[Opendnssec-user] strange signatures
Patrik Wallström
patrik.wallstrom at iis.se
Sun Jul 18 20:49:48 UTC 2010
(This might all be because of upgrading Debian packages from 1.0 to 1.1. But it still is strange.)
On my zone tset.se I have these keys:
Zone     Keytype  State   Date of next transition  CKA_ID                            Repository  Keytag
tset.se  KSK      active  2030-04-30 10:38:07      4e09b42a075aa8004b79e527859b3671  softHSM     7813
tset.se  ZSK      active  2010-08-03 11:25:21      84b868774434e8f4207a3a860af5361e  softHSM     52212
tset.se  ZSK      ready   next rollover            162f3ec727502c67f97d0c94842bf31c  softHSM     30320
As you can see, most signatures in the zone should be made from the ZSK with the keytag 52212. So indeed, there are a lot of signatures with that keytag. What is wrong, though, is that this key is not published in my zone! And it really should be; this is from my signer config:
<Keys>
    <TTL>PT3600S</TTL>
    <Key>
        <Flags>257</Flags>
        <Algorithm>7</Algorithm>
        <Locator>4e09b42a075aa8004b79e527859b3671</Locator>
        <KSK />
        <Publish />
    </Key>
    <Key>
        <Flags>256</Flags>
        <Algorithm>7</Algorithm>
        <Locator>84b868774434e8f4207a3a860af5361e</Locator>
        <ZSK />
        <Publish />
    </Key>
    <Key>
        <Flags>256</Flags>
        <Algorithm>7</Algorithm>
        <Locator>162f3ec727502c67f97d0c94842bf31c</Locator>
        <Publish />
    </Key>
</Keys>
Where do I look for problems?
You can see the published tset.se zone in DNS. Try this:
mask$~>dig a tset.se +dnssec
; <<>> DiG 9.7.0-P1 <<>> a tset.se +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8744
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;tset.se. IN A
;; Query time: 29 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Jul 18 22:49:22 2010
;; MSG SIZE rcvd: 36
--
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
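One way to check mechanically for the mismatch the post describes (RRSIGs carrying a key tag for which no DNSKEY is published), as an added example that is not part of the post and not OpenDNSSEC's own tooling: compute the key tag of every DNSKEY in a zone dump per RFC 4034 Appendix B and flag every RRSIG whose key tag has no matching DNSKEY at the signer name. The zone snippet below is constructed, with toy 4-byte "public keys" rather than real RSA keys, and the key tag 52212 in the last RRSIG is simply the number quoted in the post.

```python
"""Flag RRSIGs whose key tag does not match any published DNSKEY.

Key tags are computed per RFC 4034 Appendix B.1 (the scheme used for
every algorithm other than 1/RSAMD5).  Zone data is read from the
presentation format produced by a zone dump or `dig axfr`.
"""
import base64
import struct

# Constructed zone snippet (not real tset.se data).  Two DNSKEYs with
# toy 4-byte public keys, and three RRSIGs: two reference the published
# keys, the third references key tag 52212, which no DNSKEY here has.
ZONE = """\
example.test. 3600 IN DNSKEY 257 3 7 qrvM3Q==
example.test. 3600 IN DNSKEY 256 3 7 AQIDBA==
example.test. 3600 IN RRSIG DNSKEY 7 2 3600 20100801000000 20100718000000 31649 example.test. c2ln
example.test. 3600 IN RRSIG SOA 7 2 3600 20100801000000 20100718000000 2061 example.test. c2ln
www.example.test. 3600 IN RRSIG A 7 3 3600 20100801000000 20100718000000 52212 example.test. c2ln
"""


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B.1: 16-bit ones-complement-style sum over the RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        # even-offset bytes are the high byte of a 16-bit word, odd the low byte
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_zone(text):
    """Return ({owner: {key tags of published DNSKEYs}},
               [(owner, type covered, key tag, signer name)])."""
    published = {}
    rrsigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype = f[0], f[3]
        if rtype == "DNSKEY":
            # DNSKEY RDATA: flags protocol algorithm base64-public-key
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pubkey = base64.b64decode("".join(f[7:]))
            published.setdefault(owner, set()).add(key_tag(flags, proto, alg, pubkey))
        elif rtype == "RRSIG":
            # RRSIG RDATA: type-covered alg labels orig-ttl expiration
            #              inception keytag signer signature
            rrsigs.append((owner, f[4], int(f[10]), f[11]))
    return published, rrsigs


def orphaned_signatures(text):
    """RRSIGs whose key tag matches no DNSKEY published at the signer name."""
    published, rrsigs = parse_zone(text)
    return [(owner, covered, tag)
            for owner, covered, tag, signer in rrsigs
            if tag not in published.get(signer, set())]


if __name__ == "__main__":
    published, _ = parse_zone(ZONE)
    for name, tags in published.items():
        print(f"{name} publishes DNSKEY tags {sorted(tags)}")
    for owner, covered, tag in orphaned_signatures(ZONE):
        print(f"RRSIG {covered} at {owner} uses key tag {tag}: no such DNSKEY published")
```

A zone that produces any orphaned signature will fail validation exactly as the SERVFAIL above shows, since a validator cannot find the DNSKEY the RRSIG points at; the key tag comparison is the quick first check before looking at the signer's key state or the HSM.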