Hello, I've got a bit of a problem with ZSKs that are not properly rotated. As I understand it OpenDNSSEC should automatically create and use new keys. This does not seem to happen for 5 of my zones (out of a total of 250). I've tried to extract the relevant bits about one of those zones from the logs. These logs are included at the end of this mail.
General information:
- opendnssec version 1.1.3
- Debian version 5.0.7
- I do not use the zone fetcher but read the zones from disk. Every time a zone changes ods-ksmutil update is used to notify opendnssec.
- This is an internal test, not an internet-facing production system.
- The zone is not really named example.net.
- All zones share the same policy.
- Keys are _not_ shared.
- I left for vacation on Dec 24. Nobody touched the machine after that.

The first thing that grabs my attention (in the Dec 21 logs) is that the zone gets scheduled for signing twice. Is this normal?

In the Dec 26 logs the new bit is the line that says: "Scheduling task to sign zone lisspanel.net, zone in progress, scheduling as soon as possible"

On Dec 28 the ZSK has expired. On Dec 29 the DNSKEY expires. On Dec 30 the entire RRSet fails.

According to ods-ksmutil the ZSK has been rotated. 'ps' reveals a signer process that has been running for over a week on one of the problematic domains.

I think I can fix the problem, so I'm more interested in what went wrong and how to prevent it than in a ready-made solution. Any ideas?
Dec 21 12:03:39 metagross ods-signerd: Zone example.net locked
Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone example.net at 1292929419.6 with resign time 7200
Dec 21 12:03:39 metagross ods-signerd: acquire cond
Dec 21 12:03:39 metagross ods-signerd: notify
Dec 21 12:03:39 metagross ods-signerd: release cond
Dec 21 12:03:39 metagross ods-signerd: Releasing lock on zone example.net
Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone 'example.net' in 4477 seconds
Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone example.net at 1292933896.82 with resign time 7200
Dec 21 12:03:39 metagross ods-signerd: acquire cond
Dec 21 12:03:39 metagross ods-signerd: notify
Dec 21 12:03:39 metagross ods-signerd: release cond
Dec 21 12:03:39 metagross ods-signerd: Zone example.net added

Dec 26 13:53:58 metagross ods-enforcerd: Zone example.net found.
Dec 26 13:53:58 metagross ods-enforcerd: Policy for example.net set to default.
Dec 26 13:53:58 metagross ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/example.net.xml.
Dec 26 13:53:58 metagross ods-enforcerd: WARNING: Making non-backed up ZSK active, PLEASE make sure that you know the potential problems of using keys which are not recoverable
Dec 26 13:53:58 metagross ods-enforcerd: INFO: ZSK has been rolled for example.net
Dec 26 13:53:58 metagross ods-signerd: Received command: 'update example.net'
Dec 26 13:53:58 metagross ods-signerd: Zone example.net locked
Dec 26 13:53:58 metagross ods-signerd: Scheduling task to sign zone example.net, zone in progress, scheduling as soon as possible
Dec 26 13:53:58 metagross ods-signerd: Releasing lock on zone example.net
Dec 26 13:53:58 metagross ods-signerd: acquire cond
Dec 26 13:53:58 metagross ods-signerd: notify
Dec 26 13:53:58 metagross ods-signerd: release cond
Dec 26 13:53:58 metagross ods-signerd: could not notify zone fetcher: pid file does not exist: /var/run/opendnssec/zone_fetcher.pid
Dec 26 13:53:58 metagross ods-signerd: Releasing lock on engine
Dec 26 13:53:58 metagross ods-signerd: Sending response: Zone config updated#012
Dec 26 13:53:58 metagross ods-signerd: Done handling command
Dec 26 13:53:58 metagross ods-signerd: Client socket shut down

Dec 28 07:00:43 metagross ods-auditor[6552]: Auditor starting on example.net
Dec 28 07:00:43 metagross ods-auditor[6552]: SOA differs : from 2009012900 to 2010122414
Dec 28 07:00:43 metagross ods-auditor[6552]: Auditing example.net zone : NSEC3 SIGNED
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293683046) for example.net, NS should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2741445 seconds
Dec 28 07:00:43 metagross ods-auditor[6552]: Finished auditing example.net zone

Dec 29 06:53:53 metagross ods-auditor[14969]: Auditor starting on example.net
Dec 29 06:53:53 metagross ods-auditor[14969]: SOA differs : from 2009012900 to 2010122414
Dec 29 06:53:53 metagross ods-auditor[14969]: Auditing example.net zone : NSEC3 SIGNED
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293804042) for example.net, DNSKEY should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293683046) for example.net, NS should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293853234) for example.net, SOA should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293782686) for localhost.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2827435 seconds
Dec 29 06:53:53 metagross ods-auditor[14969]: Finished auditing example.net zone

Dec 30 06:37:11 metagross ods-auditor[9998]: Auditor starting on example.net
Dec 30 06:37:11 metagross ods-auditor[9998]: SOA differs : from 2009012900 to 2010122414
Dec 30 06:37:11 metagross ods-auditor[9998]: Auditing example.net zone : NSEC3 SIGNED
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293804042) for example.net, DNSKEY should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: RRSet (example.net, NS) failed verification : Signature record not in validity period, tag = 53982
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293853234) for example.net, SOA should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now ( 1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293782686) for localhost.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2912833 seconds

# ods-ksmutil key list -v --zone example.net
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:        Keytype: State:   Date of next transition: CKA_ID:                          Repository: Keytag:
example.net  KSK      active   2011-11-29 14:35:10      3c82d67b1b7b717055af9cbb3255e783 SoftHSM     15858
example.net  KSK      dsready  When required            3838030dc7d49c11877a1b7c2aa36d6d SoftHSM     32658
example.net  KSK      dsready  When required            8da6ed4b621792eab7d60a025be59e3b SoftHSM     55999
example.net  ZSK      active   2011-01-25 13:53:58      d7983d5faeeb636f944b318bcc7b1a72 SoftHSM     19023
example.net  ZSK      ready    next rollover            854f62703e25a10588daa9ea95309f1f SoftHSM     51209
example.net  ZSK      ready    next rollover            ad263bf4b84ab2a51aa1e6d606aaace2 SoftHSM     21570
example.net  ZSK      ready    next rollover            c56ee4470e7b25ced6b46ebdce6e10e7 SoftHSM     44978
example.net  ZSK      ready    next rollover            c6a3075d2fbfb0e163fea75713127f15 SoftHSM     65129

-- 
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
