Since Dec 26, we are suddenly experiencing a problem with the ods-auditor: it has started to reject the signed result for the cacert.org zone:

Dec 26 13:32:46 ns ods-auditor[13655]: Auditor started
Dec 26 13:32:46 ns ods-auditor[13655]: Auditor starting on cacert.org
Dec 26 13:32:47 ns ods-auditor[13655]: SOA differs : from 2011122301 to 2011122606
Dec 26 13:32:47 ns ods-auditor[13655]: Auditing cacert.org zone : NSEC3 SIGNED
Dec 26 13:32:48 ns ods-auditor[13655]: Unexpected error auditing files (/var/opendnssec/tmp/cacert.org.inbound and /var/opendnssec/tmp/cacert.org.finalized) : ERR private method `split' called for nil:NilClass- moving on to next zone.
Trace for debugging :
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1275:in `get_name_and_types'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1227:in `check_nsec3_types_and_opt_out'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1184:in `open'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1184:in `check_nsec3_types_and_opt_out'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1182:in `open'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1182:in `check_nsec3_types_and_opt_out'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1180:in `open'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1180:in `check_nsec3_types_and_opt_out'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:184:in `check_zone'
/usr/local/lib/opendnssec/kasp_auditor.rb:215:in `full_audit'
/usr/local/lib/opendnssec/kasp_auditor.rb:168:in `run_with_syslog'
/usr/local/lib/opendnssec/kasp_auditor.rb:142:in `each'
/usr/local/lib/opendnssec/kasp_auditor.rb:142:in `run_with_syslog'
/usr/local/lib/opendnssec/kasp_auditor.rb:115:in `run'
/usr/local/lib/opendnssec/kasp_auditor.rb:113:in `open'
/usr/local/lib/opendnssec/kasp_auditor.rb:113:in `run'
/usr/local/bin/ods-auditor:169
Dec 26 13:32:48 ns ods-signerd: [worker[1]] backoff task [nsecify] for zone cacert.org with 60 seconds

The same error was repeated on every new attempt to resign/audit the zone. As a result, the resigned zone does not get installed, and after a few days we ended up with expired signatures in the zone.

This happened while running OpenDNSSEC 1.3.2. On Dec 30 I upgraded our installation to 1.3.4, but this has not brought any improvement; the zone keeps getting rejected by ods-auditor. However, simply deploying the file "cacert.org.finalized" left in /var/opendnssec/tmp seems to work just fine; the zone runs with up-to-date signatures again now.

Can someone please advise as to how to get rid of this "Unexpected error" in the ods-auditor, so the deployment of resigned zonefiles is automatic again as it should be?

Regards,
Wytze van der Raay
