[Opendnssec-develop] Signed zone not recognized as signed

Rick Zijlker rick.zijlker at sidn.nl
Thu Dec 17 12:03:42 UTC 2009


Hello all,

After signing the nl zone (NSEC3 opt-in), copying the successfully signed
zone from /var/opendnssec/signed to /var/opendnssec/unsigned and
performing a key rollover, the logging tells me the zone is unsigned. It
is signing now.

At 12:20 I copied the signed zone to the /unsigned directory and after
that I issued the 'ods-control start' command.

You see a new ZSK is generated. During this log I entered the
'ods-ksmutil backup done' command to enable OpenDNSSEC to roll over the
ZSK.

Dec 17 12:36:43 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 17 12:36:43 signer2 ods-enforcerd: Communication Interval: 3600
Dec 17 12:36:43 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 17 12:36:43 signer2 ods-enforcerd: Log User set to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: Switched log facility to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: Connecting to Database...
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Dec 17 12:36:43 signer2 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Dec 17 12:36:43 signer2 ods-enforcerd: Communication Interval: 3600
Dec 17 12:36:43 signer2 ods-enforcerd: Policy default found.
Dec 17 12:36:43 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 17 12:36:43 signer2 ods-enforcerd: Communication Interval: 3600
Dec 17 12:36:43 signer2 ods-enforcerd: Key sharing is Off.
Dec 17 12:36:43 signer2 ods-enforcerd: Log User set to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Dec 17 12:36:43 signer2 ods-enforcerd: Switched log facility to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: Log User set to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: /var/opendnssec/kasp.db.our_lock already locked, sleep
Dec 17 12:36:43 signer2 ods-enforcerd: Switched log facility to: local0
Dec 17 12:36:43 signer2 ods-enforcerd: /var/opendnssec/kasp.db.our_lock already locked, sleep
Dec 17 12:36:43 signer2 ods-enforcerd: Created ZSK size: 1024, alg: 7 with id: 20301656daf649d6fd31739a92a76f17 in repository: luna1 and database.
Dec 17 12:36:43 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Dec 17 12:36:43 signer2 ods-enforcerd: Zone nl found.
Dec 17 12:36:43 signer2 ods-enforcerd: Policy for nl set to default.
Dec 17 12:36:43 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/nl.xml.
Dec 17 12:36:43 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 17 12:36:43 signer2 ods-signerd: Received command: 'update nl'
Dec 17 12:36:43 signer2 ods-signerd: Scheduling task to sign zone nl at 1261047772.03 with resign time 7200
Dec 17 12:36:43 signer2 ods-enforcerd: Could not call signer engine
Dec 17 12:36:43 signer2 ods-enforcerd: Will continue: call 'ods-signer update' to manually update zones
Dec 17 12:36:43 signer2 ods-enforcerd: Disconnecting from Database...
Dec 17 12:36:43 signer2 ods-signerd: Client socket shut down
Dec 17 12:36:43 signer2 ods-enforcerd: Sleeping for 3600 seconds.
Dec 17 12:36:43 signer2 ods-signerd: Zone action to perform: 3
Dec 17 12:36:43 signer2 ods-signerd: Resorting signed zone: nl
Dec 17 12:36:53 signer2 ods-enforcerd: Connecting to Database...
Dec 17 12:36:53 signer2 ods-enforcerd: Policy default found.
Dec 17 12:36:53 signer2 ods-enforcerd: Key sharing is Off.
Dec 17 12:36:53 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Dec 17 12:36:53 signer2 ods-enforcerd: Zone nl found.
Dec 17 12:36:53 signer2 ods-enforcerd: Policy for nl set to default.
Dec 17 12:36:53 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/nl.xml.
Dec 17 12:36:53 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 17 12:36:53 signer2 ods-enforcerd: /var/opendnssec/kasp.db.our_lock already locked, sleep
Dec 17 12:36:53 signer2 ods-enforcerd: No change to: /var/opendnssec/signconf/nl.xml
Dec 17 12:36:53 signer2 ods-enforcerd: Disconnecting from Database...
Dec 17 12:36:53 signer2 ods-enforcerd: Sleeping for 3600 seconds.
Dec 17 12:37:03 signer2 ods-enforcerd: Connecting to Database...
Dec 17 12:37:03 signer2 ods-enforcerd: Policy default found.
Dec 17 12:37:03 signer2 ods-enforcerd: Key sharing is Off.
Dec 17 12:37:03 signer2 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Dec 17 12:37:03 signer2 ods-enforcerd: Zone nl found.
Dec 17 12:37:03 signer2 ods-enforcerd: Policy for nl set to default.
Dec 17 12:37:03 signer2 ods-enforcerd: Config will be output to /var/opendnssec/signconf/nl.xml.
Dec 17 12:37:03 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 17 12:37:03 signer2 ods-enforcerd: No change to: /var/opendnssec/signconf/nl.xml
Dec 17 12:37:03 signer2 ods-enforcerd: Disconnecting from Database...
Dec 17 12:37:03 signer2 ods-enforcerd: Sleeping for 3600 seconds.
Dec 17 12:44:21 signer2 ods-signerd: stderr from sorter: Number of records sorted: 8421033
Dec 17 12:44:21 signer2 ods-signerd: Preprocessing signed zone: nl
Dec 17 12:44:21 signer2 ods-signerd: No signed zone yet
Dec 17 12:44:21 signer2 ods-signerd: Sorting zone: nl

Is there anything else I should do to let OpenDNSSEC know it's a signed
zone? Or did something not go as intended here?

This is my keylist prior to the rollover:

Keys:
Zone  Keytype  State   Date of next transition  CKA_ID                            Repository  Keytag
nl    KSK      active  2010-12-15 16:57:12      40526f58ceda729b8e20dcb8fa78b5d9  softHSM     27996
nl    KSK      ready   next rollover            a60e3a9d993ec0baf2b58aae8cd2332c  softHSM     59425
nl    ZSK      retire  2009-12-23 20:05:22      e1edaee7a2e4a5753e9e0b7ec699d2fb  softHSM     22607
nl    ZSK      retire  2009-12-23 23:19:16      f32c8e8b144a01f7d23cba89b0cb94c1  softHSM     18500
nl    ZSK      retire  2009-12-24 13:21:05      9ec98215a1ea0e6c22531299cac5f34a  luna1       5135
nl    ZSK      active  2010-01-16 00:21:05      e0cb42739b2b9cc7cd62244753604bd0  luna1       25322
nl    ZSK      ready   next rollover            cb700dd8b460928c1cf89c29ed8a6e87  luna1       2723

This is my /tmp dir:

drwxr-xr-x 2 root root       4096 Dec 17 10:44 .
drwxr-xr-x 6 root root       4096 Dec 17 12:37 ..
-rw-r--r-- 1 root root  802188537 Dec 17 01:17 nl.nsecced
-rw-r--r-- 1 root root   39798162 Dec 17 13:00 nl.processed
-rw-r--r-- 1 root root         10 Dec 17 04:33 nl.serial
-rw-r--r-- 1 root root 1861768988 Dec 17 04:30 nl.signed
-rw-r--r-- 1 root root  395836542 Dec 17 12:44 nl.signed.sorted
-rw-r--r-- 1 root root  396952583 Dec 17 12:51 nl.sorted
-rw-r--r-- 1 root root 1861567228 Dec 17 12:44 nl.unsorted

Cheers,

Rick
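A small log check, added here as an example and not part of Rick's post or of OpenDNSSEC itself: it parses ods-enforcerd/ods-signerd syslog lines in the layout quoted above (a constructed sample, with the mail's wrapped lines rejoined), reports the repeating RequireBackup error together with the repository whose new ZSK still has to be marked with 'ods-ksmutil backup done', and flags the signer's "No signed zone yet" message. The line layout and message strings are assumed from the quoted output.

```python
import re

# Constructed sample, condensed from the log lines quoted in the post
# (one line per event; the wrapped lines in the mail are rejoined here).
SAMPLE_LOG = """\
Dec 17 12:36:43 signer2 ods-enforcerd: Created ZSK size: 1024, alg: 7 with id: 20301656daf649d6fd31739a92a76f17 in repository: luna1 and database.
Dec 17 12:36:43 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 17 12:36:43 signer2 ods-enforcerd: Could not call signer engine
Dec 17 12:36:53 signer2 ods-enforcerd: ERROR: Trying to make non-backed up ZSK active when RequireBackup flag is set
Dec 17 12:44:21 signer2 ods-signerd: Preprocessing signed zone: nl
Dec 17 12:44:21 signer2 ods-signerd: No signed zone yet
"""

# syslog layout seen in the post: "Mon DD HH:MM:SS host daemon: message"
LINE_RE = re.compile(r"^\w{3}\s+\d+\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+"
                     r"(?P<daemon>ods-\w+):\s+(?P<msg>.*)$")
CREATED_RE = re.compile(r"Created (?P<type>[KZ]SK) size: \d+, alg: \d+ "
                        r"with id: (?P<id>[0-9a-f]+) in repository: (?P<repo>\S+)")
BACKUP_ERR = "Trying to make non-backed up ZSK active when RequireBackup flag is set"

def analyse(log_text):
    """Summarise key-backup and signer state from OpenDNSSEC syslog lines."""
    created, backup_errors, no_signed_zone = [], [], False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                       # not an ods-* daemon line
        msg = m["msg"]
        c = CREATED_RE.search(msg)
        if c:                              # a key the enforcer generated in an HSM
            created.append({"type": c["type"], "id": c["id"], "repo": c["repo"]})
        if BACKUP_ERR in msg:              # one hit per enforcer cycle
            backup_errors.append(m["time"])
        if m["daemon"] == "ods-signerd" and msg == "No signed zone yet":
            no_signed_zone = True
    findings = []
    if backup_errors:
        repos = sorted({k["repo"] for k in created if k["type"] == "ZSK"})
        findings.append(f"ZSK rollover blocked: RequireBackup is set and the new ZSK "
                        f"is not marked as backed up ({len(backup_errors)} enforcer "
                        f"cycles); run 'ods-ksmutil backup done' for "
                        f"{', '.join(repos) or 'the key repository'}")
    if no_signed_zone:
        findings.append("ods-signerd reported 'No signed zone yet': it is not reusing "
                        "any earlier signed output for this zone")
    return {"created": created, "backup_errors": len(backup_errors),
            "no_signed_zone": no_signed_zone, "findings": findings}
```

Feed it the real syslog text (after rejoining wrapped lines) and act on the findings list; the assumed message strings are the ones quoted in the post.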
