Hi,
We've been testing OpenDNSSEC for a few months now, and recently started the
preparation to move into production. We're using SoftHSM and one of the things
we did in preparation was to rename our tokens in SoftHSM. Since we are still
in testing and were curious about what would happen, we simply re-initialized
the tokens OpenDNSSEC was already using with new labels and then changed the
config in ods. We wanted to know what would happen if you at any time lost
access to our keys and had to start over with new keys.
It seemed to work pretty well for about a week, but then all of a sudden
validns started to complain that it could not verify the signatures for the SOA
RR and the DNSKEY RR. We could not find a reason for this but eventually we
tried to roll the KSK and that removed the error.
We'd very much like to know what exactly caused the error. It seems the
signatures are not expired, and they're generated with a key that's in the
zone. I've got the output from jdnssec-tools, if anybody can find a possible
reason for the error from that it'd be greatly appreciated.
Link to (shortened) dnssec-tools output:
http://pastebin.com/3WJMmCHd
.einar
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user