Quoting Göran Bengtson ([email protected]):

> 2 This is serious. Immediately after the ods-ksmutil update command
> is given ODS gets seriously confused about the keys in ANOTHER,
> remaining zone. A new ZSK key is generated, and the active ZSK
> disappears (is not used anymore). ods-ksmutil key list
> only shows the KSK key and the newly generated ZSK key (in publish
> state).
This is (almost?) exactly what happened in my setup yesterday. According to the logging, it must have happened after removing another test zone from the config: a totally unrelated zone lost its keys and new ones were generated for that zone.

I noticed this because the auditor suddenly barfed on the (unrelated) zone, which was perfectly signed and managed before. For each RR-type in the zone it logged:

| May 23 15:05:32 ods1 ods-auditor[17522]: bit-dnssec-test.com : RRSIGS
| should include algorithm RSASHA256 for bit-dnssec-test.com, NS, have :
| May 23 15:05:32 ods1 ods-auditor[17522]: bit-dnssec-test.com : RRSet
| (bit-dnssec-test.com, NS) failed verification : No signatures in the
| RRSet : bit-dnssec-test.com, NS, tag = none

Then it errored out:

| May 23 15:05:32 ods1 ods-auditor[17522]: Unexpected error auditing files
| (/var/lib/opendnssec/tmp/bit-dnssec-test.com.inbound and
| /var/lib/opendnssec/tmp/bit-dnssec-test.com.finalized) : ERR private
| method `split' called for nil:NilClass- moving on to next zone. Trace
| for debugging : /usr/lib/opendnssec/kasp_auditor/auditor.rb:1279:in
| `get_name_and_types'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1231:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1188:in
| `open'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1188:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1186:in
| `open'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1186:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1184:in
| `open'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1184:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:184:in
| `check_zone'#012/usr/lib/opendnssec/kasp_auditor.rb:219:in
| `full_audit'#012/usr/lib/opendnssec/kasp_auditor.rb:172:in
| `run_with_syslog'#012/usr/lib/opendnssec/kasp_auditor.rb:146:in
| `each'#012/usr/lib/opendnssec/kasp_auditor.rb:146:in
| `run_with_syslog'#012/usr/lib/opendnssec/kasp_auditor.rb:119:in
| `run'#012/usr/lib/opendnssec/kasp_auditor.rb:117:in
| `open'#012/usr/lib/opendnssec/kasp_auditor.rb:117:in
| `run'#012/usr/bin/ods-auditor:169

This was most probably caused by the missing keys.

The only matching part is the name of the domains. I removed bit-dnssec-test.nl from OpenDNSSEC and bit-dnssec-test.com broke afterwards. Both were in a different policy, although the policies are identical and use the same (Soft)HSM.

With regards,
-Sander.

--
| How many weeks are there in a light year?
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
