On Mon, Jul 09, 2012 at 02:04:16PM +0200, Matthijs Mekking <[email protected]> wrote a message of 162 lines which said:
> So, OpenDNSSEC did not write out a new signed zone file,

It did. But the zone was, IMHO, incorrect. Generating on 5 July a zone
file containing signatures valid from 2 to 9 July seems wrong.

> Do the logs give any pointers?

We have BIND logs showing <NotifyCommand> was executed successfully:

Jul 5 11:47:01 lilith named[26440]: received control channel command 'reload'
Jul 5 11:47:01 lilith named[26440]: loading configuration from '/etc/bind/named.conf'
Jul 5 11:47:01 lilith named[26440]: /etc/bind/trust-anchors:22: trusted key 'test.dnssec-tools.org.' has a weak exponent
Jul 5 11:47:01 lilith named[26440]: reading built-in trusted keys from file '/etc/bind/bind.keys'
Jul 5 11:47:01 lilith named[26440]: using default UDP/IPv4 port range: [1024, 65535]
Jul 5 11:47:01 lilith named[26440]: using default UDP/IPv6 port range: [1024, 65535]
Jul 5 11:47:01 lilith named[26440]: /etc/bind/trust-anchors:22: trusted key 'test.dnssec-tools.org.' has a weak exponent
Jul 5 11:47:01 lilith named[26440]: reloading configuration succeeded
Jul 5 11:47:01 lilith named[26440]: db.office--enregistrement.fr:10: signature has expired
Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/internal: loaded serial 2011022700 (DNSSEC signed)
Jul 5 11:47:01 lilith named[26440]: db.office--enregistrement.fr:10: signature has expired
Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/external: loaded serial 2011022700 (DNSSEC signed)
Jul 5 11:47:01 lilith named[26440]: reloading zones succeeded
Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/internal: expired
Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/external: expired
Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/internal: loaded serial 2012070505 (DNSSEC signed)
Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/internal: sending notifies (serial 2012070505)
Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/external: loaded serial 2012070505 (DNSSEC signed)
Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/external: sending notifies (serial 2012070505)
Jul 5 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR started
Jul 5 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR ended

The enforcer seems happy:

Jul 5 10:47:11 lilith ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Jul 5 10:47:11 lilith ods-enforcerd: Reading config schema "/usr/share/opendnssec/conf.rng"
Jul 5 10:47:11 lilith ods-enforcerd: Communication Interval: 3600
Jul 5 10:47:11 lilith ods-enforcerd: No DS Submit command supplied
Jul 5 10:47:11 lilith ods-enforcerd: SQLite database set to: /var/lib/opendnssec/db/kasp.db
Jul 5 10:47:11 lilith ods-enforcerd: Log User set to: daemon
Jul 5 10:47:11 lilith ods-enforcerd: Switched log facility to: daemon
Jul 5 10:47:11 lilith ods-enforcerd: Connecting to Database...
Jul 5 10:47:11 lilith ods-enforcerd: Policy default found.
Jul 5 10:47:11 lilith ods-enforcerd: Key sharing is Off.
Jul 5 10:47:11 lilith ods-enforcerd: Purging keys...
Jul 5 10:47:11 lilith ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Jul 5 10:47:11 lilith ods-enforcerd: Zone rd.nic.fr found.
Jul 5 10:47:11 lilith ods-enforcerd: Policy for rd.nic.fr set to default.
Jul 5 10:47:11 lilith ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/rd.nic.fr.xml.
Jul 5 10:47:11 lilith ods-enforcerd: WARNING: New KSK has reached the ready state; please submit the DS for rd.nic.fr and use ods-ksmutil key ds-seen when the DS appears in the DNS.
Jul 5 10:47:11 lilith ods-enforcerd: No change to: /var/lib/opendnssec/signconf/rd.nic.fr.xml
Jul 5 10:47:11 lilith ods-enforcerd: Disconnecting from Database...
Jul 5 10:47:11 lilith ods-enforcerd: Sleeping for 3600 seconds.

I cannot find logs from the signer. Strange.

> zone file created on 5th of July, an expiration time on the 9th of
> July looks okay to me.

Not for me, with a validity period of 7 days.

> Lots of things can happen that prevent OpenDNSSEC from writing a new
> signed zonefile:
> - Auditor not happy

Auditor was disabled.

> - HSM connection problems

SoftHSM

> - Permission problems

Nothing changed on the machine. And remember ods-signer sign rd.nic.fr worked.

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
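As an added example, not part of the thread above: a small Python check that parses the RRSIG records of a zone file and reports, for a chosen point in time, which signatures are already expired and which are still valid but inside the refresh window (the ones a signer run should have replaced). The zone fragment, key tag and signature data are constructed; the SOA signature reuses the 2 to 9 July window discussed in the thread, and the reference time is the BIND reload timestamp from the logs, assumed to be UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample zone fragment (not from the thread). RRSIG presentation
# format: type alg labels ttl expiration inception keytag signer signature,
# with timestamps as YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
SAMPLE_ZONE = """\
rd.nic.fr. 3600 IN SOA ns1.rd.nic.fr. hostmaster.nic.fr. 2012070505 3600 900 604800 3600
rd.nic.fr. 3600 IN RRSIG SOA 8 3 3600 20120709114700 20120702114700 12345 rd.nic.fr. AAAA==
rd.nic.fr. 3600 IN RRSIG NS 8 3 3600 20120712114700 20120705114700 12345 rd.nic.fr. BBBB==
rd.nic.fr. 3600 IN RRSIG MX 8 3 3600 20120707000000 20120630000000 12345 rd.nic.fr. CCCC==
www.rd.nic.fr. 3600 IN RRSIG A 8 4 3600 20120704000000 20120627000000 12345 rd.nic.fr. DDDD==
"""

RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+")

def parse_rrsig_time(text):
    """RRSIG timestamps carry no zone designator; they are always UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def classify_rrsigs(zone_text, now, refresh):
    """Classify every RRSIG in zone_text relative to 'now'.

    Returns a list of (owner, covered_type, status, days_left). status is
    'expired', 'not-yet-valid', 'needs-refresh' (valid, but expiring within
    the refresh window, so a signer run should have replaced it) or 'ok'.
    """
    results = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        expiration = parse_rrsig_time(m["expiration"])
        inception = parse_rrsig_time(m["inception"])
        if now >= expiration:
            status = "expired"
        elif now < inception:
            status = "not-yet-valid"
        elif expiration - now <= refresh:
            status = "needs-refresh"
        else:
            status = "ok"
        days_left = round((expiration - now).total_seconds() / 86400, 2)
        results.append((m["owner"], m["covered"], status, days_left))
    return results

def sample_report():
    """Run the check at the BIND reload time from the thread (assumed UTC), refresh window 3 days."""
    now = datetime(2012, 7, 5, 11, 47, 1, tzinfo=timezone.utc)
    return classify_rrsigs(SAMPLE_ZONE, now, timedelta(days=3))

if __name__ == "__main__":
    for owner, covered, status, days in sample_report():
        print(f"{owner:<18} {covered:<4} {status:<14} {days:>6} days left")
```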
