[Opendnssec-user] Problem signing a zone
Casper Gielen
c.gielen at uvt.nl
Mon Jun 20 13:14:31 UTC 2011
Hello,
I have a strange problem with a zone that won't sign.
Ods-signer says the config has errors but it won't indicate what's wrong.
As far as I can see there is nothing wrong with the zone.
Copying a working zone file does not work either. A sister system does not have
this problem and signs the zone file, which leads me to the conclusion that
something is wrong in the database. I've done a shallow inspection of the
(mysql) database but I can't see anything wrong.
I'm out of ideas on what to do next to get this zone to sign, besides manually
analyzing the database. As the database contains a few hundred zones and as I
don't know what I'm looking for, I would prefer to avoid that. The remainder of
this post demonstrates the problem.
First I remove the zone, to clean up any leftovers, then I add it again
and finally I try to get it signed.
# ods-ksmutil zone delete --zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
zonelist filename set to /etc/opendnssec/zonelist.xml.
Zone list updated: 1 removed, 0 added, 0 updated.
Configurations updated: 0; errors: 0; unchanged: 263.
# ods-ksmutil zone add --zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
zonelist filename set to /etc/opendnssec/zonelist.xml.
Imported zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
# ods-signer sign 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa not not being signed yet, updating sign configuration
Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa not found, updating zone list.
Zone list updated: 0 removed, 1 added, 0 updated.
Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa config has errors.
From syslog:
Jun 20 13:02:37 ramanujan ods-enforcerd: Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa found.
Jun 20 13:02:37 ramanujan ods-enforcerd: Policy for 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa set to default.
Jun 20 13:02:37 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa.xml.
Jun 20 13:02:37 ramanujan ods-enforcerd: Not enough keys to satisfy ksk policy for zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Jun 20 13:02:37 ramanujan ods-enforcerd: ods-enforcerd will create some more keys on its next run
Jun 20 13:02:37 ramanujan ods-enforcerd: Error allocating ksks to zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Now let's try another zone, again I remove it, re-add it and sign it:
# ods-ksmutil zone delete --zone example.com
zonelist filename set to /etc/opendnssec/zonelist.xml.
Zone list updated: 1 removed, 0 added, 0 updated.
Configurations updated: 0; errors: 1; unchanged: 262.
# ods-ksmutil zone add --zone example.com
zonelist filename set to /etc/opendnssec/zonelist.xml.
Imported zone: example.com
# ods-signer sign example.com
Zone example.com not not being signed yet, updating sign configuration
Zone example.com not found, updating zone list.
Zone list updated: 0 removed, 1 added, 0 updated.
Zone example.com now has config.
Works fine, let's make a copy of the file and try that:
# cp example.com 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
# ods-ksmutil zone delete --zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
zonelist filename set to /etc/opendnssec/zonelist.xml.
Zone list updated: 1 removed, 0 added, 0 updated.
Configurations updated: 0; errors: 0; unchanged: 263.
# ods-ksmutil zone add --zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
zonelist filename set to /etc/opendnssec/zonelist.xml.
Imported zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
# ods-signer sign 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa not not being signed yet, updating sign configuration
Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa not found, updating zone list.
Zone list updated: 0 removed, 2 added, 0 updated.
Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa config has errors.
So, it's not in the zone file; let's check zonelist.xml, but that seems ok as well.
From zonelist.xml:
<Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/var/lib/opendnssec/signconf/example.com.xml</SignerConfiguration>
    <Adapters>
        <Input>
            <File>/var/lib/opendnssec/unsigned/example.com</File>
        </Input>
        <Output>
            <File>/var/lib/opendnssec/signed/example.com</File>
        </Output>
    </Adapters>
</Zone>
<Zone name="4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa">
    <Policy>default</Policy>
    <SignerConfiguration>/var/lib/opendnssec/signconf/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa.xml</SignerConfiguration>
    <Adapters>
        <Input>
            <File>/var/lib/opendnssec/unsigned/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa</File>
        </Input>
        <Output>
            <File>/var/lib/opendnssec/signed/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa</File>
        </Output>
    </Adapters>
</Zone>
Zone file:
$TTL 1D
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2010070200 ; version - serial no of this file
        28800      ; refresh - check for updates after 8 hours
        14400      ; retry   - if unable to do so, wait 4 hours
        604800     ; expire  - after 7 days of failure, toss
        86400      ; minimum - default TTL of 1 day
        )
@ IN NS ns1.example.com.
  IN NS ns2.example.com.
@ IN MX 10 a.mx.example.com.
  IN MX 10 b.mx.example.com.
localhost IN A 127.0.0.1
Does anyone have a good idea on what to do next?
--
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
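ods-signer only reports "config has errors"; the reason has to be read from the ods-enforcerd syslog lines for that zone. As an added example that is not part of the original post, this shell function classifies those lines for one zone, run over a constructed syslog excerpt modelled on the messages quoted above (the ZSK message wording is an assumption, not taken from the post).

```shell
#!/bin/sh
# Added example, not from the original post. diagnose_zone ZONE LOGFILE
# reads the ods-enforcerd syslog lines that mention ZONE and prints one of:
#   NO_KSK          enforcer could not allocate KSKs (key pool exhausted)
#   NO_ZSK          same for ZSKs (assumed to use the same message wording)
#   OTHER_ERROR     zone seen but some other error was logged
#   CONFIG_WRITTEN  enforcer wrote the signconf and logged no error
#   NOT_SEEN        no enforcer line mentions the zone
diagnose_zone() {
    zone=$1
    log=$2
    # escape dots so the zone matches literally, bounded by space, slash, dot or EOL
    esc=$(printf '%s' "$zone" | sed 's/[.]/\\./g')
    msgs=$(grep 'ods-enforcerd:' "$log" | grep -E "[ /]$esc([ .]|\$)" || true)
    if [ -z "$msgs" ]; then
        echo NOT_SEEN
    elif printf '%s\n' "$msgs" | grep -q 'Not enough keys to satisfy ksk policy'; then
        echo NO_KSK
    elif printf '%s\n' "$msgs" | grep -q 'Not enough keys to satisfy zsk policy'; then
        echo NO_ZSK
    elif printf '%s\n' "$msgs" | grep -q 'Error'; then
        echo OTHER_ERROR
    elif printf '%s\n' "$msgs" | grep -q 'Config will be output to'; then
        echo CONFIG_WRITTEN
    else
        echo OTHER_ERROR
    fi
}

# write_sample_log FILE: constructed syslog excerpt modelled on the post
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 20 13:02:37 ramanujan ods-enforcerd: Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa found.
Jun 20 13:02:37 ramanujan ods-enforcerd: Policy for 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa set to default.
Jun 20 13:02:37 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa.xml.
Jun 20 13:02:37 ramanujan ods-enforcerd: Not enough keys to satisfy ksk policy for zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Jun 20 13:02:37 ramanujan ods-enforcerd: Error allocating ksks to zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Jun 20 13:05:12 ramanujan ods-enforcerd: Zone example.com found.
Jun 20 13:05:12 ramanujan ods-enforcerd: Policy for example.com set to default.
Jun 20 13:05:12 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/example.com.xml.
EOF
}

# usage: write_sample_log /tmp/enf.log; diagnose_zone example.com /tmp/enf.log
```

On a real system point it at the syslog file the enforcer writes to; a NO_KSK result means the signconf was never written, which is what the signer then reports as "config has errors".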