[Opendnssec-develop] Fw: [Opendnssec-user] auditor and rollover

Alexd at nominet.org.uk Alexd at nominet.org.uk
Wed Mar 24 11:24:57 UTC 2010

Hi - 

Gilles is having problems because the auditor is complaining that RRSIGs 
do not include those for the algorithm of a retired key. So, should :

a) the auditor not complain about missing RRSIGs for algorithms for which 
all keys in the zone have been retired (although still published)? or
b) the zone not include keys with algorithms for which there are no 



> I tried an algorithm rollover (RSASHA1-NSEC3-SHA1 to RSASHA256) by
> simply changing the policy. It seemed to worked correctly in so far that
> the signer config file got updated correctly, and an appropriate DNSKEY
> appeared at the zone. However, the auditor complained vigorously that
> (for all RRs):
> ods-auditor[5146]: RRSIGS should include algorithm RSASHA256 for
> time.restena.lu, A, have : RSASHA1-NSEC3-SHA1
> which makes sense as the RSASHA256-key was not 'active' yet. So I rolled
> the ZSK, after which the auditor said:
> ods-auditor[5367]: RRSIGS should include algorithm RSASHA1-NSEC3-SHA1
> for time.restena.lu, A, have : RSASHA256
> which seems to make less sense, as the RSASHA1-NSEC3-SHA1 has deen 
> Is that expected, and what is the correct approach: disable the auditor
> during this kind of operation? or wait more patiently and everything
> will settle?
> BTW: the auditor hang consistently after each of these runs and had to
> be killed maually.
> (ods 1.0.0)
> Best,
> Gilles
> -- 
> Fondation RESTENA - DNS-LU
> 6, rue Coudenhove-Kalergi
> L-1359 Luxembourg
> tel: (+352) 424409
> fax: (+352) 422473
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20100324/61c99134/attachment.htm>

More information about the Opendnssec-develop mailing list