This is acknowledged as an operator error:

> After comparing the unsigned file with the signed one, I have found
> where the problem is. It's the unsigned zone files' fault, because
> there is a bug in the script which generates the zone files: some of
> the RRs are doubled, so the signed file must contain fewer RRs than the
> unsigned one.
Thanks Stuart for letting us know this has been resolved.

Best regards,
  Matthijs

On 09/20/2012 05:50 AM, 刘硕 wrote:
>> 1.
>> I have tried to sign your zone. This one indeed passed your validateZone
>> script:
>
>> ns:630006 630008
>> ds&rrsig:126001 126001 126001
>> a:0 0
>> nsec3&rrsig:126003 126003
>
>> Why is there a difference in ns?
>
> It's weird to see that the signed zone has more NS RRs than the unsigned
> one; in my test it's always the opposite, so the script thinks it's
> impossible and discards this condition.
>
>     if [ $rawNScount -gt $signedNScount ]
>     then
>         echo "$zonename ns count not match"
>         return 1
>     fi
>
>> 2.
>> Is the unsigned file touched by any means? For example, if you edit the
>> unsigned file during signing, the validateZone script is likely to fail.
>> I created a diff between your signed zone file and mine, and noticed
>> that all delegations from 091911657.test4 to 091911999.test4 are
>> missing. Do they ring any bells?
>
> No, I have not edited the unsigned file. The file is generated by a
> script which loads zone RRs from the database; after that I call the
> sign all command to sign. During that period, no one edited the unsigned
> file except for the next 10min round to re-generate the new zone files,
> but I'm sure that the signing work will get done before the next round.
>
>> 3.
>> You mentioned that you sign the zone every 10 minutes. Is this the
>> resign value from the policy or are you calling ods-signer sign test4
>> every 10 minutes (cron job?).
>
> The resign value from the policy is 2H; a script calls ods-signer sign
> --all every 10 mins.
>
> Best regards,
> Stuart
>
> *From:* Matthijs Mekking <mailto:[email protected]>
> *Date:* 2012-09-20 20:58
> *To:* shuoleo <mailto:[email protected]>
> *CC:* opendnssec-user <mailto:[email protected]>
> *Subject:* Re: [Opendnssec-user] Signed zone file loses RRs
>
> Hi Stuart,
>
> 1.
> I have tried to sign your zone. This one indeed passed your validateZone
> script:
>
> ns:630006 630008
> ds&rrsig:126001 126001 126001
> a:0 0
> nsec3&rrsig:126003 126003
>
> Why is there a difference in ns?
>
> 2.
> Is the unsigned file touched by any means? For example, if you edit the
> unsigned file during signing, the validateZone script is likely to fail.
> I created a diff between your signed zone file and mine, and noticed
> that all delegations from 091911657.test4 to 091911999.test4 are
> missing. Do they ring any bells?
>
> 3.
> You mentioned that you sign the zone every 10 minutes. Is this the
> resign value from the policy or are you calling ods-signer sign test4
> every 10 minutes (cron job?).
>
> Best regards,
>   Matthijs
>
>
> On 09/19/2012 08:26 AM, 刘硕 wrote:
>> Hi Matthijs,
>>
>> I'm using OpenDNSSEC 1.3.10 for test purposes, and using <NotifyCommand>
>> with a script to do the afterwards work. And I'm not using Audit, which
>> is not recommended.
>>
>> But I have found out that sometimes the signed and raw zone file's RRs
>> do not match.
>>
>> The attachment called ods_call_by_opendnssec.sh is the script called by
>> <NotifyCommand>; you can see clearly what we do after the signing work
>> ends. When the validation fails, there seems to be nothing we can do to
>> make up for it. I have tried to call 'ods-signer sign %zone' but
>> something more weird occurs: it seems the processes are there, but no
>> output is generated, so I need your opinion.
>>
>> The attachment called validateZoneData.sh is the script used to compare
>> the signed file with the raw one in case it lacks RRs. Our raw zone file
>> is lowercase and the signed zone file is uppercase.
>>
>> The last file is a log generated by ods_call_by_opendnssec.sh; you can
>> see that tld test4's validation failed because the NS RRs do not match
>> the unsigned file.
>>
>> I have found the same problem in OpenDNSSEC 1.4.a2 and I would like to
>> help if needed.
>>
>> Thanks.
>>
>>
>> Best regards,
>> Stuart
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
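The failure mode in this thread, a signed zone with fewer RRs than its unsigned input because the generator emitted duplicate records that the signer collapsed, is invisible to a validator that only compares per-type line counts, and a one-directional count check like the quoted `-gt` test additionally discards the "more NS in the signed zone" case. The script below is an added example, not the thread's validateZoneData.sh and not part of OpenDNSSEC: it compares the two files as sets of (owner, type, rdata) after case-folding, ignores the record types the signer adds, and reports duplicates, missing and extra RRs separately. It assumes single-line presentation format with fully-qualified owner names; the sample zone text, the `test4` delegations and the RRSIG/NSEC3PARAM lines in it are constructed for the example.

```python
"""Compare an unsigned zone with its signed counterpart as RR sets.

Added example (not from the thread or OpenDNSSEC). Assumption: both
files use single-line presentation format with fully-qualified owner
names, i.e. `owner [TTL] [class] type rdata...`. $ORIGIN/$TTL directives
are skipped, multi-line records are not handled.
"""
from collections import Counter

# RR types the signer generates; they have no counterpart in the unsigned zone.
SIGNER_TYPES = frozenset({"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"})
CLASSES = frozenset({"IN", "CH", "HS"})


def parse_rr(line):
    """Return (owner, type, rdata) for one presentation-format line, or None.

    Owner and rdata are lowercased: DNS names are case-insensitive and the
    thread's raw zone is lowercase while the signed one is uppercase.
    """
    line = line.split(";", 1)[0].strip()  # drop comments
    if not line or line.startswith("$"):
        return None
    fields = line.split()
    owner = fields[0].lower()
    rest = fields[1:]
    if rest and rest[0].isdigit():          # optional TTL
        rest = rest[1:]
    if rest and rest[0].upper() in CLASSES:  # optional class
        rest = rest[1:]
    if not rest:
        return None
    return (owner, rest[0].upper(), " ".join(rest[1:]).lower())


def rr_multiset(text, skip_types=frozenset()):
    """Counter of (owner, type, rdata) over every RR in the zone text."""
    counts = Counter()
    for line in text.splitlines():
        rr = parse_rr(line)
        if rr and rr[1] not in skip_types:
            counts[rr] += 1
    return counts


def count_check(unsigned_text, signed_text, rtype):
    """The thread's style of check, for contrast: True if per-type counts match."""
    raw = sum(n for rr, n in rr_multiset(unsigned_text).items() if rr[1] == rtype)
    signed = sum(n for rr, n in rr_multiset(signed_text).items() if rr[1] == rtype)
    return raw == signed


def compare_zones(unsigned_text, signed_text):
    """Report what a count comparison cannot distinguish.

    duplicates: RRs listed more than once in the unsigned file (the signer
                emits each RR once, so raw counts drop);
    missing:    RRs in the unsigned file absent from the signed file;
    extra:      non-signer RRs in the signed file absent from the unsigned one.
    """
    raw = rr_multiset(unsigned_text)
    signed = rr_multiset(signed_text, skip_types=SIGNER_TYPES)
    return {
        "duplicates": sorted(rr for rr, n in raw.items() if n > 1),
        "missing": sorted(set(raw) - set(signed)),
        "extra": sorted(set(signed) - set(raw)),
    }


# Constructed sample data: an unsigned zone in which the generating script
# doubled one delegation, and its signed form (uppercase, deduplicated,
# with placeholder signer-generated records).
UNSIGNED = """\
$ORIGIN test4.
test4. 3600 IN SOA ns1.test4. hostmaster.test4. 1 3600 900 604800 300
test4. 3600 IN NS ns1.test4.
091911657.test4. 3600 IN NS ns.091911657.test4.
091911657.test4. 3600 IN NS ns.091911657.test4.
091911658.test4. 3600 IN NS ns.091911658.test4.
"""

SIGNED = """\
TEST4. 3600 IN SOA NS1.TEST4. HOSTMASTER.TEST4. 1 3600 900 604800 300
TEST4. 3600 IN RRSIG SOA 8 1 3600 20121001000000 20120901000000 12345 TEST4. AAAA
TEST4. 3600 IN NS NS1.TEST4.
TEST4. 3600 IN NSEC3PARAM 1 0 5 AB
091911657.TEST4. 3600 IN NS NS.091911657.TEST4.
091911658.TEST4. 3600 IN NS NS.091911658.TEST4.
"""

if __name__ == "__main__":
    print("NS counts match:", count_check(UNSIGNED, SIGNED, "NS"))
    for key, rrs in compare_zones(UNSIGNED, SIGNED).items():
        print(key, rrs)
```

On the sample data the count check fails (4 NS lines in the unsigned file, 3 in the signed one) while the set comparison reports an empty `missing` list and one duplicated delegation, which is exactly the situation the thread ended on. For production zone files that use relative names or multi-line records, normalise both files with a canonicalising zone reader (for example ldns-read-zone) before feeding them to this comparison.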
