Hi all,

In my previous mail I posted an issue called "The RR does not exist Error", 
and I hope someone can check what the problem is.

I have now tested 3 versions, 1.4.0b1, 1.4.0rc1 and 1.4.0rc2, and all of 
them report that error when using the DNS Adapter as input, that is,
using BIND to send AXFR/IXFR to opendnssec to sign.

The errors complain that no ZSK/KSK is found in the zone while 
there are RRSIGs signed by it, like the following:
 
Feb  1 13:48:42 index ods-signerd: [rrset] RR does not exist: dstest1. 300 IN 
DNSKEY 257 3 8 
AwEAAcBikm8lzsk34G5CQmEJl33qr/oJ3nVRL/Nr7ZN9J4T38F0hEAqYPth656NqAx8QiGb1OREg35pLqyePIRdtcOKTvuXt4pqkLnlk5WYMq+CS2y9ApY5lC41ce2e93RVlJUPT2DYSXbxB5FC8zo8B/9rncaUYguUxXRPebarb/fF5q/CEbaUdv0Xsnxt9UI8YsjJYff2hB4iwWFCSVWA05vLW0xpcXeRVlojbo4Axd0ESL4h+o36PMccfrdpdgnvxr0PwWgZe7xJBr6/Ms25Y81H2E7VYIw/VCbd3y0dxCPsFf1ck2M8xYyZxuPSSevni0Tsm1Q61KkLvmUomDk9XfZc=
 ;{id = 35434 (ksk), size = 2048b} 
Feb  1 13:48:42 index ods-signerd: [rrset] RR does not exist: dstest1. 300 IN 
DNSKEY 256 3 8 
AwEAAdRvlrx6v2krdsqteo89p6qwQZ3UE+qpzxMGZ+oHS2VA/BmV2GbmVDHWpw6CCysDG9Zde6pjEt4iwNtoZgUb+0m80C1ejOWduqhYMyMAp/MaBTv2Rhplft/bzhaSNTVILlgrtxmYkFuiewlS/eanYy6shspmd275tWobVZpxlQDZ
 ;{id = 49180 (zsk), size = 1024b} 

And the trust chain will certainly be broken because there are no such keys in the 
signed zone file, and if possible the signed zone would contain lots of 
DNSKEY(256), most of which are dead and could not be seen by ods-ksmutil key 
list.
So I suppose there must be something wrong with opendnssec using AXFR/IXFR, and 
I have tested the File Adapter and it works fine.

BTW, in order to test the trust chain, I have set the KSK lifetime to 4H and the ZSK to 2H, 
and purge is the default 14D. Do you think purge would affect that?



Best regards,
Stuart
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
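
One way to check a signed zone for the condition reported above (RRSIGs whose signing DNSKEY is absent from the zone), as an added example that is not part of the original mail and not OpenDNSSEC code. The function names and the sample zone are constructed, and the parser assumes one record per line in "owner TTL class type rdata" form without parentheses.

```python
import base64
import struct

# Constructed sample: a signed zone whose ZSK DNSKEY record was dropped
# while the RRSIG it produced over the SOA is still present.
SAMPLE_ZONE = """\
example. 300 IN SOA ns.example. admin.example. 1 3600 600 86400 300
example. 300 IN DNSKEY 257 3 8 BAUG ; constructed KSK
example. 300 IN RRSIG SOA 8 1 300 20130301000000 20130201000000 2058 example. c2ln
example. 300 IN RRSIG DNSKEY 8 1 300 20130301000000 20130201000000 3598 example. c2ln
"""


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA.

    Not valid for algorithm 1 (RSA/MD5), which uses a different rule.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    # Even-indexed bytes are the high octet of each 16-bit word.
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def orphaned_rrsigs(zone_text):
    """Return {key tag: [covered types]} for RRSIGs with no matching DNSKEY."""
    published, referenced = set(), {}
    for line in zone_text.splitlines():
        f = line.split(";", 1)[0].split()  # drop trailing comment
        if len(f) < 5:
            continue
        owner, rtype, rdata = f[0].lower(), f[3].upper(), f[4:]
        if rtype == "DNSKEY":
            alg = int(rdata[2])
            tag = key_tag(int(rdata[0]), int(rdata[1]), alg, "".join(rdata[3:]))
            published.add((owner, alg, tag))
        elif rtype == "RRSIG":
            # rdata: covered alg labels origttl expire inception keytag signer sig
            key = (rdata[7].lower(), int(rdata[1]), int(rdata[6]))
            referenced.setdefault(key, []).append(rdata[0].upper())
    return {k[2]: sorted(v) for k, v in referenced.items() if k not in published}


if __name__ == "__main__":
    for tag, types in orphaned_rrsigs(SAMPLE_ZONE).items():
        print(f"no DNSKEY for key tag {tag}, which signs {types}")
```

A non-empty result means a validator cannot find the key for those signatures, which is the broken trust chain described in the mail.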
