[Opendnssec-develop] Serial too large

Rick Zijlker rick.zijlker at sidn.nl
Wed Jun 2 11:45:22 UTC 2010


> The output serial is too large if it is equal or larger than the input
> serial.

This has never happened before when resigning with an equal serial. Many tests exist of resigning the exact same zonefile. I expected the first message (serial not increased) but not the second message (serial too long). In between these 2 resigns nothing was changed in the zone or config. I would expect the first message (serial not increased) to continue showing on every resign.

In my opinion, at key rollover when the serial is set to 'keep', the zone should actually still be signed since the keys change, which means you need to resign the same zone, even when it has the same zone serial. Some zones don't change for years but they do get rollovers.

Cheers,
Rick


-----Original Message-----
From: Matthijs Mekking [mailto:matthijs at NLnetLabs.nl] 
Sent: Tuesday, June 01, 2010 2:33 PM
To: Rick Zijlker
Cc: Opendnssec-develop at lists.opendnssec.org
Subject: Re: [Opendnssec-develop] Serial too large

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rick,

I wrote my comments in between lines....

Rick Zijlker wrote:
> Hey,
> 
> When resigning a zone which has a serial of 1000 and policy for the
> serial is “keep”, and the zone still has that same serial, I get the
> following message:
> 
> Jun  1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000,
> output serial 1000 is too large. Aborting operation
> 
> How can an output serial be too large? On a sidenote, the zone was about
> to get a KSK rollover.

The output serial is too large if it is equal or larger than the input
serial.

However, if you are in a key rollover it will also look at the input
serial. Thus if you do not increase the serial value in the input file,
the key rollover will not be picked up by the signer (in the case of
serial keep). I am not sure if this is desired behavior.

Should we increase the serial when doing a rollover, even if the serial
is set to keep?

> At earlier signing I got this message which is correct and expected:
> 
> Jun  1 11:12:11 signer1 ods-signerd: Error: serial setting is set to
> 'keep', but input serial has not increased. Aborting sign operation for ods

This message can appear when the actual signing is going on
(adding/updating RRSIG records). If you, for example, re-sign every hour
but don't update the serial in the input file in the meantime, you'll
see this error.

The other, previous message you'll see when you need to sort the zone,
because of a change in the signer configuration or a change in the input
file.

Best regards,

Matthijs

> Full log:
> 
> Jun  1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at
> 1275384134.71 with resign time 180
> 
> Jun  1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at
> 1275384134.71 with resign time 180
> 
> Jun  1 11:22:14 signer1 ods-signerd: Zone ods added
> 
> Jun  1 11:22:14 signer1 ods-signerd: opening socket:
> /var/run/opendnssec/engine.sock
> 
> Jun  1 11:22:14 signer1 ods-signerd: Engine running
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer starting...
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer Parent exiting...
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer forked OK...
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer started
> (version 1.1.0rc3), pid 13521
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: HSM opened successfully.
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Reading config
> "/etc/opendnssec/conf.xml"
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Reading config schema
> "/usr/local/share/opendnssec/conf.rng"
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Communication Interval: 1800
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: No DS Submit command supplied
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: SQLite database set to:
> /var/opendnssec/kasp.db
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Log User set to: local0
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Switched log facility to: local0
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Connecting to Database...
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Policy default found.
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Key sharing is Off.
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Policy gradual1 found.
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Key sharing is Off.
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: zonelist filename set to
> /etc/opendnssec/zonelist.xml.
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Zone ods found.
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Policy for ods set to gradual1.
> 
> Jun  1 11:22:14 signer1 ods-enforcerd: Config will be output to
> /var/opendnssec/signconf/ods.xml.
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: INFO: New DS records needed for
> the zone ods; details will follow
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: WARNING: KSK Retirement reached;
> please submit the new DS for ods and use ods-ksmutil key ksk-roll to
> roll the key.
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: No change to:
> /var/opendnssec/signconf/ods.xml
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: DSChanged
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: DS Record set has changed, the
> current set looks like:
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: ods.     3600    IN      DNSKEY 
> 257 3 7
> AwEAAdipHfA+phxY3scDd7Go/ncAJm1WDfarQAz2jjmCFgSlG9SHvDzxpXIlO/ThDMU+IXC/LRyW9tMhedDA/ZKJ9fHjd+0MCa66o7SMSS4/ATozbzLwy/ENaFjtb6jAho3w/R9MPwajiKZQ2XtXO8DwjdglFklDHJKSbXeleaMRfDLzPRpx4DZxnE1sMgTSh2j707MrCm8vjZcrZDbR53vQfHztu/VHD9vv29ji426NYg5wqC1toUUHMMBCR70jZ1KO15Ubkpwf/FXRySxCuiZuO5KUpUWYWxh342l4ZGUwsLQ+fWZ04rhwAplXrvxRrq5NEMif9csFdZJyxxibOOGWlCE=
> ;{id = 45856 (ksk), size = 2048b}
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: ods.     3600    IN      DNSKEY 
> 257 3 7
> AwEAAcNcbkEd+NhwfWk0WgVuUWJyfgBWLMwSF5ZRHD+9Sru5kRkKNXDl7IMpdiSjp/wSCFWjr2IR5/KMZe0Cf4laV63I8sJy6OWRpCF/Kk8EuDaE1T0MOP6GQkif9Fn+JUzwz/SESAMv/knY5+xwwGm4cMNuS8egmlsmUuNqnw3PqChJbLKKpDbzzBI5P98KY51kbVIdfLqMkf8X8B3y/5rc8xmBc0xhTY4ZbpP2dgm65dFeK8lCOF1FSSWwItc2qRT2jdG/60226CufjXnEeS7oChFKF0cP46ZXFRql6/3qOkfACwdVxAizWoraMU4JHp2rVvla2WmMBvhXJyDEl+xP/Qc=
> ;{id = 16581 (ksk), size = 2048b}
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: Once the new DS records are seen
> in DNS please issue the ds-seen command for zone ods with the following
> cka_ids, b48cfc3c80e11ed41eb21ab49d7666df, 12306205b8e5aa46abb276d57544680c
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: Disconnecting from Database...
> 
> Jun  1 11:22:15 signer1 ods-enforcerd: Sleeping for 1800 seconds.
> 
> Jun  1 11:22:15 signer1 ods-signerd: Zone action to perform: 3
> 
> Jun  1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000,
> output serial 1000 is too large. Aborting operation
> 
> Jun  1 11:22:25 signer1 ods-enforcerd: Received SIGTERM, exiting...
> 
> Jun  1 11:22:25 signer1 ods-enforcerd: all done! hsm_close result: 0
> 
> Jun  1 11:22:25 signer1 ods-signerd: Received command: 'stop'
> 
> Jun  1 11:22:25 signer1 ods-signerd: close syslog
> 
> Jun  1 11:22:25 signer1 python: Connection closed by peer
> 
>  
> 
> Cheers,
> 
> Rick
> 
>  
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJMBP4DAAoJEA8yVCPsQCW5tdUIAJ5WjXi/Fn//31/hJetm1EfX
RbAOzrTUm14qQYsfOVSGHSQbogKgFyu2715T6Uur2w96bf0OQ60eFScKAPxDquWp
gCO8LNMxn+5A5ybhQFJTjc2DnJu5MtdOUYUjY7UGi44sMtz+RtDkEd61W8narfTP
dP5r11P+ub/b+SYyuIH548NYkjUbqV/JijnUg8nKgjScgsg/EkE11ZclElkW70fB
nl7i4ymoB1Q7ppQBDBcbNSvvUN/NWyzQ+rPIfFgFLsZ3TOlj3uvYPeEdJk80zhl8
CcWK8mVWww3URqKcG1k6587A2dZKvoNg5X/6ZXMaoJtzO2gzw9t83zwW/1I0onM=
=jkP+
-----END PGP SIGNATURE-----
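The check Matthijs describes above (with the serial policy set to 'keep', the signer refuses the input serial unless it is strictly larger than the serial it last wrote out) is easy to reproduce in a few lines. The following is an added example and not OpenDNSSEC's own code: the comparison uses RFC 1982 serial arithmetic, the function names are made up for illustration, and the sample log lines are constructed from the messages quoted in this thread so that an operator can also see how to spot a zone that is stuck on one of the two abort messages.

```python
"""Serial-arithmetic check behind the 'keep' serial policy, plus a small
syslog scanner for the two abort messages quoted in this thread.

Added example, not OpenDNSSEC's code. Function names (serial_gt,
keep_serial, scan_log) and SAMPLE_LOG are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)
MOD = 1 << SERIAL_BITS


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is a > b in 32-bit serial arithmetic (wraps around)?"""
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def keep_serial(input_serial: int,
                output_serial: Optional[int]) -> Tuple[bool, str]:
    """Decide what a signer does under policy 'keep'.

    Returns (ok, message). The input serial is only reusable when it is
    strictly larger than the serial last written to the signed zone; an
    equal serial, as in the 1000/1000 case from the log, is rejected.
    """
    if output_serial is None:
        return True, "first signing, using input serial %d" % input_serial
    if not serial_gt(input_serial, output_serial):
        return False, ("Cannot keep input serial %d, output serial %d is too large"
                       % (input_serial, output_serial))
    return True, "using input serial %d" % input_serial


# The two signer messages quoted in the thread, as patterns for alerting.
KEEP_ERRORS = (
    re.compile(r"Cannot keep input serial (\d+), output serial (\d+) is too large"),
    re.compile(r"serial setting is set to 'keep', but input serial has not increased"),
)


def scan_log(lines) -> List[str]:
    """Return the ods-signerd lines that report a serial-keep abort."""
    hits = []
    for line in lines:
        if "ods-signerd" not in line:
            continue
        if any(pat.search(line) for pat in KEEP_ERRORS):
            hits.append(line.strip())
    return hits


# Constructed sample: a subset of the log lines posted in this thread.
SAMPLE_LOG = """\
Jun  1 11:12:11 signer1 ods-signerd: Error: serial setting is set to 'keep', but input serial has not increased. Aborting sign operation for ods
Jun  1 11:22:15 signer1 ods-enforcerd: Sleeping for 1800 seconds.
Jun  1 11:22:15 signer1 ods-signerd: Zone action to perform: 3
Jun  1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000, output serial 1000 is too large. Aborting operation
"""


if __name__ == "__main__":
    print(keep_serial(1000, 1000))   # the case from the thread: rejected
    print(keep_serial(1001, 1000))   # input serial increased: accepted
    print(keep_serial(1, 0xFFFFFFFF))  # wrap-around still counts as larger
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print("ALERT:", hit)
```

The wrap-around case is why the comparison is not a plain `>`: after a serial passes 2^32 - 1, a small value is "larger" than a value just below the wrap point, and a signer that compared integers directly would keep aborting on a perfectly valid zone. Feeding the scanner your signer's syslog lets you alert on a zone that keeps hitting either abort message, which is what happened here across the two resigns.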