[Opendnssec-user] ZSK expired

Roy Arends roy at nominet.org.uk
Wed Jan 19 09:23:52 UTC 2011


Apologies, this email was in the moderator request list, and I did not cross-check
it against the mail already posted to the group. Hence the re-send.

Kind regards,

Roy Arends
List-moderator


On 1/7/11 12:48 PM, "Casper Gielen" <c.gielen at uvt.nl> wrote:

> Hello,
> I've got a bit of a problem with ZSKs that are not properly rotated.
> As I understand it OpenDNSSEC should automatically create and use
> new keys. This does not seem to happen for 5 of my zones (out of a total of
> 250).
> I've tried to extract the relevant bits about one of those zones from the
> logs.
> These logs are included at the end of this mail.
> 
> General information:
> - opendnssec version 1.1.3
> - Debian version 5.0.7
> - I do not use the zone fetcher but read the zones from disk. Every time
>   a zone changes, ods-ksmutil update is used to notify opendnssec.
> - This is an internal test, not an internet-facing production system.
> - The zone is not really named example.net.
> - All zones share the same policy.
> - Keys are _not_ shared.
> - I left for vacation on Dec 24. Nobody touched the machine after that.
> 
> The first thing that grabs my attention (in the Dec 21 logs) is that the zone
> gets scheduled for signing twice. Is this normal?
> 
> In the Dec 26 logs the new bit is the line that says:
> "Scheduling task to sign zone lisspanel.net, zone in progress, scheduling as
> soon as possible"
> On Dec 28 the ZSK has expired
> On Dec 29 the DNSKEY expires
> On Dec 30 the entire RRSet fails
> According to ods-ksmutil the ZSK has been rotated.
> 
> 'ps' reveals a signer process that has been running for over a week on one of
> the problematic domains.
> 
> I think I can fix the problem so I'm more interested in what went wrong and
> how to prevent it than a ready-made solution. Any ideas?
> 
> 
> Dec 21 12:03:39 metagross ods-signerd: Zone example.net locked
> Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone
> example.net at 1292929419.6 with resign time 7200
> Dec 21 12:03:39 metagross ods-signerd: acquire cond
> Dec 21 12:03:39 metagross ods-signerd: notify
> Dec 21 12:03:39 metagross ods-signerd: release cond
> Dec 21 12:03:39 metagross ods-signerd: Releasing lock on zone example.net
> Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone 'example.net'
> in 4477 seconds
> Dec 21 12:03:39 metagross ods-signerd: Scheduling task to sign zone
> example.net at 1292933896.82 with resign time 7200
> Dec 21 12:03:39 metagross ods-signerd: acquire cond
> Dec 21 12:03:39 metagross ods-signerd: notify
> Dec 21 12:03:39 metagross ods-signerd: release cond
> Dec 21 12:03:39 metagross ods-signerd: Zone example.net added
> 
> Dec 26 13:53:58 metagross ods-enforcerd: Zone example.net found.
> Dec 26 13:53:58 metagross ods-enforcerd: Policy for example.net set to
> default.
> Dec 26 13:53:58 metagross ods-enforcerd: Config will be output to
> /var/lib/opendnssec/signconf/example.net.xml.
> Dec 26 13:53:58 metagross ods-enforcerd: WARNING: Making non-backed up ZSK
> active, PLEASE make sure that you know the potential problems of using keys
> which are not recoverable
> Dec 26 13:53:58 metagross ods-enforcerd: INFO: ZSK has been rolled for
> example.net 
> Dec 26 13:53:58 metagross ods-signerd: Received command: 'update example.net'
> Dec 26 13:53:58 metagross ods-signerd: Zone example.net locked
> Dec 26 13:53:58 metagross ods-signerd: Scheduling task to sign zone
> example.net, zone in progress, scheduling as soon as possible
> Dec 26 13:53:58 metagross ods-signerd: Releasing lock on zone example.net
> Dec 26 13:53:58 metagross ods-signerd: acquire cond
> Dec 26 13:53:58 metagross ods-signerd: notify
> Dec 26 13:53:58 metagross ods-signerd: release cond
> Dec 26 13:53:58 metagross ods-signerd: could not notify zone fetcher: pid file
> does not exist: /var/run/opendnssec/zone_fetcher.pid
> Dec 26 13:53:58 metagross ods-signerd: Releasing lock on engine
> Dec 26 13:53:58 metagross ods-signerd: Sending response: Zone config
> updated#012
> Dec 26 13:53:58 metagross ods-signerd: Done handling command
> Dec 26 13:53:58 metagross ods-signerd: Client socket shut down
> 
> Dec 28 07:00:43 metagross ods-auditor[6552]: Auditor starting on example.net
> Dec 28 07:00:43 metagross ods-auditor[6552]: SOA differs : from 2009012900 to
> 2010122414
> Dec 28 07:00:43 metagross ods-auditor[6552]: Auditing example.net zone : NSEC3
> SIGNED
> Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293683046)
> for example.net, NS should be later than (the refresh period (259200) - the
> resign period (7200)) from now (1293516043)
> Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293722949)
> for example.net, NSEC3PARAM should be later than (the refresh period (259200)
> - the resign period (7200)) from now (1293516043)
> Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293711846)
> for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than
> (the refresh period (259200) - the resign period (7200)) from now (1293516043)
> Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293744549)
> for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than
> (the refresh period (259200) - the resign period (7200)) from now (1293516043)
> Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293751749)
> for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than
> (the refresh period (259200) - the resign period (7200)) from now (1293516043)
> Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293755046)
> for www.example.net, A should be later than (the refresh period (259200) - the
> resign period (7200)) from now (1293516043)
> Dec 28 07:00:43 metagross ods-auditor[6552]: ZSK 53982 in use too long -
> should be max 2595600 seconds but has been 2741445 seconds
> Dec 28 07:00:43 metagross ods-auditor[6552]: Finished auditing example.net
> zone
> 
> Dec 29 06:53:53 metagross ods-auditor[14969]: Auditor starting on example.net
> Dec 29 06:53:53 metagross ods-auditor[14969]: SOA differs : from 2009012900 to
> 2010122414
> Dec 29 06:53:53 metagross ods-auditor[14969]: Auditing example.net zone :
> NSEC3 SIGNED
> Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
> (1293804042) for example.net, DNSKEY should be later than (the refresh period
> (259200) - the resign period (7200)) from now (1293602033)
> Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
> (1293683046) for example.net, NS should be later than (the refresh period
> (259200) - the resign period (7200)) from now (1293602033)
> Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
> (1293722949) for example.net, NSEC3PARAM should be later than (the refresh
> period (259200) - the resign period (7200)) from now (1293602033)
> Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
> (1293853234) for example.net, SOA should be later than (the refresh period
> (259200) - the resign period (7200)) from now (1293602033)
> Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
> (1293711846) for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be
> later than (the refresh period (259200) - the resign period (7200)) from now (
> Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
> (1293744549) for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be
> later than (the refresh period (259200) - the resign period (7200)) from now (
> Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
> (1293782686) for localhost.example.net, A should be later than (the refresh
> period (259200) - the resign period (7200)) from now (1293602033)
> Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
> (1293751749) for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be
> later than (the refresh period (259200) - the resign period (7200)) from now (
> Dec 29 06:53:53 metagross ods-auditor[14969]: Signature expiration
> (1293755046) for www.example.net, A should be later than (the refresh period
> (259200) - the resign period (7200)) from now (1293602033)
> Dec 29 06:53:53 metagross ods-auditor[14969]: ZSK 53982 in use too long -
> should be max 2595600 seconds but has been 2827435 seconds
> Dec 29 06:53:53 metagross ods-auditor[14969]: Finished auditing example.net
> zone
> 
> Dec 30 06:37:11 metagross ods-auditor[9998]: Auditor starting on example.net
> Dec 30 06:37:11 metagross ods-auditor[9998]: SOA differs : from 2009012900 to
> 2010122414
> Dec 30 06:37:11 metagross ods-auditor[9998]: Auditing example.net zone : NSEC3
> SIGNED
> Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293804042)
> for example.net, DNSKEY should be later than (the refresh period (259200) -
> the resign period (7200)) from now (1293687431)
> Dec 30 06:37:11 metagross ods-auditor[9998]: RRSet (example.net, NS) failed
> verification : Signature record not in validity period, tag = 53982
> Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293722949)
> for example.net, NSEC3PARAM should be later than (the refresh period (259200)
> - the resign period (7200)) from now (1293687431)
> Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293853234)
> for example.net, SOA should be later than (the refresh period (259200) - the
> resign period (7200)) from now (1293687431)
> Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293711846)
> for 52ffgfhc643hs0eqie7g4s93317ljd9h.example.net, NSEC3 should be later than
> (the refresh period (259200) - the resign period (7200)) from now (
> 1293687431)
> Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293744549)
> for 7ocbpcj0npt5spm8qo90459t582e1fks.example.net, NSEC3 should be later than
> (the refresh period (259200) - the resign period (7200)) from now (1293687431)
> Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293782686)
> for localhost.example.net, A should be later than (the refresh period (259200)
> - the resign period (7200)) from now (1293687431)
> Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293751749)
> for nk3p2m9k03dndvfnqha8hcdjnkb32qgs.example.net, NSEC3 should be later than
> (the refresh period (259200) - the resign period (7200)) from now (1293687431)
> Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293755046)
> for www.example.net, A should be later than (the refresh period (259200) - the
> resign period (7200)) from now (1293687431)
> Dec 30 06:37:11 metagross ods-auditor[9998]: ZSK 53982 in use too long -
> should be max 2595600 seconds but has been 2912833 seconds
> 
> # ods-ksmutil key list -v --zone example.net
> SQLite database set to: /var/lib/opendnssec/db/kasp.db
> Keys:
> Zone:                         Keytype:      State:    Date of next transition:
> CKA_ID:                           Repository:                       Keytag:
> example.net                   KSK           active    2011-11-29 14:35:10
> 3c82d67b1b7b717055af9cbb3255e783  SoftHSM                           15858
> example.net                   KSK           dsready   When required
> 3838030dc7d49c11877a1b7c2aa36d6d  SoftHSM                           32658
> example.net                   KSK           dsready   When required
> 8da6ed4b621792eab7d60a025be59e3b  SoftHSM                           55999
> example.net                   ZSK           active    2011-01-25 13:53:58
> d7983d5faeeb636f944b318bcc7b1a72  SoftHSM                           19023
> example.net                   ZSK           ready     next rollover
> 854f62703e25a10588daa9ea95309f1f  SoftHSM                           51209
> example.net                   ZSK           ready     next rollover
> ad263bf4b84ab2a51aa1e6d606aaace2  SoftHSM                           21570
> example.net                   ZSK           ready     next rollover
> c56ee4470e7b25ced6b46ebdce6e10e7  SoftHSM                           44978
> example.net                   ZSK           ready     next rollover
> c6a3075d2fbfb0e163fea75713127f15  SoftHSM                           65129
> 
> 
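
The auditor lines in the quoted logs follow two rules that can be re-derived from
the numbers they print: an RRSIG is flagged once its expiration no longer lies
beyond now + (refresh - resign), and a ZSK is flagged once its time in use exceeds
the policy's maximum lifetime. The script below is an added example, not
OpenDNSSEC's own code and not from the original post. It re-implements both checks
over the Dec 28 and Dec 30 lines (copied from the post, mail wrapping removed) and
cross-checks the key tag the auditor sees on the failing signatures (53982) against
the ZSK that the posted `ods-ksmutil key list -v` output marks as active (19023).
The thresholds are the values the auditor printed; the regexes assume the 1.1.x
message formats shown above and nothing else.

```python
"""Re-derive the ods-auditor verdicts from the posted log lines and cross-check
the key tag on the failing RRSIGs against the ZSK that ods-ksmutil reports as
active. Added example, not OpenDNSSEC code: thresholds are the values the
auditor printed (refresh 259200 s, resign 7200 s, max ZSK lifetime 2595600 s),
and the sample log lines and key-list excerpt are copied from the post."""
import re
from dataclasses import dataclass

REFRESH = 259200            # policy <Refresh>, as printed by the auditor
RESIGN = 7200               # policy <Resign>
ZSK_MAX_LIFETIME = 2595600  # "should be max 2595600 seconds"

SIG_RE = re.compile(r"Signature expiration \((\d+)\) for (\S+), (\S+) should be"
                    r" later than .* from now \((\d+)\)")
ZSK_RE = re.compile(r"ZSK (\d+) in use too long - should be max (\d+) seconds"
                    r" but has been (\d+) seconds")
FAIL_RE = re.compile(r"RRSet \((\S+), (\S+)\) failed verification : .*tag = (\d+)")
# `ods-ksmutil key list -v` prints two lines per key; the key tag ends the second.
KEY_RE = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\w+)\s+.*\n([0-9a-f]{32})\s+(\S+)\s+(\d+)",
                    re.M)


def rrsig_status(expiration, now, refresh=REFRESH, resign=RESIGN):
    """'expired': validity period already over, validators will SERVFAIL.
    'warn': still valid, but will not outlive the window in which the signer is
    expected to have refreshed it (now + refresh - resign); this is the
    auditor's "should be later than ..." message. 'ok' otherwise."""
    if expiration <= now:
        return "expired"
    if expiration <= now + refresh - resign:
        return "warn"
    return "ok"


@dataclass
class Finding:
    kind: str          # "rrsig", "zsk" or "verify"
    name: str          # "owner TYPE", or the key tag for "zsk"
    status: str        # ok / warn / expired / too_long / failed
    seconds_left: int  # until RRSIG expiry, or until the ZSK limit (negative: overdue)
    keytag: int = 0    # key tag, where the line names one


def audit_lines(lines):
    """Parse auditor log lines and re-derive each verdict independently."""
    out = []
    for line in lines:
        if m := SIG_RE.search(line):
            exp, now = int(m[1]), int(m[4])
            out.append(Finding("rrsig", f"{m[2]} {m[3]}", rrsig_status(exp, now), exp - now))
        elif m := ZSK_RE.search(line):
            tag, max_life, in_use = (int(g) for g in m.groups())
            status = "too_long" if in_use > max_life else "ok"
            out.append(Finding("zsk", str(tag), status, max_life - in_use, tag))
        elif m := FAIL_RE.search(line):
            out.append(Finding("verify", f"{m[1]} {m[2]}", "failed", 0, int(m[3])))
    return out


def active_tags(key_list_text, keytype="ZSK"):
    """Tags the enforcer reports as active, from `ods-ksmutil key list -v` output."""
    return {int(m[6]) for m in KEY_RE.finditer(key_list_text)
            if m[2] == keytype and m[3] == "active"}


def signer_behind_enforcer(findings, active_zsks):
    """Tags still seen on RRSIGs that are not an active ZSK: the enforcer has
    rolled the key but the signer has not re-signed the zone with the new one."""
    return {f.keytag for f in findings if f.keytag and f.keytag not in active_zsks}


# Sample input copied from the post (mail line-wrapping removed).
SAMPLE_LOG = [
    "Dec 28 07:00:43 metagross ods-auditor[6552]: Signature expiration (1293683046) for "
    "example.net, NS should be later than (the refresh period (259200) - the resign "
    "period (7200)) from now (1293516043)",
    "Dec 28 07:00:43 metagross ods-auditor[6552]: ZSK 53982 in use too long - should be "
    "max 2595600 seconds but has been 2741445 seconds",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: RRSet (example.net, NS) failed "
    "verification : Signature record not in validity period, tag = 53982",
    "Dec 30 06:37:11 metagross ods-auditor[9998]: Signature expiration (1293804042) for "
    "example.net, DNSKEY should be later than (the refresh period (259200) - the resign "
    "period (7200)) from now (1293687431)",
]
SAMPLE_KEYS = """\
example.net                   ZSK           active    2011-01-25 13:53:58
d7983d5faeeb636f944b318bcc7b1a72  SoftHSM                           19023
example.net                   ZSK           ready     next rollover
854f62703e25a10588daa9ea95309f1f  SoftHSM                           51209
"""

if __name__ == "__main__":
    findings = audit_lines(SAMPLE_LOG)
    for f in findings:
        print(f"{f.kind:6} {f.name:22} {f.status:8} {f.seconds_left:>8} s")
    stale = signer_behind_enforcer(findings, active_tags(SAMPLE_KEYS))
    print("RRSIGs still made with non-active ZSK(s):", sorted(stale) or "none")
```

Run over the live auditor log and key list from cron, next to ods-auditor itself,
and alert on "warn" rather than on "failed": the Dec 28 line already showed the
NS signature with 167003 seconds (about 46 hours) left, two days before validators
started rejecting the RRset. A tag on current RRSIGs that is not an active ZSK in
the enforcer's key list is consistent with the symptoms in the post (enforcer
reports the roll, signer process stuck for a week, auditor still seeing 53982) and
is a cheaper thing to page on than an expired signature.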