On Jul 20, 2010, at 9:27 AM, Alex Dalitz wrote:

> Hi Patrik -
>
>> What is wrong though, is that this key is not published in my zone!
>
> Is the auditor not giving an error for this?

Haven't tested.

Me and Matthijs looked at the problem, and it was because there were old $INCLUDE statements left from running ZKT on tset.se, which made the signer exclude most of the zonefile after the include statement. When issuing the "ods-signer sign tset.se" command, all three keys were included in the signed zonefile, but it was still truncated.

This does not really explain all the issues. I also issued the "ods-signer sign tset.se" command after fixing the include, and now BIND loads the zonefile again. But what I was seeing before I started fixing this was that BIND loaded a zone with signatures made from a key that was not in the zonefile. I am sure there were only two keys in the signed zone when I first looked at this bug, so this issue might just be another one from the problems mentioned above.

So I guess we will have to keep looking at automatic ZSK rollovers without issuing the "sign tset.se" command. (Rickard mentioned he saw the same problem just before vacation.)

--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: [email protected]
Web: http://www.iis.se/
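A check for the two symptoms described in this message, as an added example that is not part of the original post or of OpenDNSSEC: it flags leftover `$INCLUDE` directives and reports any RRSIG whose key tag (computed per RFC 4034 Appendix B) matches no DNSKEY in the file. It assumes one record per line; `audit_zone`, `key_tag` and the sample zone are hypothetical and constructed for illustration.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_zone(text):
    """Return (leftover $INCLUDE lines, RRSIG key tags with no DNSKEY in the file)."""
    includes, published, used = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split(";", 1)[0].split()   # drop comments, then tokenize
        if not tokens:
            continue
        if tokens[0].upper() == "$INCLUDE":
            includes.append((lineno, raw.strip()))
            continue
        head = [t.upper() for t in tokens[:4]]  # owner [ttl] [class] type
        rtype = next((t for t in head if t in ("DNSKEY", "RRSIG")), None)
        if rtype is None:
            continue
        rdata = tokens[head.index(rtype) + 1:]
        if rtype == "DNSKEY":
            flags, proto, alg, *key = rdata     # base64 key may be split by spaces
            published.add(key_tag(int(flags), int(proto), int(alg), "".join(key)))
        else:
            used.add(int(rdata[6]))             # key tag is the 7th RRSIG RDATA field
    return includes, used - published

# Constructed sample data: two made-up public keys; only KEY_A is published.
KEY_A = base64.b64encode(bytes(range(32))).decode()
KEY_B = base64.b64encode(bytes(range(32, 64))).decode()
SIG = "tset.se. 3600 IN RRSIG SOA 8 2 3600 20100820000000 20100720000000 {} tset.se. c2ln"
SAMPLE_ZONE = "\n".join([
    "$INCLUDE old-keys.db ; constructed leftover directive",
    "tset.se. 3600 IN DNSKEY 256 3 8 " + KEY_A,
    SIG.format(key_tag(256, 3, 8, KEY_A)),
    SIG.format(key_tag(256, 3, 8, KEY_B)),
])

if __name__ == "__main__":
    includes, missing = audit_zone(SAMPLE_ZONE)
    print("leftover $INCLUDE:", includes)
    print("RRSIG key tags without a DNSKEY:", sorted(missing))
```

Run it against the unsigned zone to catch stale `$INCLUDE` lines before signing, and against the signed zone to confirm every signature's key is published.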
