[Opendnssec-user] Auditor unhappy with zone during rollover?
sebastian at nzrs.net.nz
Wed Oct 20 22:17:17 UTC 2010
(Yes, it's me again)
While testing key rollovers, I've noticed the auditor is not completely
happy with the output zone.
The current status is:
- In the process of retiring a KSK due to rollover
/usr/local/opendnssec/bin/ods-ksmutil key list --zone pgp.net.nz --verbose
SQLite database set to: /var/opendnssec/kasp.db
Zone:        Keytype:  State:      Date of next transition:  CKA_ID:                           Repository:
pgp.net.nz   KSK       dspublish   2010-10-20 11:46:35       8bf5895bbebf786687ebe2a1580e2c6d  softHSM
pgp.net.nz   KSK       retire      2010-10-20 12:30:46       f1438c62e7ac88416948bc711cbd2d3c  softHSM
pgp.net.nz   ZSK       retire      2010-10-20 14:39:16       3d292c1f905c4e790b721aa5b0c6f6f7  softHSM
pgp.net.nz   KSK       active      2010-10-21 10:20:46       ecc18af5d01c60346da30e1a0279a7bd  softHSM
pgp.net.nz   ZSK       active      2010-10-20 15:38:16       6391a52f853b9c04c51145c35261e300  softHSM
pgp.net.nz   ZSK       ready       next rollover
- The DNSKEY RRset is double-signed with KSK 38055 and KSK 64098
Auditor complains with the following:
/usr/local/opendnssec/bin/ods-auditor -z pgp.net.nz
Auditor starting on pgp.net.nz
6: SOA differs : from 2920459816 to 30
6: Auditing pgp.net.nz zone : NSEC SIGNED
3: RRSet (pgp.net.nz, RRSIG) failed verification : No RRSet to verify, tag = 38055
6: Finished auditing pgp.net.nz zone
Auditor found errors - check log for details
My understanding is the auditor is trying to verify the RRSIG, but I
might be wrong.
The zone validates using ldns-verify-zone 1.6.4 and named-checkzone; maybe
it's a policy issue?
I've saved the files if needed for forensics.
I have the same issue with another zone in the same state. Additionally,
once the rollover is completed (the KSK being retired is removed from
the zone) the auditor is happy again.
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
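An added triage helper, not part of the original post or of OpenDNSSEC: a Python parser for the ods-auditor output quoted above. It keeps only lines at syslog priority err (3) or worse and pulls out the RRset owner, type and key tag from "failed verification" messages, so the failing signature can be matched against the key list during a rollover. The sample log is constructed from the lines in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ods-auditor prefixes each message with its syslog priority (3 = err, 6 = info).
SEVERITY = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
            4: "warning", 5: "notice", 6: "info", 7: "debug"}
LINE_RE = re.compile(r"^(?P<prio>[0-7]): (?P<msg>.*)$")
# "RRSet (owner, TYPE) failed verification : reason[, tag = NNNNN]"
RRSET_RE = re.compile(r"^RRSet \((?P<owner>\S+), (?P<rtype>[A-Z0-9]+)\) failed "
                      r"verification : (?P<reason>.*?)(?:, tag = (?P<tag>\d+))?$")
@dataclass
class Finding:
    severity: str
    reason: str
    owner: Optional[str] = None
    rtype: Optional[str] = None
    keytag: Optional[int] = None

def parse_auditor_log(text: str, max_prio: int = 3) -> List[Finding]:
    """One Finding per line at priority max_prio (err) or worse; banner and
    summary lines without a priority prefix are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or int(m.group("prio")) > max_prio:
            continue
        sev, msg = SEVERITY[int(m.group("prio"))], m.group("msg")
        rm = RRSET_RE.match(msg)
        if rm:  # structured RRset failure: keep owner, type and key tag
            tag = rm.group("tag")
            findings.append(Finding(sev, rm.group("reason"), rm.group("owner"),
                                    rm.group("rtype"), int(tag) if tag else None))
        else:   # any other error line, kept verbatim
            findings.append(Finding(sev, msg))
    return findings

def failing_key_tags(findings: List[Finding]) -> List[int]:
    """Key tags named in RRSIG failures, to match against the key list."""
    return sorted({f.keytag for f in findings
                   if f.rtype == "RRSIG" and f.keytag is not None})

# Constructed sample: the auditor output from the report, wrapped line rejoined.
SAMPLE_LOG = """Auditor starting on pgp.net.nz
6: SOA differs : from 2920459816 to 30
6: Auditing pgp.net.nz zone : NSEC SIGNED
3: RRSet (pgp.net.nz, RRSIG) failed verification : No RRSet to verify, tag = 38055
6: Finished auditing pgp.net.nz zone
Auditor found errors - check log for details"""
```

Running `failing_key_tags(parse_auditor_log(SAMPLE_LOG))` on the report's output yields `[38055]`, the retiring KSK's tag, which is the key to check in the `ods-ksmutil key list` output.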