[Opendnssec-user] Absent ZSK in zone signed with OpenDNSSEC
Sebastian Castro
sebastian at nzrs.net.nz
Sun Apr 18 22:42:55 UTC 2010
Rickard Bellgrim wrote:
> Hi
Hi,
>
>> /usr/local/opendnssec/bin/ods-ksmutil key list --verbose
>> SQLite database set to: /var/opendnssec/kasp.db
>> Keys:
>> Zone:  Keytype:  State:  Date of next transition:  CKA_ID:  Repository:  Keytag:
>> co.nz  KSK  active  2010-04-15 16:29:10  3996d43aca8dea21830a1c9299d693ef  softHSM  33249
>> co.nz  KSK  ready   waiting for ds-seen  b133bb8d3bb6664d73de0dcba5adc481  softHSM  33054
>> co.nz  KSK  ready   waiting for ds-seen  6d895ad0b98a1e3deb63eca7c985fae8  softHSM  34773
>> co.nz  ZSK  active  2010-04-17 16:29:10  a008c770853ff48e5db645e400e99e71  softHSM  35157
>> co.nz  ZSK  ready   next rollover        c92810080bea87634abd42cc7f3593ae  softHSM  57504
>>
>>
>> But the output zone contains:
>>
>> name type keytag keytype algorithm
>> co.nz DNSKEY-23213 DNSKEY-ZSK 7
>> co.nz DNSKEY-33054 DNSKEY-KSK 7
>> co.nz DNSKEY-33249 DNSKEY-KSK 7
>> co.nz DNSKEY-42044 DNSKEY-ZSK 7
>> co.nz DNSKEY-47295 DNSKEY-ZSK 7
>> co.nz DNSKEY-9516 DNSKEY-KSK 7
>
> Have you done anything special with the rollovers or introduction of new keys? It is a little bit odd that only two of the keytags match. What keys do you have in the signconf? co.nz.xml?
I did a manual KSK rollover, but nothing else.
There are two files in signconf. One is a .OLD file and the other is the current one.
Please find them attached.
>
>> but the signatures for the zone records are generated using key 35157,
>> which is consistent with ksmutil output. To verify it is not a BIND issue,
>> I checked the output signed zone and effectively it didn't include the ZSK
>> but included some old rolled over keys.
>>
>> I proceeded to delete the signed zone and force the signing of the zone
>> using ods-signer sign co.nz. The result was the zone now contains the
>> right KSK/ZSK... Is OpenDNSSEC obtaining the DNSKEY for the existing
>> signed zone?
>
> Everything is done using the files in the working directory. So to clear the state of the Signer, then you should delete the files in the tmp-directory.
Well, the curious thing was I deleted the output signed zone located in
/var/opendnssec/signed and then executed a 'ods-signer sign co.nz' and
the issue with the keys was solved.
>
> // Rickard
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
-------------- next part --------------
A non-text attachment was scrubbed...
Name: co.nz.xml
Type: text/xml
Size: 1409 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20100419/0be4d48f/attachment.xml>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: co.nz.xml.OLD
Type: application/x-trash
Size: 1553 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20100419/0be4d48f/attachment.bin>
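A consistency check for the mismatch discussed in this thread, added here as an example and not part of the thread or of OpenDNSSEC: it parses the 'ods-ksmutil key list' rows and the DNSKEY keytags of the signed zone as quoted above (constructed copies) and reports DNSKEYs unknown to KASP and active keys whose DNSKEY is absent from the zone. keytag() implements the RFC 4034 key tag so real DNSKEY RDATA can be mapped to the same keytags; the RDATA used in the check is a constructed stand-in, not one of the real keys.

```python
import re

# Constructed copy of the 'ods-ksmutil key list --verbose' rows quoted in the thread.
KEY_LIST = """\
co.nz KSK active 2010-04-15 16:29:10 3996d43aca8dea21830a1c9299d693ef softHSM 33249
co.nz KSK ready waiting for ds-seen b133bb8d3bb6664d73de0dcba5adc481 softHSM 33054
co.nz KSK ready waiting for ds-seen 6d895ad0b98a1e3deb63eca7c985fae8 softHSM 34773
co.nz ZSK active 2010-04-17 16:29:10 a008c770853ff48e5db645e400e99e71 softHSM 35157
co.nz ZSK ready next rollover c92810080bea87634abd42cc7f3593ae softHSM 57504
"""

# Keytags of the DNSKEY records listed for the signed zone in the thread.
ZONE_KEYTAGS = {23213: "ZSK", 33054: "KSK", 33249: "KSK",
                42044: "ZSK", 47295: "ZSK", 9516: "KSK"}

# One row per key: zone, type, state, free-form transition text, CKA_ID, repository, keytag.
ROW = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\S+)\s+.*\s([0-9a-f]{32})\s+\S+\s+(\d+)$")


def keytag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key).
    Not valid for algorithm 1 (RSA/MD5), which uses a different rule."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_key_list(text):
    """Return {keytag: (keytype, state)} from ksmutil 'key list' rows."""
    keys = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            keys[int(m.group(5))] = (m.group(2), m.group(3))
    return keys


def compare(kasp_keys, zone_keytags):
    """stale: DNSKEYs in the zone that KASP does not know about at all.
    missing: keys KASP marks active (used for signing) with no DNSKEY in the zone.
    Either means the signer's working files are out of step with the KASP database."""
    stale = sorted(t for t in zone_keytags if t not in kasp_keys)
    missing = sorted(t for t, (_, state) in kasp_keys.items()
                     if state == "active" and t not in zone_keytags)
    return stale, missing


if __name__ == "__main__":
    stale, missing = compare(parse_key_list(KEY_LIST), ZONE_KEYTAGS)
    print("stale DNSKEYs in zone:", stale)   # [9516, 23213, 42044, 47295]
    print("active keys missing:", missing)   # [35157]
```

On the thread's data the check flags four leftover DNSKEYs and reports that the active ZSK 35157, which signed the records, has no DNSKEY in the zone, which is exactly the state that clearing the signer's working files fixed.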