[Opendnssec-user] ZSK expired
Casper Gielen
c.gielen at uvt.nl
Fri Jan 7 12:48:16 UTC 2011
Hello,
I've got a bit of a problem with ZSKs that are not properly rotated.
As I understand it OpenDNSSEC should automatically create and use
new keys. This does not seem to happen for 5 of my zones (out of a total of 250).
I've tried to extract the relevant bits about one of those zones from the logs.
These logs are included at the end of this mail.
General information:
- openddnssec version 1.1.3
- Debian version 5.0.7
- I do not use the zone fetcher but read the zones from disk. Everytime
a zone changes ods-ksmutil update is used to notify opendnssec.
- This is an internal test, not an internet-facing production system.
- The zone is not really named example.net.
- All zones share the same policy.
- Keys are _not_ shared.
- I left for vacation on Dec 24. Nobody touched the machine after that.
The first thing that grabs my attention (in the Dec 21 logs) is that the zone
gets scheduled for signing twice. Is this normal?
In the Dec 26 logs the new bit is the line that says:
"Scheduling task to sign zone lisspanel.net, zone in progress, scheduling as soon as possible"
On Dec 28 the ZSK has expired
On Dec 29 the DNSKEY expires
On Dec 30 the entire RRSet fails
According to ods-ksmutil the ZSK has been rotated.
'ps' reveals a signer process that has been running for over a week on one of the problematic domains.
I think I can fix the problem so I'm more interested in what went wrong and
how to prevent it than a ready-made solution. Any ideas?
Dec 21 12:03:39 metagross ods-signerd: Zone example.net locked
Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone example.net at 1292929419.6 with resign time 7200
Dec 21 12:03:39 metagross ods-signerd: acquire cond
Dec 21 12:03:39 metagross ods-signerd: notify
Dec 21 12:03:39 metagross ods-signerd: release cond
Dec 21 12:03:39 metagross ods-signerd: Releasing lock on zone example.net
Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone 'example.net' in 4477 seconds
Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone example.net at 1292933896.82 with resign time 7200
Dec 21 12:03:39 metagross ods-signerd: acquire cond
Dec 21 12:03:39 metagross ods-signerd: notify
Dec 21 12:03:39 metagross ods-signerd: release cond
Dec 21 12:03:39 metagross ods-signerd: Zone example.net added
Dec 26 13:53:58 metagross ods-enforcerd: Zone example.net found.
Dec 26 13:53:58 metagross ods-enforcerd: Policy for example.net set to default.
Dec 26 13:53:58 metagross ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/example.net.xml.
Dec 26 13:53:58 metagross ods-enforcerd: WARNING: Making non-backed up ZSK active, PLEASE make sure that you know the potential problems of using keys which are not recoverable
Dec 26 13:53:58 metagross ods-enforcerd: INFO: ZSK has been rolled for example.net
Dec 26 13:53:58 metagross ods-signerd: Received command: 'update example.net'
Dec 26 13:53:58 metagross ods-signerd: Zone example.net locked
Dec 26 13:53:58 metagross ods-signerd: Scheduling task to sign zone example.net, zone in progress, scheduling as soon as possible
Dec 26 13:53:58 metagross ods-signerd: Releasing lock on zone example.net
Dec 26 13:53:58 metagross ods-signerd: acquire cond
Dec 26 13:53:58 metagross ods-signerd: notify
Dec 26 13:53:58 metagross ods-signerd: release cond
Dec 26 13:53:58 metagross ods-signerd: could not notify zone fetcher: pid file does not exist: /var/run/opendnssec/zone_fetcher.pid
Dec 26 13:53:58 metagross ods-signerd: Releasing lock on engine
Dec 26 13:53:58 metagross ods-signerd: Sending response: Zone config updated#012
Dec 26 13:53:58 metagross ods-signerd: Done handling command
Dec 26 13:53:58 metagross ods-signerd: Client socket shut down
Dec 28 07:00:43 metagross ods-auditor[6552]: Auditor starting on example.net
Dec 28 07:00:43 metagross ods-auditor[6552]: SOA differs : from 2009012900 to 2010122414
Dec 28 07:00:43 metagross ods-auditor[6552]: Auditing example.net zone : NSEC3 SIGNED
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293683046) for example.net, NS should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2741445 seconds
Dec 28 07:00:43 metagross ods-auditor[6552]: Finished auditing example.net zone
Dec 29 06:53:53 metagross ods-auditor[14969]: Auditor starting on example.net
Dec 29 06:53:53 metagross ods-auditor[14969]: SOA differs : from 2009012900 to 2010122414
Dec 29 06:53:53 metagross ods-auditor[14969]: Auditing example.net zone : NSEC3 SIGNED
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293804042) for example.net, DNSKEY should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293683046) for example.net, NS should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293853234) for example.net, SOA should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293782686) for localhost.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2827435 seconds
Dec 29 06:53:53 metagross ods-auditor[14969]: Finished auditing example.net zone
Dec 30 06:37:11 metagross ods-auditor[9998]: Auditor starting on example.net
Dec 30 06:37:11 metagross ods-auditor[9998]: SOA differs : from 2009012900 to 2010122414
Dec 30 06:37:11 metagross ods-auditor[9998]: Auditing example.net zone : NSEC3 SIGNED
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293804042) for example.net, DNSKEY should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: RRSet (example.net, NS) failed verification : Signature record not in validity period, tag = 53982
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293853234) for example.net, SOA should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293782686) for localhost.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2912833 seconds
# ods-ksmutil key list -v --zone example.net
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone: Keytype: State: Date of next transition: CKA_ID: Repository: Keytag:
example.net KSK active 2011-11-29 14:35:10 3c82d67b1b7b717055af9cbb3255e783 SoftHSM 15858
example.net KSK dsready When required 3838030dc7d49c11877a1b7c2aa36d6d SoftHSM 32658
example.net KSK dsready When required 8da6ed4b621792eab7d60a025be59e3b SoftHSM 55999
example.net ZSK active 2011-01-25 13:53:58 d7983d5faeeb636f944b318bcc7b1a72 SoftHSM 19023
example.net ZSK ready next rollover 854f62703e25a10588daa9ea95309f1f SoftHSM 51209
example.net ZSK ready next rollover ad263bf4b84ab2a51aa1e6d606aaace2 SoftHSM 21570
example.net ZSK ready next rollover c56ee4470e7b25ced6b46ebdce6e10e7 SoftHSM 44978
example.net ZSK ready next rollover c6a3075d2fbfb0e163fea75713127f15 SoftHSM 65129
--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20110107/9e67ab7a/attachment.bin>
More information about the Opendnssec-user
mailing list