[Opendnssec-user] Key (xxx) has gone straight to active use without a prepublished phase

Alex Dalitz AlexD at nominet.org.uk
Wed Aug 3 06:33:57 UTC 2011


Hi -

On 2 Aug 2011, at 16:45, Volker Janzen wrote:

today I noticed a problem in my OpenDNSSEC installation, which I don't understand. I had expired signatures for many domains in OpenDNSSEC. I was not able to figure out what might have caused this. I just found these strange log entries, which I do not understand:

ods-auditor[7879]: Auditor started
ods-auditor[7879]: Auditor starting on <domain1>.de
ods-auditor[7882]: Auditor started
ods-auditor[7882]: Auditor starting on <domain2>.de
ods-auditor[7879]: SOA differs : from 2011080103 to 2011062380
ods-auditor[7879]: Auditing <domain1>.de zone : NSEC3 SIGNED
ods-auditor[7879]: Key (20188) has gone straight to active use without a prepublished phase
ods-auditor[7879]: Finished auditing <domain1>.de zone
ods-auditor[7882]: SOA differs : from 2011080103 to 2011062378
ods-auditor[7882]: Auditing <domain2>.de zone : NSEC3 SIGNED
ods-auditor[7882]: Key (40336) has gone straight to active use without a prepublished phase
ods-auditor[7882]: Finished auditing <domain2>.de zone

What might have caused this problem and how can I solve it now? The signatures are expired and I can't see any attempt of the signer to re-sign the zones.

It sounds like the auditor has seen a key in active use with no prepublished phase. According to the specification (section 3.6.5):

http://trac.opendnssec.org/wiki/Signer/AuditorRequirements

this should raise an error. The error has stopped the signer from publishing the zone, so the signatures have expired.

HTH,


Alex.
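
Added example, not part of the original message and not OpenDNSSEC code: a small log check that pairs each "gone straight to active use" line with its zone, so the stalled zones can be found before their signatures expire. The error line carries no zone name, so the script correlates on the ods-auditor PID; the helper name and the reading of the number in parentheses as a key identifier are assumptions.

```python
import re
from collections import defaultdict

# Log lines as quoted in the post above (zone names are the post's placeholders).
SAMPLE_LOG = """\
ods-auditor[7879]: Auditor started
ods-auditor[7879]: Auditor starting on <domain1>.de
ods-auditor[7882]: Auditor started
ods-auditor[7882]: Auditor starting on <domain2>.de
ods-auditor[7879]: SOA differs : from 2011080103 to 2011062380
ods-auditor[7879]: Auditing <domain1>.de zone : NSEC3 SIGNED
ods-auditor[7879]: Key (20188) has gone straight to active use without a prepublished phase
ods-auditor[7879]: Finished auditing <domain1>.de zone
ods-auditor[7882]: SOA differs : from 2011080103 to 2011062378
ods-auditor[7882]: Auditing <domain2>.de zone : NSEC3 SIGNED
ods-auditor[7882]: Key (40336) has gone straight to active use without a prepublished phase
ods-auditor[7882]: Finished auditing <domain2>.de zone
"""

LINE = re.compile(r"ods-auditor\[(?P<pid>\d+)\]: (?P<msg>.*)")
START = re.compile(r"Auditor starting on (?P<zone>\S+)")
FINISH = re.compile(r"Finished auditing (?P<zone>\S+) zone")
NO_PREPUBLISH = re.compile(
    r"Key \((?P<key>\d+)\) has gone straight to active use "
    r"without a prepublished phase")

def keys_without_prepublish(log_text):
    """Return {zone: [key ids]} for keys the auditor flagged as never prepublished."""
    zone_by_pid = {}               # auditor PID -> zone it is currently auditing
    findings = defaultdict(list)
    for raw in log_text.splitlines():
        line = LINE.search(raw)    # search() tolerates a syslog timestamp/host prefix
        if not line:
            continue
        pid, msg = line["pid"], line["msg"]
        if (m := START.search(msg)):
            zone_by_pid[pid] = m["zone"]
        elif (m := NO_PREPUBLISH.search(msg)):
            zone = zone_by_pid.get(pid, f"unknown (pid {pid})")
            findings[zone].append(int(m["key"]))
        elif FINISH.search(msg):
            zone_by_pid.pop(pid, None)   # PIDs are reused; forget finished runs
    return dict(findings)

if __name__ == "__main__":
    for zone, keys in keys_without_prepublish(SAMPLE_LOG).items():
        print(f"{zone}: key(s) {keys} flagged, signed zone will not be published")
```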