[Opendnssec-user] strange signatures

Patrik Wallström patrik.wallstrom at iis.se
Mon Jul 26 10:45:43 CEST 2010


On Jul 20, 2010, at 9:27 AM, Alex Dalitz wrote:

> Hi Patrik - 
> 
>> What is wrong though, is that this key is not published in my zone! 
> 
> Is the auditor not giving an error for this?

Haven't tested.

Matthijs and I looked at the problem, and it was because there were old $INCLUDE statements left from running ZKT on tset.se, which made the signer exclude most of the zonefile after the include statement.

When issuing the "ods-signer sign tset.se" command, all three keys were included in the signed zonefile, but it was still truncated.

This does not really explain all the issues. I also issued the "ods-signer sign tset.se" command after fixing the include, and now BIND loads the zonefile again. But what I was seeing before I started fixing this was that BIND loaded a zone with signatures made from a key that was not in the zonefile. I am sure there were only two keys in the signed zone when I first looked at this bug, so this issue might just be another one from the problems mentioned above. So I guess we will have to keep looking at automatic ZSK rollovers without issuing the "sign tset.se" command. (Rickard mentioned he saw the same problem just before vacation.)

-- 
Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
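Both symptoms in this message, a stale $INCLUDE that truncates the signed output and RRSIGs whose signing key is not published in the zone, can be caught by a pre-load check on the signed zonefile. The script below is an added example for this thread, not OpenDNSSEC's auditor or any of its code: it flags $INCLUDE directives, computes the RFC 4034 key tag of every DNSKEY in the file, and reports RRSIGs whose key tag matches no published DNSKEY. The zone name example.com, the include file name old-zkt-keys.db, the key material and the signature fields are all constructed dummies (the signatures are not cryptographically valid); the parser only handles the one-record-per-line presentation format with an explicit owner name on each line.

```python
"""Pre-load sanity check for a signed zonefile (added example, not OpenDNSSEC code).

Flags: $INCLUDE directives (a stale one can swallow the rest of the zone),
and RRSIGs whose key tag matches no DNSKEY published in the zone.
Limitation: one record per line, explicit owner on every line,
no '(' ... ')' continuation syntax.
"""
import base64
import struct


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _fields(line):
    """Strip ';' comments and split into tokens; None for blank lines."""
    line = line.split(";", 1)[0].strip()
    return line.split() if line else None


def audit_zone(text):
    """Return $INCLUDE names, DNSKEY key tags, and RRSIGs with no matching DNSKEY."""
    includes = []
    dnskey_tags = {}   # key tag -> (owner, flags)
    rrsigs = []        # (owner, covered type, key tag)
    for raw in text.splitlines():
        fields = _fields(raw)
        if not fields:
            continue
        if fields[0].upper() == "$INCLUDE":
            includes.append(fields[1] if len(fields) > 1 else "")
            continue
        if fields[0].startswith("$"):
            continue   # $ORIGIN / $TTL do not matter for this check
        owner, rest = fields[0], fields[1:]
        # skip optional TTL and class so rest[0] is the RR type
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest = rest[1:]
        if not rest:
            continue
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "DNSKEY" and len(rdata) >= 4:
            # rdata: flags protocol algorithm base64-key (key may span tokens)
            tag = key_tag(int(rdata[0]), int(rdata[1]), int(rdata[2]), "".join(rdata[3:]))
            dnskey_tags[tag] = (owner, int(rdata[0]))
        elif rtype == "RRSIG" and len(rdata) >= 7:
            # rdata: type alg labels origttl expiration inception keytag signer sig
            rrsigs.append((owner, rdata[0].upper(), int(rdata[6])))
    orphans = [sig for sig in rrsigs if sig[2] not in dnskey_tags]
    return {"includes": includes, "dnskey_tags": dnskey_tags, "orphan_rrsigs": orphans}


# Constructed signed-zone fragment: dummy keys and dummy (invalid) signatures.
# Key tags for the two DNSKEYs are 2063 (KSK) and 4118 (ZSK); the RRSIG over
# www/A names key tag 51234, which is published nowhere in the zone.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1 hostmaster 2010072601 7200 3600 1209600 3600
@   IN DNSKEY 257 3 8 AQIDBA==   ; KSK, constructed
@   IN DNSKEY 256 3 8 BQYHCA==   ; ZSK, constructed
@   IN RRSIG DNSKEY 8 2 3600 20100810000000 20100720000000 2063 example.com. c2lnbmF0dXJl
@   IN RRSIG SOA 8 2 3600 20100810000000 20100720000000 4118 example.com. c2lnbmF0dXJl
www IN A 192.0.2.10
www IN RRSIG A 8 3 3600 20100810000000 20100720000000 51234 example.com. c2lnbmF0dXJl
$INCLUDE old-zkt-keys.db   ; stale include left behind by an earlier tool (hypothetical)
"""

if __name__ == "__main__":
    report = audit_zone(SAMPLE_ZONE)
    for name in report["includes"]:
        print("WARNING: $INCLUDE %s present in signed zone" % name)
    for owner, rtype, tag in report["orphan_rrsigs"]:
        print("ERROR: RRSIG %s/%s by key tag %d, no such DNSKEY published" % (owner, rtype, tag))
    print("published DNSKEY key tags:", sorted(report["dnskey_tags"]))
```

Run it against the signer's output before BIND loads the file; a non-empty `orphan_rrsigs` list is exactly the "signatures from a key that is not in the zonefile" condition, and any `$INCLUDE` in signer output deserves a look regardless of whether the referenced file still exists.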



