[Opendnssec-user] Number of non-DNSSEC resource records differs

Alex Dalitz AlexD at nominet.org.uk
Wed May 19 11:07:25 UTC 2010


Hi - 

> 1) Why is there a difference?

I don't currently know (but see below).

> 2) Why does the auditor return "ok" (0) so the zone is reloaded anyway
> (presuming I hit an error)?

It looks like you are running the partial auditor on a large zone. Whilst
the full auditor will give precise results (as it scans every record), the
partial auditor can also raise general concerns, which may not be actual
errors. In this case, it has detected that the number of non-DNSSEC records
in the unsigned zone appears to differ from that in the signed zone -
however, there are cases where this may be legitimate, so it has logged a
WARNING, but returned 0 to the signer.

If the partial auditor detects a situation which it knows to be an error, it
will return an error value to the signer.

> Should I worry?

If you are concerned that there may be an error in your zone, I would
recommend running the full auditor (something like: "ods-auditor -z dk -f").
This will take some time to run, but it will give a definitive answer.
You can then decide whether or not you should be concerned with the partial
auditor output on this issue.

HTH,


Alex.
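As an added example (not the OpenDNSSEC auditor's own code), the check behind the partial auditor's warning done by hand: parse the unsigned and signed zone files, count resource records per type while excluding the types the signer adds, and report which types differ so the discrepancy can be judged legitimate or not. The two zone texts are constructed samples; the parser assumes numeric TTLs and no semicolons inside quoted strings.

```python
import re
from collections import Counter
# RR types the signer adds; these are excluded from the non-DNSSEC count.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}
CLASSES = {"IN", "CH", "HS"}
def count_non_dnssec(zone_text):
    """Per-type count of non-DNSSEC RRs in a presentation-format zone file."""
    counts, depth, buf = Counter(), 0, []
    for raw in zone_text.splitlines():
        line = re.sub(r";.*", "", raw)                # strip comments (no quoted ';' assumed)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                                 # record continues on the next line
            continue
        record, buf = " ".join(buf), []
        fields = record.split()
        if not fields or fields[0].startswith("$"):   # $TTL / $ORIGIN directives
            continue
        # A leading blank means the owner name is inherited from the previous RR.
        rest = fields if record[0].isspace() else fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]                           # skip optional numeric TTL and class
        if rest and rest[0].upper() not in DNSSEC_TYPES:
            counts[rest[0].upper()] += 1
    return counts
def compare_zones(unsigned_text, signed_text):
    """Types whose non-DNSSEC counts differ, as {type: (unsigned, signed)}."""
    u, s = count_non_dnssec(unsigned_text), count_non_dnssec(signed_text)
    return {t: (u[t], s[t]) for t in set(u) | set(s) if u[t] != s[t]}

# Constructed sample zones: the signed copy gained RRSIG and NSEC records and
# lost the www A record, the kind of discrepancy the partial auditor warns about.
UNSIGNED = """$TTL 3600
@    IN SOA ns1 hostmaster 2010051901 7200 3600 1209600 3600
     IN NS  ns1
ns1  IN A   192.0.2.1
www  IN A   192.0.2.2   ; web server
"""
SIGNED = """$TTL 3600
@    IN SOA ns1 hostmaster 2010051901 7200 3600 1209600 3600
     IN RRSIG SOA 8 2 3600 ( 20100601000000 20100519000000
                            12345 example.test. cGxhY2Vob2xkZXI= )
     IN NS  ns1
ns1  IN A   192.0.2.1
@    IN NSEC ns1 SOA NS RRSIG NSEC
"""
DIFF = compare_zones(UNSIGNED, SIGNED)   # {'A': (2, 1)}
```

A non-empty result means the record sets really differ and the full auditor run is worth the time; an empty one means the warning was about a legitimate difference in how the records were counted rather than a lost record.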