Hi HÃ¥vard, > Apr 1 02:50:06 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040100 > RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=237 > time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)] > Apr 1 04:50:07 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040101 > RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=5 reused=234 > time=1(sec) avg=5(sig/sec)] TOTAL[time=1(sec)] > Apr 1 06:50:06 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040102 > RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=5 reused=234 > time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)] > > When I realized this was happening, I manually initiated a > signing via "ods-signer sign 255.39.128.in-addr.arpa", and this > has apparently cured the problem: > > Apr 1 07:41:47 hugin ods-signerd: [STATS] 255.39.128.in-addr.arpa 2016040103 > RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=237 > time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)] > > Now, manually verifying whether the NSEC3 records are OK is > currently above what I do... > > Does anyone have an idea what more needs to be done to zero in on > this problem?
Hmm. My first guess would be that it involves a resalt. Your log lines seem to indicate that no new NSECS are being generated. Yet a resign solves the problem. Could you compare the NSEC3PARAM from the failing zone to the one after the manual resign? //Yuri
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
