[Opendnssec-user] OpenDNSSEC 1.3.0-trunk generating bogus signed zone
Sebastian Castro
sebastian at nzrs.net.nz
Thu Mar 3 05:22:56 UTC 2011
Hi:
This happened today on my testing box.
Zone  Serial      Time Signed  Status     Diff
nz    2011030300  9:30:44      Validates
nz    2011030301  9:46:03      Bogus      sig added ZSK
nz    2011030302  11:52:09     Validates  refresh sig
nz    2011030304  13:28:18     Bogus      sig deleted ZSK
Note1: Verified with ldns-verify-zone. In case of the bogus signatures,
the error is
Error: Bogus DNSSEC signature for nz. SOA
Error: Bogus DNSSEC signature for nz. DNSKEY
Note2: There is no 2011030303 serial.
Column 'Diff' indicates what changed between zones. Maybe it's just a
coincidence, but the zone with bogus sig appears after an operation
around ZSK keys.
There is no indication in the logs about an error, using verbosity level 4.
I haven't checked if other zones repeat the same pattern; this one
stands out because validation breaks for all the zones I'm playing with.
Any suggestions to diagnose?
Regards,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535