Yesterday and today my testing environment running OpenDNSSEC 1.3.0-trunk produced a couple of signed zones that don't verify using ldns-verify-zone.
The zones end up with some signatures using the active ZSK, some signatures using the retired ZSK, and the retired key not being included in the zone. This causes some records to fail validation, according to ldns-verify-zone and a couple of validating resolvers pointing to the signed zones. The auditor also complains, but it's not enabled by default; I run it manually.

This issue started before a ZSK rollover, so I'm not clear about the cause.

ZSK rollover was executed on Fri Feb 25 12:33:02 2011. The signed zone with problems was created the same day at 11:57 (36 minutes before the rollover). The missing key has tag 31548.

The output from ods-ksmutil key list at 11:20 for that zone looks like:

    Date: Fri Feb 25 11:20:01 2011
    Keys:
    Zone:  Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
    nz     KSK       active   2011-03-01 09:21:41       c3aa5eb4625a7a84b1ac00573ae658a4  softHSM      3532
    nz     ZSK       retire   2011-02-25 13:12:05       16487fb4f1ffa788a55bb8d69eda1fc8  softHSM      30880
    nz     ZSK       retire   2011-02-27 13:43:44       f5140d550dbc50bfb4965a14f4803ae4  softHSM      53800
    nz     ZSK       retire   2011-02-28 21:43:30       1d45132c894ea7fa6288176f2522daba  softHSM      42723
    nz     ZSK       retire   2011-03-01 13:05:38       b861277486d76b8350eed6b30433763d  softHSM      20646
    nz     ZSK       active   2011-02-25 09:45:01       e11a88c384b1cc8ad2aa4991c72cd026  softHSM      31548
    nz     ZSK       publish  2011-02-25 12:25:37       c9f0b73965d46877e3ef374431e05b4a  softHSM      4579

The DNSKEY RRset is signed with keys 3532 and 53284; zone records are signed with key 31548. No error messages were written in the log files, and the missing key can be read using ods-hsmutil.

Any clues about this? It is not the first case; on a third level zone we had the same issue.

In the "other issues" area, OpenDNSSEC sometimes complains with things like:

1.
    ods-signerd: [hsm] unable to get key: key 2fcd5073b81c04d1c3988f92ccbbb4e6 not found
    ods-signerd: [zone] unable to publish dnskeys zone 1408-nz: error creating DNSKEY for key 2fcd5073b81c04d1c3988f92ccbbb4e6

   but the key is present in the HSM, so you can get the DNSKEY using ods-hsmutil.

2.
    ods-signerd: [worker[2]]: sign zone geek.nz failed: 985 of 5 signatures failed

3.
    ods-signerd: [drudger[2]]: unable to drudge: no zone reference
    ods-signerd: last message repeated 105 times

4.
    ods-signerd: [STATS] pgp.net.nz RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=78 time=0(sec) avg=0(sig/sec)] AUDIT[time=0(sec)] TOTAL[time=1298607785(sec)]

   where the TOTAL time taken doesn't make any sense (like a missing start_time), or

    ods-signerd: [STATS] net.nz RR[count=0 time=3(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=14958 reused=7728 time=0(sec) avg=0(sig/sec)] AUDIT[time=0(sec)] TOTAL[time=1646(sec)]

   where TOTAL_TIME doesn't sum up to RR_TIME+NSEC_TIME+RRSIG_TIME+AUDIT_TIME.

Cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
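A check for the symptom reported above (RRSIGs made by a key tag that has no DNSKEY in the zone), added here as an example; it is not code from the original post or from OpenDNSSEC. It parses a signed zone in presentation format, computes each DNSKEY's key tag per RFC 4034 Appendix B, and lists RRSIGs whose key tag is not published; the zone text, owner names and key material are constructed.

```python
# Added example (not from the original post or OpenDNSSEC): list RRSIGs in a
# signed zone whose key tag has no matching DNSKEY in the zone.
import base64

def dnskey_keytag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA wire format."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_rr(line):
    """Split 'owner TTL IN TYPE rdata...' into (owner, type, rdata tokens)."""
    toks = line.split(";")[0].split()  # drop trailing comments
    if "IN" not in toks:
        return None
    i = toks.index("IN")
    return toks[0], toks[i + 1], toks[i + 2:]

def check_zone(zone_text):
    """Return published key tags, all RRSIGs, and RRSIGs with no DNSKEY."""
    published = {}   # key tag -> owner name of the DNSKEY
    rrsigs = []      # (owner, type covered, key tag)
    for line in zone_text.splitlines():
        rr = parse_rr(line)
        if rr is None:
            continue
        owner, rtype, rdata = rr
        if rtype == "DNSKEY":  # rdata: flags proto alg base64...
            flags, proto, alg = (int(x) for x in rdata[:3])
            pubkey = base64.b64decode("".join(rdata[3:]))
            published[dnskey_keytag(flags, proto, alg, pubkey)] = owner
        elif rtype == "RRSIG":  # rdata: covered alg labels ttl exp inc keytag signer sig
            rrsigs.append((owner, rdata[0], int(rdata[6])))
    orphans = [sig for sig in rrsigs if sig[2] not in published]
    return {"published": published, "rrsigs": rrsigs, "orphans": orphans}

# Constructed zone: DNSKEYs with tags 2058 and 3598, plus one RRSIG made by key
# tag 31548 (the missing tag from the report) that has no DNSKEY in the zone.
SAMPLE_ZONE = """\
example.test. 3600 IN DNSKEY 256 3 8 AQID ; constructed ZSK, tag 2058
example.test. 3600 IN DNSKEY 257 3 8 BAUG ; constructed KSK, tag 3598
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20110310000000 20110224000000 3598 example.test. AAAA
www.example.test. 300 IN A 192.0.2.1
www.example.test. 300 IN RRSIG A 8 3 300 20110310000000 20110224000000 2058 example.test. AAAA
mail.example.test. 300 IN RRSIG A 8 3 300 20110310000000 20110224000000 31548 example.test. AAAA
"""
```

Running `check_zone(SAMPLE_ZONE)["orphans"]` on a real signed zone file (whole RRs on single lines) pinpoints the owner names and types that ldns-verify-zone will reject for lack of a published key.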
