Hi -

On 2 Aug 2011, at 16:45, Volker Janzen wrote:

> today I noticed a problem in my OpenDNSSEC installation, which I don't understand. I had expired signatures for many domains in OpenDNSSEC. I was not able to figure out what might have caused this. I just found these strange log entries, which I do not understand:
>
> ods-auditor[7879]: Auditor started
> ods-auditor[7879]: Auditor starting on <domain1>.de
> ods-auditor[7882]: Auditor started
> ods-auditor[7882]: Auditor starting on <domain2>.de
> ods-auditor[7879]: SOA differs : from 2011080103 to 2011062380
> ods-auditor[7879]: Auditing <domain1>.de zone : NSEC3 SIGNED
> ods-auditor[7879]: Key (20188) has gone straight to active use without a prepublished phase
> ods-auditor[7879]: Finished auditing <domain1>.de zone
> ods-auditor[7882]: SOA differs : from 2011080103 to 2011062378
> ods-auditor[7882]: Auditing <domain2>.de zone : NSEC3 SIGNED
> ods-auditor[7882]: Key (40336) has gone straight to active use without a prepublished phase
> ods-auditor[7882]: Finished auditing <domain2>.de zone
>
> What might have caused this problem and how can I solve it now? The signatures are expired and I can't see any attempt of the signer to re-sign the zones.

It sounds like the auditor has seen a key in active use with no prepublished phase. According to the specification (section 3.6.5):

http://trac.opendnssec.org/wiki/Signer/AuditorRequirements

this should raise an error. The error has stopped the signer from publishing the zone, so the signatures have expired.

HTH,

Alex.
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
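
An added example, not part of the original thread and not OpenDNSSEC code: a small Python parser that groups the interleaved ods-auditor syslog lines quoted above by PID, so each message is attributed to the right zone, and lists the zones where the auditor reported a key going active without a prepublished phase. It assumes the message wording is exactly as quoted in the post; the function name `summarize` and the report layout are hypothetical.

```python
import re

# Log lines as quoted in the post above (zone names were redacted by the poster).
SAMPLE_LOG = """\
ods-auditor[7879]: Auditor started
ods-auditor[7879]: Auditor starting on <domain1>.de
ods-auditor[7882]: Auditor started
ods-auditor[7882]: Auditor starting on <domain2>.de
ods-auditor[7879]: SOA differs : from 2011080103 to 2011062380
ods-auditor[7879]: Auditing <domain1>.de zone : NSEC3 SIGNED
ods-auditor[7879]: Key (20188) has gone straight to active use without a prepublished phase
ods-auditor[7879]: Finished auditing <domain1>.de zone
ods-auditor[7882]: SOA differs : from 2011080103 to 2011062378
ods-auditor[7882]: Auditing <domain2>.de zone : NSEC3 SIGNED
ods-auditor[7882]: Key (40336) has gone straight to active use without a prepublished phase
ods-auditor[7882]: Finished auditing <domain2>.de zone
"""

LINE = re.compile(r"ods-auditor\[(\d+)\]:\s*(.*)$")  # tolerates a syslog timestamp/host prefix
START = re.compile(r"Auditor starting on (\S+)")
SOA = re.compile(r"SOA differs : from (\d+) to (\d+)")
NO_PREPUB = re.compile(r"Key \((\d+)\) has gone straight to active use without a prepublished phase")

def summarize(log_text):
    """Return {zone: {"soa": (from, to) or None, "keys_without_prepublish": [key tags]}}."""
    zone_by_pid, report = {}, {}
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if (s := START.match(msg)):
            zone_by_pid[pid] = s.group(1)  # one auditor process per zone run
            report.setdefault(s.group(1), {"soa": None, "keys_without_prepublish": []})
            continue
        zone = zone_by_pid.get(pid)
        if zone is None:
            continue  # message from a PID whose start line was not captured
        if (s := SOA.match(msg)):
            report[zone]["soa"] = (int(s.group(1)), int(s.group(2)))
        elif (s := NO_PREPUB.match(msg)):
            report[zone]["keys_without_prepublish"].append(int(s.group(1)))
    return report

if __name__ == "__main__":
    for zone, info in summarize(SAMPLE_LOG).items():
        flag = "AUDIT ERROR" if info["keys_without_prepublish"] else "ok"
        print(zone, flag, info)
```

Zones flagged here are the ones to check for stale signatures, since per the reply above the audit error stops the signer from publishing the zone.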
