[Opendnssec-user] Absent ZSK in zone signed with OpenDNSSEC

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Apr 16 07:20:10 UTC 2010


Hi 

> /usr/local/opendnssec/bin/ods-ksmutil key list --verbose
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:   Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
> co.nz   KSK       active   2010-04-15 16:29:10       3996d43aca8dea21830a1c9299d693ef  softHSM      33249
> co.nz   KSK       ready    waiting for ds-seen       b133bb8d3bb6664d73de0dcba5adc481  softHSM      33054
> co.nz   KSK       ready    waiting for ds-seen       6d895ad0b98a1e3deb63eca7c985fae8  softHSM      34773
> co.nz   ZSK       active   2010-04-17 16:29:10       a008c770853ff48e5db645e400e99e71  softHSM      35157
> co.nz   ZSK       ready    next rollover             c92810080bea87634abd42cc7f3593ae  softHSM      57504
> 
> 
> But the output zone contains:
> 
> name    type   keytag   keytype         algorithm
> co.nz	DNSKEY-23213	DNSKEY-ZSK	7
> co.nz	DNSKEY-33054	DNSKEY-KSK	7
> co.nz	DNSKEY-33249	DNSKEY-KSK	7
> co.nz	DNSKEY-42044	DNSKEY-ZSK	7
> co.nz	DNSKEY-47295	DNSKEY-ZSK	7
> co.nz	DNSKEY-9516	DNSKEY-KSK	7

Have you done anything special with the rollovers or introduction of new keys? It is a little bit odd that only two of the keytags match. What keys do you have in the signconf? co.nz.xml?

> but the signatures for the zone records are generated using key 35157,
> which is consistent with ksmutil output. To verify it is not a BIND issue,
> I checked the output signed zone and effectively didn't include the ZSK
> but included some old rolled over keys.
> 
> I proceeded to delete the signed zone and force the signing of the zone
> using ods-signer sign co.nz. The result was the zone now contains the
> right KSK/ZSK... Is OpenDNSSEC obtaining the DNSKEY for the existing
> signed zone?

Everything is done using the files in the working directory. So to clear the state of the Signer, you should delete the files in the tmp-directory.

// Rickard
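The mismatch in this thread (DNSKEY records in the signed zone that ods-ksmutil no longer lists, and RRSIGs made with a key whose DNSKEY is absent) is easy to catch before the zone is published. The following check is an added example written for this thread; it is not part of OpenDNSSEC and not code from either poster. It reads DNSKEY and RRSIG records from a BIND-style text zone, computes each DNSKEY's key tag per RFC 4034 Appendix B, and compares the result against the tags an operator expects from `ods-ksmutil key list`. The zone snippet, the dummy key bytes and the expected-tag table are constructed for the example; the parser assumes one record per line and handles only the record fields needed here.

```python
import base64
import struct
from dataclasses import dataclass

# Constructed sample of a signed zone in BIND text format. The key material is
# a few dummy bytes (not real RSA keys) so the tags can be checked by hand.
SAMPLE_SIGNED_ZONE = """\
co.nz.  3600  IN  DNSKEY  256 3 7 AQIDBA==         ; ZSK, tag 2061
co.nz.  3600  IN  DNSKEY  257 3 7 ( ECAw QFBg )    ; KSK, tag 38088
co.nz.  3600  IN  DNSKEY  256 3 7 /w==             ; ZSK, tag 776 (stale key)
co.nz.  3600  IN  RRSIG   DNSKEY 7 2 3600 20100430000000 20100416000000 38088 co.nz. AAAA
co.nz.  3600  IN  RRSIG   SOA 7 2 3600 20100430000000 20100416000000 11111 co.nz. AAAA
"""

# Constructed stand-in for the keys `ods-ksmutil key list` says should be
# published right now: keytag -> key type. Tag 11111 is a hypothetical key.
KASP_EXPECTED = {38088: "KSK", 2061: "ZSK", 11111: "ZSK"}


@dataclass(frozen=True)
class DnsKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    @property
    def role(self) -> str:
        # The SEP bit (low bit of the flags field) marks a KSK.
        return "KSK" if self.flags & 0x0001 else "ZSK"


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit ones-complement-style sum of the RDATA."""
    if algorithm == 1:
        raise ValueError("RSAMD5 (algorithm 1) uses a different key-tag rule; not supported")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8       # even bytes are the high half of a 16-bit word
    ac += (ac >> 16) & 0xFFFF              # fold the carry back in
    return ac & 0xFFFF


def _rrtype_index(fields):
    """Index of the RR type token, skipping the optional TTL and class after the owner."""
    i = 1
    while i < len(fields) and (fields[i].isdigit() or fields[i].upper() in ("IN", "CH", "HS")):
        i += 1
    return i


def parse_zone(zone_text: str):
    """Return (list of DnsKey, set of key tags used by RRSIG records)."""
    keys, rrsig_tags = [], set()
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenise
        if len(fields) < 2:
            continue
        i = _rrtype_index(fields)
        if i >= len(fields):
            continue
        rrtype = fields[i].upper()
        if rrtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            key_b64 = "".join(t for t in fields[i + 4:] if t not in ("(", ")"))
            keys.append(DnsKey(fields[0], flags, proto, alg, base64.b64decode(key_b64)))
        elif rrtype == "RRSIG":
            # RDATA: type covered, alg, labels, orig TTL, expiration, inception, key tag, ...
            rrsig_tags.add(int(fields[i + 7]))
    return keys, rrsig_tags


def audit_signed_zone(zone_text: str, expected: dict) -> dict:
    """Compare the DNSKEY/RRSIG state of a signed zone with the tags KASP expects."""
    keys, rrsig_tags = parse_zone(zone_text)
    zone_tags = {key_tag(k.flags, k.protocol, k.algorithm, k.pubkey): k.role for k in keys}
    return {
        "matching": sorted(t for t in zone_tags if t in expected),
        "stale_in_zone": sorted(t for t in zone_tags if t not in expected),
        "missing_from_zone": sorted(t for t in expected if t not in zone_tags),
        "role_mismatch": sorted(t for t, r in zone_tags.items() if t in expected and expected[t] != r),
        "rrsig_without_dnskey": sorted(t for t in rrsig_tags if t not in zone_tags),
    }


if __name__ == "__main__":
    for name, tags in audit_signed_zone(SAMPLE_SIGNED_ZONE, KASP_EXPECTED).items():
        print(f"{name:22s} {tags}")
```

On the constructed input the report lists tag 776 as stale (published but unknown to KASP), tag 11111 as missing from the zone, and the SOA RRSIG's tag 11111 as a signature with no matching DNSKEY, which is the validation failure the thread describes. Running a check like this on the signer's output, or on the zone BIND actually loads, separates a stale signer working directory from a real key-management problem before resolvers see it.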

