Hi all,
I'm using rc2 now and I met a weird problem.
The log complains:
Jan 30 14:50:01 index ods-signerd: [rrset] RR does not exist: dstest1. 300 IN
DNSKEY 256 3 8
AwEAAaEJGx4v9YA1f72qsL/xkRxlnBl16yd18NOfePwjELDzwGXhssoMYnxf0fpjKBun6XN7XZt3IhdjCTCsh9r+g3G6nh7I8QJos4UTDFF5tH86tnA2GHVthlL8MG9To9/f7HOlLaM+biW9GEjSKvEbkN3tnDKsHTNfOqrb8JTrtXbT
;{id = 64990 (zsk), size = 1024b}
Jan 30 14:50:01 index ods-signerd: [rrset] RR does not exist: dstest1. 300 IN
DNSKEY 256 3 8
AwEAAbp1warmQfva92fTH/wgzFSjC7o1IG/rrCXp+wL/7zKTP0xUPRZj0Fy2aBqTjrFLcRrZMSSmv3hP8Ir6EKfzvyh5NMzE1DIggYUhmjiyu+eO3bjmiapKlMw7jIvX0hM2EqJk/o890Oz8D6X1yRGN/uTacO7BNBNOCSpSXLJX7NTH
;{id = 16159 (zsk), size = 1024b}
And I get the DNSKEYs from ods-ksmutil by:
[root@index test]# /home/gtld/software/OpenDNSSEC-1.4.0rc2/bin/ods-ksmutil key export -z dstest1 --keytype ZSK
;active ZSK DNSKEY record:
dstest1. 300 IN DNSKEY 256 3 8
AwEAAaEJGx4v9YA1f72qsL/xkRxlnBl16yd18NOfePwjELDzwGXhssoMYnxf0fpjKBun6XN7XZt3IhdjCTCsh9r+g3G6nh7I8QJos4UTDFF5tH86tnA2GHVthlL8MG9To9/f7HOlLaM+biW9GEjSKvEbkN3tnDKsHTNfOqrb8JTrtXbT
;{id = 64990 (zsk), size = 1024b}
[root@index test]# /home/gtld/software/OpenDNSSEC-1.4.0rc2/bin/ods-ksmutil key export -z dstest1 --keytype ZSK --keystate publish
;publish ZSK DNSKEY record:
dstest1. 300 IN DNSKEY 256 3 8
AwEAAbp1warmQfva92fTH/wgzFSjC7o1IG/rrCXp+wL/7zKTP0xUPRZj0Fy2aBqTjrFLcRrZMSSmv3hP8Ir6EKfzvyh5NMzE1DIggYUhmjiyu+eO3bjmiapKlMw7jIvX0hM2EqJk/o890Oz8D6X1yRGN/uTacO7BNBNOCSpSXLJX7NTH
;{id = 16159 (zsk), size = 1024b}
And you can get all the keys
[root@index test]# /home/gtld/software/OpenDNSSEC-1.4.0rc2/bin/ods-ksmutil key list -v|grep dstest1
SQLite database set to: /home/gtld/software/OpenDNSSEC-1.4.0rc2/var/opendnssec/kasp.db
dstest1 KSK retire 2013-01-30 18:12:40 (dead) 2048 8 46c930f600348227c2a62dfb051ceef1 SoftHSM 16837
dstest1 KSK active 2013-01-30 18:20:01 (retire) 2048 8 6e6b89655f5fdfc095391c85107e074a SoftHSM 28556
dstest1 ZSK active 2013-01-30 15:06:36 (retire) 1024 8 a086c93fae5c909096f3d8d085866409 SoftHSM 64990
dstest1 ZSK publish 2013-01-30 14:22:36 (ready) 1024 8 d4266d844cb7695aef6417c24eefced7 SoftHSM 16159
[root@index test]# dig @202.173.9.4 dstest1 axfr
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> @202.173.9.4 dstest1 axfr
; (1 server found)
;; global options: +cmd
dstest1. 300 IN SOA ns1.zdnscloud.net.
mail.knet.cn. 1359527401 10800 3600 604800 300
dstest1. 300 IN RRSIG NSEC 8 1 300 20130130072912
20130130053001 64990 dstest1.
WeKbdKL8B8exJ276oofh1Wy4zvlbBJ+2wh2NurhFjgJcsNfGLPgJElHU
MjSsR+DN+mXg6IlY/tFmAjJLDoUoDIjQYyDlhX9cIP8fgNi3D5prWU9O
aMY7SNYTiGVqRjden0Qb9sw9rJ8KtPNy2C5rAforuYHeJg1icZMsZTPC 0c0=
dstest1. 300 IN NSEC dnssec.dstest1. NS SOA RRSIG
NSEC DNSKEY
dstest1. 3600 IN RRSIG NS 8 1 3600 20130130073042
20130130053001 64990 dstest1.
XkaQhBg710CWMMEyhiX3byXHtk5VCiLIukYmBIlfAdln0PJSdrERwpoa
qqrqFo2WB3kS+1gCehOdh4ELackmC+9OUS5QFXE0FVRS6V9BkZwyDo41
QNzYIty5QSeLtUeiIXY030OQW3sCXwKqBycIk9tXCBZXCRHRE+/+v2WC 8F4=
dstest1. 3600 IN NS ns.gtld.
dstest1. 300 IN RRSIG DNSKEY 8 1 300 20130130070719
20130130050637 16837 dstest1.
yqVPkB+3PxfhU7RIhAHYw/jmnQlK64THmt2k9jags/N1ywH/FGOSBely
YTeoCQe8m+DtExdmBOVSss3dOsa5MbjNaQvsh006x5L3U8GttywIIR+d
ISlmkLp9NZIb5zQVN2L7p/omrDC34m640SJxsQWlrX/cS49OcZqEoP6j
ZE30ARNUZHB3O+XtR86JcwqDHDFuqjiM6y68y2QvL711Rg3rApWmO4sQ
KJgROaLiwDoKFeJOwQExJF5E+k3SVoNcYEEEfvHFjE8Guquf7lC5Xoah
DVaEI1PxDDNpBnenaGW7uTMJeS5h7X9bS6rXpe9Svtq8QdXaYj8iqc84 Kd6u3Q==
dstest1. 300 IN RRSIG DNSKEY 8 1 300 20130130070719
20130130050637 28556 dstest1.
NYKz+rUI1Vfoo+NCBctjL0hFaceUxzhJBAMqSnhbRgTfx1wb7/qARx/l
nwNRCJl3bl6wd9OCIbivpHRT32oQAQepIE+kZL8srW1UdeIUIHf7QxMW
rtkw4bos948y2PcpJU1yU7oX/bJul5IrYblQ839rGe7QOc4UPnBiRdYl
9wNL7Zx/fs69C9KLoNTvNDJJ2arOoEZO5MAoXpZjbFk3sWihhD5c47w3
kbvAOMhYWaKjH4NO3PbHab6SZ/QsMpLfbNQDurSKyqZYBFAgs1ycbQVU
DWVgOXOSGbMVeHElp4roSLPtkdPY38H8R+UOGm/nclM5dIAcPb5ioYKc UprL2w==
dstest1. 300 IN DNSKEY 256 3 8
AwEAAc7vXJO7uuEpwKyhiL9txOlxB3qc/zAekiXmAn5AluXe0yEiqVKf
pXZGZiYLS7GjfH8lvZ0urVeCrT2V5aov+FsxsjP0LVFKSsvcEcEZ9dD1
zj5ok/P5EPWusX2TygbYJ0oNGXQq/W4sUBpv87sY+qKND7gFdJrnUQp+ jJokE9s9
dstest1. 300 IN DNSKEY 256 3 8
AwEAAeDptC3E/Ll87hcl4TnETB7AFruBs1biUsgBEd81daiIYt2K13Vs
YLw/P33GchhAGHvN1Xz1z8dpwPB/Suut1hKwEU3hELoWFyijdvr1r1+J
6Xu/x/Of0gkOCA1g+PcryEaqvtQoN25pOulEXSuBMrA+InR429GBk4IG ZpuXfTI7
dstest1. 300 IN DNSKEY 257 3 8
AwEAAcMlFdp1m1R0LUcAMGMPzM/vpynVUTI+442g4PgG3e3/XwUTFBSw
Xon297plY/3BnA1p1dtfVnqCnuUO4iK34d3RFTEav+HLFRlMiGtGJWPA
XSbpXdDxKoEma37MJ7HJJbu4i0VBdzygUdPOuEXOnOTrEceXdFPpqzNp
FAVJVL0GYUECqEcsBYe4pgI9jUzBSKzP5j7UErAVrCkl28Srd71EV8CG
NTf2zY/b2IkyNLsqN009gz6wnkLK7tZiBUXddLWSttYWTbWtgx57AYyw
iTwQUib8jW/JO5I9waQtU5MRHq0L/BU85eXjWaiNpRkN5evScG4JnLCf tzPWsY9wF1c=
dstest1. 300 IN DNSKEY 257 3 8
AwEAAcPr8tt2p+i/NX8jlf2HY1pHpqm53HXdunEsq56IdWhd6Q8eA/mU
q3CtRisN9SianLQo25G9oh8c4hHS83A1aT0TgcVas4kduiD8Vaqyvdm5
pEOEdqvQlvRDaHwPwTxn3QHOLYLG8dkMb99ny9rsIsxQoE6hyAjxGscV
Phg6Ncg4vPGH+Ql9dTW9g1bFgyzK6fNHUn4yUXfmnI23qd6U014DtOyG
d4degl8afJLCU7OIpHpHRHctEZjnSrMdJjJYs/L33r0HnTwffQ4hPHye
Wg17F2K58Yc+VUPwt9486pqPz78a1evKYzzQHWAlENC21BTwzca6zJys r/YYjNrEjeM=
dstest1. 300 IN DNSKEY 257 3 8
AwEAAdrbtNeZ/Iglnopd3hfS6YvrC+o4l9Z7pr/YDKzCm9bO7T1JaR6F
x3pqbRB9/5SouA5wVM5VGGyMXEhSc+zrr3adV/lj2BO7PqlZ8WMX3PDm
CuDw4aNjYIiBldKXPHm8PxIkwXTHqHl5FA+tNzWYVTnUSSnL24iKa8JK
VSQ4VjRExNy4tCk9h95mRNQCD9R6K1juoVsinF403eMggV4Ape1H8huT
lf6sDB/9fKMKkqF3bnuDmmtoto3u58w3xkN+CcAGSTZRT6NsdEKBJwCK
Nkkwl7qxu/t80E+gSlefnBxN0JKm4Ka/asN8JveCseHVVt+ZWAmkyowL +MSAqQ56nwU=
dstest1. 300 IN RRSIG SOA 8 1 300 20130130072905
20130130053001 64990 dstest1.
FSoB2daHR1k+DSj2LwMs/ZoPV4koP3Ec8sLiTSlj0TwR/dAJZMuk3NoR
frzQhUX7LyedZCrSSBanKp5Fy0H07HJR+EDWIf80x1CV8OaUaCbx/zAJ
Cz5I2E3/owAyPJg32ylOtFw9Dj6osIG6Aw56vuy2ldpnzghDVwkH5q7A F7k=
dnssec.dstest1. 300 IN RRSIG NSEC 8 2 300 20130130072057
20130130052001 64990 dstest1.
nn62L6URbTDX0Xn5oTaMtegSiSIL2uSBabJjnMxod7OBRHHVCZysenMu
TtoM3nDoV/0bp4yHE25XsVZ+WGOTqIbbwHYnvBHBNLbFG8sez0D5JC3y
8iMBU+auJVvk7Og8X9gybXESzlM9LAe6G8uLE3fsX3+1ZUd+57rtC4UZ WK0=
dnssec.dstest1. 300 IN NSEC dnssec0129.dstest1. NS DS RRSIG
NSEC
dnssec.dstest1. 3600 IN NS ns1.dnssec.dstest1.
dnssec.dstest1. 3600 IN RRSIG DS 8 2 3600 20130130070603
20130130050636 64990 dstest1.
eGfC5GkTbSz57Yzl1zAg+lhLJMcdjU1yhdhyRrLkO+D1WaZa9okqcZh5
pyvoiWXcG0oTyYAUIl+DBbx31sCxYwD0LQ2oolWFCLPfGahbGiziySZO
G5VHM7HQ4w/FEEFVWysKGQl9/30/5crsDW2UYswpc7VaVSutgdtqJ6VY poo=
dnssec.dstest1. 3600 IN DS 29628 7 2
F7CA2F14C5FDE12D3C944403E1BAEA28F68969D44EF970642B4EA017 A56B13E8
ns1.dnssec.dstest1. 3600 IN A 202.173.9.46
dnssec0129.dstest1. 300 IN RRSIG NSEC 8 2 300 20130130070653
20130130050636 64990 dstest1.
nu0j99fy/3rOBq8HR2z0422SOBkoHvl8zMNz/gOPwEoY8BiV54Ebzx0e
RTgNOW2riZp4fKU3ZRelkDIvvxe9g00C1x9SKQQhcNiIMY3ybrCGuFrN
ex2AXCqYQuifN2uW/2PLNRinDD6ouMvGIr5jVX2sdyrZRe30jsl99ahU I8s=
dnssec0129.dstest1. 300 IN NSEC dnssec01291.dstest1. NS DS
RRSIG NSEC
dnssec0129.dstest1. 3600 IN NS ns1.dnssec0129.dstest1.
dnssec0129.dstest1. 3600 IN RRSIG DS 8 2 3600 20130130073056
20130130053001 64990 dstest1.
AHwPb9bQHyhn1vJfEHQkAH7MDMHpr1YmXsL3DA3XeAWOXptWNWwD8Sq+
bmc/mOvuYzuArj9Vckwv2/Kc0L3YlroApdU55ZOiAteofLwi257I8JXS
TQQqBXvdNtwkxK4PjNfoPIzLr7eRl8RgHVSL2dJq0lMc1m7DJoaA0Wer zNY=
dnssec0129.dstest1. 3600 IN DS 43341 7 2
67F7BDE98FC5495944FF1DF796FF97B3FE33E46CF088ABA36C3A0903 7BCD5E1D
ns1.dnssec0129.dstest1. 3600 IN A 202.173.9.46
dnssec01291.dstest1. 300 IN RRSIG NSEC 8 2 300 20130130073015
20130130053001 64990 dstest1.
LpSHpCjIk/3CzoWqJWz7QHwDh2LYPKZjV2cj3zDrZ//JsPPsXF48JOoa
NLyFFdf+vJlJrzNta+V9d2KPBRvqblY9DTUvBJndr9X4WRTiaFlaQa2U
XQbg8VluJxUZsZVUNOeFliJFIrC/vqU+GXP1eFfWRbK7mMhk52GHjj1Q ExQ=
dnssec01291.dstest1. 300 IN NSEC dnssec1.dstest1. NS DS RRSIG
NSEC
dnssec01291.dstest1. 3600 IN NS ns1.dnssec01291.dstest1.
dnssec01291.dstest1. 3600 IN RRSIG DS 8 2 3600 20130130070702
20130130050636 64990 dstest1.
h6pUbc4JVoS/m0XtDLjWo2gzKgUC60HwFnP/CAsXgNgQvgIs21hYu3jI
FTQKscn+6lSlWq22vPgq8pBJ6V5rsnqARhGx4R1iNGrhhF2H29k/OuDO
GW9Wr2/avkl/ClWC+6A1zhRN37jmO0egF+fGHLW77mc6iQZi1USSg9pP 110=
dnssec01291.dstest1. 3600 IN DS 53286 7 2
B38F5BFEE1519C8AE382C14203FD9B819DBE2B698EE6D99CCE6938A2 373D15D3
ns1.dnssec01291.dstest1. 3600 IN A 202.173.9.46
dnssec1.dstest1. 300 IN RRSIG NSEC 8 2 300 20130130070700
20130130050636 64990 dstest1.
FNljqaWlbWb8vG2dDWmgqRtEziReAZNQIqdMMYPNIfMGI72g8ec7yFEK
JAcRfrkKtfhGQnLz78T7Al7sfn5xKGReTP+WRSB+H0Z+fP4c1XE/rjFL
TcheZeBh4zgG2jwyVmIpUT0wKlzZ/l+JoT5s0ZkO/38pPNalrgY0cMPr gBQ=
dnssec1.dstest1. 300 IN NSEC dnssec10292.dstest1. NS DS
RRSIG NSEC
dnssec1.dstest1. 3600 IN NS ns1.dnssec1.dstest1.
dnssec1.dstest1. 3600 IN RRSIG DS 8 2 3600 20130130071709
20130130051637 64990 dstest1.
ZFJ638zd4FkgtCymGK1CZmRbV0K1+lD56n0TtjU1X1WJKOcUgKVOgsx/
yRd8miuy79QedHQrrvlEQZXNVElSeJ/p7atgyktBRbps2x+cWapD5g74
ZoDfUxM9p3empan1iCa3zGvSuzdKIRzf51E1MUQ0P19QScbNc+Q2Kdr2 jYo=
dnssec1.dstest1. 3600 IN DS 57684 7 2
936C9C665AD8333294B55F4284CB77098CA1939DAE05A56B18F597C5 E25C92DD
ns1.dnssec1.dstest1. 3600 IN A 202.173.9.46
dnssec10292.dstest1. 300 IN RRSIG NSEC 8 2 300 20130130070555
20130130050636 64990 dstest1.
XP+qoQDJJlszCXHu18r1YwQnzRc7QFLgXU3qfXohpG+Qqtu9P/T2Qb5T
Prq3LgId9d3iZUSd84Oh5INcGiMVmjpRb3MEg30cwBX7VOWyZqq+P4Xa
PxjT1WS3INX6VDl3rkULz1Eq7kJGmWML406EDfUW7Pm8bGLocXjm3i+Y yMo=
dnssec10292.dstest1. 300 IN NSEC dnssec10293.dstest1. NS DS
RRSIG NSEC
dnssec10292.dstest1. 3600 IN NS ns1.dnssec10292.dstest1.
dnssec10292.dstest1. 3600 IN RRSIG DS 8 2 3600 20130130070723
20130130050636 64990 dstest1.
W6MgrGftxtv8tp8NON2T2JB/wspOAmyl9qGRhK9kCKvYRH+NM/RNMEQ4
mkkfwZWMZFpwFv8Sc0y1FzZMoN3HB7S/jcXQIbgYsBBljxKIiXBe7YG/
Gm7KDeDfkNmTx9zStR5mky06gpkqAsQ7m+Dq/BiYqdtzgHcoqucy1dF8 lrg=
dnssec10292.dstest1. 3600 IN DS 1035 7 2
9D4EB8B240DD2CFA2FF4AF8E035CAE05A1CE78FD05935A1C00590677 FBE4C190
ns1.dnssec10292.dstest1. 3600 IN A 202.173.9.46
dnssec10293.dstest1. 300 IN RRSIG NSEC 8 2 300 20130130070634
20130130050636 64990 dstest1.
j1ndpjzZ1XpbWCp+9Z8NLjKMqCw2m+1uN5ViYTogJpSTW6MPXrZ3fXMu
x5RYDb/4YUS71q0kD/7PcJk4jRcq+EvbRAj3whCqb1bwMefZqxZquYrE
l+AWEAcGxCaGe+uwT3dK/Um6Av2Qvgdu1HVwBlDGp4Ikn+fsuHT3FdDu sso=
dnssec10293.dstest1. 300 IN NSEC dnssec10301111.dstest1. NS DS
RRSIG NSEC
dnssec10293.dstest1. 3600 IN NS ns1.dnssec10293.dstest1.
dnssec10293.dstest1. 3600 IN RRSIG DS 8 2 3600 20130130072930
20130130053001 64990 dstest1.
Jw7aPD0dmGlrILKcpZi+RjfKSfwz/d0dwdCkEptKjskwbw0X4dm5PMaT
BJXfEm8oj+/gJEQcJIvu+ZhQjZ65mQUHYQ+mtd/E0Bzb/7qXujGTOCl/
jFj/IGkYchy3/9nf4IBttw78YAf2aJRxexfnC85IYHt+Sygygc3VqXaw Njk=
dnssec10293.dstest1. 3600 IN DS 54360 7 2
879AAE7752540DC4E49232C62ABB7893930E78FC87BD5ED98FEC5619 FE15ED64
ns1.dnssec10293.dstest1. 3600 IN A 202.173.9.46
dnssec10301111.dstest1. 300 IN RRSIG NSEC 8 2 300 20130130071908
20130130052001 64990 dstest1.
QLA4xpAW0GJT+O8HCMpceNkTyrWAVaD1vPFmwgUK29aq1/E6axvBPu+F
AGVfK2NDBGeMCAix45kRh+8R2HJH5dZP8YkbaQ6VoqUZQ/yySlAMt1od
Q9+pD5zcphui22F3dfEVnFPIuZoHPyugagt5FNwayXsrZ1UsZDAS5d0h szM=
dnssec10301111.dstest1. 300 IN NSEC dnssec2.dstest1. NS DS RRSIG
NSEC
dnssec10301111.dstest1. 3600 IN RRSIG DS 8 2 3600 20130130071940
20130130052001 64990 dstest1.
M+HOpe4rSvAz/dv3b30dyelVw6EFR6swgNjIa8k4TODmQG7YyRymDnAD
IgBWziTbv+MeabkDWG4L7zxA1oJm5I0uwUKqDR/6+u6D0uvgnCuvcWtB
N5bOimBQtrGVS96KgNMvK5PEj93sX1Mz1P/VvItb4o2PkORZUKjuO4D8 eFY=
dnssec10301111.dstest1. 3600 IN DS 56454 7 2
D42DB18325D5F142150596FE75A7353B3D79BAC815058434AB761BAC 7EB95AFD
dnssec10301111.dstest1. 3600 IN NS ns1.dnssec10301111.dstest1.
ns1.dnssec10301111.dstest1. 3600 IN A 202.173.9.46
dnssec2.dstest1. 300 IN RRSIG NSEC 8 2 300 20130130072903
20130130053001 64990 dstest1.
fK20zMFQjYphQv6eSz+2sjEwUkgENMbRllkit7ggu/V3F3AF8/WX9ztC
D4KUJcbCj897a4i9pCPvONkkHssLT9N6ZGULtZU7BaAJEMYXjZN8+HHi
o5s8kjw535Tg8YyjMGgtTBvRx8gxIHcYKl3zA/1svoR0PeQzNZF5Arn+ RFI=
dnssec2.dstest1. 300 IN NSEC dstest1. NS DS RRSIG NSEC
dnssec2.dstest1. 3600 IN NS ns1.dnssec2.dstest1.
dnssec2.dstest1. 3600 IN RRSIG DS 8 2 3600 20130130073003
20130130053001 64990 dstest1.
MLbjkNX9z4BM/1keNK0JItdTvpVCnctTij+t0iuvc8JqGEUDhG+kYH5B
Jl3K8YoaNvReTuwJwDC8iNYA2u8UZZQqNSW2TziOtDrsHlk5HY1EJSza
GsVIVv0VtfsCIM7bgitZYhEySjBvAMIi1upG7uDXo+wdkqc7gxcVr78D K8Y=
dnssec2.dstest1. 3600 IN DS 61158 7 2
42FF4849E829F4C348E07152A11A6AA79FC118CE609C498369889758 23183752
ns1.dnssec2.dstest1. 3600 IN A 202.173.9.46
dstest1. 300 IN SOA ns1.zdnscloud.net.
mail.knet.cn. 1359527401 10800 3600 604800 300
You can see 64990 is indeed the actual active ZSK used for signing RRs, but I
find that the DNSKEY(64990) and DNSKEY(16159) exported by ods-ksmutil do not
match any of the DNSKEYs in the zone, so I think 64990 and 16159 are not in the
zone! So the log complains "RR does not exist". And the trust chain is broken
because no correct DNSKEYs are found.
Has anybody ever met this before?
Best regards,
Stuart
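The by-eye comparison in the message above can be done mechanically. The following is an added example, not part of the original post or of OpenDNSSEC: it computes each published DNSKEY's key tag with the RFC 4034 Appendix B algorithm and lists expected tags and RRSIG signer tags that have no matching DNSKEY. The names key_tag, records and audit are hypothetical, the key material in SAMPLE is constructed, and the input is assumed to be only dig or ods-ksmutil record output.

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def records(text):
    """Return field lists, re-joining records that a mail client wrapped."""
    out = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop ';' comments
        if len(fields) > 3 and fields[2] == "IN":
            out.append(fields)                   # owner TTL IN TYPE ...
        elif fields and out:
            out[-1].extend(fields)               # continuation of previous record
    return out

def audit(zone_text, expected_tags):
    """Compare the tags the key manager reports with what the zone publishes."""
    published, signers = set(), set()
    for f in records(zone_text):
        if f[3] == "DNSKEY":
            pub = base64.b64decode("".join(f[7:]))   # base64 may be split in chunks
            published.add(key_tag(int(f[4]), int(f[5]), int(f[6]), pub))
        elif f[3] == "RRSIG":
            signers.add(int(f[10]))              # key tag field of the RRSIG
    return {
        "published": sorted(published),
        "missing_expected": sorted(set(expected_tags) - published),
        "orphan_signers": sorted(signers - published),
    }

# Constructed sample: tiny fake keys and signatures, wrapped the way the mail is.
# Only the tags 64990 and 16159 are taken from the message, as the expected ZSKs.
SAMPLE = """\
dstest1. 300 IN DNSKEY 256 3 8 AQIDBA==
dstest1. 300 IN DNSKEY 257 3 8 CgsM
DQ4P
dstest1. 300 IN RRSIG SOA 8 1 300 20130130072905
20130130053001 64990 dstest1. AAAA
dstest1. 300 IN RRSIG DNSKEY 8 1 300 20130130070719 20130130050637 10288 dstest1. AAAA
"""

if __name__ == "__main__":
    print(audit(SAMPLE, [64990, 16159]))
```

A non-empty orphan_signers list means validators will see signatures they cannot tie to any DNSKEY in the zone, which is the broken chain described in the message.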