[Opendnssec-user] auditor and rollover

Gilles Massen gilles.massen at restena.lu
Wed Mar 24 10:37:46 UTC 2010


I tried an algorithm rollover (RSASHA1-NSEC3-SHA1 to RSASHA256) by
simply changing the policy. It seemed to worked correctly in so far that
the signer config file got updated correctly, and an appropriate DNSKEY
appeared at the zone. However, the auditor complained vigorously that
(for all RRs):

ods-auditor[5146]: RRSIGS should include algorithm RSASHA256 for
time.restena.lu, A, have : RSASHA1-NSEC3-SHA1

which makes sense as the RSASHA256-key was not 'active' yet. So I rolled
the ZSK, after which the auditor said:

ods-auditor[5367]: RRSIGS should include algorithm RSASHA1-NSEC3-SHA1
for time.restena.lu, A, have : RSASHA256

which seems to make less sense, as the RSASHA1-NSEC3-SHA1 has deen retired.

Is that expected, and what is the correct approach: disable the auditor
during this kind of operation? or wait more patiently and everything
will settle?

BTW: the auditor hang consistently after each of these runs and had to
be killed maually.

(ods 1.0.0)


Fondation RESTENA - DNS-LU
6, rue Coudenhove-Kalergi
L-1359 Luxembourg
tel: (+352) 424409
fax: (+352) 422473

More information about the Opendnssec-user mailing list