[Opendnssec-user] ods-auditor problem

Wytze van der Raay wytze at deboca.net
Sat Dec 31 14:42:41 UTC 2011 

Since Dec 26, we are suddenly experiencing a problem with the ods-auditor:
it has started to reject the signed result for the cacert.org zone:

Dec 26 13:32:46 ns ods-auditor[13655]: Auditor started
Dec 26 13:32:46 ns ods-auditor[13655]: Auditor starting on cacert.org
Dec 26 13:32:47 ns ods-auditor[13655]: SOA differs : from 2011122301 to 2011122606
Dec 26 13:32:47 ns ods-auditor[13655]: Auditing cacert.org zone : NSEC3 SIGNED
Dec 26 13:32:48 ns ods-auditor[13655]: Unexpected error auditing files
(/var/opendnssec/tmp/cacert.org.inbound and
/var/opendnssec/tmp/cacert.org.finalized) : ERR private method `split' called
for nil:NilClass- moving on to next zone. Trace for debugging :
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1275:in `get_name_and_types'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1227:in
`check_nsec3_types_and_opt_out'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1184:in `open'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1184:in
`check_nsec3_types_and_opt_out'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1182:in `open'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1182:in
`check_nsec3_types_and_opt_out'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1180:in `open'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1180:in
`check_nsec3_types_and_opt_out'
/usr/local/lib/opendnssec/kasp_auditor/auditor.rb:184:in `check_zone'
/usr/local/lib/opendnssec/kasp_auditor.rb:215:in `full_audit'
/usr/local/lib/opendnssec/kasp_auditor.rb:168:in `run_with_syslog'
/usr/local/lib/opendnssec/kasp_auditor.rb:142:in `each'
/usr/local/lib/opendnssec/kasp_auditor.rb:142:in `run_with_syslog'
/usr/local/lib/opendnssec/kasp_auditor.rb:115:in `run'
/usr/local/lib/opendnssec/kasp_auditor.rb:113:in `open'
/usr/local/lib/opendnssec/kasp_auditor.rb:113:in `run'
/usr/local/bin/ods-auditor:169
Dec 26 13:32:48 ns ods-signerd: [worker[1]] backoff task [nsecify] for zone
cacert.org with 60 seconds

The same error was repeated on every new attempt to resign/audit the zone.
As a result, the resigned zone does not get installed, and after a few days
we ended up with expired signatures in the zone.

This happened while running OpenDNSSEC 1.3.2. On Dec 30 I have upgraded our
installation to 1.3.4, but this has not brought any improvement; the zone
keeps getting rejected by ods-auditor. However, simply deploying the file
"cacert.org.finalized" left in /var/opendnssec/tmp seems to work just fine,
the zone runs with up-to-date signatures again now.

Can someone please advise as to how to get rid of this "Unexpected error"
in the ods-auditor, so the deployment of resigned zonefiles is automatic
again as it should?

Regards,
Wytze van der Raay

More information about the Opendnssec-user mailing list