<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div><div><span style="background-color: rgba(255, 255, 255, 0);">Hi Yuri,</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">I can confirm that</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">ods-signer clear <a dir="ltr" href="http://voja.de/" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="1">voja.de</a><br>ods-signer sign <a dir="ltr" href="http://voja.de/" x-apple-data-detectors="true" x-apple-data-detectors-type="link" x-apple-data-detectors-result="2">voja.de</a></span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">fixes my problem.</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br></span></div><div><span style="background-color: rgba(255, 255, 255, 0);">The 1.4.6 is the latest available version for Debian Jessie. The 1.4.10 package is available from testing/unstable only. I need to evaluate if I can upgrade the signer VM to Debian testing. Is there anything I need to look for when migrating from 1.4.6 to 1.4.10?</span></div><div><span style="background-color: rgba(255, 255, 255, 0);"><br><br>Regards,<br></span><div><span style="background-color: rgba(255, 255, 255, 0);"> Volker</span></div></div></div><div><br><div><div><br></div></div>On 19.07.2016 at 20:54, Yuri Schaeffer &lt;<a href="mailto:yuri@nlnetlabs.nl">yuri@nlnetlabs.nl</a>&gt; wrote:<br><br></div><blockquote type="cite"><div><span>Hi Volker,</span><br><span></span><br><span>Quite a bit of problems since 1.4.6 have surfaced regarding SOA serial</span><br><span>and XFR (bump-in-wire setups). 
We have worked very hard to resolve those</span><br><span>and the latest result of that is 1.4.10. Please consider upgrading, it</span><br><span>is very likely to fix whatever bug you are facing.</span><br><span></span><br><span>Your message doesn't contain much information so I have no idea why your</span><br><span>new ZSK is producing bad signatures. Hopefully you can repair it by</span><br><span>resigning your zone:</span><br><span></span><br><span>ods-signer clear <a href="http://voja.de">voja.de</a></span><br><span>ods-signer sign <a href="http://voja.de">voja.de</a></span><br><span></span><br><span>///Yuri</span><br><span></span><br><span>On 19-07-16 14:36, Volker Janzen wrote:</span><br><blockquote type="cite"><span>Hi,</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>my monitoring found one zone in OpenDNSSEC that was not properly signed.</span><br></blockquote><blockquote type="cite"><span>It's the domain I'm sending from: <a href="http://voja.de">voja.de</a>.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I found that one of my slaves had a wrong serial for the zone, I forced</span><br></blockquote><blockquote type="cite"><span>him to fetch the current zone, but that does not solve my issue.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I backed up the signed zone file that was broken. dnsviz has the error</span><br></blockquote><blockquote type="cite"><span>in its history. 
This entry is the last that was working:</span><br></blockquote><blockquote type="cite"><span><a href="http://dnsviz.net/d/voja.de/V40wvQ/dnssec/">http://dnsviz.net/d/voja.de/V40wvQ/dnssec/</a></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>As it's an important domain I forced the domain to go insecure at the</span><br></blockquote><blockquote type="cite"><span>registry level, because I already found validating resolvers that are no</span><br></blockquote><blockquote type="cite"><span>longer able to resolve the zone.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>What steps can I do to find out what might have gone wrong?</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I'm running OpenDNSSEC 1.4.6 on Debian Jessie.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Regards,</span><br></blockquote><blockquote type="cite"><span> Volker</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>_______________________________________________</span><br></blockquote><blockquote type="cite"><span>Opendnssec-user mailing list</span><br></blockquote><blockquote type="cite"><span><a href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a></span><br></blockquote><blockquote type="cite"><span><a href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a></span><br></blockquote><span></span><br></div></blockquote></body></html>