[Opendnssec-user] ods-signerd not signing zone on schedule
Rob Gallagher
robert.gallagher at heanet.ie
Fri Dec 9 12:21:18 UTC 2011
Hi Rickard,
On Wed, 7 Dec 2011 17:36:27 +0100
Rickard Bellgrim <rickard at opendnssec.org> wrote:
> The signer will not read the unsigned zone until you give the "sign"
> command. The scheduled time is only for checking for signatures that
> need to be refreshed.
>
Ah, thanks for clarifying.
> The logs say that the signatures are still valid. Do you have more
> information on the expired signatures?
Unfortunately not, I re-signed the zone manually to prevent it from
expiring.
I've left the signer running for a couple of days to observe its
behavior. This morning it attempted to add an updated SOA RRSIG to the
zone, but this never made it into the output zonefile. However, I can
see the newly added RRSIG in the .backup file in /var/opendnssec/tmp
(attached).
According to the attached log snippets, ods-signerd isn't writing the
zone because it believes the serial hasn't changed. In fact the backup
file is showing the internal serial as the original serial from when I
manually signed the zone (2011120700).
When the problem first became apparent, I also replicated the KASP and
softhsm keystore to our backup signer, which is running an identical
environment; signing has been proceeding normally here.
rg
--
Rob Gallagher | Public Key: 0x1DD13A78
HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1.
Registered in Ireland, no 275301
T: (+353-1) 6609040 F: (+353-1) 6603666 WWW: http://www.heanet.ie/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ods-rrsig-add-failed.txt
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20111209/9789f2d9/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0.7.7.0.1.0.0.2.ip6.arpa.backup
Type: application/octet-stream
Size: 19048 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20111209/9789f2d9/attachment.obj>