[Opendnssec-user] strange signatures

Patrik Wallström patrik.wallstrom at iis.se
Mon Jul 26 08:45:43 UTC 2010

On Jul 20, 2010, at 9:27 AM, Alex Dalitz wrote:

> Hi Patrik - 
>> What is wrong though, is that this key is not published in my zone! 
> Is the auditor not giving an error for this?

Haven't tested.

Matthijs and I looked at the problem, and it was because there were old $INCLUDE statements left from running ZKT on tset.se, which made the signer exclude most of the zonefile after the include statement.

When issuing the "ods-signer sign tset.se" command, all three keys were included in the signed zonefile, but it was still truncated.

This does not really explain all the issues. I also issued the "ods-signer sign tset.se" command after fixing the include, and now BIND loads the zonefile again. But what I was seeing before I started fixing this was that BIND loaded a zone with signatures made from a key that was not in the zonefile. I am sure there were only two keys in the signed zone when I first looked at this bug, so this issue might just be another one from the problems mentioned above. So I guess we will have to keep looking at automatic ZSK rollovers without issuing the "sign tset.se" command. (Rickard mentioned he saw the same problem just before vacation.)

Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
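
A check for the two symptoms described in this message, as an added example that is not part of the original post or of OpenDNSSEC: it reports leftover $INCLUDE directives and RRSIG key tags that match no DNSKEY in the same zone text. The zone content, key material and function names are constructed, and the parser assumes one record per line (no parenthesised multi-line records).

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def audit_zone(text):
    """Return (line numbers of $INCLUDE, RRSIG key tags with no DNSKEY)."""
    includes, published, used = [], set(), set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split(";", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        if fields[0].upper() == "$INCLUDE":
            includes.append(lineno)
        elif "RRSIG" in fields:                  # checked first: RRSIG may cover DNSKEY
            i = fields.index("RRSIG")
            used.add(int(fields[i + 7]))         # 7th RDATA field is the key tag
        elif "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            key = base64.b64decode("".join(fields[i + 4:]))
            published.add(key_tag(flags, proto, alg, key))
    return includes, used - published

# Constructed sample: toy 4-byte keys, dummy signatures, made-up include file name.
SAMPLE_ZONE = """\
tset.se. 3600 IN SOA ns.tset.se. hostmaster.tset.se. 2010072601 3600 600 1209600 3600
tset.se. 3600 IN DNSKEY 257 3 8 AQIDBA==
tset.se. 3600 IN DNSKEY 256 3 8 AQIDBA==
tset.se. 3600 IN RRSIG DNSKEY 8 2 3600 20100825000000 20100726000000 2063 tset.se. AAAA
tset.se. 3600 IN RRSIG SOA 8 2 3600 20100825000000 20100726000000 2062 tset.se. AAAA
$INCLUDE leftover.db ; constructed file name
www.tset.se. 3600 IN A 192.0.2.10
www.tset.se. 3600 IN RRSIG A 8 3 3600 20100825000000 20100726000000 40000 tset.se. AAAA
"""

if __name__ == "__main__":
    include_lines, orphans = audit_zone(SAMPLE_ZONE)
    print("$INCLUDE directives on lines:", include_lines)
    print("RRSIG key tags without a published DNSKEY:", sorted(orphans))
```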
