Hi,

On 07/09/2012 02:22 PM, Stephane Bortzmeyer wrote:
> On Mon, Jul 09, 2012 at 02:04:16PM +0200, Matthijs Mekking
> <[email protected]> wrote a message of 162 lines which said:
>
>> So, OpenDNSSEC did not write out a new signed zone file,
>
> It did. But the zone was, IMHO, incorrect. Generating on 5 July a
> zone file containing signatures valid from 2 to 9 July seems
> wrong.

If the signer would generate a new zone on the 5th of July, with a
signature from 2 to 9 July, that is not wrong, according to your policy:

  Expiration time: 9 July 2012, 4:37:43.
  Refresh period: 3 days

The signature is fresh until 6 July 2012, 4:37:43. Sign time is 5 July
2012, 11:47. Signature may be reused.

But given that you have a resign period of two hours, I would expect a
signed zone file written out later than the 5th of July.

>> Do the logs give any pointers?
>
> We have BIND logs showing <NotifyCommand> was executed
> successfully:
>
> Jul 5 11:47:01 lilith named[26440]: received control channel command 'reload'
> Jul 5 11:47:01 lilith named[26440]: loading configuration from '/etc/bind/named.conf'
> Jul 5 11:47:01 lilith named[26440]: /etc/bind/trust-anchors:22: trusted key 'test.dnssec-tools.org.' has a weak exponent
> Jul 5 11:47:01 lilith named[26440]: reading built-in trusted keys from file '/etc/bind/bind.keys'
> Jul 5 11:47:01 lilith named[26440]: using default UDP/IPv4 port range: [1024, 65535]
> Jul 5 11:47:01 lilith named[26440]: using default UDP/IPv6 port range: [1024, 65535]
> Jul 5 11:47:01 lilith named[26440]: /etc/bind/trust-anchors:22: trusted key 'test.dnssec-tools.org.' has a weak exponent
> Jul 5 11:47:01 lilith named[26440]: reloading configuration succeeded
> Jul 5 11:47:01 lilith named[26440]: db.office--enregistrement.fr:10: signature has expired
> Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/internal: loaded serial 2011022700 (DNSSEC signed)
> Jul 5 11:47:01 lilith named[26440]: db.office--enregistrement.fr:10: signature has expired
> Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/external: loaded serial 2011022700 (DNSSEC signed)
> Jul 5 11:47:01 lilith named[26440]: reloading zones succeeded
> Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/internal: expired
> Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/external: expired
> Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/internal: loaded serial 2012070505 (DNSSEC signed)
> Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/internal: sending notifies (serial 2012070505)
> Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/external: loaded serial 2012070505 (DNSSEC signed)
> Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/external: sending notifies (serial 2012070505)
> Jul 5 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR started
> Jul 5 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR ended
>
> The enforcer seems happy:
>
> Jul 5 10:47:11 lilith ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
> Jul 5 10:47:11 lilith ods-enforcerd: Reading config schema "/usr/share/opendnssec/conf.rng"
> Jul 5 10:47:11 lilith ods-enforcerd: Communication Interval: 3600
> Jul 5 10:47:11 lilith ods-enforcerd: No DS Submit command supplied
> Jul 5 10:47:11 lilith ods-enforcerd: SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Jul 5 10:47:11 lilith ods-enforcerd: Log User set to: daemon
> Jul 5 10:47:11 lilith ods-enforcerd: Switched log facility to: daemon
> Jul 5 10:47:11 lilith ods-enforcerd: Connecting to Database...
> Jul 5 10:47:11 lilith ods-enforcerd: Policy default found.
> Jul 5 10:47:11 lilith ods-enforcerd: Key sharing is Off.
> Jul 5 10:47:11 lilith ods-enforcerd: Purging keys...
> Jul 5 10:47:11 lilith ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
> Jul 5 10:47:11 lilith ods-enforcerd: Zone rd.nic.fr found.
> Jul 5 10:47:11 lilith ods-enforcerd: Policy for rd.nic.fr set to default.
> Jul 5 10:47:11 lilith ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/rd.nic.fr.xml.
> Jul 5 10:47:11 lilith ods-enforcerd: WARNING: New KSK has reached the ready state; please submit the DS for rd.nic.fr and use ods-ksmutil key ds-seen when the DS appears in the DNS.
> Jul 5 10:47:11 lilith ods-enforcerd: No change to: /var/lib/opendnssec/signconf/rd.nic.fr.xml
> Jul 5 10:47:11 lilith ods-enforcerd: Disconnecting from Database...
> Jul 5 10:47:11 lilith ods-enforcerd: Sleeping for 3600 seconds.
>
> I cannot find logs from the signer.

Strange. What is the verbosity output? Aren't there any logs of
BIND/OpenDNSSEC after the 5th of July (after the last signed zone file
was outputted)?

>> zone file created on 5th of July, an expiration time on the 9th
>> of July looks okay to me.
>
> Not for me, with a validity period of 7 days.

The validity period was about 7 days (+ some jitter). The expiration
time minus refresh seems to be valid too.

>> Lots of things can happen that prevent OpenDNSSEC from writing a
>> new signed zonefile:
>> - Auditor not happy
>
> Auditor was disabled.
>
>> - HSM connection problems
>
> SoftHSM
>
>> - Permission problems
>
> Nothing changed on the machine. And remember ods-signer sign
> rd.nic.fr worked.

Hm, yes. Too bad there aren't any logs.
Best regards,
Matthijs

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
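An added worked example, not code from the thread or from OpenDNSSEC: it applies the reuse rule Matthijs describes (a signature is reused while the current time is before expiration minus the refresh period) to the thread's own policy values, and counts how many two-hour resign intervals have passed since the last signed zone file BIND loaded. The policy semantics and the 11:47 timestamp are taken from the discussion; the check times are constructed.

```python
from datetime import datetime, timedelta

# Values from the thread: expiration and refresh period of the policy,
# resign interval, and the time of the last signed zone file BIND loaded.
EXPIRATION = datetime(2012, 7, 9, 4, 37, 43)
REFRESH = timedelta(days=3)
RESIGN = timedelta(hours=2)
LAST_SIGNED_OUTPUT = datetime(2012, 7, 5, 11, 47)


def fresh_until(expiration: datetime, refresh: timedelta) -> datetime:
    """Latest time at which the signer may still reuse the existing RRSIG."""
    return expiration - refresh


def rrsig_decision(expiration: datetime, refresh: timedelta, now: datetime) -> str:
    """'reuse' while the signature is fresh, 'refresh' once a new one is due,
    'expired' once validators will reject the RRSIG outright."""
    if now >= expiration:
        return "expired"
    if now < fresh_until(expiration, refresh):
        return "reuse"
    return "refresh"


def missed_resign_runs(last_output: datetime, resign: timedelta, now: datetime) -> int:
    """Whole resign intervals elapsed since the last signed zone file was
    written; more than 1 means the signer stopped producing output."""
    return int((now - last_output) // resign)


def audit(now: datetime) -> dict:
    """One monitoring check combining both questions raised in the thread."""
    return {
        "fresh_until": fresh_until(EXPIRATION, REFRESH),
        "decision": rrsig_decision(EXPIRATION, REFRESH, now),
        "missed_runs": missed_resign_runs(LAST_SIGNED_OUTPUT, RESIGN, now),
    }


if __name__ == "__main__":
    # Constructed check times: sign time, the morning after fresh_until,
    # and the time of Stephane's mail on 9 July.
    for when in (datetime(2012, 7, 5, 11, 47),
                 datetime(2012, 7, 6, 5, 0),
                 datetime(2012, 7, 9, 14, 22)):
        print(when, audit(when))
```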
