[Opendnssec-develop] Re: [OpenDNSSEC] #71: Auditor blocks domain signing entirely

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Jan 6 13:06:04 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rick,

Rick van Rein wrote:
> Hi,
> 
>>  Works for me:
>>
>>  I let one zone constantly fail, the others end up in the signed directory
> 
> Are you talking about freshly added domains, or previously existing ones?

I started from scratch. I did not try to add new domains later on.

> I'm trying to think what was different in my case.  Could the following
> perhaps be an explanation?
> 
> I may have been adding more domains than I had keys ready.  (Not sure how
> that works exactly, we only have howto documentation online.)
> 
> A zone was signed with the last keys available.  It had a problem and so
> failed to pass through to the signed state.
> 
> The lack of further keys blocked the additional domains until more keys
> were made available.

Could be. Doesn't the log say why zones failed signing? Could you
provide the logs?

> If that sort of thing can happen, it's an understandable explanation
> to me.  Otherwise, I might try adding yet another bunch of domains, with
> a "IN CNAME @" record in the first.

I don't think you can have an @ at the right side of a CNAME, correct me
if I'm wrong.


Matthijs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJLRIq6AAoJEA8yVCPsQCW5gsIH/iErD4z9vUIk1tpiK1DCKE1l
E8RvoAq45vzxX5hCy1ZGIcZ/TsSofuKWvJcc2znU+fFAbP28E4wwEz0Xie9hKYrz
ZpXQy/OP9tNuMXWa3NtaaNucddyqF6+6hlCzvfqXNBsa/5l2SQD94TKhHU2UIzHR
PKxZWPzzpuKh2jQbgBPz3SmNWyyP0szulJJi72ejefZUv7FARaAxIYgltzT6zEpM
QdXCdWZm/qiKdHnTKr5xJXFrJfU3tlWsUN77v9cSVj6umYCy/wT2m0SQValuXA1Z
cr/STGcMjBmv7CnTl0ClhiadgNO1PuEFNKLDPxDBN4oThfweqX1Ms3aAhw/yuJU=
=C0gy
-----END PGP SIGNATURE-----



More information about the Opendnssec-develop mailing list