[Opendnssec-user] strange signatures

Patrik Wallström patrik.wallstrom at iis.se
Sun Jul 18 20:49:48 UTC 2010

(This might all be because of upgrading Debian packages from 1.0 to 1.1. But it still is strange.)

On my zone tset.se I have these keys:

Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:                       Keytag:
tset.se                         KSK           active    2030-04-30 10:38:07       4e09b42a075aa8004b79e527859b3671  softHSM                           7813
tset.se                         ZSK           active    2010-08-03 11:25:21       84b868774434e8f4207a3a860af5361e  softHSM                           52212
tset.se                         ZSK           ready     next rollover             162f3ec727502c67f97d0c94842bf31c  softHSM                           30320

As you can see, most signatures in the zone should be made from the ZSK with the keytag 52212. So indeed, there are a lot of signatures with that keytag. What is wrong though, is that this key is not published in my zone! And they should really be, this is from my signer config:

                                <KSK />
                                <Publish />

                                <ZSK />
                                <Publish />

                                <Publish />

Where do I look for problems?

You can see the published tset.se zone in DNS. Try this:

mask$~>dig a tset.se +dnssec

; <<>> DiG 9.7.0-P1 <<>> a tset.se +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8744
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags: do; udp: 4096
;tset.se.                       IN      A

;; Query time: 29 msec
;; WHEN: Sun Jul 18 22:49:22 2010
;; MSG SIZE  rcvd: 36

Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/

More information about the Opendnssec-user mailing list