Hello Einar,

Probably the reason you see issues only after a week is that new signatures were being generated then (pointing out the obvious).

Unfortunately, I have no clue what caused this error. I am wondering if this is reproducible. Could you elaborate a bit more on your environment and what actions you have done (how exactly did you reinitialize the tokens? Did you do a restart of OpenDNSSEC? Did you clean up working directory files or not? Did you do a new ods-ksmutil setup?) and what versions you are using (of OpenDNSSEC and SoftHSM).

Thanks! Also, you may want to create a SUPPORT ticket at https://issues.opendnssec.org, so we can keep track of this.

Best regards,
Matthijs

On 05/28/2013 01:56 PM, Einar Bjarni Halldórsson wrote:
> Hi,
>
> We've been testing OpenDNSSEC for a few months now, and recently started
> the preparation to move into production. We're using SoftHSM and one of
> the things we did in preparation was to rename our tokens in SoftHSM.
> Since we are still in testing and were curious about what would happen,
> we simply re-initialized the tokens OpenDNSSEC was already using with
> new labels and then changed the config in ods. We wanted to know what
> would happen if you at any time lost access to our keys and had to start
> over with new keys.
>
> It seemed to work pretty well for about a week, but then all of a sudden
> validns started to complain that it could not verify the signatures for
> the SOA RR and the DNSKEY RR. We could not find a reason for this but
> eventually we tried to roll the KSK and that removed the error.
>
> We'd very much like to know what exactly caused the error. It seems the
> signatures are not expired, and they're generated with a key that's in
> the zone. I've got the output from jdnssec-tools, if anybody can find a
> possible reason for the error from that it'd be greatly appreciated.
>
> Link to (shortened) dnssec-tools output:
> http://pastebin.com/3WJMmCHd
>
> .einar
>
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
