[Opendnssec-user] signerd crash and then some
Matthijs Mekking
matthijs at NLnetLabs.nl
Mon Oct 24 14:32:34 UTC 2011
Hi Mathieu,
You mentioned that you had upgraded to 1.3.2, but it didn't fix your
problem. However, in your first e-mail you listed several problems:
I was wondering which of these issues are still there.
Best regards,
Matthijs
> Yesterday morning was the time the enforcer chose to publish some ZSK for
> some of my zones, that was a good idea at the time, and then, something
> strange happened, which ended up with the signer doing a segfault.
Signer crashes.
> Then, this morning, the enforcer knew it was time to swap the two ZSK :
>
> Oct 19 00:09:44 ods-enforcerd: Zone aeroport.fr found.
> Oct 19 00:09:44 ods-enforcerd: Policy for aeroport.fr set to OptOut.
> Oct 19 00:09:44 ods-enforcerd: Policy OptOut found in DB.
> Oct 19 00:09:44 ods-enforcerd: Config will be output to
> /usr/local/var/opendnssec/signconf/aeroport.fr.xml.
> Oct 19 00:09:44 ods-enforcerd: WARNING: Making non-backed up ZSK active,
> PLEASE make sure that you know the potential problems of using keys which
> are not recoverable
> Oct 19 00:09:45 ods-enforcerd: INFO: ZSK has been rolled for aeroport.fr
> Oct 19 00:09:45 ods-signerd: [signconf] zone aeroport.fr signconf:
> RESIGN[PT14400S] REFRESH[PT259200S] VALIDITY[PT604800S] DENIAL[PT604800S]
> JITTER[PT43200S] OFFSET[PT600S] NSEC[50] DNSKEYTTL[PT10800S]
> SOATTL[PT43200S] MINIMUM[PT600S] SERIAL[counter] AUDIT[1]
> Oct 19 00:09:46 ods-auditor[18301]: Auditor started
> Oct 19 00:09:47 ods-auditor[18301]: Auditor starting on aeroport.fr
> Oct 19 00:09:47 ods-auditor[18301]: SOA differs : from 1313509913 to
> 1313510088
> Oct 19 00:09:47 ods-auditor[18301]: Auditing aeroport.fr zone : NSEC3 SIGNED
> Oct 19 00:09:47 ods-auditor[18301]: RRSIGS should include algorithm
> RSASHA1-NSEC3-SHA1 for aeroport.fr, DNSKEY, have :
> Oct 19 00:09:47 ods-auditor[18301]: RRSet (aeroport.fr, DNSKEY) failed
> verification : No signatures in the RRSet : aeroport.fr, DNSKEY, tag = none
> Oct 19 00:09:47 ods-auditor[18301]: RRSIGS should include algorithm
> RSASHA1-NSEC3-SHA1 for aeroport.fr, SOA, have :
> Oct 19 00:09:47 ods-auditor[18301]: RRSet (aeroport.fr, SOA) failed
> verification : No signatures in the RRSet : aeroport.fr, SOA, tag = none
> Oct 19 00:09:48 ods-auditor[18301]: Finished auditing aeroport.fr zone
> Oct 19 00:09:48 ods-signerd: [worker[1]] backoff task [read] for zone
> aeroport.fr with 60 seconds
Auditor complaining about missing signatures (after key rollover)
> that looked bad, but I was sleeping at the time, and then :
>
> Oct 19 00:10:48 ods-auditor[18816]: Auditor started
> Oct 19 00:10:48 ods-auditor[18816]: Auditor starting on aeroport.fr
> Oct 19 00:10:49 ods-auditor[18816]: SOA differs : from 1313509913 to
> 1313510089
> Oct 19 00:10:49 ods-auditor[18816]: Auditing aeroport.fr zone : NSEC3 SIGNED
> Oct 19 00:10:49 ods-auditor[18816]: Key (6870) has gone straight to active
> use without a prepublished phase
> Oct 19 00:10:49 ods-auditor[18816]: Finished auditing aeroport.fr zone
> Oct 19 00:10:49 ods-signerd: [worker[2]] backoff task [read] for zone
> aeroport.fr with 120 seconds
>
> and since then, the backoff grew to 3600 seconds, and I can't seem to have
> the zones signed again.
Auditor complaining about key has gone straight to active.