Hi Jerry, I think I have a good clue on what went wrong - just don't know how to prove it... (see below)

> On fre, 2014-05-30 at 16:05 +0200, Gilles Massen wrote:
>> I have an error with a zone, and I'm baffled where it comes from.
>> The auditor (yes, still using it) complains about "Signature
>> failed to cryptographically verify, tag = 54711" for about any
>> signature for a given zone.
>
> If you could share the logs it would help, also if you can get the
> logs with a high verbosity on the Signer.

I'm currently remote with a crap internet connection - so not for the time being. This said, when running with "verbosity 5" the signer worked as expected, at least without an error or warning.

>> I tried ods-signer clear, stopping opendnssec and removing all
>> zone related temp files manually, replacing the entire ods-tree
>> with a known good config from another server - same errors.
>
> What do you mean with "ods-tree" ?

Oh - that's actually related to my install. It's basically configure --prefix=/usr/local/opendnssec : so the main directories are etc/opendnssec and var/opendnssec.

> Have you tried validating the zone with validns? Does it give an
> error also?

Yes, it does. The error was "wrong padding" or "wrong pad length" I think.

>> BTW: opendnssec 1.3.14
>
> Can you upgrade to the latest 1.3 version (1.3.17) and test? Maybe
> on a test platform if you do not want to upgrade production right
> away.

Not immediately. But I will do so as soon as possible.

This said, what I figured out is that one specific key was creating the bad signatures. Our key material is stored in an HSM (Keyper); we have a production HSM (which is fine) and an identical setup (with copies of the keys) as backup. And on the backup the signatures failed. I have no errors in the Keyper's logs, so it really looks as if one specific key was corrupted. All other signatures are fine, so the obvious fix was to roll the keys, and now both systems are fine.

One question that remains: has someone seen this kind of error? Is that something to be expected?

And does OpenDNSSEC have by any chance a rough tool to create a sig with a given key referenced by the kasp.db?

best regards,
Gilles
