<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<STYLE>
BLOCKQUOTE {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 2em
}
OL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
UL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
BODY {
LINE-HEIGHT: 1.5; FONT-FAMILY: 宋体; COLOR: #000080; FONT-SIZE: 10.5pt
}
</STYLE>
<META name=GENERATOR content="MSHTML 8.00.6001.18702"></HEAD>
<BODY style="MARGIN: 10px">
<DIV>>1.</DIV>
<DIV>>I have tried to sign your zone. This one indeed passed your validateZone</DIV>
<DIV>>script:</DIV>
<DIV> </DIV>
<DIV>>ns:630006 630008</DIV>
<DIV>>ds&rrsig:126001 126001 126001</DIV>
<DIV>>a:0 0</DIV>
<DIV>>nsec3&rrsig:126003 126003</DIV>
<DIV> </DIV>
<DIV>>Why is there a difference in ns?</DIV>
<DIV> </DIV>
<DIV>It's weird to see that the signed zone has more NS RRs than the unsigned one;</DIV>
<DIV>in my test it's always the opposite, so the script thinks it's impossible and</DIV>
<DIV>discards this condition.</DIV>
<DIV>if [ "$rawNScount" -gt "$signedNScount" ]<BR>
then<BR>
 echo "$zonename ns count not match"<BR>
 return 1<BR>
fi</DIV>
<DIV> </DIV>
<DIV>>2.</DIV>
<DIV>>Is the unsigned file touched by any means? For example, if you edit the</DIV>
<DIV>>unsigned file during signing, the validateZone script is likely to fail.</DIV>
<DIV>>I created a diff between your signed zone file and mine, and noticed</DIV>
<DIV>>that all delegations from 091911657.test4 to 091911999.test4 are</DIV>
<DIV>>missing. Do they ring any bells?</DIV>
<DIV> </DIV>
<DIV>No, I have not edited the unsigned file. The file is generated by a script which</DIV>
<DIV>loads zone RRs from the database; after that I will call the sign all command to sign.</DIV>
<DIV>During that period no one edits the unsigned file except for the next 10-minute round</DIV>
<DIV>that re-generates the new zone files, but I'm sure that the signing work will get done</DIV>
<DIV>before the next round.</DIV>
<DIV> </DIV>
<DIV>>3.</DIV>
<DIV>>You mentioned that you sign the zone every 10 minutes. Is this the</DIV>
<DIV>>resign value from the policy or are you calling ods-signer sign test4</DIV>
<DIV>>every 10 minutes (cron job?).</DIV>
<DIV> </DIV>
<DIV>The resign value from the policy is 2H; a script calls ods-signer sign --all</DIV>
<DIV>every 10 mins.</DIV>
<DIV> </DIV>
<DIV>Best regards,</DIV>
<DIV>Stuart</DIV>
<DIV>
<DIV><SPAN></SPAN></DIV></DIV>
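<DIV>As an added example (not the validateZoneData.sh script from this thread), a Python version of the same comparison: it counts RRs per type in both files, upper-cases the type names so the lowercase raw file compares with the uppercase signed one, and reports a mismatch in either direction, so the case Matthijs asks about (more NS RRs in the signed zone than in the unsigned one) is reported instead of being skipped. The zone data is constructed, and the set of signer-added types it ignores is an assumption.</DIV>

```python
"""Compare per-type RR counts of an unsigned zone file against its signed copy."""
from collections import Counter

# Assumption: types the signer adds itself; they have no counterpart in the unsigned file.
SIGNER_ADDED = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}

def parse_zone(text):
    """Count RR types in zone text, one RR per line: owner [TTL] [class] TYPE rdata.
    Type names are upper-cased so a lowercase unsigned file compares with an
    uppercase signed one. Assumes no multi-line (parenthesised) records."""
    counts = Counter()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line or line.startswith("$"):     # skip $ORIGIN / $TTL directives
            continue
        for tok in line.split()[1:]:             # [0] is the owner name
            up = tok.upper()
            if up.isdigit() or up in ("IN", "CH", "HS"):
                continue                          # TTL or class, not the type
            counts[up] += 1
            break
    return counts

def compare_zones(unsigned_text, signed_text):
    """Return (type, unsigned_count, signed_count) for every type whose count
    differs, in either direction; the posted check only flagged raw > signed."""
    u, s = parse_zone(unsigned_text), parse_zone(signed_text)
    return [(t, u[t], s[t]) for t in sorted(set(u) | set(s))
            if t not in SIGNER_ADDED and u[t] != s[t]]

# Constructed sample: lowercase unsigned zone; the uppercase signed copy lacks
# the last delegation (NS + DS), like the missing 091911657..091911999 delegations.
UNSIGNED = """\
$ORIGIN test4.
test4.           3600 in soa ns1.test4. hostmaster.test4. 1 7200 3600 1209600 3600
test4.           3600 in ns  ns1.test4.
091911657.test4. 3600 in ns  ns1.091911657.test4.
091911657.test4. 3600 in ds  12345 8 2 0000
091911999.test4. 3600 in ns  ns1.091911999.test4.
091911999.test4. 3600 in ds  12346 8 2 0000
"""
SIGNED = """\
TEST4.           3600 IN SOA NS1.TEST4. HOSTMASTER.TEST4. 2 7200 3600 1209600 3600
TEST4.           3600 IN RRSIG SOA 8 1 3600 20121001000000 20120920000000 1 TEST4. AAAA
TEST4.           3600 IN NS  NS1.TEST4.
TEST4.           3600 IN DNSKEY 257 3 8 AAAA
091911657.TEST4. 3600 IN NS  NS1.091911657.TEST4.
091911657.TEST4. 3600 IN DS  12345 8 2 0000
"""
```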
<DIV
style="BORDER-BOTTOM: medium none; BORDER-LEFT: medium none; PADDING-BOTTOM: 0cm; PADDING-LEFT: 0cm; PADDING-RIGHT: 0cm; BORDER-TOP: #b5c4df 1pt solid; BORDER-RIGHT: medium none; PADDING-TOP: 3pt">
<DIV
style="PADDING-BOTTOM: 8px; PADDING-LEFT: 8px; PADDING-RIGHT: 8px; BACKGROUND: #efefef; COLOR: #000000; FONT-SIZE: 12px; PADDING-TOP: 8px">
<DIV><B>From:</B> <A href="mailto:matthijs@nlnetlabs.nl">Matthijs
Mekking</A></DIV>
<DIV><B>Date:</B> 2012-09-20 20:58</DIV>
<DIV><B>To:</B> <A href="mailto:shuoleo@126.com">shuoleo</A></DIV>
<DIV><B>CC:</B> <A
href="mailto:opendnssec-user@lists.opendnssec.org">opendnssec-user</A></DIV>
<DIV><B>Subject:</B> Re: [Opendnssec-user]Signed zone file loses
RRs</DIV></DIV></DIV>
<DIV>
<DIV>Hi Stuart,</DIV>
<DIV> </DIV>
<DIV>1.</DIV>
<DIV>I have tried to sign your zone. This one indeed passed your validateZone</DIV>
<DIV>script:</DIV>
<DIV> </DIV>
<DIV>ns:630006 630008</DIV>
<DIV>ds&rrsig:126001 126001 126001</DIV>
<DIV>a:0 0</DIV>
<DIV>nsec3&rrsig:126003 126003</DIV>
<DIV> </DIV>
<DIV>Why is there a difference in ns?</DIV>
<DIV> </DIV>
<DIV>2.</DIV>
<DIV>Is the unsigned file touched by any means? For example, if you edit the</DIV>
<DIV>unsigned file during signing, the validateZone script is likely to fail.</DIV>
<DIV>I created a diff between your signed zone file and mine, and noticed</DIV>
<DIV>that all delegations from 091911657.test4 to 091911999.test4 are</DIV>
<DIV>missing. Do they ring any bells?</DIV>
<DIV> </DIV>
<DIV>3.</DIV>
<DIV>You mentioned that you sign the zone every 10 minutes. Is this the</DIV>
<DIV>resign value from the policy or are you calling ods-signer sign test4</DIV>
<DIV>every 10 minutes (cron job?).</DIV>
<DIV> </DIV>
<DIV>Best regards,</DIV>
<DIV> Matthijs</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>On 09/19/2012 08:26 AM, Áõ˶ wrote:</DIV>
<DIV>> Hi Matthijs,</DIV>
<DIV>> </DIV>
<DIV>> I'm using OpenDNSSEC1.3.10 for test purposes, and using &lt;NotifyCommand&gt;</DIV>
<DIV>> with a script to do the work afterwards. And</DIV>
<DIV>> I'm not using Audit, which is not recommended.</DIV>
<DIV>> </DIV>
<DIV>> But I have found out that sometimes the signed and raw zone files' RRs</DIV>
<DIV>> do not match.</DIV>
<DIV>> </DIV>
<DIV>> The attachment called ods_call_by_opendnssec.sh is the script called by</DIV>
<DIV>> &lt;NotifyCommand&gt;, you can see clearly what we</DIV>
<DIV>> do after the signing work ends. When the validation fails, there seems to be</DIV>
<DIV>> nothing we can do to make up for it; I have</DIV>
<DIV>> tried to call 'ods-signer sign %zone' but something weirder occurs:</DIV>
<DIV>> it seems the processes are there, but no output is</DIV>
<DIV>> generated, so I need your opinion.</DIV>
<DIV>> </DIV>
<DIV>> The attachment called validateZoneData.sh is the script used to</DIV>
<DIV>> compare the signed file with the raw one in case it</DIV>
<DIV>> lacks RRs. Our raw zone file is lowercase and the signed zone file is uppercase.</DIV>
<DIV>> </DIV>
<DIV>> The last file is a log generated by ods_call_by_opendnssec.sh, you can</DIV>
<DIV>> see that tld test4's validation failed</DIV>
<DIV>> because the NS RRs do not match the unsigned file.</DIV>
<DIV>> </DIV>
<DIV>> I have found the same problem in OpenDNSSEC1.4.a2 and I would like to</DIV>
<DIV>> help if needed.</DIV>
<DIV>> </DIV>
<DIV>> Thanks.</DIV>
<DIV>> </DIV>
<DIV>> </DIV>
<DIV>> Best regards,</DIV>
<DIV>> Stuart</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV></DIV></BODY></HTML>