[Opendnssec-develop] Fw: [Opendnssec-user] auditor and rollover
Alexd at nominet.org.uk
Wed Mar 24 11:24:57 UTC 2010
Hi -
Gilles is having problems because the auditor is complaining that RRSIGs
do not include those for the algorithm of a retired key. So, should:
a) the auditor not complain about missing RRSIGs for algorithms for which
all keys in the zone have been retired (although still published)? or
b) the zone not include keys with algorithms for which there are no
RRSIGs?
Thanks,
Alex.
> I tried an algorithm rollover (RSASHA1-NSEC3-SHA1 to RSASHA256) by
> simply changing the policy. It seemed to work correctly in so far as
> the signer config file got updated correctly, and an appropriate DNSKEY
> appeared at the zone. However, the auditor complained vigorously that
> (for all RRs):
>
> ods-auditor[5146]: RRSIGS should include algorithm RSASHA256 for
> time.restena.lu, A, have : RSASHA1-NSEC3-SHA1
>
> which makes sense as the RSASHA256-key was not 'active' yet. So I rolled
> the ZSK, after which the auditor said:
>
> ods-auditor[5367]: RRSIGS should include algorithm RSASHA1-NSEC3-SHA1
> for time.restena.lu, A, have : RSASHA256
>
> which seems to make less sense, as the RSASHA1-NSEC3-SHA1 has been
> retired.
>
> Is that expected, and what is the correct approach: disable the auditor
> during this kind of operation? or wait more patiently and everything
> will settle?
>
> BTW: the auditor hung consistently after each of these runs and had to
> be killed manually.
>
> (ods 1.0.0)
>
> Best,
> Gilles
>
> --
> Fondation RESTENA - DNS-LU
> 6, rue Coudenhove-Kalergi
> L-1359 Luxembourg
> tel: (+352) 424409
> fax: (+352) 422473
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
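Added example (not OpenDNSSEC's auditor code, and not from either poster): a small model of the per-algorithm check behind the complaints quoted above, replayed on constructed data for the zone named in the thread, with option (a) and option (b) from the question applied to the same zone. The rule being modelled is RFC 4035 section 2.2: every algorithm present in the apex DNSKEY RRset must sign every RRset in the zone, which is why a retired-but-published key keeps its algorithm in scope. The key tags, key states and the NS RRset are assumptions.

```python
"""Per-algorithm RRSIG coverage check (added example, not OpenDNSSEC code).

Rule (RFC 4035 section 2.2): every algorithm that appears in the zone's
DNSKEY RRset must sign every RRset in the zone. A key that is retired but
still published therefore keeps its algorithm in scope until it leaves the
DNSKEY RRset.
"""
from collections import namedtuple

# IANA DNSSEC algorithm numbers; names follow the auditor's output.
ALG_NAMES = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}

# Constructed sample records modelled on the thread (tags/states assumed).
Key = namedtuple("Key", "tag alg role state")      # state: 'active' or 'retired'
RRSig = namedtuple("RRSig", "owner rtype alg keytag")


def published_algorithms(dnskeys):
    """Algorithms in the DNSKEY RRset, regardless of key state."""
    return {k.alg for k in dnskeys}


def signing_algorithms(rrsigs, owner, rtype):
    """Algorithms that actually signed the given RRset."""
    return {s.alg for s in rrsigs if s.owner == owner and s.rtype == rtype}


def audit(dnskeys, rrsets, rrsigs, ignore_retired=False):
    """Return auditor-style complaints, one per (RRset, missing algorithm).

    ignore_retired=True models option (a): an algorithm whose keys are all
    retired (though still published) is no longer required to sign.
    """
    if ignore_retired:
        required = {k.alg for k in dnskeys if k.state == "active"}
    else:
        required = published_algorithms(dnskeys)
    complaints = []
    for owner, rtype in rrsets:
        have = signing_algorithms(rrsigs, owner, rtype)
        for alg in sorted(required - have):
            complaints.append(
                "RRSIGS should include algorithm %s for %s, %s, have : %s"
                % (ALG_NAMES[alg], owner, rtype,
                   ",".join(ALG_NAMES[a] for a in sorted(have)) or "none"))
    return complaints


# State after the ZSK roll in the thread: the old-algorithm ZSK is retired
# but still published; zone data is now signed only with RSASHA256.
DNSKEYS_AFTER_ROLL = [
    Key(tag=11111, alg=7, role="ZSK", state="retired"),
    Key(tag=22222, alg=8, role="ZSK", state="active"),
]
RRSETS = [("time.restena.lu", "A"), ("time.restena.lu", "NS")]
RRSIGS_AFTER_ROLL = [
    RRSig("time.restena.lu", "A", 8, 22222),
    RRSig("time.restena.lu", "NS", 8, 22222),
]

# Option (b): the retired key is withdrawn from the DNSKEY RRset.
DNSKEYS_WITHDRAWN = [k for k in DNSKEYS_AFTER_ROLL if k.state == "active"]


if __name__ == "__main__":
    print("strict (RFC 4035 2.2):")
    for line in audit(DNSKEYS_AFTER_ROLL, RRSETS, RRSIGS_AFTER_ROLL):
        print("  " + line)
    print("option (a), retired algorithms ignored:",
          audit(DNSKEYS_AFTER_ROLL, RRSETS, RRSIGS_AFTER_ROLL, ignore_retired=True))
    print("option (b), retired key withdrawn:",
          audit(DNSKEYS_WITHDRAWN, RRSETS, RRSIGS_AFTER_ROLL))
```

The strict run reproduces the second complaint from the thread for every RRset; both option (a) and option (b) silence it, but only (b) leaves the zone consistent with the RFC 4035 rule, since under (a) the DNSKEY RRset still advertises an algorithm that signs nothing.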