[Opendnssec-user] Auditor unhappy with zone during rollover?

Sebastian Castro sebastian at nzrs.net.nz
Wed Oct 20 22:17:17 UTC 2010


Hi
(Yes, it's me again)

While testing key rollovers, I've noticed the auditor is not completely
happy with the output zone.

The current status is:

- In the process of retiring a KSK due to rollover

/usr/local/opendnssec/bin/ods-ksmutil key list --zone pgp.net.nz --verbose
SQLite database set to: /var/opendnssec/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
pgp.net.nz                      KSK           dspublish 2010-10-20 11:46:35       8bf5895bbebf786687ebe2a1580e2c6d  softHSM      15261
pgp.net.nz                      KSK           retire    2010-10-20 12:30:46       f1438c62e7ac88416948bc711cbd2d3c  softHSM      38055
pgp.net.nz                      ZSK           retire    2010-10-20 14:39:16       3d292c1f905c4e790b721aa5b0c6f6f7  softHSM      22349
pgp.net.nz                      KSK           active    2010-10-21 10:20:46       ecc18af5d01c60346da30e1a0279a7bd  softHSM      64098
pgp.net.nz                      ZSK           active    2010-10-20 15:38:16       6391a52f853b9c04c51145c35261e300  softHSM      33309
pgp.net.nz                      ZSK           ready     next rollover             0628c7d9465098191279db67ec292aad  softHSM      54570

- The DNSKEY RRset has double signature with KSK 38055 and KSK 64098

Auditor complains with the following:

/usr/local/opendnssec/bin/ods-auditor -z pgp.net.nz
Auditor started
Auditor starting on pgp.net.nz
6: SOA differs : from 2920459816 to 30
6: Auditing pgp.net.nz zone : NSEC SIGNED
3: RRSet (pgp.net.nz, RRSIG) failed verification : No RRSet to verify, tag = 38055
6: Finished auditing pgp.net.nz zone
Auditor found errors - check log for details

My understanding is the auditor is trying to verify the RRSIG, but I
might be wrong.

The zone validates using ldns-verify-zone 1.6.4 and named-checkzone, maybe
it's a policy issue?

I've saved the files if needed for forensics.

I have the same issue with another zone in the same state. Additionally,
once the rollover is completed (the KSK being retired is removed from
the zone) the auditor is happy again.

cheers,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
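The auditor's complaint above is about a signature it cannot match to an RRset. The following is an added example (not part of the mailing-list post and not OpenDNSSEC code) that performs the two checks a defender would make on a signed zone during a KSK rollover: every RRSIG must cover an RRset that actually exists (and RRSIG RRs are never themselves signed, per RFC 4035), and its key tag must match a DNSKEY present at the signer's apex, with key tags computed per RFC 4034 Appendix B. The zone text, owner name and key material are constructed for the example.

```python
import base64
from collections import defaultdict

# Constructed sample zone: one KSK, one ZSK, a valid DNSKEY signature, a
# signature by a KSK (tag 38055) that is no longer in the zone, a valid SOA
# signature, and an RRSIG that (incorrectly) covers RRSIG itself.
SAMPLE_ZONE = """
pgp.example. 3600 IN SOA ns1.pgp.example. hostmaster.pgp.example. 30 7200 3600 1209600 3600
pgp.example. 3600 IN DNSKEY 257 3 8 AQIDBA==
pgp.example. 3600 IN DNSKEY 256 3 8 ECAwQA==
pgp.example. 3600 IN RRSIG DNSKEY 8 2 3600 20101120000000 20101020000000 2063 pgp.example. c2lnMQ==
pgp.example. 3600 IN RRSIG DNSKEY 8 2 3600 20101120000000 20101020000000 38055 pgp.example. c2lnMg==
pgp.example. 3600 IN RRSIG SOA 8 2 3600 20101120000000 20101020000000 17512 pgp.example. c2lnMw==
pgp.example. 3600 IN RRSIG RRSIG 8 2 3600 20101120000000 20101020000000 17512 pgp.example. c2lnNA==
"""

def dnskey_keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_zone(text):
    """Minimal one-record-per-line parser: returns (owner, type, rdata fields)."""
    records = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()
        if len(fields) >= 5:
            records.append((fields[0].lower(), fields[3].upper(), fields[4:]))
    return records

def audit_rrsigs(text):
    """Return a list of findings; an empty list means every RRSIG is accounted for."""
    records = parse_zone(text)
    present = {(owner, rtype) for owner, rtype, _ in records}
    keytags = defaultdict(set)  # apex name -> key tags of DNSKEYs published there
    for owner, rtype, rd in records:
        if rtype == "DNSKEY":
            pubkey = base64.b64decode("".join(rd[3:]))
            keytags[owner].add(dnskey_keytag(int(rd[0]), int(rd[1]), int(rd[2]), pubkey))
    findings = []
    for owner, rtype, rd in records:
        if rtype != "RRSIG":
            continue
        covered, tag, signer = rd[0].upper(), int(rd[6]), rd[7].lower()
        if covered == "RRSIG" or (owner, covered) not in present:
            findings.append(f"{owner} RRSIG({covered}) tag={tag}: no RRset to verify")
        elif tag not in keytags.get(signer, set()):
            findings.append(f"{owner} RRSIG({covered}) tag={tag}: no DNSKEY with this tag at {signer}")
    return findings

if __name__ == "__main__":
    for finding in audit_rrsigs(SAMPLE_ZONE):
        print(finding)
```

On the sample zone this reports the signature by the absent key 38055 and the RRSIG-over-RRSIG record, and stays silent for a zone where the retired KSK's signatures have been withdrawn together with its DNSKEY.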
