Hi,
I would like to know some more so that I can delve into this:
1. Can you provide the version used?
2. Can you increase the verbosity to 5 and schedule a sign again and
provide those logs?
$ ods-signer verbosity 5
$ ods-signer sign hirlimann.net
3. Do the DNSKEY queries match the records in the signed file that the
signer has produced?
4. What is the last time the signed file has been changed (fstat)?
Thanks,
Best regards,
Matthijs
On 04-03-14 12:08, Ludovic Hirlimann wrote:
Hi,
Today I've discovered that ods-signer stopped working 10+ days ago on my
domain.
I don't understand why it doesn't sign anymore:
http://dnsviz.net/d/hirlimann.net/dnssec/
perso:~ # dig +dnssec hirlimann.net dnskey @127.0.0.1
; <<>> DiG 9.8.3-P4 <<>> +dnssec hirlimann.net dnskey @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44230
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hirlimann.net. IN DNSKEY
;; ANSWER SECTION:
hirlimann.net. 3600 IN DNSKEY 257 3 8
AwEAAdGy0YLcGHD5R3Q9QY0aVV4BMjiS6Ev6m3rhkFsT1nFWkXhuLXit
bJ2bejtFX3ebKpSexpdMN9fv98nhLmaSva0iaH0jMcCaGNqky6bDjlvi
dWGVmXsINaH8rYqzAC2AgvUaOeDgTPUB74KMngtA36qT9+U0ruFWbwwu
FoUSB42axWWmnd4pcKjBsXqn9OvcS/9WiiG0B59Pmegje/P8Qebjg+ps
8IoN44HPVfxjlcBjYzwvi1hujOiDeAyBcNcrI5Ql+PW1eFWejU6idXdD
4xgH0zBBrQu16WoVahIGc5e+PRH+FqJa2S10svfKMF9Vu4VgoybLeV7g EimuonuydD8=
hirlimann.net. 3600 IN DNSKEY 256 3 8
AwEAAcOIAzr5Pzuyc6Hisw15I7KK2RjmDGnB7fQB55CDnJJdW0iPNwxa
E4vOUGjkB/hosFra+JDDxoGoyhDWQGzhTcIHqUC24PngxxFxjpFAoE6r
6YpGYl2Lu+/inqykpkd59d4Ur7GLmLGqatHerqpg73sd009lhZ2+HYXf nGyEms5d
hirlimann.net. 3600 IN RRSIG DNSKEY 8 2 3600
20140221061642 20140213221414 49361 hirlimann.net.
V/gvWUkRvnTOYb3ujYiB9TJZ90UFS4KAus8PrcYoc08FllkW7hihzofO
FaGBuQSyF5pyV+M3x7Gs+u9hERfYsqnRngkzAX6gP8ri/mHllCuacmEx
CF0f/mH4azjsY9Xj2kU0g6ofzIVxIRkHCh0ET4yhlNuOTIHhcfV96R08
ykqJ0DOvTI0OAqbJ0c9yMY3/GcVCu7pvBEUZPCeww7T6M6N/U2vzzsLs
DO0IDkD7bIi3VYTrq3J8oAGa3g1K+niLk1ybT7v6Z/kO79LcLsYaoLs4
2Tws3KPpGTGASK4AS928lzMNLoGaK8mzkLeSTGiz/47ppcpIzPe1/7u1 aHG+DA==
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 4 12:03:05 2014
;; MSG SIZE rcvd: 767
root@perso:~ # date
Tue Mar 4 12:03:20 CET 2014
root@perso:~ # ods-signer sign hirlimann.net
Zone hirlimann.net scheduled for immediate re-sign.
root@perso:~ # rndc reload
server reload successful
root@perso:~ # dig +dnssec hirlimann.net dnskey @127.0.0.1
; <<>> DiG 9.8.3-P4 <<>> +dnssec hirlimann.net dnskey @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61871
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hirlimann.net. IN DNSKEY
;; ANSWER SECTION:
hirlimann.net. 3600 IN DNSKEY 256 3 8
AwEAAcOIAzr5Pzuyc6Hisw15I7KK2RjmDGnB7fQB55CDnJJdW0iPNwxa
E4vOUGjkB/hosFra+JDDxoGoyhDWQGzhTcIHqUC24PngxxFxjpFAoE6r
6YpGYl2Lu+/inqykpkd59d4Ur7GLmLGqatHerqpg73sd009lhZ2+HYXf nGyEms5d
hirlimann.net. 3600 IN DNSKEY 257 3 8
AwEAAdGy0YLcGHD5R3Q9QY0aVV4BMjiS6Ev6m3rhkFsT1nFWkXhuLXit
bJ2bejtFX3ebKpSexpdMN9fv98nhLmaSva0iaH0jMcCaGNqky6bDjlvi
dWGVmXsINaH8rYqzAC2AgvUaOeDgTPUB74KMngtA36qT9+U0ruFWbwwu
FoUSB42axWWmnd4pcKjBsXqn9OvcS/9WiiG0B59Pmegje/P8Qebjg+ps
8IoN44HPVfxjlcBjYzwvi1hujOiDeAyBcNcrI5Ql+PW1eFWejU6idXdD
4xgH0zBBrQu16WoVahIGc5e+PRH+FqJa2S10svfKMF9Vu4VgoybLeV7g EimuonuydD8=
hirlimann.net. 3600 IN RRSIG DNSKEY 8 2 3600
20140221061642 20140213221414 49361 hirlimann.net.
V/gvWUkRvnTOYb3ujYiB9TJZ90UFS4KAus8PrcYoc08FllkW7hihzofO
FaGBuQSyF5pyV+M3x7Gs+u9hERfYsqnRngkzAX6gP8ri/mHllCuacmEx
CF0f/mH4azjsY9Xj2kU0g6ofzIVxIRkHCh0ET4yhlNuOTIHhcfV96R08
ykqJ0DOvTI0OAqbJ0c9yMY3/GcVCu7pvBEUZPCeww7T6M6N/U2vzzsLs
DO0IDkD7bIi3VYTrq3J8oAGa3g1K+niLk1ybT7v6Z/kO79LcLsYaoLs4
2Tws3KPpGTGASK4AS928lzMNLoGaK8mzkLeSTGiz/47ppcpIzPe1/7u1 aHG+DA==
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 4 12:03:56 2014
;; MSG SIZE rcvd: 767
root@perso:~ # ods-ksmutil key list --zone hirlimann.net
Keys:
Zone:            Keytype:   State:    Date of next transition:
hirlimann.net    KSK        active    2014-07-12 08:59:24
hirlimann.net    ZSK        active    2014-03-08 10:23:21
I'm wondering if the issue is related to my ZSK key expiring soon. I've
seen nothing in logs. Shall I start doing KSK and ZSK rollovers? (e.g.
I'd happily RTFM on the subject)
Ludo
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
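An added example, not part of either mail and not OpenDNSSEC code: the RRSIG over the DNSKEY set in both dig outputs carries expiration 20140221061642, which is before the 4 March query time, and a check like the following flags that from dig text. The function names and the 48-hour warning threshold are assumptions made for this sketch.

```python
from datetime import datetime, timezone

# Constructed sample: the RRSIG header fields are those shown in the dig
# output in the mail (wrapped the same way); the signature is a placeholder.
SAMPLE = """\
hirlimann.net. 3600 IN RRSIG DNSKEY 8 2 3600
20140221061642 20140213221414 49361 hirlimann.net.
<signature-placeholder>
"""

def _ts(field):
    # RFC 4034 presentation format: YYYYMMDDHHmmSS, always UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_windows(dig_text):
    """Yield one dict per RRSIG found, tolerating records wrapped over lines."""
    tok = dig_text.split()
    for i, t in enumerate(tok):
        # owner TTL IN RRSIG covered alg labels origttl expire incept tag signer
        if t != "RRSIG" or i < 3 or tok[i - 1] != "IN" or len(tok) < i + 9:
            continue
        try:
            rec = {"owner": tok[i - 3], "covers": tok[i + 1],
                   "expiration": _ts(tok[i + 5]), "inception": _ts(tok[i + 6]),
                   "keytag": int(tok[i + 7])}
        except ValueError:
            continue  # fields are not a presentation-format RRSIG, skip
        yield rec

def check(dig_text, now, warn_hours=48):
    """Return (status, record) pairs: EXPIRED, NOT_YET_VALID, EXPIRING or OK."""
    out = []
    for r in rrsig_windows(dig_text):
        left = (r["expiration"] - now).total_seconds() / 3600
        if left < 0:
            status = "EXPIRED"
        elif now < r["inception"]:
            status = "NOT_YET_VALID"
        elif left < warn_hours:
            status = "EXPIRING"  # signer should have refreshed by now
        else:
            status = "OK"
        out.append((status, r))
    return out

if __name__ == "__main__":
    # Time of the second dig in the mail: 12:03:56 CET = 11:03:56 UTC.
    now = datetime(2014, 3, 4, 11, 3, 56, tzinfo=timezone.utc)
    for status, r in check(SAMPLE, now):
        print(status, r["owner"], r["covers"], "keytag", r["keytag"],
              "expiration", r["expiration"].isoformat())
```

Fed the output of `dig +dnssec <zone> dnskey @<server>` from cron, an EXPIRING result gives notice that the signer has stopped refreshing signatures before validators start rejecting the zone.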