[Opendnssec-user] "error creating RRSIG" because of retired and purged ZSK
Peter Olsson
pol at leissner.se
Mon Oct 24 11:16:12 UTC 2011
On Mon, Oct 24, 2011 at 01:05:16PM +0200, Mathieu Arnold wrote:
> +--On 24 October 2011 11:56:41 +0100 Siôn Lloyd <sion at nominet.org.uk>
> wrote:
> |> Here is xxx.se.sc:
> |> ;ODSSE1
> |> ;name: xxx.se
> |> ;filename: /usr/local/var/opendnssec/signconf/xxx.se.xml
> |> ;last_modified: 1315781548
> |>
> |
> | If the date here is correct it indicates that the file has not been
> | updated since 11 September 2011 (22:52:28)...
> |
> | Is there anything in the enforcer logs that might indicate why this is
> | the case?
>
> I've had this problem too, on FreeBSD: when the enforcer has no tty
> associated, it launches ods-signer update <zone>, but it has no effect
> whatsoever. (So I have it running in a screen.)
>
> Here, the first does not do anything, and the second works:
>
> # ods-signer update mat.cc < /dev/null
> # ods-signer update mat.cc
> Zone mat.cc config being updated.
> #
This seems to be our problem too!
I just ran ods-signer update xxx.se followed by ods-signer sign xxx.se
and now the zone is updated with current keys.
(Now what will happen when there are cached records out there
with the purged ZSK? Is there a risk of complete zone failure,
should I remove DS and start DNSSec fresh?)
Thanks!
--
Peter Olsson pol at leissner.se
CCIE #8963 R&S, Security +46 520 500511
Leissner Data AB +46 701 809511
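
Added example (not part of the original message and not OpenDNSSEC code): a check that reads the `;last_modified:` header of a `<zone>.sc` file, as quoted in the thread, and reports how long ago the signconf was last updated, so a zone that silently stopped receiving updates is noticed early. It relies only on the four header lines shown above; the function names and the 14-day threshold are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample: the four header lines quoted in the thread.
SAMPLE_SC = """;ODSSE1
;name: xxx.se
;filename: /usr/local/var/opendnssec/signconf/xxx.se.xml
;last_modified: 1315781548
"""


def parse_sc_header(text):
    """Return the leading ';key: value' lines of a state file as a dict."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if not line.startswith(";"):
            break  # header ended; the rest of the file is not interpreted here
        key, sep, value = line[1:].partition(":")
        if sep:  # lines without a colon (e.g. ';ODSSE1') carry no field
            fields[key.strip()] = value.strip()
    return fields


def signconf_age(text, now):
    """Return (zone, last_modified as UTC datetime, age in whole days)."""
    fields = parse_sc_header(text)
    try:
        stamp = int(fields["last_modified"])
    except (KeyError, ValueError) as exc:
        raise ValueError("no usable last_modified in header") from exc
    modified = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return fields.get("name", "?"), modified, (now - modified).days


def is_stale(text, now, max_age_days):
    """True when last_modified is more than max_age_days before 'now'."""
    return signconf_age(text, now)[2] > max_age_days


if __name__ == "__main__":
    # Reference time: the date of this message (2011-10-24 11:16:12 UTC).
    now = datetime(2011, 10, 24, 11, 16, 12, tzinfo=timezone.utc)
    zone, modified, days = signconf_age(SAMPLE_SC, now)
    print(f"{zone}: last_modified {modified:%Y-%m-%d %H:%M:%S} UTC, {days} days ago")
    # 14 days is a hypothetical threshold; pick one shorter than the ZSK lifetime.
    print("stale" if is_stale(SAMPLE_SC, now, max_age_days=14) else "ok")
```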