[Opendnssec-user] strange signatures
patrik.wallstrom at iis.se
Mon Jul 26 08:45:43 UTC 2010
On Jul 20, 2010, at 9:27 AM, Alex Dalitz wrote:
> Hi Patrik -
>> What is wrong though, is that this key is not published in my zone!
> Is the auditor not giving an error for this?
Me and Matthijs looked at the problem, and it was because there was old $INCLUDE statements left from running ZKT on tset.se, which made the signer to exclude most of the zonefile after the include statement.
When issuing the "ods-signer sign tset.se" command, all three keys were included in the signed zonefile, but it was still truncated.
This does not really explain all the issues, I also issued the "ods-signer sign tset.se" command after fixing the include, and now BIND loads the zonefile again. But what I was seeing before started fixing this was that BIND loaded a zone with signatures made from a key that was not in the zonefile. I am sure there was only to keys in the signed zone when I first looked at this bug, so this issue might just be another one from the problems mentioned above. So I guess we will have to keep looking at automatic ZSK rollovers without issuing the "sign tset.se" command. (Rickard mentioned he saw the same problem just before vacation.)
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
More information about the Opendnssec-user