[Opendnssec-user] "error creating RRSIG" because of retired and purged ZSK

Peter Olsson pol at leissner.se
Mon Oct 24 10:46:57 UTC 2011


Hello!

Today we got this error, never seen it before:
Oct 24 09:55:27 ns1 ods-signerd: error creating RRSIG for rrset[15]
Oct 24 09:55:27 ns1 ods-signerd: failed to sign RRset[15]
Oct 24 09:55:27 ns1 ods-signerd: unable to sign zone data: failed to sign domain
Oct 24 09:55:27 ns1 ods-signerd: task [sign zone xxx.se] failed
Oct 24 09:56:26 ns1 ods-signerd: signature set has no RRSIG record: drop signatures for RRset[15]
Oct 24 09:56:26 ns1 ods-signerd: error creating RRSIG for rrset[15]
Oct 24 09:56:26 ns1 ods-signerd: failed to sign RRset[15]
Oct 24 09:56:26 ns1 ods-signerd: unable to sign zone data: failed to sign domain
Oct 24 09:56:26 ns1 ods-signerd: task [sign zone xxx.se] failed

Problem is that our three signed zones seem to have been signed
with retired keys for the last month. More info below, but I see
that our signed zone xxx.se (real name hidden) is signed with
key 64545, which was retired 18/9:
< xxx.se  ZSK     ready     next rollover          9295
< xxx.se  ZSK     active    2011-09-18 21:17:45    64545
---
> xxx.se  ZSK     active    2011-10-18 21:59:10    9295
> xxx.se  ZSK     retire    2011-10-09 23:29:10    64545

It is also the key 64545 that is entered as DNSKEY 256 in the
zone xxx.se. Why hasn't it changed over to signing with the
new active key?

Old ZSK keys were automatically purged last night, which
must be what is causing the signer failures now:
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: Key remove successful.
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: Key remove successful.
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: SoftHSM: C_DestroyObject: An object has been destroyed
Oct 24 00:57:06 ns1 ods-enforcerd: Key remove successful.

Our ZSK keys have rolled at least 3-4 times before using the exact same
procedure, and we never had this problem.

We have however twice had the problem "Key (xxx) has gone straight to
active use without a prepublished phase", both probably because of
server reboots that wiped the entire /usr/local/var, which was placed
inside the chrooted named in FreeBSD. I have now moved /usr/local/var
out of this chroot, and that seems to have got rid of the reboot/wipe
problem.

Because of this I have run with audit disabled for the last month.
The previous time this happened it seemed to work fine, but this
time it seems that opendnssec hasn't started using the new ZSK
even though it was rolled.

$ ods-ksmutil key list -v
SQLite database set to: /usr/local/var/opendnssec/kasp.db
Keys:
Zone:    Keytype:  State:    Date of next transition:  CKA_ID:  Repository:  Keytag:
xxx.se   ZSK       retire    2011-11-09 00:27:25       xxx      SoftHSM      9295
xxx.se   ZSK       active    2011-11-17 22:57:25       xxx      SoftHSM      8578
xxx.se   KSK       active    2015-05-21 01:00:57       xxx      SoftHSM      686
xxx2.se  ZSK       active    2011-11-17 22:57:25       xxx      SoftHSM      17503
xxx2.se  KSK       active    2015-05-21 00:08:26       xxx      SoftHSM      64697
xxx2.se  ZSK       retire    2011-11-09 00:27:25       xxx      SoftHSM      54219
xxx3.se  KSK       active    2015-05-20 22:38:38       xxx      SoftHSM      22460
xxx3.se  ZSK       retire    2011-11-09 00:27:25       xxx      SoftHSM      31506
xxx3.se  ZSK       active    2011-11-17 22:57:25       xxx      SoftHSM      8176

We run FreeBSD 8.1-RELEASE-p4 with opendnssec-1.2.1,
softhsm-1.2.1 and sqlite3-3.7.6.3.

Here is xxx.se.sc:
;ODSSE1
;name: xxx.se
;filename: /usr/local/var/opendnssec/signconf/xxx.se.xml
;last_modified: 1315781548
;sig_resign_interval: PT7200S
;sig_refresh_interval: PT259200S
;sig_validity_default: PT1814400S
;sig_validity_denial: PT1814400S
;sig_jitter: PT43200S
;sig_inception_offset: PT3600S
;nsec_type: 50
;dnskey_ttl: PT3600S
;soa_ttl: PT3600S
;soa_min: PT3600S
;soa_serial: datecounter
;audit: 0
;ODSSE1

xxx.se.state:
;ODSSE1
;name: xxx.se
;class: 1
;fetch: 0
;default_ttl: 3600
;inbound_serial: 2011101101
;internal_serial: 2011102400
;outbound_serial: 2011102001
;ODSSE1

Thanks!

-- 
Peter Olsson                    pol at leissner.se
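An added consistency check, not part of this post or of OpenDNSSEC itself: it parses the `ods-ksmutil key list -v` table quoted above and compares the enforcer's key states with the keytags that actually appear in the signed zone's DNSKEY and RRSIG records, flagging signatures made by a retired key or by a key the enforcer no longer knows (the purged-ZSK case described in the mail). The key list is the xxx.se rows from the post; the DNSKEY/RRSIG keytag sets are constructed inputs, assumed to be read from the signed zone file.

```python
import re
from collections import namedtuple

KeyRow = namedtuple("KeyRow", "zone keytype state keytag")

# Constructed sample: the xxx.se rows of `ods-ksmutil key list -v` as quoted in the mail.
KEY_LIST = """\
SQLite database set to: /usr/local/var/opendnssec/kasp.db
Keys:
Zone:    Keytype:  State:    Date of next transition:  CKA_ID:  Repository:  Keytag:
xxx.se   ZSK       retire    2011-11-09 00:27:25       xxx      SoftHSM      9295
xxx.se   ZSK       active    2011-11-17 22:57:25       xxx      SoftHSM      8578
xxx.se   KSK       active    2015-05-21 01:00:57       xxx      SoftHSM      686
"""

# zone, keytype, state, anything, then the keytag as the last field of the row
ROW_RE = re.compile(r"^(\S+)\s+(KSK|ZSK)\s+(\S+)\s+.*\s(\d+)\s*$")

def parse_key_list(text):
    """Turn the key list table into KeyRow tuples; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            zone, keytype, state, keytag = m.groups()
            rows.append(KeyRow(zone, keytype, state, int(keytag)))
    return rows

def check_zone(zone, rows, dnskey_tags, rrsig_tags):
    """Compare the enforcer's view of `zone` with the keytags actually used in the
    signed zone: dnskey_tags from its DNSKEY RRset, rrsig_tags from its RRSIG
    records (assumed to be read from the signed zone file; constructed in the test).
    Returns a list of findings; an empty list means key state and zone agree."""
    by_tag = {r.keytag: r for r in rows if r.zone == zone}
    findings = []
    for tag in sorted(rrsig_tags):
        row = by_tag.get(tag)
        if row is None:
            # The failure mode in the mail: signatures still reference a key the
            # enforcer has already purged from the HSM, so no new RRSIG can be made.
            findings.append(f"RRSIG by keytag {tag}: key unknown to enforcer (purged?)")
        elif row.state != "active":
            findings.append(f"RRSIG by keytag {tag}: key state is '{row.state}', not active")
    active_zsk = {r.keytag for r in by_tag.values() if r.keytype == "ZSK" and r.state == "active"}
    for tag in sorted(active_zsk):
        if tag not in dnskey_tags:
            findings.append(f"active ZSK {tag} is not published as DNSKEY in the zone")
        if tag not in rrsig_tags:
            findings.append(f"active ZSK {tag} signs nothing in the zone")
    return findings
```

Run it after every rollover (or from cron) so a zone that keeps signing with a retired or purged key is noticed before the enforcer's purge turns it into the RRSIG failures shown at the top of the mail.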
