Hi Stuart,

The RR does not exist is a warning message: The signer is signing an RRset, but there are RRs in memory that are not committed to the zone. This is a strange situation, hence I am printing a warning message.

It gives a clue that there is a bug. And there is: If Inbound Adapter is up to date or unchanged, also do a transfer transaction in order to correctly update the new DNSKEYs and NSEC3PARAM in case of a change in signconf.xml. Only the 1.4.0rc2 is affected. I fixed it in trunk r7011.

Thanks for your report.

Best regards,
Matthijs

On 02/04/2013 09:13 AM, Áõ˶ wrote:
> Hi All,
>
> As I posted earlier, the 'RR Does Not Exist' and ods-signer would not
> signs RRSIGs until it expires cause a lot of problems.
> My test tlds here have their KSK rollovered every 4H and ZSK rollovered
> every 2H, and after days of test you can see the amount of DNSKEYS
> exist in the zone file and most of which are dead.
>
> [gtld@index zone]$ dig @202.173.9.4 dstest1 dnskey +edns=0|grep DNSKEY|wc -l
> 75
> [gtld@index zone]$ dig @202.173.9.4 dstest2 dnskey +edns=0|grep DNSKEY|wc -l
> 67
>
> It's obvious opendnssec did not remove them in the zone, I will change
> the <purge> to 1H which was 14D by default, I hope this will help.

Purge removes keys from the database, not from the zone.

> I wrote a script to do nsupdate soa to the INBOUND bind and this can
> make opendnssec resign the expiring RRs, or the RRSIGs will keep expired,
> but it can not solve the Lots-of-Dead-DNSKEYs problem.
>
> I need your help guys.
>
>
> Best regards,
> Stuart
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
