[Opendnssec-user] Auditor unhappy with zone during rollover?

Alex Dalitz AlexD at nominet.org.uk
Tue Oct 26 08:44:12 UTC 2010


Hi - 

Thanks for the report! After investigating the files you sent, I can confirm that there is a bug in dnsruby which caused this issue. This bug is fixed in dnsruby svn r443, and will be available in the next dnsruby release (which will be required by the next OpenDNSSEC beta).

Thanks, and apologies,


Alex.

On 20 Oct 2010, at 23:17, Sebastian Castro wrote:

> Hi
> (Yes, it's me again)
> 
> While testing key rollovers, I've noticed the auditor is not completely
> happy with the output zone.
> 
> The current status is:
> 
> - In the process of retiring a KSK due to rollover
> 
> /usr/local/opendnssec/bin/ods-ksmutil key list --zone pgp.net.nz --verbose
> SQLite database set to: /var/opendnssec/kasp.db
> Keys:
> Zone:        Keytype:  State:     Date of next transition:  CKA_ID:                           Repository:  Keytag:
> pgp.net.nz   KSK       dspublish  2010-10-20 11:46:35       8bf5895bbebf786687ebe2a1580e2c6d  softHSM      15261
> pgp.net.nz   KSK       retire     2010-10-20 12:30:46       f1438c62e7ac88416948bc711cbd2d3c  softHSM      38055
> pgp.net.nz   ZSK       retire     2010-10-20 14:39:16       3d292c1f905c4e790b721aa5b0c6f6f7  softHSM      22349
> pgp.net.nz   KSK       active     2010-10-21 10:20:46       ecc18af5d01c60346da30e1a0279a7bd  softHSM      64098
> pgp.net.nz   ZSK       active     2010-10-20 15:38:16       6391a52f853b9c04c51145c35261e300  softHSM      33309
> pgp.net.nz   ZSK       ready      next rollover             0628c7d9465098191279db67ec292aad  softHSM      54570
> 
> - The DNSKEY RRset has a double signature, with KSK 38055 and KSK 64098
> 
> Auditor complains with the following:
> 
> /usr/local/opendnssec/bin/ods-auditor -z pgp.net.nz
> Auditor started
> Auditor starting on pgp.net.nz
> 6: SOA differs : from 2920459816 to 30
> 6: Auditing pgp.net.nz zone : NSEC SIGNED
> 3: RRSet (pgp.net.nz, RRSIG) failed verification : No RRSet to verify, tag = 38055
> 6: Finished auditing pgp.net.nz zone
> Auditor found errors - check log for details
> 
> My understanding is the auditor is trying to verify the RRSIG, but I
> might be wrong.
> 
> The zone validates using ldns-verify-zone 1.6.4 and named-checkzone, maybe
> it's a policy issue?
> 
> I've saved the files if needed for forensics.
> 
> I have the same issue with another zone in the same state. Additionally,
> once the rollover is completed (the KSK being retired is removed from
> the zone) the auditor is happy again.
> 
> cheers,
> -- 
> Sebastian Castro
> DNS Specialist
> .nz Registry Services (New Zealand Domain Name Registry Limited)
> desk: +64 4 495 2337
> mobile: +64 21 400535
> 
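The auditor error above is a bookkeeping complaint about the DNSKEY RRset: an RRSIG over the set names a key tag (38055) that the auditor could not pair with a key. The following added example, which is not code from this thread, from dnsruby or from OpenDNSSEC, shows the consistency check an auditor performs at that point: parse DNSKEY and RRSIG records in presentation format, compute RFC 4034 key tags, and report any RRSIG over the DNSKEY RRset whose key tag and algorithm match no published key. It does not verify signatures cryptographically, and the zone name `example.net.`, the tiny filler public keys and the signature bytes are all constructed for the example; it covers both the healthy mid-rollover state (two KSKs published, both signing) and the broken state where a retired KSK was removed while its signature stayed behind.

```python
"""Bookkeeping check for a DNSKEY RRset during a KSK rollover (added example).

Not code from the thread, dnsruby or OpenDNSSEC. Parses DNSKEY and RRSIG records in
single-line presentation format, computes RFC 4034 key tags, and reports RRSIGs over the
DNSKEY RRset that refer to a key absent from the set. Signatures are NOT verified
cryptographically; all keys and signature bytes below are constructed filler.
"""
import base64
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even-indexed octets form the high byte of a 16-bit word
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


@dataclass(frozen=True)
class Dnskey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey

    def tag(self) -> int:
        return key_tag(self.rdata())

    def is_ksk(self) -> bool:
        return bool(self.flags & 0x0001)   # SEP bit, which OpenDNSSEC sets on KSKs


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


def parse_records(zone_text: str):
    """Extract DNSKEY and RRSIG records from single-line presentation format; skip the rest."""
    keys, sigs = [], []
    for raw in zone_text.splitlines():
        f = raw.split(";", 1)[0].split()   # drop trailing comments
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype = f[0].lower(), f[3]
        if rtype == "DNSKEY":
            keys.append(Dnskey(owner, int(f[4]), int(f[5]), int(f[6]), base64.b64decode("".join(f[7:]))))
        elif rtype == "RRSIG":
            # RDATA fields: type_covered alg labels orig_ttl expiration inception key_tag signer signature
            sigs.append(Rrsig(owner, f[4], int(f[5]), int(f[10]), f[11].lower()))
    return keys, sigs


def check_dnskey_rrset(zone_text: str) -> list[str]:
    """One message per RRSIG over DNSKEY that has no matching key (owner, algorithm, tag)
    or whose signer is not the apex itself; an empty list means the set is consistent."""
    keys, sigs = parse_records(zone_text)
    present = {(k.owner, k.algorithm, k.tag()) for k in keys}
    problems = []
    for s in sigs:
        if s.type_covered != "DNSKEY":
            continue
        if s.signer != s.owner:
            problems.append(f"RRSIG(DNSKEY) at {s.owner} signed by {s.signer}, expected the apex itself")
        if (s.owner, s.algorithm, s.key_tag) not in present:
            problems.append(f"RRSIG(DNSKEY) at {s.owner} by key tag {s.key_tag} alg {s.algorithm}: "
                            f"no matching DNSKEY in RRset")
    return problems


# Constructed sample keys (4-byte filler public keys, not real RSA material).
OLD_KSK = Dnskey("example.net.", 257, 3, 8, b"\x01\x02\x03\x04")   # key tag 2063
NEW_KSK = Dnskey("example.net.", 257, 3, 8, b"\x10\x20\x30\x40")   # key tag 17513
ZSK = Dnskey("example.net.", 256, 3, 8, b"\xaa\xbb\xcc\xdd")       # key tag 31649


def dnskey_line(k: Dnskey) -> str:
    return f"{k.owner} 3600 IN DNSKEY {k.flags} {k.protocol} {k.algorithm} {base64.b64encode(k.pubkey).decode()}"


def rrsig_line(signing_key: Dnskey) -> str:
    sig = base64.b64encode(b"constructed-signature").decode()   # filler; never validated here
    return (f"{signing_key.owner} 3600 IN RRSIG DNSKEY {signing_key.algorithm} 2 3600 "
            f"20101120000000 20101020000000 {signing_key.tag()} {signing_key.owner} {sig}")


# Mid-rollover: both KSKs are published and both sign the DNSKEY RRset (the "double signature").
DURING_ROLLOVER = "\n".join([dnskey_line(OLD_KSK), dnskey_line(NEW_KSK), dnskey_line(ZSK),
                             rrsig_line(OLD_KSK), rrsig_line(NEW_KSK)])

# Broken: the old KSK's DNSKEY was dropped while its RRSIG over the set was left behind.
STALE_SIGNATURE = "\n".join([dnskey_line(NEW_KSK), dnskey_line(ZSK),
                             rrsig_line(OLD_KSK), rrsig_line(NEW_KSK)])

if __name__ == "__main__":
    for name, zone in (("during rollover", DURING_ROLLOVER), ("stale signature", STALE_SIGNATURE)):
        print(name, "->", check_dnskey_rrset(zone) or "OK")
```

Running the block reports the mid-rollover set as consistent and flags the stale-signature set with a single message naming tag 2063. A pass from this check says only that every signature over the DNSKEY RRset can be paired with a published key; cryptographic validity still needs a verifier such as ldns-verify-zone.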