[Opendnssec-user] Key (xxx) has gone straight to active use without a prepublished phase

Peter Olsson pol at leissner.se
Wed Aug 3 12:06:21 UTC 2011


I also had this problem recently (version 1.2.1), with ZSK
for a couple of domains.

In my case I think the cause was that I had done a restore
of both kasp and softhsm when the entire /usr/local/var
directory was erased after a reboot. For some reason the
auditor didn't see the restored active ZSKs as having been
prepublished, and so refused to sign the zones. Maybe I
missed something in the restore.

(I think this erase problem is because our /usr/local/var is
soft-linked to /var/named/usr/local/var (Bind chroot).
I haven't had time to investigate this further, but it has
happened twice now. Has anyone else seen this? We run Bind 9.7
in FreeBSD 8.1.)

Anyway, my workaround was to disable Audit in kasp.xml.
Since then those ZSKs have rolled, and I have enabled Audit again.

Peter Olsson

On Tue, Aug 02, 2011 at 05:45:16PM +0200, Volker Janzen wrote:
> Hi all,
> today I noticed a problem in my OpenDNSSEC installation, which I
> don't understand. I had expired signatures for many domains in
> OpenDNSSEC. I was not able to figure out what might have caused
> this. I just found these strange log entries, which I do not
> understand:
> ods-auditor[7879]: Auditor started
> ods-auditor[7879]: Auditor starting on <domain1>.de
> ods-auditor[7882]: Auditor started
> ods-auditor[7882]: Auditor starting on <domain2>.de
> ods-auditor[7879]: SOA differs : from 2011080103 to 2011062380
> ods-auditor[7879]: Auditing <domain1>.de zone : NSEC3 SIGNED
> ods-auditor[7879]: Key (20188) has gone straight to active use
> without a prepublished phase
> ods-auditor[7879]: Finished auditing <domain1>.de zone
> ods-auditor[7882]: SOA differs : from 2011080103 to 2011062378
> ods-auditor[7882]: Auditing <domain2>.de zone : NSEC3 SIGNED
> ods-auditor[7882]: Key (40336) has gone straight to active use
> without a prepublished phase
> ods-auditor[7882]: Finished auditing <domain2>.de zone
> What might have caused this problem and how can I solve it now? The
> signatures are expired and I can't see any attempt of the signer to
> re-sign the zones.
> Kind regards
>   Volker Janzen
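As an added example (not code from the thread or from the OpenDNSSEC project), here is a small Python checker that parses ods-auditor syslog lines of the shape Volker quoted, groups them by auditor PID, and flags zones whose SOA serial went backwards (what a restore of older zone data looks like) or whose keys were reported active without a prepublish phase. The sample log, the zone names and the RFC 1982 style serial comparison are my own constructions.

```python
import re

# Constructed sample modelled on the ods-auditor syslog lines quoted in the
# thread; zone names are made up and each message is kept on a single line.
SAMPLE_LOG = """\
ods-auditor[7879]: Auditor starting on zone-one.example
ods-auditor[7882]: Auditor starting on zone-two.example
ods-auditor[7879]: SOA differs : from 2011080103 to 2011062380
ods-auditor[7879]: Auditing zone-one.example zone : NSEC3 SIGNED
ods-auditor[7879]: Key (20188) has gone straight to active use without a prepublished phase
ods-auditor[7879]: Finished auditing zone-one.example zone
ods-auditor[7882]: SOA differs : from 2011080102 to 2011080103
ods-auditor[7882]: Auditing zone-two.example zone : NSEC3 SIGNED
ods-auditor[7882]: Finished auditing zone-two.example zone
"""

LINE_RE = re.compile(r"^ods-auditor\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ZONE_RE = re.compile(r"^Auditor starting on (?P<zone>\S+)$")
SOA_RE = re.compile(r"^SOA differs : from (?P<old>\d+) to (?P<new>\d+)$")
KEY_RE = re.compile(r"^Key \((?P<tag>\d+)\) has gone straight to active use "
                    r"without a prepublished phase$")

def serial_went_backwards(old, new):
    """RFC 1982 serial comparison: the new serial is older than the old one
    when the 32-bit wrapped difference lands in the upper half of the space."""
    return (new - old) % (1 << 32) >= (1 << 31)

def audit_findings(log_text):
    """Per zone: did the SOA serial regress, and which key tags skipped prepublish."""
    zone_of_pid, findings = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an ods-auditor line
        pid, msg = m.group("pid"), m.group("msg")
        if z := ZONE_RE.match(msg):
            zone_of_pid[pid] = z.group("zone")  # one auditor process per zone
            findings[z.group("zone")] = {"serial_regressed": False, "unprepublished_keys": []}
        elif (zone := zone_of_pid.get(pid)) is None:
            continue  # message from a PID whose zone line we have not seen
        elif s := SOA_RE.match(msg):
            findings[zone]["serial_regressed"] = serial_went_backwards(int(s["old"]), int(s["new"]))
        elif k := KEY_RE.match(msg):
            findings[zone]["unprepublished_keys"].append(int(k["tag"]))
    return findings

def zones_needing_attention(log_text):
    """Zones showing either symptom from the thread, sorted for stable output."""
    return sorted(z for z, f in audit_findings(log_text).items()
                  if f["serial_regressed"] or f["unprepublished_keys"])
```

Feed it the output of `grep ods-auditor` from syslog; a zone listed by `zones_needing_attention` is one where the auditor will refuse to let the signer publish, which matches the expired-signature symptom in the thread.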
