[Opendnssec-user] Problem signing a zone

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Jun 20 13:33:43 UTC 2011



Hi Casper,

If it is ods-signer that is complaining, it has nothing to do with the
database. The signer does not talk to the database (the enforcer does).

Furthermore, it is probably the signer configuration
(signconf/<zone>.xml) that the signer is complaining about.

For me to be able to investigate, I would like to receive the signconf file
that is causing this trouble. Also, which version are you using?

Best regards,

Matthijs


On 06/20/2011 03:14 PM, Casper Gielen wrote:
> Hello,
> I have a strange problem with a zone that won't sign.
> Ods-signer says the config has errors but it won't indicate what's wrong.
> As far as I can see there is nothing wrong with the zone.
> Copying a working zone-file does not work either. A sister-system does not have
> this problem and signs the zone file, which leads me to the conclusion that
> something is wrong in the database. I've done a shallow inspection of the
> (mysql) database but I can't see anything wrong.
> 
> I'm out of ideas on what to do next to get this zone to sign, besides manually
> analyzing the database. As the database contains a few hundred zones and as I
> don't know what I'm looking for, I would prefer to avoid that. The remainder of
> this post demonstrates the problem.
> 
> 
> 
> First I remove the zone, to clean up any leftovers, then I add it again
> and finally I try to get it signed.
> 
> 
> # ods-ksmutil zone delete --zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Zone list updated: 1 removed, 0 added, 0 updated.
> Configurations updated: 0; errors: 0; unchanged: 263.
> 
> # ods-ksmutil zone add --zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Imported zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> 
> # ods-signer sign 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa not not being signed yet, updating sign configuration
> Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa not found, updating zone list.
> Zone list updated: 0 removed, 1 added, 0 updated.
> Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa config has errors.
> 
> 
> 
> From syslog:
> 
> Jun 20 13:02:37 ramanujan ods-enforcerd: Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa found.
> Jun 20 13:02:37 ramanujan ods-enforcerd: Policy for 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa set to default.
> Jun 20 13:02:37 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa.xml.
> Jun 20 13:02:37 ramanujan ods-enforcerd: Not enough keys to satisfy ksk policy for zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> Jun 20 13:02:37 ramanujan ods-enforcerd: ods-enforcerd will create some more keys on its next run
> Jun 20 13:02:37 ramanujan ods-enforcerd: Error allocating ksks to zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> 
> 
> 
> Now let's try another zone, again I remove it, re-add it and sign it:
> 
> 
> # ods-ksmutil zone delete --zone example.com                            
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Zone list updated: 1 removed, 0 added, 0 updated.
> Configurations updated: 0; errors: 1; unchanged: 262.
> 
> # ods-ksmutil zone add --zone example.com
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Imported zone: example.com
> 
> # ods-signer sign example.com
> Zone example.com not not being signed yet, updating sign configuration
> Zone example.com not found, updating zone list.
> Zone list updated: 0 removed, 1 added, 0 updated.
> Zone example.com now has config.
> 
> 
> Works fine, let's make a copy of the file and try that:
> 
> 
> # cp example.com 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> 
> 
> # ods-ksmutil zone delete --zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Zone list updated: 1 removed, 0 added, 0 updated.
> Configurations updated: 0; errors: 0; unchanged: 263.
> 
> # ods-ksmutil zone add --zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Imported zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> 
> #  ods-signer sign 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
> Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa not not being signed yet, updating sign configuration
> Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa not found, updating zone list.
> Zone list updated: 0 removed, 2 added, 0 updated.
> Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa config has errors.
> 
> 
> So, it's not in the zone file, let's check zonelist.xml, but that seems ok as well.
> 
> from zonelist.xml:
> <Zone name="example.com">
>         <Policy>default</Policy>
>         <SignerConfiguration>/var/lib/opendnssec/signconf/example.com.xml</SignerConfiguration>
>         <Adapters>
>                 <Input>
>                         <File>/var/lib/opendnssec/unsigned/example.com</File>
>                 </Input>
>                 <Output>
>                         <File>/var/lib/opendnssec/signed/example.com</File>
>                 </Output>
>         </Adapters>
> </Zone>
> <Zone name="4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa">
>         <Policy>default</Policy>
>         <SignerConfiguration>/var/lib/opendnssec/signconf/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa.xml</SignerConfiguration>
>         <Adapters>
>                 <Input>
>                         <File>/var/lib/opendnssec/unsigned/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa</File>
>                 </Input>
>                 <Output>
>                         <File>/var/lib/opendnssec/signed/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa</File>
>                 </Output>
>         </Adapters>
> </Zone>
> 
> 
> 
> zonefile:
> $TTL    1D
> 
> @               IN      SOA     ns1.example.com.     hostmaster.example.com. (
>                         2010070200      ; version - Serial no of this file
>                         28800   ; refresh - check for updates after 8 hour
>                         14400   ; retry   - if unable to do so, wait 4 hours
>                         604800  ; expire  - after 7 days of failure, toss
>                         86400   ; minimum - default ttl's to 1 day
>                         )
> 
> @               IN      NS      ns1.example.com.
>                 IN      NS      ns2.example.com.
> 
> @               IN      MX      10      a.mx.example.com.
>                 IN      MX      10      b.mx.example.com.
> 
> localhost       IN      A       127.0.0.1
> 
> 
> 
> Does anyone have a good idea on what to do next?
> 
> 
> 
> 
> 

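The syslog excerpt in the quoted post already names the real cause of "config has errors": the enforcer could not allocate a KSK for the zone, so the signconf it wrote is unusable. The following triage helper is an added example, not OpenDNSSEC code and not from either poster. It scans ods-enforcerd log lines for zones whose key allocation failed (the message formats are taken from the excerpt above; the sample lines are constructed and include a second, healthy zone for contrast), and it checks a signconf XML document for the minimal shape assumed here (a Zone with a Keys list containing a KSK with Flags 257 and a ZSK with Flags 256, each with a Locator); that shape is an assumption, not the OpenDNSSEC schema, and the Locator values are placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the ods-enforcerd syslog excerpt in the
# thread; example.com is added as a zone whose config was produced cleanly.
SAMPLE_SYSLOG = """\
Jun 20 13:02:37 ramanujan ods-enforcerd: Zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa found.
Jun 20 13:02:37 ramanujan ods-enforcerd: Policy for 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa set to default.
Jun 20 13:02:37 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa.xml.
Jun 20 13:02:37 ramanujan ods-enforcerd: Not enough keys to satisfy ksk policy for zone: 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Jun 20 13:02:37 ramanujan ods-enforcerd: ods-enforcerd will create some more keys on its next run
Jun 20 13:02:37 ramanujan ods-enforcerd: Error allocating ksks to zone 4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa
Jun 20 13:02:38 ramanujan ods-enforcerd: Zone example.com found.
Jun 20 13:02:38 ramanujan ods-enforcerd: Policy for example.com set to default.
Jun 20 13:02:38 ramanujan ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/example.com.xml.
"""

# Message shapes as they appear in the excerpt above.
NOT_ENOUGH_RE = re.compile(r"ods-enforcerd: Not enough keys to satisfy (\w+) policy for zone: (\S+)")
ALLOC_ERR_RE = re.compile(r"ods-enforcerd: Error allocating (\w+) to zone (\S+)")
CONFIG_OUT_RE = re.compile(r"ods-enforcerd: Config will be output to (\S+\.xml)")


def triage_enforcer_log(log_text):
    """Map each zone the enforcer processed to its signconf path and the set of
    key types ("ksk"/"zsk") it could not allocate. An empty set means the
    signconf was produced without key problems."""
    zones = {}
    for line in log_text.splitlines():
        m = CONFIG_OUT_RE.search(line)
        if m:
            path = m.group(1)
            zone = path.rsplit("/", 1)[-1][:-len(".xml")]
            zones.setdefault(zone, {"signconf": path, "missing": set()})
            continue
        m = NOT_ENOUGH_RE.search(line) or ALLOC_ERR_RE.search(line)
        if m:
            keytype, zone = m.group(1).lower(), m.group(2)
            entry = zones.setdefault(zone, {"signconf": None, "missing": set()})
            entry["missing"].add(keytype.rstrip("s"))  # "ksks" -> "ksk"
    return zones


def check_signconf(xml_text):
    """Return a list of problems with a signconf document. Assumed minimal
    shape (not taken from this page or the OpenDNSSEC schema):
    <SignerConfiguration><Zone name=...><Keys><Key><Flags/><Locator/>..."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    zone = root.find("Zone")
    if zone is None:
        return ["no <Zone> element"]
    problems = []
    keys = zone.findall("Keys/Key")
    flags = [(k.findtext("Flags") or "").strip() for k in keys]
    if "257" not in flags:
        problems.append("no KSK (Flags 257) in <Keys>")
    if "256" not in flags:
        problems.append("no ZSK (Flags 256) in <Keys>")
    for k in keys:
        if not (k.findtext("Locator") or "").strip():
            problems.append("a <Key> has no <Locator> (HSM key id)")
    return problems


# Constructed signconf documents in the assumed shape; Locator values are placeholders.
GOOD_SIGNCONF = """<SignerConfiguration>
  <Zone name="example.com">
    <Keys>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>ksk-placeholder</Locator></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>zsk-placeholder</Locator></Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""

STARVED_SIGNCONF = """<SignerConfiguration>
  <Zone name="4.x.x.x.x.x.x.x.0.1.0.0.2.ip6.arpa">
    <Keys>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>zsk-placeholder</Locator></Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""


if __name__ == "__main__":
    for name, info in triage_enforcer_log(SAMPLE_SYSLOG).items():
        status = "missing " + ", ".join(sorted(info["missing"])) if info["missing"] else "ok"
        print(f"{name}: {status} (signconf: {info['signconf']})")
    print("starved signconf:", check_signconf(STARVED_SIGNCONF))
```

Run against a real /var/log/syslog and the signconf directory, the first function points at the zones to look at and the second tells you whether the file the signer rejected is malformed or merely missing a key; either way the fix lives on the enforcer/HSM side (key generation and policy), not in the zone file or zonelist.xml.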
