[Opendnssec-develop] Problem with signing
Rick Zijlker
rick.zijlker at sidn.nl
Fri Oct 23 08:46:59 UTC 2009
Hey,

(First of all, I think we should decide where I should send these kinds
of issues in the upcoming teleconf.)

I am having trouble signing my own created zone. At first it seemed
creation in notepad (copy/paste) resulted in tabs and nonbreakable
spaces, but when opening it with vi and removing strange marks it looks
like the zone is signed, though it didn't get into
/var/opendnssec/signed/. I do see a signed zone in
/var/opendnssec/tmp. It looks like the auditor fails to approve the zone
after signing.

This is the log:
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Received command: 'sign rick.nl'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Scheduling task to sign zone
rick.nl at 1256222026.15 with resign time 7200
Oct 23 10:17:18 OpenDNSSEC ods-signerd: acquire cond
Oct 23 10:17:18 OpenDNSSEC ods-signerd: notify
Oct 23 10:17:18 OpenDNSSEC ods-signerd: release cond
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Releasing lock on engine
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Sending response: Zone scheduled
for immediate resign
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Done handling command
Oct 23 10:17:18 OpenDNSSEC ods-signerd: worker 6 acquiring lock
Oct 23 10:17:18 OpenDNSSEC ods-signerd: worker 6 acquired lock
Oct 23 10:17:18 OpenDNSSEC ods-signerd: worker 6 released lock
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Got task for worker 6
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Worker 6 run task
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Zone action to perform: 4
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command:
'/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/get_serial -f
/var/opendnssec/signed/rick.nl'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Connection closed by peer
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Warning: get_serial returned 1
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command:
'/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/get_serial -f
/var/opendnssec/unsigned/rick.nl'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Sorting zone: rick.nl
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command:
'/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/sorter -o rick.nl -f
/var/opendnssec/unsigned/rick.nl -w /var/opendnssec/tmp/rick.nl.sorted'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Done sorting
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Preprocessing zone: rick.nl
Oct 23 10:17:18 OpenDNSSEC ods-signerd: No information yet for key
2c304446329cfc61d44347a6190237da
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Generating DNSKEY RR for
2c304446329cfc61d44347a6190237da
Oct 23 10:17:18 OpenDNSSEC ods-signerd: create_dnskey status: 0
Oct 23 10:17:18 OpenDNSSEC ods-signerd: equality: True
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Found key
2c304446329cfc61d44347a6190237da
Oct 23 10:17:18 OpenDNSSEC ods-signerd: No information yet for key
3e0819dacb6ca862c203d9bae2af72e7
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Generating DNSKEY RR for
3e0819dacb6ca862c203d9bae2af72e7
Oct 23 10:17:18 OpenDNSSEC ods-signerd: create_dnskey status: 0
Oct 23 10:17:18 OpenDNSSEC ods-signerd: equality: True
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Found key
3e0819dacb6ca862c203d9bae2af72e7
Oct 23 10:17:18 OpenDNSSEC ods-signerd: No information yet for key
e5f3d02beeffebfba63a936f5b398827
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Generating DNSKEY RR for
e5f3d02beeffebfba63a936f5b398827
Oct 23 10:17:18 OpenDNSSEC ods-signerd: create_dnskey status: 0
Oct 23 10:17:18 OpenDNSSEC ods-signerd: equality: True
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Found key
e5f3d02beeffebfba63a936f5b398827
Oct 23 10:17:18 OpenDNSSEC ods-signerd: No information yet for key
4317bef176ad00d35678f379139bd7be
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Generating DNSKEY RR for
4317bef176ad00d35678f379139bd7be
Oct 23 10:17:18 OpenDNSSEC ods-signerd: create_dnskey status: 0
Oct 23 10:17:18 OpenDNSSEC ods-signerd: equality: True
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Found key
4317bef176ad00d35678f379139bd7be
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command:
'/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/zone_reader -o rick.nl
-w /var/opendnssec/tmp/rick.nl.processed -n -t 5 -a 1 -s
966bdb757dda3254'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Writing file to zone_reader:
/var/opendnssec/tmp/rick.nl.sorted
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Done preprocessing
Oct 23 10:17:18 OpenDNSSEC ods-signerd: NSEC(3)ing zone: rick.nl
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command:
'/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/nsec3er -o rick.nl -t
5 -a 1 -i /var/opendnssec/tmp/rick.nl.processed -w
/var/opendnssec/tmp/rick.nl.nsecced -m 3600 -s 966bdb757dda3254 -p'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: stderr from nseccer: nsec3er: 2
NSEC3 records generated within a second
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command:
'/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/signer -c
/etc/opendnssec/conf.xml -p /var/opendnssec/tmp/rick.nl.signed -w
/var/opendnssec/tmp/rick.nl.signed2 -r'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp:
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :origin rick.nl
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :soa_ttl 3600
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :soa_minimum 3600
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Run command:
'/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/get_serial -f
/var/opendnssec/signed/rick.nl'
Oct 23 10:17:18 OpenDNSSEC ods-signerd: Warning: get_serial returned 1
Oct 23 10:17:18 OpenDNSSEC ods-signerd: set serial to 1256285838
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :expiration
20091030081718
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp:
:expiration_denial 20091030081718
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :jitter 43200
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :inception
20091023081218
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :refresh
20091027081718
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :refresh_denial
20091027081718
Oct 23 10:17:18 OpenDNSSEC ods-signerd: use signature key:
2c304446329cfc61d44347a6190237da
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :add_ksk
2c304446329cfc61d44347a6190237da 7 257
Oct 23 10:17:18 OpenDNSSEC ods-signerd: use signature key:
e5f3d02beeffebfba63a936f5b398827
Oct 23 10:17:18 OpenDNSSEC ods-signerd: write to subp: :add_zsk
e5f3d02beeffebfba63a936f5b398827 7 256
Oct 23 10:17:19 OpenDNSSEC ods-signerd: signer stderr: Warning: unable
to open /var/opendnssec/tmp/rick.nl.signed: No such file or directory,
performing full zone sign
Oct 23 10:17:19 OpenDNSSEC ods-signerd: signer stderr: signer: number of
signatures created: 8 (8 rr/sec)
Oct 23 10:17:19 OpenDNSSEC ods-signerd: Created 8 new signatures
Oct 23 10:17:19 OpenDNSSEC ods-signerd: Run command:
'/home/rick/opendnssec-1.0.0b3/libexec/opendnssec/finalizer -f
/var/opendnssec/tmp/rick.nl.signed'
Oct 23 10:17:19 OpenDNSSEC ods-signerd: Running auditor on zone
Oct 23 10:17:19 OpenDNSSEC ods-signerd: Run command:
'/home/rick/opendnssec-1.0.0b3/bin/ods-auditor -c
/etc/opendnssec/conf.xml -s /var/opendnssec/tmp/rick.nl.finalized -z
rick.nl'
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: SOA differs : from
2002022401 to 1256285838
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Auditing rick.nl zone :
NSEC3 SIGNED
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: non-DNSSEC RRSet MX
included in Output that was not present in Input :
rick.nl.^I3600^IIN^IMX^I10 mail.another.nl
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: non-DNSSEC RRSet NS
included in Output that was not present in Input :
rick.nl.^I3600^IIN^INS^Ins1.rick.nl
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: non-DNSSEC RRSet NS
included in Output that was not present in Input :
rick.nl.^I3600^IIN^INS^Ins2.smokeyjoe.nl
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Output zone does not
contain non-DNSSEC RRSet : MX, IN.rick.nl.^I3600^IIN^IMX^I10
mail.another.nl
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Output zone does not
contain non-DNSSEC RRSet : NS, IN.rick.nl.^I3600^IIN^INS^Ins1.rick.nl
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Output zone does not
contain non-DNSSEC RRSet : NS,
IN.rick.nl.^I3600^IIN^INS^Ins2.smokeyjoe.nl
Oct 23 10:17:19 OpenDNSSEC ods-auditor[25215]: Finished auditing rick.nl
zone
Oct 23 10:17:19 OpenDNSSEC ods-signerd: Auditor result: 3
Oct 23 10:17:19 OpenDNSSEC ods-signerd: worker 6 acquiring lock
Oct 23 10:17:19 OpenDNSSEC ods-signerd: worker 6 acquired lock
Oct 23 10:17:19 OpenDNSSEC ods-signerd: no task for worker 6, sleep for
7199.10040998
Oct 23 10:17:19 OpenDNSSEC ods-signerd: worker 6 released lock by going
to wait (for ttime)
It looks like the auditor is still seeing those "unbreakable
spaces/tabs", but it did get signed in the tmp directory:
rick.nl. 3600 IN NS ns1.rick.nl.
rick.nl. 3600 IN NS ns2.smokeyjoe.nl.
rick.nl. 3600 IN RRSIG NS 7 2 3600 20091030194701
20091023081218 27705 rick.nl.
eQiIdpoxOID2BXS+Xu0jWahVmNs0hv3MNByswPtlGWM2giM2vXUwRharE2IVk2m0hjwQg1On
kdnJadaOBrWu
HjZxKgeyjoKpm0goVtnCGIn0PROhISDsEDCo33rJ8M1QSsnchMdKIvqj7kTMJRJx0NGfTPiP
mqiAhK+WrvoAzL8= ;{id = 27705}
rick.nl. 3600 IN SOA ns1.rick.nl. testing.sidn.nl.
1256285838 10800 15 604800 3600
rick.nl. 3600 IN RRSIG SOA 7 2 3600 20091030185204
20091023081218 27705 rick.nl.
WMibcrk9lSPnBVRC6gnfGozqGJsnLm9GNQmW8rfY0aH/11Xj8fUNiiqBakWAybqVBjemsV+L
BOz7CzwIr9I
ArlfComR71dfgsp98EF3DXH7gwrp/Vllm7LuDaGRfQwzjeWN28ZWOfHenE4WcCLrVFwoOFbr
bQalSwELyT8giwO0= ;{id = 27705}
rick.nl. 3600 IN MX 10 mail.another.nl.
rick.nl. 3600 IN RRSIG MX 7 2 3600 20091030091015
20091023081218 27705 rick.nl.
jjeOA5048MnjinIx6tZ+GLYbC5KAX1+Sbr0RCVcLIrhxzvweq9Lvb7RfO0lXfKp6WNdeL9cb
pftvXgmhTqiw
5PJM9W6aNyBFbBQkxg4j4frbgm/12RALgjQICWwai23BZoc/zWspjXqTIU5Y3FA5MlTd97pw
i0sINsUIUiBQ1ZY= ;{id = 27705}
rick.nl. 3600 IN DNSKEY 256 3 7
AwEAAcN9OF8aaiCh2NfFARLR/DxMDub3uOYUUztWK5NCbOTVCfTksSQt9rPa3qBL4xb2JJAt
IjDNRaG488MX6zHf4VwlaRUmgxVYjdhJc3PfHj9wrTjHXfQSDHkOF7CSDy8yC
H24nJuvUbWEvSrMiD0cjDNAwz0UNW8y70eEeviWsBdN ;{id = 13785 (zsk), size =
1024b}
rick.nl. 3600 IN DNSKEY 256 3 7
AwEAAcXPdaCJluJEwT3S8zngMpyfFP6+JXcnDrvtsc+NmyUiXWgN+ogzgtQqmVWqFIAmoMjy
xqjCQ5/rN7xXT493datGVZZHC/wPuJPOKewb15kUZqafVwaIo7TvnsvdLKUkt
aQOegAtDKAypoxcO9hdLmxZl3pq7kgqEQfNK0Fmile9 ;{id = 27705 (zsk), size =
1024b}
rick.nl. 3600 IN DNSKEY 257 3 7
AwEAAcQb6HcoPFuIv8Y+SoBeFiZOScraHpfjPNP0IN3RQCtbMZRr9hx53KY6wFkDRlt8NDfc
8DyTN2szESFD+JdKl48eTyesfr6EkZeKJL66VK1BVLGQXuLPl93YI7SlULLf9
ywnvnfvTZm3IptxHdkMFMQpKO4scyAHBR6znxAyth/sv1d+HXm/hRW3CCHE1mtNzkDph7SJQ
duvvvLvf1orX25u2m97Jt17L4n/TyyCokCJMbNWRv9/KeyivkQGRubYZ4Blqupp410TrW9IS
lqA+zFFOLwcIfxqMxI/LkGnaFfeYAF6qO4Tga
RiTvTe4gDQiHsjdOcIU+tk7XIgWA01r+M= ;{id = 16924 (ksk), size = 2048b}
rick.nl. 3600 IN DNSKEY 257 3 7
AwEAAeAJE+WLsnpbFqn0W7ibmN/zdYNZIbOM+yQrhYKNCpeZDlmszF91V43gJceqiQEUGd++
WOpw6WRIYmomiCdeONaiDmfcqMqf9UXDspvvNFEm7mmQDD5nKJOwuNdnSr/gC
ldtobDKDDHxox/arCE2orRU2j3Vj75RLfb55P5/xSrpiK7WCCm3Qc1O7z/Hjh1MktcYYQm+n
Gahb33gRpO8x/Ggg5XFQmTH05nSghX4EW0NFYCinzr3+EqpocXu/kHC/kGO0/52ApqoGUFUx
I8abx09xn7OioNlwREjFN59u3qCrQmZKxMAeT
IbtbioUUOS7ElYZ0pH/xTy0KxNnuMKZAU= ;{id = 51688 (ksk), size = 2048b}
rick.nl. 3600 IN RRSIG DNSKEY 7 2 3600 20091030161913
20091023081218 51688 rick.nl.
vVsxCOHP/lXXK8fgg7W2iu9Op7vmAPVCDhC6Wa0PFEBefdPg1/qQgPqawbZHhz21+gpa+PaP
YYjLN2Nl
nO9YTrmK56KFoLy3PQyLs7yoTO1yJplgv6Tf2W+NWchGyLfpYebVT1oIrqgZYM0uWdhyQhvc
5qwz+byqz5628L7YahcPoPzpT7tZiBWe3rzDLa6YhZeW1Xy1Wb3mgjtd8+K6hqmboX8/KPsb
7Gi7VFR7YitxyX0WUC56hsL0+4FRxk+VGX19m
q3ggKuoiqf/HikAM80xUmS2Yl9fIk055seZ6of7lqT8X4tz3b1wPRZzOItG/rWAJkaf515bp
Jrd9sIPBA== ;{id = 51688}
rick.nl. 3600 IN NSEC3PARAM 1 0 5 966bdb757dda3254
rick.nl. 3600 IN RRSIG NSEC3PARAM 7 2 3600
20091030110711 20091023081218 27705 rick.nl.
A+zexK2G5SvdryBlbNPjGTHCxkZ5boC4SxV4Dd6QjSAGFT9Z+6TCXrL2bbGCID5plTG1me7b
9R9j
ew77v5Z7wsUa8yD2FQZvELNXiIdy2lFIwkOZsGOxuWVsqa4BiEbev0l8prgrbZZA8W1v/h+A
PV6OU1CylQ4/QxB003OqSvg= ;{id = 27705}
11eqbeh2s0vuilhit39dlbbsjo0v2hsi.rick.nl. 3600 IN NSEC3
1 1 5 966bdb757dda3254 j2cg9d4i1bppja2qffn1qp5ndv64hvpa NS SOA MX RRSIG
DNSKEY NSEC3PARAM ; flags: optout
11eqbeh2s0vuilhit39dlbbsjo0v2hsi.rick.nl. 3600 IN RRSIG
NSEC3 7 3 3600 20091030121613 20091023081218 27705 rick.nl.
CXsJKFty2SEnmLgvSpj0aWiPFk1PUPieA/8UzqEFD7Z/3YFjM
OnuAhGDjhuSShIHlBtf+736EXFcxF6PBEYftSPXaqUUkPxIei/BHfbpP/HIqULrw+viNcDg3
0zqyJ28GlWP1e8a28gVdP/5Lupgjk3N6QLlLCRkUSBWNIsw9F8= ;{id = 27705}
www.rick.nl. 3600 IN A 192.168.0.2
www.rick.nl. 3600 IN RRSIG A 7 3 3600 20091030082704
20091023081218 27705 rick.nl.
uIKQ0BMPqRzBFXDqIoKyXKf8mMeTenPPXWgqz4WRhXdsXu95rP2+aZeiXXPl2FoVqu0cqTLs
Q//TKr6/U7uET
tjbM56V6AH468MCYSGTf1KVcKAKSV5pzivu+oAcPEgZJxuts8dSl2Q1Rgq3BSw41QnCpxnyA
3kN/TtNXQmBe8Q= ;{id = 27705}
j2cg9d4i1bppja2qffn1qp5ndv64hvpa.rick.nl. 3600 IN NSEC3
1 1 5 966bdb757dda3254 11eqbeh2s0vuilhit39dlbbsjo0v2hsi A RRSIG ;
flags: optout
j2cg9d4i1bppja2qffn1qp5ndv64hvpa.rick.nl. 3600 IN RRSIG
NSEC3 7 3 3600 20091030190530 20091023081218 27705 rick.nl.
sjTlrI5xL0xJAJsxn+pT0PleMIZ4/aH9WfVNR+66AOQJMYtOO
7otlMX3sjTQEI+ffxVTxoocXxozUAQ+X0dikUhsn0gSQ16kDusnqAWg80+PBp0ZqmkRXgKLu
ruk2G949ssJS4aQ52nZl1JzFiP3GT6Se0FJSkqTLykGnbawepw= ;{id = 27705}
; Last refresh stats: existing: 0, removed 0, created 8
Although this signed zone doesn't seem right to me. Haven't checked it
right now. I feel like there are missing entries.
Cheers,
Rick
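
Added example, not part of the original post and not OpenDNSSEC code: a small Python check that lists invisible or look-alike whitespace (non-breaking spaces, carriage returns, BOMs) in an unsigned zone file before it is handed to the signer. The function names and the sample zone are constructed for illustration; the Latin-1 fallback assumes the file may have been saved by Notepad in a single-byte encoding.

```python
import unicodedata

# Whitespace/control characters a zone file is expected to contain.
ALLOWED_CONTROL = {"\t", "\n"}

# Constructed sample: line 4 carries a non-breaking space and a CRLF ending.
SAMPLE_ZONE = (
    "$ORIGIN rick.nl.\n"
    "$TTL 3600\n"
    "@\tIN\tNS\tns1.rick.nl.\n"
    "@\tIN\u00a0MX\t10 mail.another.nl.\r\n"
    "www\tIN\tA\t192.168.0.2\n"
)


def suspicious_chars(zone_text):
    """Return (line, column, 'U+XXXX', name) for each character that is
    invisible or space-like but is not a plain ASCII space, tab or newline."""
    findings = []
    for lineno, line in enumerate(zone_text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            cat = unicodedata.category(ch)
            odd_space = cat == "Zs" and ch != " "  # NBSP, en space, ...
            odd_ctrl = cat in ("Cc", "Cf") and ch not in ALLOWED_CONTROL
            if odd_space or odd_ctrl:  # odd_ctrl covers CR, BOM, zero-width
                name = unicodedata.name(ch, "CONTROL")
                findings.append((lineno, col, "U+%04X" % ord(ch), name))
    return findings


def scan_file(path):
    """Scan a zone file on disk. Bytes that are not valid UTF-8 are read as
    Latin-1, so a lone 0xA0 byte is still reported as U+00A0."""
    with open(path, "rb") as handle:
        raw = handle.read()
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        text = raw.decode("latin-1")
    return suspicious_chars(text)


if __name__ == "__main__":
    for lineno, col, codepoint, name in suspicious_chars(SAMPLE_ZONE):
        print("line %d col %d: %s %s" % (lineno, col, codepoint, name))
```

An empty result means the file contains only ASCII spaces, tabs and newlines as whitespace; it does not validate the records themselves.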