-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Mathieu,
You mentioned that you had upgraded to 1.3.2, but it didn't fix your problem. However, in your first e-mail you listed several problems: I was wondering which of these issues are still there. Best regards, Matthijs > Yesterday morning was the time the enforcer choose to publish some ZSK for > some of my zones, that was a good idea at the time, and then, something > strange happened, which ended up with the signer doing a segfault. Signer crashes. > Then, this morning, the enforcer knew it was time to swap the two ZSK : > > Oct 19 00:09:44 ods-enforcerd: Zone aeroport.fr found. > Oct 19 00:09:44 ods-enforcerd: Policy for aeroport.fr set to OptOut. > Oct 19 00:09:44 ods-enforcerd: Policy OptOut found in DB. > Oct 19 00:09:44 ods-enforcerd: Config will be output to > /usr/local/var/opendnssec/signconf/aeroport.fr.xml. > Oct 19 00:09:44 ods-enforcerd: WARNING: Making non-backed up ZSK active, > PLEASE make sure that you know the potential problems of using keys which > are not recoverable > Oct 19 00:09:45 ods-enforcerd: INFO: ZSK has been rolled for aeroport.fr > Oct 19 00:09:45 ods-signerd: [signconf] zone aeroport.fr signconf: > RESIGN[PT14400S] REFRESH[PT259200S] VALIDITY[PT604800S] DENIAL[PT604800S] > JITTER[PT43200S] OFFSET[PT600S] NSEC[50] DNSKEYTTL[PT10800S] > SOATTL[PT43200S] MINIMUM[PT600S] SERIAL[counter] AUDIT[1] > Oct 19 00:09:46 ods-auditor[18301]: Auditor started > Oct 19 00:09:47 ods-auditor[18301]: Auditor starting on aeroport.fr > Oct 19 00:09:47 ods-auditor[18301]: SOA differs : from 1313509913 to > 1313510088 > Oct 19 00:09:47 ods-auditor[18301]: Auditing aeroport.fr zone : NSEC3 SIGNED > Oct 19 00:09:47 ods-auditor[18301]: RRSIGS should include algorithm > RSASHA1-NSEC3-SHA1 for aeroport.fr, DNSKEY, have : > Oct 19 00:09:47 ods-auditor[18301]: RRSet (aeroport.fr, DNSKEY) failed > verification : No signatures in the RRSet : aeroport.fr, DNSKEY, tag = none > Oct 19 00:09:47 ods-auditor[18301]: RRSIGS should include algorithm > RSASHA1-NSEC3-SHA1 for aeroport.fr, SOA, have : > Oct 19 00:09:47 ods-auditor[18301]: RRSet (aeroport.fr, SOA) failed > verification : No signatures in the RRSet : aeroport.fr, SOA, tag = none > Oct 19 00:09:48 ods-auditor[18301]: Finished auditing aeroport.fr zone > Oct 19 00:09:48 ods-signerd: [worker[1]] backoff task [read] for zone > aeroport.fr with 60 seconds Auditor complaining about missing signatures (after key rollover) > that looked bad, but I was sleeping at the time, and then : > > Oct 19 00:10:48 ods-auditor[18816]: Auditor started > Oct 19 00:10:48 ods-auditor[18816]: Auditor starting on aeroport.fr > Oct 19 00:10:49 ods-auditor[18816]: SOA differs : from 1313509913 to > 1313510089 > Oct 19 00:10:49 ods-auditor[18816]: Auditing aeroport.fr zone : NSEC3 SIGNED > Oct 19 00:10:49 ods-auditor[18816]: Key (6870) has gone straight to active > use without a prepublished phase > Oct 19 00:10:49 ods-auditor[18816]: Finished auditing aeroport.fr zone > Oct 19 00:10:49 ods-signerd: [worker[2]] backoff task [read] for zone > aeroport.fr with 120 seconds > > and since then, the backoff grew to 3600 seconds, and I can't seem to have > the zones signed again. Auditor complaing about key has gone straight to active. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJOpXcCAAoJEA8yVCPsQCW5GkQIAIbo41FZFm2+NGNHfOoKYWQ3 SN5Zx0mhox+7RoWmIPrXlDu0jAYOQG7p8oeAIvnszBKk+lckuV6LRCB7Olm6M2zb 3rMalboaYnqPlCsnvPev78XAtLQVaU7dgZUUlpGQD6qax6ysM09HBrCyZvjq//6F aK916D3DkNfc3i4+9lPiwPOj8cZGJli9+hEfPkMEH6UIKPg6fE4Wn6ZXEbChQIvy v2it3yyrpdkJwZoAHIKwUNMrKZ2D49Ci8AcXp+F172oyJxRzwG3066rpm/WkIdfx uI0ximz3OiyhaKwo1r0XeBRup776yvqf7aN6Lhw0i74cB829f1qraaZuSKkC854= =ZFzU -----END PGP SIGNATURE----- _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
