[Opendnssec-develop] Re: [OpenDNSSEC] #71: Auditor blocks domain signing entirely
Matthijs Mekking
matthijs at NLnetLabs.nl
Wed Jan 6 13:06:04 UTC 2010
Hi Rick,

Rick van Rein wrote:
> Hi,
>
>> Works for me:
>>
>> I let one zone constantly fail, the others end up in the signed directory
>
> Are you talking about freshly added domains, or previously existing ones?

I started from scratch. I did not try to add new domains later on.

> I'm trying to think what was different in my case. Could the following
> perhaps be an explanation?
>
> I may have been adding more domains than I had keys ready. (Not sure how
> that works exactly, we only have howto documentation online.)
>
> A zone was signed with the last keys available. It had a problem and so
> failed to pass through to the signed state.
>
> The lack of further keys blocked the additional domains until more keys
> were made available.

Could be. Doesn't the log say why zones failed signing? Could you
provide the logs?

> If that sort of thing can happen, it's an understandable explanation
> to me. Otherwise, I might try adding yet another bunch of domains, with
> a "IN CNAME @" record in the first.

I don't think you can have an @ at the right side of a CNAME, correct me
if I'm wrong.

Matthijs