[Opendnssec-user] OpenDNSSEC breaking signed zone and other issues

Sebastian Castro sebastian at nzrs.net.nz
Fri Feb 25 04:49:23 UTC 2011

Yesterday and today my testing environment running OpenDNSSEC
1.3.0-trunk produced a couple of signed zones that don't verify using

The zones end up with some signatures using the active ZSK, some
signatures using the retired key ZSK and the retired key not being
included in the zone. This causes to some records to fail validation,
according to ldns-verify-zone and a couple of validating resolvers
pointing to the signed zones. The auditor also complains, but it's not
enabled by default, I run it manually.

This issue started before a ZSK rollover, so I'm not clear the cause.

ZSK rollover was executed on Fri Feb 25 12:33:02 2011
The signed zone with problems was created the same day at 11:57 (36
minutes before the rollover)
The missing key has tag 31548

The output from ods-ksmutil key list at 11:20 for that zone looks like

Date: Fri Feb 25 11:20:01 2011
Zone:                           Keytype:      State:    Date of next
  CKA_ID:                           Repository:
nz                              KSK           active    2011-03-01
09:21:41       c3aa5eb4625a7a84b1ac00573ae658a4  softHSM          3532
nz                              ZSK           retire    2011-02-25
13:12:05       16487fb4f1ffa788a55bb8d69eda1fc8  softHSM         30880
nz                              ZSK           retire    2011-02-27
13:43:44       f5140d550dbc50bfb4965a14f4803ae4  softHSM         53800
nz                              ZSK           retire    2011-02-28
21:43:30       1d45132c894ea7fa6288176f2522daba  softHSM         42723
nz                              ZSK           retire    2011-03-01
13:05:38       b861277486d76b8350eed6b30433763d  softHSM         20646
nz                              ZSK           active    2011-02-25
09:45:01       e11a88c384b1cc8ad2aa4991c72cd026  softHSM         31548
nz                              ZSK           publish   2011-02-25
12:25:37       c9f0b73965d46877e3ef374431e05b4a  softHSM         4579

The DNSKEY RRset is signed with key 3532 and 53284, zone records are
signed with key 31548.

No error messages were written in the log files, and the missing key can
be read using ods-hsmutil.

Any clues about this?
Is not the first case, on a third level zone we had the same issue.

In the "other issues" area, OpenDNSSEC sometimes complains with things like:

ods-signerd: [hsm] unable to get key: key
2fcd5073b81c04d1c3988f92ccbbb4e6 not found
ods-signerd: [zone] unable to publish dnskeys zone 1408-nz: error
creating DNSKEY for key 2fcd5073b81c04d1c3988f92ccbbb4e6

but the key is present in the HSM, so you can get the DNSKEY using

ods-signerd: [worker[2]]: sign zone geek.nz failed: 985 of 5 signatures

ods-signerd: [drudger[2]]: unable to drudge: no zone reference
ods-signerd: last message repeated 105 times

ods-signerd: [STATS] pgp.net.nz RR[count=0 time=0(sec)] NSEC[count=0
time=0(sec)] RRSIG[new=2 reused=78 time=0(sec) avg=0(sig/sec)]
AUDIT[time=0(sec)] TOTAL[time=1298607785(sec)]

where the TOTAL time taken don't make any sense (like missing start_time)


ods-signerd: [STATS] net.nz RR[count=0 time=3(sec)] NSEC3[count=0
time=0(sec)] RRSIG[new=14958 reused=7728 time=0(sec) avg=0(sig/sec)]
AUDIT[time=0(sec)] TOTAL[time=1646(sec)]


Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

More information about the Opendnssec-user mailing list