[Opendnssec-user] ZSK expired

Casper Gielen c.gielen at uvt.nl
Fri Jan 7 12:48:16 UTC 2011


Hello,
I've got a bit of a problem with ZSKs that are not properly rotated.
As I understand it OpenDNSSEC should automatically create and use
new keys. This does not seem to happen for 5 of my zones (out of a total of 250).
I've tried to extract the relevant bits about one of those zones from the logs.
These logs are included at the end of this mail.

General information:
- opendnssec version 1.1.3
- Debian version 5.0.7
- I do not use the zone fetcher but read the zones from disk. Every time
  a zone changes ods-ksmutil update is used to notify opendnssec.
- This is an internal test, not an internet-facing production system.
- The zone is not really named example.net.
- All zones share the same policy.
- Keys are _not_ shared.
- I left for vacation on Dec 24. Nobody touched the machine after that.

The first thing that grabs my attention (in the Dec 21 logs) is that the zone
gets scheduled for signing twice. Is this normal?

In the Dec 26 logs the new bit is the line that says:
"Scheduling task to sign zone lisspanel.net, zone in progress, scheduling as soon as possible"
On Dec 28 the ZSK has expired
On Dec 29 the DNSKEY expires
On Dec 30 the entire RRSet fails
According to ods-ksmutil the ZSK has been rotated.

'ps' reveals a signer process that has been running for over a week on one of the problematic domains.

I think I can fix the problem so I'm more interested in what went wrong and
how to prevent it than a ready-made solution. Any ideas?

Dec 21 12:03:39 metagross ods-signerd: Zone example.net locked
Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone example.net at 1292929419.6 with resign time 7200
Dec 21 12:03:39 metagross ods-signerd: acquire cond
Dec 21 12:03:39 metagross ods-signerd: notify
Dec 21 12:03:39 metagross ods-signerd: release cond
Dec 21 12:03:39 metagross ods-signerd: Releasing lock on zone example.net
Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone 'example.net' in 4477 seconds
Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone example.net at 1292933896.82 with resign time 7200
Dec 21 12:03:39 metagross ods-signerd: acquire cond
Dec 21 12:03:39 metagross ods-signerd: notify
Dec 21 12:03:39 metagross ods-signerd: release cond
Dec 21 12:03:39 metagross ods-signerd: Zone example.net added

Dec 26 13:53:58 metagross ods-enforcerd: Zone example.net found.
Dec 26 13:53:58 metagross ods-enforcerd: Policy for example.net set to default.
Dec 26 13:53:58 metagross ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/example.net.xml.
Dec 26 13:53:58 metagross ods-enforcerd: WARNING: Making non-backed up ZSK active, PLEASE make sure that you know the potential problems of using keys which are not recoverable
Dec 26 13:53:58 metagross ods-enforcerd: INFO: ZSK has been rolled for example.net 
Dec 26 13:53:58 metagross ods-signerd: Received command: 'update example.net'
Dec 26 13:53:58 metagross ods-signerd: Zone example.net locked
Dec 26 13:53:58 metagross ods-signerd: Scheduling task to sign zone example.net, zone in progress, scheduling as soon as possible
Dec 26 13:53:58 metagross ods-signerd: Releasing lock on zone example.net
Dec 26 13:53:58 metagross ods-signerd: acquire cond
Dec 26 13:53:58 metagross ods-signerd: notify
Dec 26 13:53:58 metagross ods-signerd: release cond
Dec 26 13:53:58 metagross ods-signerd: could not notify zone fetcher: pid file does not exist: /var/run/opendnssec/zone_fetcher.pid
Dec 26 13:53:58 metagross ods-signerd: Releasing lock on engine
Dec 26 13:53:58 metagross ods-signerd: Sending response: Zone config updated#012
Dec 26 13:53:58 metagross ods-signerd: Done handling command
Dec 26 13:53:58 metagross ods-signerd: Client socket shut down

Dec 28 07:00:43 metagross ods-auditor[6552]: Auditor starting on example.net
Dec 28 07:00:43 metagross ods-auditor[6552]: SOA differs : from 2009012900 to 2010122414
Dec 28 07:00:43 metagross ods-auditor[6552]: Auditing example.net zone : NSEC3 SIGNED
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293683046) for example.net, NS should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2741445 seconds
Dec 28 07:00:43 metagross ods-auditor[6552]: Finished auditing example.net zone

Dec 29 06:53:53 metagross ods-auditor[14969]: Auditor starting on example.net
Dec 29 06:53:53 metagross ods-auditor[14969]: SOA differs : from 2009012900 to 2010122414
Dec 29 06:53:53 metagross ods-auditor[14969]: Auditing example.net zone : NSEC3 SIGNED
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293804042) for example.net, DNSKEY should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293683046) for example.net, NS should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293853234) for example.net, SOA should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293782686) for localhost.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (
Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293602033)
Dec 29 06:53:53 metagross ods-auditor[14969]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2827435 seconds
Dec 29 06:53:53 metagross ods-auditor[14969]: Finished auditing example.net zone

Dec 30 06:37:11 metagross ods-auditor[9998]: Auditor starting on example.net
Dec 30 06:37:11 metagross ods-auditor[9998]: SOA differs : from 2009012900 to 2010122414
Dec 30 06:37:11 metagross ods-auditor[9998]: Auditing example.net zone : NSEC3 SIGNED
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293804042) for example.net, DNSKEY should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: RRSet (example.net, NS) failed verification : Signature record not in validity period, tag = 53982
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293722949) for example.net, NSEC3PARAM should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293853234) for example.net, SOA should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293782686) for localhost.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
Dec 30 06:37:11 metagross ods-auditor[9998]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2912833 seconds

# ods-ksmutil key list -v --zone example.net 
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                         Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:                       Keytag:
example.net                   KSK           active    2011-11-29 14:35:10       3c82d67b1b7b717055af9cbb3255e783  SoftHSM                           15858
example.net                   KSK           dsready   When required             3838030dc7d49c11877a1b7c2aa36d6d  SoftHSM                           32658
example.net                   KSK           dsready   When required             8da6ed4b621792eab7d60a025be59e3b  SoftHSM                           55999
example.net                   ZSK           active    2011-01-25 13:53:58       d7983d5faeeb636f944b318bcc7b1a72  SoftHSM                           19023
example.net                   ZSK           ready     next rollover             854f62703e25a10588daa9ea95309f1f  SoftHSM                           51209
example.net                   ZSK           ready     next rollover             ad263bf4b84ab2a51aa1e6d606aaace2  SoftHSM                           21570
example.net                   ZSK           ready     next rollover             c56ee4470e7b25ced6b46ebdce6e10e7  SoftHSM                           44978
example.net                   ZSK           ready     next rollover             c6a3075d2fbfb0e163fea75713127f15  SoftHSM                           65129

-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
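The auditor lines and the ods-ksmutil key list quoted above carry enough information to triage this kind of failure automatically. The following script is an added example written for this post, not code from OpenDNSSEC or from the poster: it parses the "Signature expiration", "in use too long" and "failed verification" messages, recomputes the auditor's margin (refresh period minus resign period, 259200 - 7200 from the log), and cross-checks the key tag that is actually signing the zone against the ZSK the enforcer reports as active. The sample input is copied from the log excerpts and key list in the mail; the function names, the report wording and the default zone/threshold parameters are my own choices.

```python
import re

# Constructed sample: auditor lines copied from the Dec 28 and Dec 30 excerpts above.
AUDITOR_LOG = """\
Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293683046) for example.net, NS should be later than (the refresh period (259200) - the resign period (7200)) from now (1293516043)
Dec 28 07:00:43 metagross ods-auditor[6552]: ZSK 53982 in use too long - should be max 2595600 seconds but has been 2741445 seconds
Dec 30 06:37:11 metagross ods-auditor[9998]: RRSet (example.net, NS) failed verification : Signature record not in validity period, tag = 53982
Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293755046) for www.example.net, A should be later than (the refresh period (259200) - the resign period (7200)) from now (1293687431)
"""

# Constructed sample: subset of the 'ods-ksmutil key list -v' output from the mail.
KEY_LIST = """\
Zone:                         Keytype:      State:    Date of next transition:  CKA_ID:                           Repository:                       Keytag:
example.net                   KSK           active    2011-11-29 14:35:10       3c82d67b1b7b717055af9cbb3255e783  SoftHSM                           15858
example.net                   ZSK           active    2011-01-25 13:53:58       d7983d5faeeb636f944b318bcc7b1a72  SoftHSM                           19023
example.net                   ZSK           ready     next rollover             854f62703e25a10588daa9ea95309f1f  SoftHSM                           51209
"""

SIG_RE = re.compile(r"Signature expiration \((\d+)\) for (\S+), (\S+) should be later than .* from now \((\d+)\)")
ZSK_RE = re.compile(r"ZSK (\d+) in use too long - should be max (\d+) seconds but has been (\d+) seconds")
FAIL_RE = re.compile(r"RRSet \((\S+), (\S+)\) failed verification : .*tag = (\d+)")


def parse_auditor(log):
    """Turn ods-auditor syslog lines into tuples; lines we do not recognise are skipped."""
    events = []
    for line in log.splitlines():
        m = SIG_RE.search(line)
        if m:
            exp, name, rtype, now = m.groups()
            events.append(("sig", name, rtype, int(exp), int(now)))
            continue
        m = ZSK_RE.search(line)
        if m:
            tag, max_s, used = m.groups()
            events.append(("zsk_age", int(tag), int(max_s), int(used)))
            continue
        m = FAIL_RE.search(line)
        if m:
            name, rtype, tag = m.groups()
            events.append(("verify_fail", name, rtype, int(tag)))
    return events


def active_zsk_tags(key_list, zone):
    """Key tags of ZSKs the enforcer currently reports as 'active' for one zone.

    Each row has 8 whitespace-separated fields because the transition column
    ('2011-01-25 13:53:58', 'When required', 'next rollover') is always two words.
    """
    tags = set()
    for line in key_list.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] != zone:
            continue  # header line or another zone
        if f[1] == "ZSK" and f[2] == "active":
            tags.add(int(f[-1]))
    return tags


def assess(log, key_list, zone="example.net", refresh=259200, resign=7200):
    """Build a list of findings; an empty list means nothing to worry about."""
    findings = []
    active = active_zsk_tags(key_list, zone)
    signing_tags = set()  # tags the auditor saw on real signatures
    for ev in parse_auditor(log):
        if ev[0] == "sig":
            _, name, rtype, exp, now = ev
            margin = exp - now
            if margin <= 0:
                findings.append(f"EXPIRED {name}/{rtype}: expired {-margin}s ago")
            elif margin < refresh - resign:
                findings.append(f"STALE {name}/{rtype}: {margin}s left, need >= {refresh - resign}s")
        elif ev[0] == "zsk_age":
            _, tag, max_s, used = ev
            signing_tags.add(tag)
            findings.append(f"ZSK {tag} overdue: {used - max_s}s past max lifetime")
        elif ev[0] == "verify_fail":
            _, name, rtype, tag = ev
            signing_tags.add(tag)
            findings.append(f"FAILED {name}/{rtype}: signature by tag {tag} outside validity")
    # The decisive check for this thread: the enforcer says the ZSK rolled,
    # but the signatures on disk are still made with the old key.
    mismatch = signing_tags - active
    if mismatch:
        findings.append(f"SIGNER/ENFORCER MISMATCH: signatures use tag(s) {sorted(mismatch)} "
                        f"but enforcer's active ZSK is {sorted(active)}")
    return findings


if __name__ == "__main__":
    for finding in assess(AUDITOR_LOG, KEY_LIST):
        print(finding)
```

Run against the excerpts, the last finding is the one that explains the symptom: every signature the auditor complains about carries tag 53982, while the enforcer's key list shows 19023 as the active ZSK, so the key rolled in the KASP database but the signer never produced a zone signed with it. The per-RRset margins are a useful secondary signal for alerting well before the "failed verification" stage is reached.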