[Opendnssec-user] ods-signerd not signing zone on schedule
Rickard Bellgrim
rickard at opendnssec.org
Fri Dec 9 12:54:49 UTC 2011
> I've left the signer running for a couple of days to observe its
> behavior. This morning it attempted to add an updated SOA RRSIG to the
> zone, but this never made it into the output zonefile. However, I can
> see the newly added RRSIG in the .backup file in /var/opendnssec/tmp
> (attached).
You should not add the RRSIG yourself. These will be created by the
system. Could you perhaps explain what you were trying to achieve, so
that I can help you in the right way?
> According to the attached log snippets, ods-signerd isn't writing the
> zone because it believes the serial hasn't changed. In fact the backup
> file is showing the internal serial as the original serial from when I
> manually signed the zone (2011120700).
It does not increase the serial unless there is a change in the zone.
Maybe since the RRSIG was dropped, the zone is treated as unchanged.
> When the problem first became apparent, I also replicated the KASP and
> softhsm keystore to our backup signer which is running an identical
> environment; signing has been proceeding normally here.
Could you think of anything that would make them different?
// Rickard