Hi Rickard,

On Wed, 7 Dec 2011 17:36:27 +0100
Rickard Bellgrim <[email protected]> wrote:

> The signer will not read the unsigned zone until you give the "sign"
> command. The scheduled time is only for checking for signatures that
> needs to be refreshed.
> 

Ah, thanks for clarifying.

> The logs says that the signatures are still valid. Do you have more
> information on the expired signatures?

Unfortunately not, I re-signed the zone manually to prevent it from
expiring.

I've left the signer running for a couple of days to observe its
behavior. This morning it attempted to add an updated SOA RRSIG to the
zone, but this never made it into the output zonefile. However, I can
see the newly added RRSIG in the .backup file in /var/opendnssec/tmp
(attached).

According to the attached log snippets, ods-signerd isn't writing the
zone because it believes the serial hasn't changed. In fact the backup
file is showing the internal serial as the original serial from when I
manually signed the zone (2011120700).

When the problem first became apparent, I also replicated the KASP and
softhsm keystore to our backup signer which is running an identical
environment, signing has been proceeding normally here.

rg  

-- 
Rob Gallagher | Public Key: 0x1DD13A78

HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1.
Registered in Ireland, no 275301
T: (+353-1) 6609040  F: (+353-1) 6603666 WWW: http://www.heanet.ie/

Dec  9 01:09:31 lightburn ods-signerd: +RRSIG 0.7.7.0.1.0.0.2.ip6.arpa. 3600 IN RRSIG SOA 8 10 3600 20111215191118 20111209000931 45295 0.7.7.0.1.0.0.2.ip6.arpa. YfAH8uVvtfb8GSws5vUPlTrMquBsQtDfyCuiH6J+fAux9H/OlUzPFdEMBEZ34jLjqkUm6I0eXjx6Hj8C1uhNdgfKnsk2cjEUuXCofZqMzm9nOuVm6tLzQjd2VgJlFDQHBetpIv0J0fu01F5NwkcSa2EHg+OKcGSD7bDo5OU9kSU= ;{id = 45295}

Dec  9 01:09:31 lightburn ods-signerd: [worker[3]] sign zone 0.7.7.0.1.0.0.2.ip6.arpa
Dec  9 01:09:31 lightburn ods-signerd: [worker[3]] write zone 0.7.7.0.1.0.0.2.ip6.arpa
Dec  9 01:09:31 lightburn ods-signerd: [tools] skip write zone 0.7.7.0.1.0.0.2.ip6.arpa serial 2011120900 (zone not changed)

Attachment: 0.7.7.0.1.0.0.2.ip6.arpa.backup
Description: Binary data

Attachment: signature.asc
Description: PGP signature
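Two operational checks for the situation described in the message above, added here as an example; this is not code from the message or from OpenDNSSEC. The first scans ods-signerd syslog lines and flags a zone for which the signer logged new "+RRSIG" records and then reported "skip write zone ... (zone not changed)", the sequence shown in the quoted log. The second lists RRSIGs in a signed zone that expire within a horizon, which is the check a signer operator wants before expired signatures turn the zone bogus for validating resolvers. The log and zone excerpts are constructed: the log lines copy the shape of the ones quoted above, the zone excerpt is in ordinary presentation format (the layout of the .backup file is not known, so it is not parsed here), and the base64 signature data is a placeholder.

```python
"""Checks for an OpenDNSSEC signer: (1) spot a run in which ods-signerd logged
new RRSIGs for a zone but then skipped writing it; (2) list RRSIGs in a signed
zone that expire within a horizon, so re-signing can be forced in time."""
import re
from datetime import datetime, timedelta, timezone

# Constructed log excerpt, shaped like the syslog lines quoted in the message.
# The signature field is a placeholder, not a real signature.
SAMPLE_LOG = """\
Dec  9 01:09:31 lightburn ods-signerd: +RRSIG 0.7.7.0.1.0.0.2.ip6.arpa. 3600 IN RRSIG SOA 8 10 3600 20111215191118 20111209000931 45295 0.7.7.0.1.0.0.2.ip6.arpa. cGxhY2Vob2xkZXI= ;{id = 45295}
Dec  9 01:09:31 lightburn ods-signerd: [worker[3]] sign zone 0.7.7.0.1.0.0.2.ip6.arpa
Dec  9 01:09:31 lightburn ods-signerd: [worker[3]] write zone 0.7.7.0.1.0.0.2.ip6.arpa
Dec  9 01:09:31 lightburn ods-signerd: [tools] skip write zone 0.7.7.0.1.0.0.2.ip6.arpa serial 2011120900 (zone not changed)
Dec  9 01:09:32 lightburn ods-signerd: [worker[1]] sign zone example.net
Dec  9 01:09:32 lightburn ods-signerd: [tools] skip write zone example.net serial 2011120901 (zone not changed)
"""

# Constructed signed-zone excerpt in presentation format, one RR per line.
# The SOA RRSIG copies the timing fields from the log line above; the NS RRSIG
# is already expired and the DNSKEY RRSIG has plenty of life left.
SAMPLE_ZONE = """\
0.7.7.0.1.0.0.2.ip6.arpa. 3600 IN SOA ns.example.net. hostmaster.example.net. 2011120900 3600 900 1209600 3600
0.7.7.0.1.0.0.2.ip6.arpa. 3600 IN RRSIG SOA 8 10 3600 20111215191118 20111209000931 45295 0.7.7.0.1.0.0.2.ip6.arpa. cGxhY2Vob2xkZXI= ;{id = 45295}
0.7.7.0.1.0.0.2.ip6.arpa. 3600 IN RRSIG NS 8 10 3600 20111208000000 20111201000000 45295 0.7.7.0.1.0.0.2.ip6.arpa. cGxhY2Vob2xkZXI= ;{id = 45295}
0.7.7.0.1.0.0.2.ip6.arpa. 3600 IN RRSIG DNSKEY 8 10 3600 20111220000000 20111206000000 11111 0.7.7.0.1.0.0.2.ip6.arpa. cGxhY2Vob2xkZXI= ;{id = 11111}
"""

# "Now" for the sample run: the timestamp of the quoted log lines (assumed UTC).
SAMPLE_NOW = datetime(2011, 12, 9, 1, 9, 31, tzinfo=timezone.utc)

RRSIG_ADDED = re.compile(r"ods-signerd: \+RRSIG (\S+) ")
SKIP_WRITE = re.compile(r"skip write zone (\S+) serial (\d+) \(zone not changed\)")
# owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer ...
RRSIG_RR = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s"
)


def skipped_writes_with_new_rrsigs(log_text):
    """Return [(zone, serial, rrsigs_added)] for every 'skip write zone ...
    (zone not changed)' line that follows one or more '+RRSIG' lines for the
    same zone since its last skip.  New signatures that never reach the output
    file are exactly the symptom in the message."""
    pending = {}
    findings = []
    for line in log_text.splitlines():
        m = RRSIG_ADDED.search(line)
        if m:
            zone = m.group(1).rstrip(".")
            pending[zone] = pending.get(zone, 0) + 1
            continue
        m = SKIP_WRITE.search(line)
        if m:
            zone, serial = m.group(1).rstrip("."), m.group(2)
            if pending.get(zone):
                findings.append((zone, serial, pending[zone]))
            pending[zone] = 0
    return findings


def rrsig_time(field):
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC (RFC 4034)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsigs_expiring_within(zone_text, now, horizon_days):
    """Return [(owner, type_covered, keytag, expiration)] for RRSIGs whose
    expiration is earlier than now + horizon_days, already-expired ones
    included.  Only single-line RRs are handled; ';' comments are ignored."""
    deadline = now + timedelta(days=horizon_days)
    out = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        m = RRSIG_RR.match(line)
        if not m:
            continue
        owner, covered, exp, _inception, keytag = m.groups()
        expiration = rrsig_time(exp)
        if expiration < deadline:
            out.append((owner, covered, int(keytag), expiration))
    return out


if __name__ == "__main__":
    for zone, serial, n in skipped_writes_with_new_rrsigs(SAMPLE_LOG):
        print(f"{zone}: {n} RRSIG(s) added but write skipped at serial {serial}")
    for owner, covered, keytag, exp in rrsigs_expiring_within(SAMPLE_ZONE, SAMPLE_NOW, 7):
        print(f"{owner} RRSIG({covered}) keytag {keytag} expires {exp:%Y-%m-%d %H:%M:%S} UTC")
```

Run against a real signer, the first check reads the ods-signerd syslog output and the second the signed zone that is actually served (the file the name server loads, not the signer's working copy), so that a signature the signer believes it refreshed but never wrote out is still caught before it expires.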

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
