Hi,

Since this morning my opendnssec (1.3.4) log file is filling up with many of these:

2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Auditor started
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Auditor starting on tomhendrikx.nl
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: SOA differs : from 1 to 2011122200
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Auditing tomhendrikx.nl zone : NSEC3 SIGNED
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: RRSet (tomhendrikx.nl, DNSKEY) failed verification : Signature failed to cryptographically verify, tag = 48325
2011-12-22T20:37:49+01:00 christine ods-auditor[13676]: Signature lifetime for tomhendrikx.nl, DNSKEY too long - should be at most 864000 but was 32400000
[... repeat previous 2 lines for each rr ..]
2011-12-22T20:37:50+01:00 christine ods-auditor[13676]: Finished auditing tomhendrikx.nl zone
2011-12-22T20:37:50+01:00 christine ods-signerd: [tools] audit failed for zone tomhendrikx.nl

When checking the contents of the audited file (tomhendrikx.nl.finalized) in the tmp/ directory, I'm seeing all kinds of lines like this:

tomhendrikx.nl. 3600 IN SOA a.ns.whyscream.net. admin.whyscream.net. 2011122200 86400 1800 202750 3600
tomhendrikx.nl. 3600 IN RRSIG SOA 8 2 3600 20121231193749 20111222193749 4528 tomhendrikx.nl. [,.key data..]

Since signature lifetime in kasp.xml is at 10 days, it seems to me that calculation of the signature expiration fails due to the year change. Inception date is 20111222193749 (2011-12-22 19:37:49), so expiration should be around 20120101193749 (2012-01-01 19:37:49). But the signer decided to bring up 20121231193749 (2012-12-31 19:37:49), which is almost a year off.

Or maybe I just screwed up, and fail to see my own mistake?

-- 
Tom
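The signature lifetime check reported in the log above can be reproduced against the quoted RRSIG record. This is an added example, not part of the original post and not OpenDNSSEC's auditor code; the function names are hypothetical, the signature data is a placeholder, and it assumes one record per line with explicit TTL and class and timestamps in YYYYMMDDHHmmSS form.

```python
import calendar
import time

# Constructed sample: the two records quoted in the post, with the
# elided signature data replaced by a placeholder token.
SAMPLE_ZONE = """\
tomhendrikx.nl. 3600 IN SOA a.ns.whyscream.net. admin.whyscream.net. 2011122200 86400 1800 202750 3600
tomhendrikx.nl. 3600 IN RRSIG SOA 8 2 3600 20121231193749 20111222193749 4528 tomhendrikx.nl. PLACEHOLDER==
"""

MAX_LIFETIME = 864000  # seconds; the limit the auditor reported in the log


def rrsig_time(text):
    """Convert an RRSIG YYYYMMDDHHmmSS timestamp (UTC) to epoch seconds."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S"))


def parse_rrsigs(zone_text):
    """Yield (owner, covered, key_tag, inception, expiration) per RRSIG line."""
    for line in zone_text.splitlines():
        fields = line.split()
        # owner TTL class RRSIG covered alg labels origttl
        # expiration inception keytag signer signature
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        yield (fields[0], fields[4], int(fields[10]),
               rrsig_time(fields[9]), rrsig_time(fields[8]))


def audit_lifetimes(zone_text, max_lifetime=MAX_LIFETIME):
    """Return (owner, covered, key_tag, lifetime) for over-long signatures."""
    findings = []
    for owner, covered, tag, inception, expiration in parse_rrsigs(zone_text):
        lifetime = expiration - inception
        if lifetime > max_lifetime:
            findings.append((owner, covered, tag, lifetime))
    return findings


if __name__ == "__main__":
    for owner, covered, tag, lifetime in audit_lifetimes(SAMPLE_ZONE):
        print(f"{owner} {covered} tag={tag}: lifetime {lifetime}s "
              f"({lifetime // 86400} days) exceeds {MAX_LIFETIME}s")
```

The quoted SOA signature spans exactly 375 days (2012 is a leap year), which is the 32400000 seconds the auditor logged.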
