Just adding that I'm starting to see expired RRSIGs for some of my zones. Interestingly, the last ones were created on 5 July....
Might this be related to that leap second that got injected on the 1st of July? DIck On 9 July 2012 14:47, Matthijs Mekking <[email protected]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > On 07/09/2012 02:22 PM, Stephane Bortzmeyer wrote: >> On Mon, Jul 09, 2012 at 02:04:16PM +0200, Matthijs Mekking >> <[email protected]> wrote a message of 162 lines which said: >> >>> So, OpenDNSSEC did not write out a new signed zone file, >> >> It did. But the zone was, IMHO, incorrect. Generating on 5 July a >> zone file containing signatures valid from 2 to 9 July seems >> wrong. > > If the signer would generate a new zone on the 5th of July, with a > signature from 2 to 9 July, that is not wrong, according to your policy: > > Expiration time: 9 July 2012, 4:37:43. > Refresh period: 3 days > > The signature is fresh until 6 July 2012, 4:37:43. Sign time is 5 July > 2012, 11:47. Signature may be reused. > > But given that you have a resign period of two hours, I would expect a > signed zone file written out later than the 5th of July. > > >> >>> Do the logs give any pointers? >> >> We have BIND logs showing <NotifyCommand> was executed >> successfully: >> >> Jul 5 11:47:01 lilith named[26440]: received control channel >> command 'reload' Jul 5 11:47:01 lilith named[26440]: loading >> configuration from '/etc/bind/named.conf' Jul 5 11:47:01 lilith >> named[26440]: /etc/bind/trust-anchors:22: trusted key >> 'test.dnssec-tools.org.' has a weak exponent Jul 5 11:47:01 lilith >> named[26440]: reading built-in trusted keys from file >> '/etc/bind/bind.keys' Jul 5 11:47:01 lilith named[26440]: using >> default UDP/IPv4 port range: [1024, 65535] Jul 5 11:47:01 lilith >> named[26440]: using default UDP/IPv6 port range: [1024, 65535] Jul >> 5 11:47:01 lilith named[26440]: /etc/bind/trust-anchors:22: trusted >> key 'test.dnssec-tools.org.' has a weak exponent Jul 5 11:47:01 >> lilith named[26440]: reloading configuration succeeded Jul 5 >> 11:47:01 lilith named[26440]: db.office--enregistrement.fr:10: >> signature has expired Jul 5 11:47:01 lilith named[26440]: zone >> office--enregistrement.fr/IN/internal: loaded serial 2011022700 >> (DNSSEC signed) Jul 5 11:47:01 lilith named[26440]: >> db.office--enregistrement.fr:10: signature has expired Jul 5 >> 11:47:01 lilith named[26440]: zone >> office--enregistrement.fr/IN/external: loaded serial 2011022700 >> (DNSSEC signed) Jul 5 11:47:01 lilith named[26440]: reloading >> zones succeeded Jul 5 11:47:01 lilith named[26440]: zone >> office--enregistrement.fr/IN/internal: expired Jul 5 11:47:01 >> lilith named[26440]: zone office--enregistrement.fr/IN/external: >> expired Jul 5 11:47:01 lilith named[26440]: zone >> rd.nic.fr/IN/internal: loaded serial 2012070505 (DNSSEC signed) Jul >> 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/internal: sending >> notifies (serial 2012070505) Jul 5 11:47:01 lilith named[26440]: >> zone rd.nic.fr/IN/external: loaded serial 2012070505 (DNSSEC >> signed) Jul 5 11:47:01 lilith named[26440]: zone >> rd.nic.fr/IN/external: sending notifies (serial 2012070505) Jul 5 >> 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view >> internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR started Jul >> 5 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view >> internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR ended >> >> The enforcer seems happy: >> >> >> Jul 5 10:47:11 lilith ods-enforcerd: Reading config >> "/etc/opendnssec/conf.xml" Jul 5 10:47:11 lilith ods-enforcerd: >> Reading config schema "/usr/share/opendnssec/conf.rng" Jul 5 >> 10:47:11 lilith ods-enforcerd: Communication Interval: 3600 Jul 5 >> 10:47:11 lilith ods-enforcerd: No DS Submit command supplied Jul 5 >> 10:47:11 lilith ods-enforcerd: SQLite database set to: >> /var/lib/opendnssec/db/kasp.db Jul 5 10:47:11 lilith >> ods-enforcerd: Log User set to: daemon Jul 5 10:47:11 lilith >> ods-enforcerd: Switched log facility to: daemon Jul 5 10:47:11 >> lilith ods-enforcerd: Connecting to Database... Jul 5 10:47:11 >> lilith ods-enforcerd: Policy default found. Jul 5 10:47:11 lilith >> ods-enforcerd: Key sharing is Off. Jul 5 10:47:11 lilith >> ods-enforcerd: Purging keys... Jul 5 10:47:11 lilith >> ods-enforcerd: zonelist filename set to >> /etc/opendnssec/zonelist.xml. Jul 5 10:47:11 lilith ods-enforcerd: >> Zone rd.nic.fr found. Jul 5 10:47:11 lilith ods-enforcerd: Policy >> for rd.nic.fr set to default. Jul 5 10:47:11 lilith ods-enforcerd: >> Config will be output to >> /var/lib/opendnssec/signconf/rd.nic.fr.xml. Jul 5 10:47:11 lilith >> ods-enforcerd: WARNING: New KSK has reached the ready state; please >> submit the DS for rd.nic.fr and use ods-ksmutil key ds-seen when >> the DS appears in the DNS. Jul 5 10:47:11 lilith ods-enforcerd: No >> change to: /var/lib/opendnssec/signconf/rd.nic.fr.xml Jul 5 >> 10:47:11 lilith ods-enforcerd: Disconnecting from Database... Jul >> 5 10:47:11 lilith ods-enforcerd: Sleeping for 3600 seconds. >> >> I cannot find logs from the signer. Strange. > > What is the verbosity output? Aren't there any logs of BIND/OpenDNSSEC > after the 5th of July (after the last signed zone file was outputted)? > >> >>> zone file created on 5th of July, an expiration time on the 9th >>> of July looks okay to me. >> >> Not for me, with a validity period of 7 days. > > The validity period was about 7 days (+ some jitter). The expiration > time minus refresh seems to be valid too. > >> >>> Lots of things can happen that prevents OpenDNSSEC from writing a >>> new signed zonefile: - - Auditor not happy >> >> Auditor was disabled. >> >>> - - HSM connection problems >> >> SoftHSM >> >>> - - Permission problems >> >> Nothing changed on the machine. And remember ods-signer sign >> rd.nic.fr worked. > > Hm, yes. Too bad there aren't any logs. > > > Best regards, > Matthijs > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.11 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iQEcBAEBAgAGBQJP+tLzAAoJEA8yVCPsQCW5/AIIAIYjj7yxRZohCsr6ZXmVayeF > aFC/nKfLiGzNPSUEdAOaEQfp7393IZfOn2diKAU/C4v7YI6XoeGN7Ih6uZHIUTrg > 3Z10djkkQsq3CUL7yywGNG/1UcE3Ei+cwV0uO2pwzxIs3wveL929o9nRsIVmvf1C > yA27UNejfUyJdCpYaECWVN98flETV645uYehDNKO5tgkH51FNcjXW621pymY8kX9 > oD1qAMaz51FHugNC6cholhCmPgljgPYUouUXFyj6tX6Qaj+gfqDJPS/FnOWw9miC > xFncS+j59i24x6MdHog/ws/Chnn9iczzkwSBx1Mh7qXjRrALPAf5nxU+1Zqk91g= > =Ftry > -----END PGP SIGNATURE----- > _______________________________________________ > Opendnssec-user mailing list > [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user -- Dick Visser System & Networking Engineer TERENA Secretariat Singel 468 D, 1017 AW Amsterdam The Netherlands _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
