Hello! Today we got this error, never seen it before:

Oct 24 09:55:27 ns1 ods-signerd: error creating RRSIG for rrset[15]
Oct 24 09:55:27 ns1 ods-signerd: failed to sign RRset[15]
Oct 24 09:55:27 ns1 ods-signerd: unable to sign zone data: failed to sign domain
Oct 24 09:55:27 ns1 ods-signerd: task [sign zone xxx.se] failed
Oct 24 09:56:26 ns1 ods-signerd: signature set has no RRSIG record: drop signatures for RRset[15]
Oct 24 09:56:26 ns1 ods-signerd: error creating RRSIG for rrset[15]
Oct 24 09:56:26 ns1 ods-signerd: failed to sign RRset[15]
Oct 24 09:56:26 ns1 ods-signerd: unable to sign zone data: failed to sign domain
Oct 24 09:56:26 ns1 ods-signerd: task [sign zone xxx.se] failed
Problem is that our three signed zones seem to have been signed with retired keys for the last month. More info below, but I see that our signed zone xxx.se (real name hidden) is signed with key 64545, which was retired 18/9:

< xxx.se ZSK ready next rollover 9295
< xxx.se ZSK active 2011-09-18 21:17:45 64545
---
> xxx.se ZSK active 2011-10-18 21:59:10 9295
> xxx.se ZSK retire 2011-10-09 23:29:10 64545

It is also the key 64545 that is entered as DNSKEY 256 in the zone xxx.se. Why hasn't it changed over to signing with the new active key?

Old ZSK keys were automatically purged this night, which must be what is causing the signer failures now:

Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: Key remove successful.
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: Key remove successful.
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: Key remove successful.

Our ZSK keys have rolled at least 3-4 times before using the exact same procedure, and we never had this problem. We have however twice had the problem "Key (xxx) has gone straight to active use without a prepublished phase", both probably because of server reboots that wiped the entire /usr/local/var, which was placed inside the chrooted named in FreeBSD. I have now moved /usr/local/var out of this chroot, and that seems to have got rid of the reboot/wipe problem. Because of this I have run with audit disabled for the last month.
The previous time this happened it seemed to work fine, but this time it seems that opendnssec hasn't started using the new ZSK even though it was rolled.

$ ods-ksmutil key list -v
SQLite database set to: /usr/local/var/opendnssec/kasp.db
Keys:
Zone:     Keytype:  State:   Date of next transition:  CKA_ID:  Repository:  Keytag:
xxx.se    ZSK       retire   2011-11-09 00:27:25       xxx      SoftHSM      9295
xxx.se    ZSK       active   2011-11-17 22:57:25       xxx      SoftHSM      8578
xxx.se    KSK       active   2015-05-21 01:00:57       xxx      SoftHSM      686
xxx2.se   ZSK       active   2011-11-17 22:57:25       xxx      SoftHSM      17503
xxx2.se   KSK       active   2015-05-21 00:08:26       xxx      SoftHSM      64697
xxx2.se   ZSK       retire   2011-11-09 00:27:25       xxx      SoftHSM      54219
xxx3.se   KSK       active   2015-05-20 22:38:38       xxx      SoftHSM      22460
xxx3.se   ZSK       retire   2011-11-09 00:27:25       xxx      SoftHSM      31506
xxx3.se   ZSK       active   2011-11-17 22:57:25       xxx      SoftHSM      8176

We run FreeBSD 8.1-RELEASE-p4 with opendnssec-1.2.1, softhsm-1.2.1 and sqlite3-3.7.6.3.

Here is xxx.se.sc:

;ODSSE1
;name: xxx.se
;filename: /usr/local/var/opendnssec/signconf/xxx.se.xml
;last_modified: 1315781548
;sig_resign_interval: PT7200S
;sig_refresh_interval: PT259200S
;sig_validity_default: PT1814400S
;sig_validity_denial: PT1814400S
;sig_jitter: PT43200S
;sig_inception_offset: PT3600S
;nsec_type: 50
;dnskey_ttl: PT3600S
;soa_ttl: PT3600S
;soa_min: PT3600S
;soa_serial: datecounter
;audit: 0
;ODSSE1

xxx.se.state:

;ODSSE1
;name: xxx.se
;class: 1
;fetch: 0
;default_ttl: 3600
;inbound_serial: 2011101101
;internal_serial: 2011102400
;outbound_serial: 2011102001
;ODSSE1

Thanks!

--
Peter Olsson
[email protected]
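One way to notice this condition before the retired key is purged, as an added example that is not part of the original post and not OpenDNSSEC's own tooling: a small Python check that parses the `ods-ksmutil key list -v` output and the RRSIG records of the signed zone, and reports every signature made with a key tag that is not in the active state in the KASP database (retired, or already removed). The key list rows, RRSIG lines, CKA_IDs and signature data below are constructed sample values modelled on the post.

```python
import re

# Constructed sample of `ods-ksmutil key list -v` output, laid out like the
# columns in the post (CKA_IDs and key tags are made up, not from a real zone).
KEY_LIST = """\
Keys:
Zone:     Keytype:  State:  Date of next transition:  CKA_ID:  Repository:  Keytag:
xxx.se    ZSK       retire  2011-11-09 00:27:25       aa11     SoftHSM      9295
xxx.se    ZSK       active  2011-11-17 22:57:25       bb22     SoftHSM      8578
xxx.se    KSK       active  2015-05-21 01:00:57       cc33     SoftHSM      686
"""

# Constructed RRSIG records from a signed zone file. In RRSIG RDATA the key tag
# is the 7th field (type covered, algorithm, labels, original TTL, expiration,
# inception, key tag, signer name, signature).
SIGNED_ZONE = """\
xxx.se. 3600 IN RRSIG SOA 8 2 3600 20111113095527 20111024085527 64545 xxx.se. c2lnMQ==
xxx.se. 3600 IN RRSIG DNSKEY 8 2 3600 20111113095527 20111024085527 686 xxx.se. c2lnMg==
www.xxx.se. 3600 IN RRSIG A 8 3 3600 20111113095527 20111024085527 9295 xxx.se. c2lnMw==
"""

KEY_ROW = re.compile(
    r"^(\S+)\s+(KSK|ZSK)\s+(\w+)\s+\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+\S+\s+(\d+)\s*$"
)


def parse_key_list(text):
    """Map zone -> {keytag: (keytype, state)} from ods-ksmutil key list output."""
    keys = {}
    for line in text.splitlines():
        m = KEY_ROW.match(line)
        if m:
            zone, keytype, state, tag = m.groups()
            keys.setdefault(zone, {})[int(tag)] = (keytype, state)
    return keys


def parse_rrsigs(text):
    """Yield (owner, type_covered, keytag, signer_zone) for each RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if "RRSIG" in f:
            i = f.index("RRSIG")
            yield f[0], f[i + 1], int(f[i + 7]), f[i + 8].rstrip(".")


def audit_signatures(key_list_text, zone_text):
    """Return RRSIGs whose signing key is not active in the KASP (retired or missing)."""
    keys = parse_key_list(key_list_text)
    findings = []
    for owner, covered, tag, signer in parse_rrsigs(zone_text):
        keytype, state = keys.get(signer, {}).get(tag, ("?", "missing"))
        if state != "active":
            findings.append((owner, covered, tag, state))
    return findings


if __name__ == "__main__":
    for owner, covered, tag, state in audit_signatures(KEY_LIST, SIGNED_ZONE):
        print(f"{owner} RRSIG({covered}) signed by key {tag}: state={state}")
```

Run it against the real `ods-ksmutil key list -v` output and the signed zone file; any "retire" or "missing" finding means the signer is still using a key the enforcer no longer considers active.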
