[Opendnssec-user] Absent ZSK in zone signed with OpenDNSSEC

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Apr 16 07:20:10 UTC 2010


> /usr/local/opendnssec/bin/ods-ksmutil key list --verbose
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:                           Keytype:      State:    Date of next
> transition:  CKA_ID:                           Repository:
> Keytag:
> co.nz                           KSK           active    2010-04-15
> 16:29:10      3996d43aca8dea21830a1c9299d693ef  softHSM          33249
> co.nz                           KSK           ready     waiting for
> ds-seen       b133bb8d3bb6664d73de0dcba5adc481  softHSM          33054
> co.nz                           KSK           ready     waiting for
> ds-seen       6d895ad0b98a1e3deb63eca7c985fae8  softHSM          34773
> co.nz                           ZSK           active    2010-04-17
> 16:29:10       a008c770853ff48e5db645e400e99e71  softHSM         35157
> co.nz                           ZSK           ready     next rollover
>          c92810080bea87634abd42cc7f3593ae  softHSM
>   57504
> But the output zone contains:
> name    type   keytag   keytype         algorithm
> co.nz	DNSKEY-23213	DNSKEY-ZSK	7
> co.nz	DNSKEY-33054	DNSKEY-KSK	7
> co.nz	DNSKEY-33249	DNSKEY-KSK	7
> co.nz	DNSKEY-42044	DNSKEY-ZSK	7
> co.nz	DNSKEY-47295	DNSKEY-ZSK	7
> co.nz	DNSKEY-9516	DNSKEY-KSK	7

Have you done anything special with the rollovers or introduction of new keys? It is a little bit odd that only two of the keytags matches. What keys do you have in the signconf? co.nz.xml?

> but the signatures for the zone records are generated using key 35157,
> which is consistent with ksmutil output. To verify is not a BIND issue,
> I checked the output signed zone and effectively didn't include the ZSK
> but included some old rolled over keys.
> I proceeded to delete the signed zone and force the signing of the zone
> using ods-signer sign co.nz. The result was the zone now contains the
> right KSK/ZSK... Is OpenDNSSEC obtaining the DNSKEY for the existing
> signed zone?

Everything is done using the files in the working directory. So to clear the state of the Signer, then you should delete the files in the tmp-directory. 

// Rickard

More information about the Opendnssec-user mailing list