[Opendnssec-user] ods-signerd not signing zone on schedule

Rickard Bellgrim rickard at opendnssec.org
Fri Dec 9 12:54:49 UTC 2011

> I've left the signer running for a couple of days to observe it's
> behavior. This morning it attempted to add an updated SOA RRSIG to the
> zone, but this never made it into the output zonefile. However, I can
> see the newly added RRSIG in the .backup file in /var/opendnssec/tmp
> (attached).

You should not add the RRSIG yourself. These will be created by the
system. Could you perhaps explain what you were trying to achieve? So
that I can help you in the right way.

> According to the attached log snippets, ods-signerd isn't writing the
> zone because it believes the serial hasn't changed. In fact the backup
> file is showing the internal serial as the original serial from when I
> manually signed the zone (2011120700).

It does not increase the serial unless there is a change in the zone.
Maybe since the RRSIG was dropped, the zone is treated as unchanged.

> When the problem first became apparent, I also replicated the KASP and
> softhsm keystore to our backup signer which is running an identical
> environment, signing has been proceeding normally here.

Could you think of anything that would make them different?

// Rickard

More information about the Opendnssec-user mailing list