tset.se. IN A
;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 18 22:49:22 2010
;; MSG SIZE rcvd: 36
--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: [email protected]
Web: http://www.iis.se/
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
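The check below is an added example, not code from the mail or from OpenDNSSEC. It cross-checks the three sources shown above: the `<Keys>` section of the signer config (which keys carry `<Publish/>`), the `ods-ksmutil key list` output (CKA_ID to keytag), and the DNSKEY/RRSIG data a zone actually serves. Key tags are computed per RFC 4034 Appendix B. The "zone contents" are constructed: `fake_dnskey()` builds synthetic DNSKEY RDATA whose tag lands on a chosen value (no real key material), set up to mirror the situation in the mail, where RRSIGs carry tag 52212 but no DNSKEY with that tag is served. It also lists `<Key>` entries with neither `<KSK/>` nor `<ZSK/>`, which is the case for the third key in the quoted config.

```python
"""Cross-check an OpenDNSSEC signer config against the key list and the
DNSKEY RRset a zone serves. Added example; not OpenDNSSEC's own code."""
import xml.etree.ElementTree as ET

# <Keys> section from the signer config quoted in the mail (whitespace only differs).
SIGNER_CONFIG = """<Keys>
  <TTL>PT3600S</TTL>
  <Key><Flags>257</Flags><Algorithm>7</Algorithm>
    <Locator>4e09b42a075aa8004b79e527859b3671</Locator><KSK /><Publish /></Key>
  <Key><Flags>256</Flags><Algorithm>7</Algorithm>
    <Locator>84b868774434e8f4207a3a860af5361e</Locator><ZSK /><Publish /></Key>
  <Key><Flags>256</Flags><Algorithm>7</Algorithm>
    <Locator>162f3ec727502c67f97d0c94842bf31c</Locator><Publish /></Key>
</Keys>"""

# CKA_ID -> keytag, as shown by the key list in the mail.
KEY_LIST = {
    "4e09b42a075aa8004b79e527859b3671": 7813,
    "84b868774434e8f4207a3a860af5361e": 52212,
    "162f3ec727502c67f97d0c94842bf31c": 30320,
}


def keytag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|pubkey)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def fake_dnskey(flags: int, alg: int, tag: int) -> bytes:
    """SYNTHETIC DNSKEY RDATA (test data only): the 'public key' is two bytes
    chosen so that keytag() equals `tag`. Never a usable key."""
    head = flags.to_bytes(2, "big") + bytes([3, alg])  # protocol is always 3
    delta = tag - keytag(head)
    if not 0 <= delta <= 0xFFFF:
        raise ValueError("tag not reachable with a 2-byte synthetic key")
    return head + delta.to_bytes(2, "big")


def expected_published(config_xml: str) -> dict:
    """{locator: {'flags', 'alg', 'role'}} for every <Key> carrying <Publish/>."""
    out = {}
    for key in ET.fromstring(config_xml).findall("Key"):
        if key.find("Publish") is None:
            continue
        if key.find("KSK") is not None:
            role = "KSK"
        elif key.find("ZSK") is not None:
            role = "ZSK"
        else:
            role = None  # neither role element: worth a look
        out[key.findtext("Locator")] = {
            "flags": int(key.findtext("Flags")),
            "alg": int(key.findtext("Algorithm")),
            "role": role,
        }
    return out


def audit(config_xml: str, key_list: dict, dnskey_rdatas: list, rrsig_keytags: list) -> dict:
    """Compare what the config says must be published with what the zone serves."""
    wanted = expected_published(config_xml)
    unknown = sorted(loc for loc in wanted if loc not in key_list)
    wanted_tags = {key_list[loc] for loc in wanted if loc in key_list}
    served_tags = {keytag(r) for r in dnskey_rdatas}
    return {
        # config says publish, but no DNSKEY with that tag is in the zone
        "missing_dnskey": sorted(wanted_tags - served_tags),
        # DNSKEYs in the zone that the config does not ask for
        "unexpected_dnskey": sorted(served_tags - wanted_tags),
        # RRSIGs made by a key that resolvers cannot fetch -> SERVFAIL territory
        "unverifiable_rrsig": sorted(set(rrsig_keytags) - served_tags),
        "keys_without_role": sorted(loc for loc, k in wanted.items() if k["role"] is None),
        "unknown_locator": unknown,
    }


# Constructed stand-in for the zone in the mail: DNSKEYs for the KSK (7813) and
# the 'ready' ZSK (30320) are served, the active ZSK (52212) is not, while the
# RRSIGs carry tag 52212 (plus 7813 over the DNSKEY RRset).
ZONE_DNSKEYS = [fake_dnskey(257, 7, 7813), fake_dnskey(256, 7, 30320)]
RRSIG_KEYTAGS = [52212, 52212, 7813]


def report_for_mail() -> dict:
    return audit(SIGNER_CONFIG, KEY_LIST, ZONE_DNSKEYS, RRSIG_KEYTAGS)


if __name__ == "__main__":
    for name, value in report_for_mail().items():
        print(f"{name}: {value}")
```

On real data, replace `ZONE_DNSKEYS` with the RDATA of the DNSKEY records returned by `dig DNSKEY <zone> +dnssec` and `RRSIG_KEYTAGS` with the key-tag field of the RRSIGs; a non-empty `unverifiable_rrsig` list is the condition a validating resolver turns into the SERVFAIL shown in the mail.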