Follow up.

I noticed that in the backup file there is:

www.hippiesfromhell.org. 3600 IN RRSIG (null) ak8IpXpCo6a67RQbWNp2JTf3ZhmgP6psK40NaI8JB761TOfDkr6kLQQsGqhN35IrU4GnNEV/i31cnIODukEBwgIRbHaWfs4A2ve6NxGaC5L03/HGVVnizOhGbLCxu8mTh9ox57D33VPF9e2NrHX5ltpjE36plGffvKkyMzWSvgs=

I am clueless how that is printed, other than that:

* The signer got a malformed (ldns_rr*) signature from libhsm.

The RRSIG is printed to the backup file with ldns_rr_print() and if there is an unknown or 'NONE' rdf, ldns prints out "(null)".

Also strange is that the RRSIG in the signed output file only misses the Covered RRtype Field.

Perhaps OpenDNSSEC should use the ldns_rr2buffer_str_fmt() function and check on the returned status to detect such errors.

By the way, if the malformed backup file is read, the signer will complain that the backup cannot be recovered and performs a full resign.

Best regards,
Matthijs

On 04/08/2012 06:46 PM, Paul Wouters wrote:
>
> I noticed ods-signerd was not running and nsdc rebuild failing to
> load a signed zone. Here is the snippet of the zone (excuse the
> linewraps)
>
> localhost.hippiesfromhell.org. 3600 IN RRSIG A 8 3 3600
> 20120415060133 20120408153531 14463 hippiesfromhell.org.
> chfWGylwS0mXfHTgO2GE+eJDTKYjlKbXmeeSDC3b3T85IeFapUPeYWB6t9YW0EelmljxfFUArsQ2x4zTCLS4QCYqVF82b4S8b7HqcjCZOnu9cHtr5okBidvNUshpacAD8rjrvkUzN4DLhkUHsH9tWezJAc+YmmLaAYH0NnpaHxA=
>
> spjca3c5vaj3nu909q9dmehne80auahm.hippiesfromhell.org. 3600
> IN NSEC3 1 0 5 715e22f77cc2f0d7 ulf44lvfajc0jvc293v96s1k62p153lh
> A RRSIG spjca3c5vaj3nu909q9dmehne80auahm.hippiesfromhell.org.
> 3600 IN RRSIG NSEC3 8 3 3600 20120414033000 20120407103303
> 14463 hippiesfromhell.org.
> isAxQLhvT8ctAbJU1unNnomwgzwqeaLt419G9ZET4afSC5mZojQ/Ohkb092+YD2O6gTZUWi0ZogqEtFHtBpD/CikoBNyxCvvBqaSB2c5kjNLjbSeUyMYZOl+bDyIkUNWaeVL/u+M1ZUM4MRblT1INobBfDyZS2CjfVVtUYBJU38=
>
> www.hippiesfromhell.org. 3600 IN A
> 194.109.206.10 www.hippiesfromhell.org. 3600 IN
> RRSIG A 8 3 3600 20120415132541 20120408153531 14463
> hippiesfromhell.org.
> TnxW+5U59P2mrIH3aBeUmgc37YMTZTNLdD5G+R5YhHH6WUmVF3LCLG2WrR8NXxnITrFv/Wukle5219FHKFphROWaHsy4rjqaR/T7lLIl3rbO5Wv2WkMnRkPkPL+GbdkDSXpjn//6069ThayeuaEsJTWX6asAnY4hdwDcMM5HIBI=
>
> www.hippiesfromhell.org. 3600 IN AAAA
> 2001:888:2127::2 www.hippiesfromhell.org. 3600 IN
> RRSIG 3 3600 20120415160824 20120408153531 14463
> hippiesfromhell.org.
> ak8IpXpCo6a67RQbWNp2JTf3ZhmgP6psK40NaI8JB761TOfDkr6kLQQsGqhN35IrU4GnNEV/i31cnIODukEBwgIRbHaWfs4A2ve6NxGaC5L03/HGVVnizOhGbLCxu8mTh9ox57D33VPF9e2NrHX5ltpjE36plGffvKkyMzWSvgs=
>
> ulf44lvfajc0jvc293v96s1k62p153lh.hippiesfromhell.org. 3600
> IN NSEC3 1 0 5 715e22f77cc2f0d7 id80573gdcb27rrljq5019grpmttnnib
> A AAAA RRSIG
>
> Note the RRSIG record for www.hippiesfromhell.org has an RRSIG that
> has "no records" as the list of records it is supposed to cover.
>
> This zone was generated by 1.4.0a1.
>
> A tarball of /etc/opendnssec and /var/opendnssec is available on
> request (but not for public consumption in a bug tracker)
>
> Deleting the signed zone file and resigning resolved the problem.
>
> Paul
> _______________________________________________
> Opendnssec-user mailing list [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
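
A pre-publication check for the failure discussed in this thread, written as an added example that is not part of the original messages or of OpenDNSSEC: it scans zone text and flags RRSIG records whose RDATA does not have the nine presentation fields of RFC 4034, such as a missing or "(null)" type covered. It assumes one record per line (not the mail-wrapped form quoted above); the function names and the sample records are constructed for illustration.

```python
import base64
import re

TYPE_RE = re.compile(r"^(?:[A-Z][A-Z0-9-]*|TYPE\d+)$")  # mnemonic or RFC 3597 TYPEnnn
TIME_RE = re.compile(r"^(?:\d{14}|\d{1,10})$")          # YYYYMMDDHHmmSS or epoch seconds

def check_rrsig(line):
    """Return the problems found in one single-line record ([] if fine or not an RRSIG)."""
    tok = line.split(";", 1)[0].split()
    i = 1                                   # skip owner, then optional TTL and class
    while i < len(tok) and (tok[i].isdigit() or tok[i] in ("IN", "CH", "HS")):
        i += 1
    if i >= len(tok) or tok[i] != "RRSIG":  # e.g. NSEC3 with RRSIG in its type bitmap
        return []
    rdata = tok[i + 1:]
    if len(rdata) < 9:
        return ["expected 9 RDATA fields, found %d" % len(rdata)]
    covered, alg, labels, ttl, exp, inc, tag, signer = rdata[:8]
    problems = []
    if not TYPE_RE.match(covered):
        problems.append("bad type covered: %r" % covered)
    for name, val, limit in (("algorithm", alg, 255), ("labels", labels, 255),
                             ("original TTL", ttl, 2**31 - 1), ("key tag", tag, 65535)):
        if not val.isdigit() or int(val) > limit:
            problems.append("bad %s: %r" % (name, val))
    if not (TIME_RE.match(exp) and TIME_RE.match(inc)):
        problems.append("bad validity timestamps")
    if not signer.endswith("."):
        problems.append("signer name not fully qualified")
    try:                                    # signature may be split by whitespace
        base64.b64decode("".join(rdata[8:]), validate=True)
    except ValueError:
        problems.append("signature is not valid base64")
    return problems

def scan_zone(text):
    """Map line number -> problems for every malformed RRSIG in the zone text."""
    found = {}
    for n, line in enumerate(text.splitlines(), 1):
        problems = check_rrsig(line)
        if problems:
            found[n] = problems
    return found

# Constructed sample: same record shapes as in the thread, placeholder names and signature.
SAMPLE = """\
www.example.org. 3600 IN RRSIG A 8 3 3600 20120415132541 20120408153531 14463 example.org. Y29uc3RydWN0ZWQ=
www.example.org. 3600 IN RRSIG 3 3600 20120415160824 20120408153531 14463 example.org. Y29uc3RydWN0ZWQ=
www.example.org. 3600 IN RRSIG (null) Y29uc3RydWN0ZWQ=
n3.example.org. 3600 IN NSEC3 1 0 5 715e22f77cc2f0d7 ulf44lvfajc0jvc293v96s1k62p153lh A RRSIG
"""

if __name__ == "__main__":
    for lineno, problems in scan_zone(SAMPLE).items():
        print(lineno, "; ".join(problems))
```

Run against the signed output before it is handed to the name server, a non-empty result is a reason to keep serving the previous zone version and trigger a resign.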
