[Opendnssec-user] ZSK expired

Casper Gielen c.gielen at uvt.nl
Fri Jan 7 13:00:33 UTC 2011


Hello,
I've got a bit of a problem with ZSKs that are not properly rotated.
As I understand it OpenDNSSEC should automatically create and use
new keys. This does not seem to happen for 5 of my zones (out of a total
of 250).
I've tried to extract the relevant bits about one of those zones from
the logs.
These logs are included at the end of this mail.

General information:
- OpenDNSSEC version 1.1.3
- Debian version 5.0.7
- I do not use the zone fetcher but read the zones from disk. Every time
  a zone changes ods-ksmutil update is used to notify OpenDNSSEC.
- This is an internal test, not an internet-facing production system.
- The zone is not really named example.net.
- All zones share the same policy.
- Keys are _not_ shared.
- I left for vacation on Dec 24. Nobody touched the machine after that.

The first thing that grabs my attention (in the Dec 21 logs) is that the
zone gets scheduled for signing twice. Is this normal?

In the Dec 26 logs the new bit is the line that says:
"Scheduling task to sign zone lisspanel.net, zone in progress,
scheduling as soon as possible"
On Dec 28 the ZSK has expired
On Dec 29 the DNSKEY expires
On Dec 30 the entire RRSet fails
According to ods-ksmutil the ZSK has been rotated.

'ps' reveals a signer process that has been running for over a week on
one of the problematic domains.

I think I can fix the problem so I'm more interested in what went wrong and
how to prevent it than a ready-made solution. Any ideas?

Dec 21 12:03:39 metagross ods-signerd: Zone example.net locked
Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone
example.net at 1292929419.6 with resign time 7200
Dec 21 12:03:39 metagross ods-signerd: acquire cond
Dec 21 12:03:39 metagross ods-signerd: notify
Dec 21 12:03:39 metagross ods-signerd: release cond
Dec 21 12:03:39 metagross ods-signerd: Releasing lock on zone example.net
Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone
'example.net' in 4477 seconds
Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone
example.net at 1292933896.82 with resign time 7200
Dec 21 12:03:39 metagross ods-signerd: acquire cond
Dec 21 12:03:39 metagross ods-signerd: notify
Dec 21 12:03:39 metagross ods-signerd: release cond
Dec 21 12:03:39 metagross ods-signerd: Zone example.net added

Dec 26 13:53:58 metagross ods-enforcerd: Zone example.net found.
Dec 26 13:53:58 metagross ods-enforcerd: Policy for example.net set to
default.
Dec 26 13:53:58 metagross ods-enforcerd: Config will be output to
/var/lib/opendnssec/signconf/example.net.xml.
Dec 26 13:53:58 metagross ods-enforcerd: WARNING: Making non-backed up
ZSK active, PLEASE make sure that you know the potential problems of
using keys which are not recoverable
Dec 26 13:53:58 metagross ods-enforcerd: INFO: ZSK has been rolled for
example.net
Dec 26 13:53:58 metagross ods-signerd: Received command:
'update example.net'
Dec 26 13:53:58 metagross ods-signerd: Zone example.net locked
Dec 26 13:53:58 metagross ods-signerd: Scheduling task to sign zone
example.net, zone in progress, scheduling as soon as possible
Dec 26 13:53:58 metagross ods-signerd: Releasing lock on zone example.net
Dec 26 13:53:58 metagross ods-signerd: acquire cond
Dec 26 13:53:58 metagross ods-signerd: notify
Dec 26 13:53:58 metagross ods-signerd: release cond
Dec 26 13:53:58 metagross ods-signerd: could not notify zone fetcher:
pid file does not exist: /var/run/opendnssec/zone_fetcher.pid
Dec 26 13:53:58 metagross ods-signerd: Releasing lock on engine
Dec 26 13:53:58 metagross ods-signerd: Sending response: Zone config
updated#012
Dec 26 13:53:58 metagross ods-signerd: Done handling command
Dec 26 13:53:58 metagross ods-signerd: Client socket shut down

Dec 28 07:00:43 metagross ods-auditor[6552]: Auditor starting on example.net
Dec 28 07:00:43 metagross ods-auditor[6552]: SOA differs : from
2009012900 to 2010122414
Dec 28 07:00:43 metagross ods-auditor[6552]: Auditing example.net zone :
NSEC3 SIGNED
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration
(1293683046) for example.net, NS should be later than (the refresh
period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration
(1293722949) for example.net, NSEC3PARAM should be later than (the
refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration
(1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3
should be later than (the refresh period (259200) - the resign period
(7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration
(1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3
should be later than (the refresh period (259200) - the resign period
(7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration
(1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3
should be later than (the refresh period (259200) - the resign period
(7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration
(1293755046) for www.example.net, A should be later than (the refresh
period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: ZSK 53982 in use too long -
should be max 2595600 seconds but has been 2741445 seconds
Dec 28 07:00:43 metagross ods-auditor[6552]: Finished auditing
example.net zone

Dec 29 06:53:53 metagross ods-auditor[14969]: Auditor starting on
example.net
Dec 29 06:53:53 metagross ods-auditor[14969]: SOA differs : from
2009012900 to 2010122414
Dec 29 06:53:53 metagross ods-auditor[14969]: Auditing example.net zone
: NSEC3 SIGNED
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
(1293804042) for example.net, DNSKEY should be later than (the refresh
period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
(1293683046) for example.net, NS should be later than (the refresh
period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
(1293722949) for example.net, NSEC3PARAM should be later than (the
refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
(1293853234) for example.net, SOA should be later than (the refresh
period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
(1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3
should be later than (the refresh period (259200) - the resign period
(7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
(1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3
should be later than (the refresh period (259200) - the resign period
(7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
(1293782686) for localhost.example.net, A should be later than (the
refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
(1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3
should be later than (the refresh period (259200) - the resign period
(7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
(1293755046) for www.example.net, A should be later than (the refresh
period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: ZSK 53982 in use too long
- should be max 2595600 seconds but has been 2827435 seconds
Dec 29 06:53:53 metagross ods-auditor[14969]: Finished auditing
example.net zone

Dec 30 06:37:11 metagross ods-auditor[9998]: Auditor starting on example.net
Dec 30 06:37:11 metagross ods-auditor[9998]: SOA differs : from
2009012900 to 2010122414
Dec 30 06:37:11 metagross ods-auditor[9998]: Auditing example.net zone :
NSEC3 SIGNED
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration
(1293804042) for example.net, DNSKEY should be later than (the refresh
period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: RRSet (example.net, NS)
failed verification : Signature record not in validity period, tag = 53982
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration
(1293722949) for example.net, NSEC3PARAM should be later than (the
refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration
(1293853234) for example.net, SOA should be later than (the refresh
period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration
(1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3
should be later than (the refresh period (259200) - the resign period
(7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration
(1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3
should be later than (the refresh period (259200) - the resign period
(7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration
(1293782686) for localhost.example.net, A should be later than (the
refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration
(1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3
should be later than (the refresh period (259200) - the resign period
(7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration
(1293755046) for www.example.net, A should be later than (the refresh
period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: ZSK 53982 in use too long -
should be max 2595600 seconds but has been 2912833 seconds

# ods-ksmutil key list -v --zone example.net
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:         Keytype:  State:   Date of next transition:  CKA_ID:                           Repository:  Keytag:
example.net   KSK       active   2011-11-29 14:35:10       3c82d67b1b7b717055af9cbb3255e783  SoftHSM      15858
example.net   KSK       dsready  When required             3838030dc7d49c11877a1b7c2aa36d6d  SoftHSM      32658
example.net   KSK       dsready  When required             8da6ed4b621792eab7d60a025be59e3b  SoftHSM      55999
example.net   ZSK       active   2011-01-25 13:53:58       d7983d5faeeb636f944b318bcc7b1a72  SoftHSM      19023
example.net   ZSK       ready    next rollover             854f62703e25a10588daa9ea95309f1f  SoftHSM      51209
example.net   ZSK       ready    next rollover             ad263bf4b84ab2a51aa1e6d606aaace2  SoftHSM      21570
example.net   ZSK       ready    next rollover             c56ee4470e7b25ced6b46ebdce6e10e7  SoftHSM      44978
example.net   ZSK       ready    next rollover             c6a3075d2fbfb0e163fea75713127f15  SoftHSM      65129

-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
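A small triage script for auditor output like the logs in the message above, added here as an example (it is not part of the original post and is not OpenDNSSEC code). It groups the three kinds of ods-auditor message seen in those logs per zone, turns each "Signature expiration ... should be later than" line into seconds-to-expiry against the refresh-minus-resign margin the auditor itself uses, records the "ZSK in use too long" overshoot, and classifies each zone as OK, WARNING or BROKEN. The message formats are copied from the lines quoted in the post; the healthy.example zone in the sample input is constructed so that a clean run is visible too.

```python
"""Triage ods-auditor syslog lines for zones whose DNSSEC signatures are lapsing.

Added example, not from the post or from OpenDNSSEC. Message shapes are taken
from the auditor lines quoted in the post; 'healthy.example' is constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The auditor only emits the "should be later than" line when an RRSIG expires
# within (refresh period - resign period) seconds, so any match is a warning.
START_RE = re.compile(r"ods-auditor\[\d+\]: Auditor starting on (\S+)$")
EXPIRY_RE = re.compile(
    r"ods-auditor\[\d+\]: Signature expiration \((\d+)\) for (\S+), (\S+) should be "
    r"later than \(the refresh period \((\d+)\) - the resign period \((\d+)\)\) "
    r"from now \((\d+)\)"
)
KEY_AGE_RE = re.compile(
    r"ods-auditor\[\d+\]: ZSK (\d+) in use too long - should be max (\d+) seconds "
    r"but has been (\d+) seconds"
)
FAILED_RE = re.compile(
    r"ods-auditor\[\d+\]: RRSet \((\S+), (\S+)\) failed verification : .*tag = (\d+)"
)


@dataclass
class ZoneAudit:
    zone: str
    margin: Optional[int] = None                                          # refresh - resign
    remaining: Dict[Tuple[str, str], int] = field(default_factory=dict)  # (owner, type) -> s left
    failed: List[Tuple[str, str, int]] = field(default_factory=list)    # (owner, type, keytag)
    zsk_overdue: Dict[int, int] = field(default_factory=dict)           # keytag -> s past max
    unparsed: int = 0                                                    # truncated/unknown lines

    def min_remaining(self) -> Optional[int]:
        return min(self.remaining.values()) if self.remaining else None

    def status(self) -> str:
        # An RRSIG past expiry or a failed verification means validating resolvers
        # already SERVFAIL that name; still-valid RRSIGs inside the margin, or an
        # over-age ZSK, mean the signer is stuck but the zone still validates.
        if self.failed or any(r <= 0 for r in self.remaining.values()):
            return "BROKEN"
        if self.remaining or self.zsk_overdue:
            return "WARNING"
        return "OK"


def parse_auditor_log(lines) -> Dict[str, ZoneAudit]:
    """Group auditor messages per zone; each 'Auditor starting' line starts a fresh record."""
    audits: Dict[str, ZoneAudit] = {}
    current: Optional[ZoneAudit] = None
    for raw in lines:
        line = raw.strip()
        if "ods-auditor[" not in line:
            continue
        if m := START_RE.search(line):
            current = ZoneAudit(zone=m.group(1))
            audits[current.zone] = current
        elif current is None:
            continue
        elif m := EXPIRY_RE.search(line):
            expiry, owner, rrtype, refresh, resign, now = m.groups()
            current.margin = int(refresh) - int(resign)
            current.remaining[(owner, rrtype)] = int(expiry) - int(now)
        elif m := KEY_AGE_RE.search(line):
            keytag, max_life, actual = (int(x) for x in m.groups())
            current.zsk_overdue[keytag] = actual - max_life
        elif m := FAILED_RE.search(line):
            owner, rrtype, keytag = m.groups()
            current.failed.append((owner, rrtype, int(keytag)))
        elif "Signature expiration" in line or "failed verification" in line:
            current.unparsed += 1  # e.g. lines cut off at "from now (" in the post
    return audits


def report(audits: Dict[str, ZoneAudit]) -> List[str]:
    out = []
    for zone, a in sorted(audits.items()):
        line = f"{zone}: {a.status()}"
        if a.min_remaining() is not None:
            line += f", tightest RRSIG expires in {a.min_remaining()}s (margin {a.margin}s)"
        for tag, over in a.zsk_overdue.items():
            line += f", ZSK {tag} is {over}s past its policy lifetime"
        for owner, rrtype, tag in a.failed:
            line += f", {owner}/{rrtype} RRSIG (key {tag}) already invalid"
        out.append(line)
    return out


# Constructed sample: example.net lines are the Dec 30 run quoted in the post,
# healthy.example is made up to show what a clean run looks like.
SAMPLE_LINES = [
    "Dec 30 06:37:11 metagross ods-auditor[9998]: Auditor starting on example.net",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: Auditing example.net zone : NSEC3 SIGNED",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293804042) for example.net, DNSKEY should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: RRSet (example.net, NS) failed verification : Signature record not in validity period, tag = 53982",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2912833 seconds",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: Finished auditing example.net zone",
    "Dec 30 06:37:12 metagross ods-auditor[9998]: Auditor starting on healthy.example",
    "Dec 30 06:37:12 metagross ods-auditor[9998]: Auditing healthy.example zone : NSEC3 SIGNED",
    "Dec 30 06:37:12 metagross ods-auditor[9998]: Finished auditing healthy.example zone",
]

if __name__ == "__main__":
    for line in report(parse_auditor_log(SAMPLE_LINES)):
        print(line)
```

On the Dec 30 lines from the post this reports example.net as BROKEN, because the NS RRSIG made by key 53982 is already outside its validity period; the remaining warnings (DNSKEY, NSEC3PARAM, NSEC3 and A signatures inside the 252000 s margin, ZSK 53982 some 317233 s past its maximum lifetime) are the same stuck signer seen from different angles. Lines the auditor truncated, like the ones ending in "from now (" in the post, are counted in `unparsed` rather than silently dropped, so a monitor built on this would notice when its own input is incomplete.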