[Opendnssec-user] signerd crash and then some

Mathieu Arnold mat at mat.cc
Mon Oct 24 15:01:43 UTC 2011



+--On 24 octobre 2011 16:32:34 +0200 Matthijs Mekking
<matthijs at NLnetLabs.nl> wrote:
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
| 
| Hi Mathieu,
| 
| You mentioned that you had upgraded to 1.3.2, but it didn't fix your
| problem. However, in your first e-mail you listed several problems:
| 
| I was wondering which of these issues are still there.
|
| Signer crashes.
| Auditor complaining about missing signatures (after key rollover)
| Auditor complaining about key has gone straight to active.

Well, not really, the "only" issue is the fact that the signer crashed, and
the enforcer did roll some zsk while the signer was out.

When I started the signer again, it failed to notice that the config had
been changed.

The auditor complaining of that is only because the signer did not notice
that there were new keys, and that the new keys (when I did ods-signer
update --all to try to fixup things) were going straight to active.

My fix was to restore old conf without the new zsk manually, update --all,
re-add the new zsk manually in published mode (without the <ZSK> element),
re-update the signer so that it notices the new keys, then after a bit
(about the TTL of the RRSIG) swap the ZSK so that the new is used for
signing.

-- 
Mathieu Arnold
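The manual recovery Mathieu describes (hold the new ZSK in published-only mode, keep the old one signing, then swap after the RRSIG TTL) can be checked mechanically before the signconf is handed to ods-signer. The script below is an added example and is not code from this thread or from the OpenDNSSEC project. It assumes the 1.x per-zone signconf layout, where each <Key> carries a <Locator>, an optional <KSK/> or <ZSK/> (the key produces signatures) and an optional <Publish/> (the DNSKEY appears in the zone); the two signconf documents and the key locators in it are constructed for the example.

```python
"""Check an OpenDNSSEC 1.x signconf for ZSKs that go straight to active.

Added example, not part of the mailing-list thread or of OpenDNSSEC itself.
Assumed layout (OpenDNSSEC 1.x signconf): each <Key> holds <Locator>, an
optional <KSK/> or <ZSK/> meaning "signs with this key", and an optional
<Publish/> meaning "put the DNSKEY in the zone". Sample documents below are
constructed; the locators are placeholders, not real HSM key ids.
"""
import xml.etree.ElementTree as ET

ROLE_TAGS = ("KSK", "ZSK", "Publish")

# Constructed: what the signer last saw before it crashed (one ZSK active).
OLD_SIGNCONF = """<SignerConfiguration><Zone name="example.com"><Keys><TTL>PT3600S</TTL>
<Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>ksk-old</Locator><KSK/><Publish/></Key>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>zsk-old</Locator><ZSK/><Publish/></Key>
</Keys></Zone></SignerConfiguration>"""

# Constructed: what the enforcer wrote while the signer was down. The new
# ZSK already signs, although no resolver can have cached its DNSKEY yet.
NEW_SIGNCONF = """<SignerConfiguration><Zone name="example.com"><Keys><TTL>PT3600S</TTL>
<Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>ksk-old</Locator><KSK/><Publish/></Key>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>zsk-old</Locator><Publish/></Key>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>zsk-new</Locator><ZSK/><Publish/></Key>
</Keys></Zone></SignerConfiguration>"""


def key_states(signconf_xml):
    """Map each key locator to the set of role tags present on its <Key>."""
    root = ET.fromstring(signconf_xml)
    states = {}
    for key in root.iter("Key"):
        locator = key.findtext("Locator")
        states[locator] = {child.tag for child in key if child.tag in ROLE_TAGS}
    return states


def straight_to_active(old_xml, new_xml):
    """Locators that sign in new_xml but were not published in old_xml.

    This is the condition the auditor reports as a key having gone straight
    to active: RRSIGs appear before the DNSKEY had a chance to propagate.
    """
    old = key_states(old_xml)
    new = key_states(new_xml)
    offenders = []
    for locator, roles in new.items():
        signs = bool(roles & {"KSK", "ZSK"})
        was_published = "Publish" in old.get(locator, set())
        if signs and not was_published:
            offenders.append(locator)
    return sorted(offenders)


def _set_zsk_signing(key, signs):
    """Add or remove <ZSK/> on one <Key>, keeping it ahead of <Publish/>."""
    existing = key.find("ZSK")
    if signs and existing is None:
        publish = key.find("Publish")
        index = list(key).index(publish) if publish is not None else len(key)
        key.insert(index, ET.Element("ZSK"))
    elif not signs and existing is not None:
        key.remove(existing)


def prepublish_signconf(signconf_xml, demote=(), promote=()):
    """Return a signconf where `demote` keys are published only (no <ZSK/>)
    and `promote` keys sign. Every key touched keeps or gains <Publish/>.
    KSKs are never modified by this helper."""
    root = ET.fromstring(signconf_xml)
    for key in root.iter("Key"):
        locator = key.findtext("Locator")
        if locator not in demote and locator not in promote:
            continue
        if key.find("Publish") is None:
            ET.SubElement(key, "Publish")
        _set_zsk_signing(key, signs=locator in promote)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("straight to active:", straight_to_active(OLD_SIGNCONF, NEW_SIGNCONF))
    # Step 1 of the recovery: new ZSK published only, old ZSK keeps signing.
    step1 = prepublish_signconf(NEW_SIGNCONF, demote=["zsk-new"], promote=["zsk-old"])
    print("after step 1:", key_states(step1), straight_to_active(OLD_SIGNCONF, step1))
    # Step 2, after roughly the RRSIG TTL has passed: swap the signing ZSK.
    step2 = prepublish_signconf(step1, demote=["zsk-old"], promote=["zsk-new"])
    print("after step 2:", key_states(step2), straight_to_active(step1, step2))
```

Running the two steps in order reproduces the sequence in the message: the check flags `zsk-new` in the enforcer's signconf, reports nothing once the new key is demoted to publish-only, and still reports nothing at the swap because the key was published in the preceding signconf. Feeding each intermediate signconf through the check before `ods-signer update` is the cheap way to catch a key that would otherwise jump straight to active.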


