[Opendnssec-user] ods-signerd not signing zone on schedule

Rob Gallagher robert.gallagher at heanet.ie
Fri Dec 9 12:21:18 UTC 2011

Hi Rickard,

On Wed, 7 Dec 2011 17:36:27 +0100
Rickard Bellgrim <rickard at opendnssec.org> wrote:

> The signer will not read the unsigned zone until you give the "sign"
> command. The scheduled time is only for checking for signatures that
> needs to be refreshed.

Ah, thanks for clarifying.

> The logs says that the signatures are still valid. Do you have more
> information on the expired signatures?

Unfortunately not, I re-signed the zone manually to prevent it from

I've left the signer running for a couple of days to observe it's
behavior. This morning it attempted to add an updated SOA RRSIG to the
zone, but this never made it into the output zonefile. However, I can
see the newly added RRSIG in the .backup file in /var/opendnssec/tmp

According to the attached log snippets, ods-signerd isn't writing the
zone because it believes the serial hasn't changed. In fact the backup
file is showing the internal serial as the original serial from when I
manually signed the zone (2011120700).

When the problem first became apparent, I also replicated the KASP and
softhsm keystore to our backup signer which is running an identical
environment, signing has been proceeding normally here.


Rob Gallagher | Public Key: 0x1DD13A78

HEAnet Limited, Ireland's Education and Research Network
1st Floor, 5 George's Dock, IFSC, Dublin 1.
Registered in Ireland, no 275301
T: (+353-1) 6609040  F: (+353-1) 6603666 WWW: http://www.heanet.ie/

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ods-rrsig-add-failed.txt
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20111209/9789f2d9/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Type: application/octet-stream
Size: 19048 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20111209/9789f2d9/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20111209/9789f2d9/attachment.bin>

More information about the Opendnssec-user mailing list