Hi!

For testing I created a policy with rather short intervals (see below).

I now have the problem that I have to disable the auditor as it complains:

ods-auditor[2778]: test : Key (6670) has gone straight to active use without a prepublished phase

Of course this is not true. There was a publish phase, but it transitions from "ready" to "active" without waiting (I think this should be allowed).

I inspected the key events in the sqlite DB:

publish  '2013-06-28 14:43:12',
ready    '2013-06-28 14:44:52',
active   '2013-06-28 14:44:52',
retire   '2013-06-28 15:14:52', NULL

So, the key was in the PUBLISH phase for 100 seconds. I use short TTLs (60s), thus this should be fine.

Is this a bug in the auditor or am I missing something here?

Inspecting the zone I see that every RR in the zone has a TTL of 60, except the NSEC3PARAM and its RRSIG, which have a TTL of 3600.

Where is this TTL coming from? Could this be the source of my problems?

Thanks
Klaus


Policy:
                <Signatures>
                        <Resign>PT5M</Resign>
                        <Refresh>PT30M</Refresh>
                        <Validity>
                                <Default>PT24H</Default>
                                <Denial>PT24H</Denial>
                        </Validity>
                        <Jitter>PT0M</Jitter>
                        <InceptionOffset>PT120S</InceptionOffset>
                </Signatures>

                <Denial>
                        <NSEC3>
                                <!-- <OptOut/> -->
                                <Resalt>P10D</Resalt>
                                <Hash>
                                        <Algorithm>1</Algorithm>
                                        <Iterations>5</Iterations>
                                        <Salt length="8"/>
                                </Hash>
                        </NSEC3>
                </Denial>
                <Keys>
                        <!-- Parameters for both KSK and ZSK -->
                        <TTL>PT60S</TTL>
                        <RetireSafety>PT30S</RetireSafety>
                        <PublishSafety>PT30S</PublishSafety>
                        <!-- <ShareKeys/> -->
                        <!-- <Purge>PT20M</Purge> -->

                        <!-- Parameters for KSK only -->
                        <KSK>
                                <Algorithm length="2048">8</Algorithm>
                                <Lifetime>PT45M</Lifetime>
                                <Repository>SoftHSM1</Repository>
                        </KSK>

                        <!-- Parameters for ZSK only -->
                        <ZSK>
                                <Algorithm length="1024">8</Algorithm>
                                <Lifetime>PT30M</Lifetime>
                                <Repository>SoftHSM1</Repository>
                                <!-- <ManualRollover/> -->
                        </ZSK>
                </Keys>
                <Zone>
                        <PropagationDelay>PT10S</PropagationDelay>
                        <SOA>
                                <TTL>PT60S</TTL>
                                <Minimum>PT3600S</Minimum>
                                <Serial>unixtime</Serial>
                        </SOA>
                </Zone>

                <Parent>
                        <PropagationDelay>PT5S</PropagationDelay>
                        <DS>
                                <TTL>PT60S</TTL>
                        </DS>
                        <SOA>
                                <TTL>PT60S</TTL>
                                <Minimum>PT60S</Minimum>
                        </SOA>
                </Parent>
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
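As an added example (not part of the post above, and not OpenDNSSEC's own code), the following script reads the intervals from the policy fragment quoted in the post and compares them with the key timestamps from the sqlite dump. The prepublish rule it applies, that a key must sit in the zone for DNSKEY TTL + PublishSafety + PropagationDelay before it may go active, is my reading of the OpenDNSSEC 1.x enforcer and is marked as an assumption in the code. With the post's values that sum is 60 + 30 + 10 = 100 s, which is exactly the 100 s the key spent between publish and active, and the 30 minutes between active and retire match the ZSK Lifetime of PT30M; the script only verifies that consistency, it does not explain the auditor message. It also prints the SOA Minimum, which in this policy is 3600 s, the same value as the NSEC3PARAM TTL observed in the zone (to my knowledge the 1.x signer takes the NSEC3PARAM TTL from the SOA Minimum when the policy sets no separate TTL under Denial/NSEC3; treat that as an assumption to confirm against the signer's documentation).

```python
"""Check an OpenDNSSEC 1.x key timeline against a kasp.xml policy.

Added example: the policy fragment and timestamps are copied from the
mailing-list post; the prepublish rule is an assumption about the 1.x
enforcer, not something stated in the thread.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Policy fragment copied from the post (only the elements the check needs).
POLICY_XML = """<Policy name="test">
  <Keys>
    <TTL>PT60S</TTL>
    <RetireSafety>PT30S</RetireSafety>
    <PublishSafety>PT30S</PublishSafety>
    <ZSK><Lifetime>PT30M</Lifetime></ZSK>
  </Keys>
  <Zone>
    <PropagationDelay>PT10S</PropagationDelay>
    <SOA><TTL>PT60S</TTL><Minimum>PT3600S</Minimum></SOA>
  </Zone>
</Policy>"""

# Key event timestamps from the sqlite dump in the post.
EVENTS = {
    "publish": "2013-06-28 14:43:12",
    "ready": "2013-06-28 14:44:52",
    "active": "2013-06-28 14:44:52",
    "retire": "2013-06-28 15:14:52",
}

_DURATION = re.compile(
    r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Parse the ISO 8601 duration subset kasp.xml uses (PnDTnHnMnS)."""
    m = _DURATION.match(text.strip())
    if m is None or not any(m.groups()):
        raise ValueError("unsupported duration: %r" % text)
    days, hours, minutes, seconds_ = (int(g or 0) for g in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds_)


def seconds(text):
    """Duration string -> whole seconds."""
    return int(parse_duration(text).total_seconds())


def policy_intervals(xml_text):
    """Pull the intervals the timeline check depends on out of the policy."""
    root = ET.fromstring(xml_text)
    return {
        "dnskey_ttl": seconds(root.findtext("Keys/TTL")),
        "publish_safety": seconds(root.findtext("Keys/PublishSafety")),
        "propagation_delay": seconds(root.findtext("Zone/PropagationDelay")),
        "zsk_lifetime": seconds(root.findtext("Keys/ZSK/Lifetime")),
        "soa_minimum": seconds(root.findtext("Zone/SOA/Minimum")),
    }


def min_prepublish(p):
    # ASSUMED 1.x enforcer rule: a key must be visible in the zone for
    # DNSKEY TTL + PublishSafety + PropagationDelay before it may go active.
    return p["dnskey_ttl"] + p["publish_safety"] + p["propagation_delay"]


def check_timeline(events, policy):
    """Compare the observed key timeline with what the policy requires."""
    ts = {k: datetime.strptime(v, "%Y-%m-%d %H:%M:%S")
          for k, v in events.items()}
    published_for = int((ts["active"] - ts["publish"]).total_seconds())
    active_for = int((ts["retire"] - ts["active"]).total_seconds())
    required = min_prepublish(policy)
    return {
        "published_for": published_for,
        "required_prepublish": required,
        "prepublish_ok": published_for >= required,
        "active_for": active_for,
        "lifetime_ok": active_for == policy["zsk_lifetime"],
    }


if __name__ == "__main__":
    policy = policy_intervals(POLICY_XML)
    result = check_timeline(EVENTS, policy)
    for key, value in result.items():
        print("%-20s %s" % (key, value))
    # The SOA Minimum is the value to compare with the NSEC3PARAM TTL seen
    # in the signed zone (3600 in the post).
    print("%-20s %s" % ("soa_minimum", policy["soa_minimum"]))
```

Run it as-is to see the 100 s published interval beside the 100 s the policy requires; change any of the three policy intervals and the prepublish check flips to False, which is the situation the auditor message describes.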
