Hi Stuart,

1. I have tried to sign your zone. This one indeed passed your validateZone script:

ns:630006 630008 ds&rrsig:126001 126001 126001 a:0 0 nsec3&rrsig:126003 126003

Why is there a difference in ns?

2. Is the unsigned file touched by any means? For example, if you edit the unsigned file during signing, the validateZone script is likely to fail. I created a diff between your signed zone file and mine, and noticed that all delegations from 091911657.test4 to 091911999.test4 are missing. Do they ring any bells?

3. You mentioned that you sign the zone every 10 minutes. Is this the resign value from the policy or are you calling ods-signer sign test4 every 10 minutes (cron job?).

Best regards,
Matthijs

On 09/19/2012 08:26 AM, Áõ˶ wrote:
> Hi Matthijs,
>
> I'm using OpenDNSSEC 1.3.10 for test purposes, and using <NotifyCommand>
> with a script to do the afterwards work. And
> I'm not using Audit, which is not recommended.
>
> But I have found out that sometimes the signed and raw zone file's RRs
> do not match.
>
> The attachment called ods_call_by_opendnssec.sh is the script called by
> <NotifyCommand>; you can see clearly what we
> do after the signing work ends, and when the validation fails, there seems
> to be nothing we can do to make up for it. I have
> tried to call 'ods-signer sign %zone' but something weirder occurs:
> it seems the processes are there, but no output is
> generated, so I need your opinion.
>
> The attachment called validateZoneData.sh is the script used to
> compare the signed file with the raw one in case it
> lacks RRs. Our raw zone file is lowercase and the signed zone file is uppercase.
>
> The last file is a log generated by ods_call_by_opendnssec.sh; you can
> see that TLD test4's validation failed
> because the NS RRs do not match the unsigned file.
>
> I have found the same problem in OpenDNSSEC 1.4.a2 and I would like to
> help if needed.
>
> Thanks.
>
>
> Best regards,
> Stuart
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
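The comparison discussed in this thread (per-type record counts, and delegations present in the unsigned file but absent from the signed one) can be sketched as follows. This is an added example, not the validateZone script or any other attachment from the thread; the function names and the sample zone data are constructed for illustration, and it assumes one RR per line with numeric TTLs and no `$ORIGIN` changes.

```python
from collections import Counter

# Constructed sample data: raw file lowercase, signed file uppercase, one delegation lost.
UNSIGNED = """\
test4. 3600 IN SOA ns1.test4. admin.test4. 1 7200 3600 1209600 3600
test4. 3600 IN NS ns1.test4.
a001.test4. 3600 IN NS ns.example.net.
a002.test4. 3600 IN NS ns.example.net.
"""
SIGNED = """\
TEST4. 3600 IN SOA NS1.TEST4. ADMIN.TEST4. 2 7200 3600 1209600 3600
TEST4. 3600 IN NS NS1.TEST4.
A001.TEST4. 3600 IN NS NS.EXAMPLE.NET.
"""

def _fqdn(name, origin):
    name = name.lower()  # DNS names compare case-insensitively
    return origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")

def parse_rrs(zone_text, origin):
    """Return (owner, type, rdata) per RR; assumes one RR per line, no $ORIGIN changes."""
    origin = origin.lower().rstrip(".") + "."
    owner, rrs = origin, []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]            # drop trailing comments
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not line[0].isspace():              # leading blank = same owner as previous RR
            owner = _fqdn(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in {"IN", "CH", "HS"}):
            fields.pop(0)                      # skip optional TTL and class
        if not fields:
            continue
        rrtype, rdata = fields[0].upper(), fields[1:]
        if rrtype == "NS" and rdata:
            rdata = [_fqdn(rdata[0], origin)]  # normalise the delegation target too
        rrs.append((owner, rrtype, " ".join(rdata)))
    return rrs

def compare_zones(unsigned_text, signed_text, origin):
    """Per-type counts for both files plus the NS records found on one side only."""
    unsigned, signed = parse_rrs(unsigned_text, origin), parse_rrs(signed_text, origin)
    ns_u, ns_s = ({rr for rr in z if rr[1] == "NS"} for z in (unsigned, signed))
    return {
        "counts": (Counter(t for _, t, _ in unsigned), Counter(t for _, t, _ in signed)),
        "ns_missing_from_signed": sorted(ns_u - ns_s),
        "ns_only_in_signed": sorted(ns_s - ns_u),
    }
```

Running the comparison against a snapshot of the unsigned file taken when signing starts avoids false mismatches caused by edits made while the signer is working.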
