[Opendnssec-user] Ubuntu 10.10 - Signing issues

Derek Brodeur dazednkonfused at gmail.com
Wed Feb 29 23:57:17 UTC 2012


Hello,

I am currently having issues on a small virtualized infrastructure. I have
3 systems all running ubuntu 10.10

DNS Server -   192.168.204.200
Webserver -    192.168.204.100
Client -           192.168.204.50

I followed the instructions at these tutorials to get DNS working. (
http://www.youtube.com/watch?NR=1&feature=endscreen&v=OUv03JV5SLc)

I was able to do a lookup and visit www.example.com as expected from my
client machine, and pull the web site from my web server.

I did not attempt any other DNSSEC steps at this point, I simply tried
installing dependencies and setting up OpenDNSSEC, and am currently having
issues with several errors.

Feb 29 14:39:08 ubuntu ods-auditor[30131]: example.com : SOA differs : from
2011022003 to 2011022004
Feb 29 14:39:08 ubuntu ods-auditor[30131]: example.com : Auditing
example.com zone : NSEC SIGNED
Feb 29 14:39:08 ubuntu ods-auditor[30131]: example.com : DNSKEY RR present
in unsigned file : example.com. 259200 IN DNSKEY 256 3 RSASHA1 (
AwEAAbd5A7tgIfFB+otnAym1dsRwumVptUMj65jqppAxdk17crCSzZEvGW2g1MBFHMEFTsUT5dWb+G9ype5BllsIRtlfdLiGO6LD251G63v65QbET+akIMneBfKnupCM/T7BLMky9WBScA5YHK0SzrUuUvqBNbxbdsvqo/Q4oHlW8a+9
) ; key_tag=58425
Feb 29 14:39:08 ubuntu ods-auditor[30131]: example.com : Finished auditing
example.com zone
Feb 29 14:39:08 ubuntu ods-signerd: [worker[2]] backoff task [read] for
zone example.com with 3600 seconds
Feb 29 15:31:21 ubuntu ods-signerd: [data] unable to use unixtime
1330558281 as serial: not greater than inbound serial 2011022003

as well as

Feb 29 15:31:21 ubuntu ods-signerd: [data] unable to use unixtime
1330558281 as serial: not greater than inbound serial 2011022003
Feb 29 15:31:21 ubuntu ods-auditor[30595]: Auditor started
Feb 29 15:31:22 ubuntu ods-auditor[30595]: Auditor starting on example.com
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : SOA differs : from
2011022003 to 2011022004
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : Auditing
example.com zone : NSEC SIGNED
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : RRSIGS should
include algorithm RSASHA1 for example.com, DNSKEY, have : RSASHA256
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : RRSIGS should
include algorithm RSASHA1 for example.com, NS, have : RSASHA256
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : RRSIGS should
include algorithm RSASHA1 for example.com, SOA, have : RSASHA256
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : RRSIGS should
include algorithm RSASHA1 for example.com, NSEC, have : RSASHA256
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : DNSKEY RR present
in unsigned file : example.com. 259200 IN DNSKEY 256 3 RSASHA1 (
AwEAAbd5A7tgIfFB+otnAym1dsRwumVptUMj65jqppAxdk17crCSzZEvGW2g1MBFHMEFTsUT5dWb+G9ype5BllsIRtlfdLiGO6LD251G63v65QbET+akIMneBfKnupCM/T7BLMky9WBScA5YHK0SzrUuUvqBNbxbdsvqo/Q4oHlW8a+9
) ; key_tag=58425
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : RRSIGS should
include algorithm RSASHA1 for pegasus.example.com, A, have : RSASHA256
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : RRSIGS should
include algorithm RSASHA1 for pegasus.example.com, NSEC, have : RSASHA256
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : RRSIGS should
include algorithm RSASHA1 for www.example.com, CNAME, have : RSASHA256
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : RRSIGS should
include algorithm RSASHA1 for www.example.com, NSEC, have : RSASHA256
Feb 29 15:31:24 ubuntu ods-auditor[30595]: example.com : Finished auditing
example.com zone
Feb 29 15:31:24 ubuntu ods-signerd: [tools] audit failed for zone
example.com
Feb 29 15:31:24 ubuntu ods-signerd: [worker[1]] backoff task [read] for
zone example.com with 3600 seconds

Please let me know if you have suggestions.

Thanks
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20120229/9734d05e/attachment.htm>


More information about the Opendnssec-user mailing list