[Opendnssec-user] ZSK expired

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Jan 7 15:31:14 UTC 2011



I would be interested to see the complete logfile, just to look if I see
something odd. Perhaps we can arrange something off list.

> It's very likely the second case, ods-signer sign --all.

Notice that sign --all should not trigger reading the zonelist, but
update --all (or start, or update <zone>; the latter is often issued by
the enforcer).

Best regards,


On 01/07/2011 04:09 PM, Casper Gielen wrote:
> On 07-01-11 15:31, Matthijs Mekking wrote:
> vacation on Dec 24. Nobody touched the machine after that.
>>> The first thing that grabs my attention (in the Dec 21 logs) is that the
>>> zone
>>> gets scheduled for signing twice. Is this normal?
>> No, a zone should always be scheduled at most once in the queue.
>> However, I notice the logs do mention twice that a zone is scheduled
>> when the zone is added.
> Tnx for clarifying
>> If it is not scheduled though, it may be that a worker is working on the
>> zone. We set a flag, so that we know it may not be scheduled (for
>> example, as a result of ods-signer update).
>> How did you notice it was scheduled twice? Did you see it by issuing
>> ods-signer queue? Or did you see it in the logs? If so, do you still
>> have those logs, so I can investigate (offline, if you prefer)?
> I saw it in the logs when I started looking for a reason for dnssec
> failures on some domains. I do have the entire logfile but it's rather
> big (20 megs in total, gzipped).
>>> I think I can fix the problem so I'm more interested in what went wrong and
>>> how to prevent it than a ready-made solution. Any ideas?
>> The only times I had similar issues is when I (accidentally) started two
>> signer daemons. The client (ods-signer start) checks if there is already
>> a daemon running, however, ods-signerd will kick off without such a check.
> There is this hanging signer process. I'm not sure if that really
> counts, but I will kill it now.
> <cut>
>>  Zone example.net added
>> Hence, probably the two log references of the zone being scheduled.
>> This can happen:
>> - on startup
>> - when receiving update [--all]
>> - when receiving update <zone>, but <zone> was not found
>> However, this line tells me that there was a signed example.net already:
>>> Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone
>>> 'example.net' in 4477 seconds
>> Did some event occur at this time? Could you reason which of the three
>> cases happened (so that we can narrow down the search scope)?
> It's very likely the second case, ods-signer sign --all.
> I run this command after every zone change which happens a few times
> each day. I know it's possible to specify a specific zone to sign but
> that does not (yet) fit in our environment.
> Thanks for your help so far.
> I will now kill the old signer process and restart the signer daemon,
> if anything interesting happens I will post it here.
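An added example, not code from the thread or from the OpenDNSSEC project: a small Python check over ods-signerd syslog lines that flags a zone scheduled twice within a few seconds and reports whether a preceding "Zone ... added" line explains it (the benign case Matthijs describes, as opposed to a stray second signer daemon). The exact log line formats are assumed from the lines quoted above, the sample lines are constructed, and the year is assumed because syslog stamps omit it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line formats assumed from the lines quoted in the thread.
SCHEDULE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ ods-signerd: "
                         r"scheduling resign of zone '([^']+)' in (\d+) seconds")
ADDED_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ ods-signerd: "
                      r"Zone (\S+) added")

# Constructed sample: one duplicate explained by an 'added' line, one not.
SAMPLE_LOG = """\
Dec 21 12:03:39 metagross ods-signerd: Zone example.net added
Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone 'example.net' in 4477 seconds
Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone 'example.net' in 4477 seconds
Dec 21 13:18:16 metagross ods-signerd: scheduling resign of zone 'example.org' in 3600 seconds
Dec 21 13:18:17 metagross ods-signerd: scheduling resign of zone 'example.org' in 3600 seconds
Dec 21 14:00:00 metagross ods-signerd: scheduling resign of zone 'example.com' in 3600 seconds
"""

def _ts(stamp, year):
    # syslog stamps carry no year; the caller supplies it (assumed 2010 here)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_double_scheduling(log_text, window=5, year=2010):
    """Return [(zone, timestamp, explained)] for every pair of schedule
    lines for the same zone within `window` seconds.  `explained` is True
    when a 'Zone <zone> added' line precedes the pair within the window
    (expected on startup / update --all); False means look for another
    cause, such as two ods-signerd processes."""
    schedules, added = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = SCHEDULE_RE.match(line)
        if m:
            schedules[m.group(2)].append(_ts(m.group(1), year))
            continue
        m = ADDED_RE.match(line)
        if m:
            added[m.group(2)].append(_ts(m.group(1), year))
    findings = []
    for zone, stamps in schedules.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            if (cur - prev).total_seconds() <= window:
                explained = any(0 <= (cur - a).total_seconds() <= window
                                for a in added[zone])
                findings.append((zone, cur, explained))
    return findings
```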