[Opendnssec-user] 1.4.0a1 ods-signerd wrote mangled RRSIG record

Paul Wouters paul at nohats.ca
Sun Apr 8 16:46:59 UTC 2012


I noticed ods-signerd was not running and nsdc rebuild was failing to load
a signed zone. Here is the snippet of the zone (excuse the line wraps):

localhost.hippiesfromhell.org.  3600    IN      RRSIG   A 8 3 3600
20120415060133 20120408153531 14463 hippiesfromhell.org.
chfWGylwS0mXfHTgO2GE+eJDTKYjlKbXmeeSDC3b3T85IeFapUPeYWB6t9YW0EelmljxfFUArsQ2x4zTCLS4QCYqVF82b4S8b7HqcjCZOnu9cHtr5okBidvNUshpacAD8rjrvkUzN4DLhkUHsH9tWezJAc+YmmLaAYH0NnpaHxA=
spjca3c5vaj3nu909q9dmehne80auahm.hippiesfromhell.org.   3600    IN
NSEC3   1 0 5 715e22f77cc2f0d7  ulf44lvfajc0jvc293v96s1k62p153lh A RRSIG
spjca3c5vaj3nu909q9dmehne80auahm.hippiesfromhell.org.   3600    IN
RRSIG   NSEC3 8 3 3600 20120414033000 20120407103303 14463
hippiesfromhell.org.
isAxQLhvT8ctAbJU1unNnomwgzwqeaLt419G9ZET4afSC5mZojQ/Ohkb092+YD2O6gTZUWi0ZogqEtFHtBpD/CikoBNyxCvvBqaSB2c5kjNLjbSeUyMYZOl+bDyIkUNWaeVL/u+M1ZUM4MRblT1INobBfDyZS2CjfVVtUYBJU38=
www.hippiesfromhell.org.        3600    IN      A       194.109.206.10
www.hippiesfromhell.org.        3600    IN      RRSIG   A 8 3 3600
20120415132541 20120408153531 14463 hippiesfromhell.org.
TnxW+5U59P2mrIH3aBeUmgc37YMTZTNLdD5G+R5YhHH6WUmVF3LCLG2WrR8NXxnITrFv/Wukle5219FHKFphROWaHsy4rjqaR/T7lLIl3rbO5Wv2WkMnRkPkPL+GbdkDSXpjn//6069ThayeuaEsJTWX6asAnY4hdwDcMM5HIBI=
www.hippiesfromhell.org.        3600    IN      AAAA    2001:888:2127::2
www.hippiesfromhell.org.        3600    IN      RRSIG     3 3600
20120415160824 20120408153531 14463 hippiesfromhell.org.
ak8IpXpCo6a67RQbWNp2JTf3ZhmgP6psK40NaI8JB761TOfDkr6kLQQsGqhN35IrU4GnNEV/i31cnIODukEBwgIRbHaWfs4A2ve6NxGaC5L03/HGVVnizOhGbLCxu8mTh9ox57D33VPF9e2NrHX5ltpjE36plGffvKkyMzWSvgs=
ulf44lvfajc0jvc293v96s1k62p153lh.hippiesfromhell.org.   3600    IN
NSEC3   1 0 5 715e22f77cc2f0d7  id80573gdcb27rrljq5019grpmttnnib A AAAA
RRSIG

Note the RRSIG record for www.hippiesfromhell.org has an RRSIG that has
"no records" as the list of records it is supposed to cover.

This zone was generated by 1.4.0a1.

A tarball of /etc/opendnssec and /var/opendnssec is available on
request (but not for public consumption in a bug tracker).

Deleting the signed zone file and resigning resolved the problem.

Paul
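
An added example, not part of the original post and not OpenDNSSEC code: a check to run on a signed zone before loading it, flagging RRSIG records whose type-covered field is missing, as in the www AAAA signature above. It assumes one record per line with an explicit owner name; the function names and the sample records are constructed for illustration.

```python
import re

# RRSIG RDATA, presentation format (RFC 4034, section 3.2):
# type-covered algorithm labels orig-ttl expiration inception key-tag signer signature
TYPE_RE = re.compile(r"^(?:[A-Z][A-Z0-9-]*|TYPE\d+)$")
CLASSES = {"IN", "CH", "HS"}

def rr_type_and_rdata(line):
    """Split one record line into (owner, type, rdata tokens); assumes an explicit owner."""
    tokens = line.split(";", 1)[0].split()
    i = 1
    while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() in CLASSES):
        i += 1  # skip optional TTL and class
    if i >= len(tokens):
        return None
    # Only the type position counts: "RRSIG" inside an NSEC3 type bitmap is ignored.
    return tokens[0], tokens[i].upper(), tokens[i + 1:]

def check_rrsig(rdata):
    """Return a list of problems with one RRSIG's RDATA tokens."""
    problems = []
    if len(rdata) < 9:
        problems.append(f"{len(rdata)} RDATA fields, expected at least 9")
    if not rdata or not TYPE_RE.match(rdata[0].upper()):
        problems.append("type covered missing or not a type mnemonic")
    return problems

def scan_zone(text):
    """Return (line number, owner, problems) for every malformed RRSIG in the zone text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = rr_type_and_rdata(line)
        if parsed and parsed[1] == "RRSIG":
            problems = check_rrsig(parsed[2])
            if problems:
                findings.append((lineno, parsed[0], problems))
    return findings

# Constructed sample, one record per line, modelled on the records in the post
SAMPLE = """\
www.example.org. 3600 IN A 192.0.2.10
www.example.org. 3600 IN RRSIG A 8 3 3600 20120415132541 20120408153531 14463 example.org. c2lnbmF0dXJl
www.example.org. 3600 IN AAAA 2001:db8::2
www.example.org. 3600 IN RRSIG 3 3600 20120415160824 20120408153531 14463 example.org. c2lnbmF0dXJl
abc123.example.org. 3600 IN NSEC3 1 0 5 715e22f77cc2f0d7 def456 A AAAA RRSIG
"""

if __name__ == "__main__":
    for lineno, owner, problems in scan_zone(SAMPLE):
        print(f"line {lineno}: {owner}: {'; '.join(problems)}")
```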


