[Opendnssec-user] ods-auditor problem

Alex Dalitz AlexD at nominet.org.uk
Tue Jan 3 14:36:03 UTC 2012


Hi - 

This should be fixed in OpenDNSSEC svn r5992, which will make its way into ODS 1.3.4.

Thanks for the report,


Alex.


On 31 Dec 2011, at 14:42, Wytze van der Raay wrote:

> Since Dec 26, we are suddenly experiencing a problem with the ods-auditor:
> it has started to reject the signed result for the cacert.org zone:
> 
> Dec 26 13:32:46 ns ods-auditor[13655]: Auditor started
> Dec 26 13:32:46 ns ods-auditor[13655]: Auditor starting on cacert.org
> Dec 26 13:32:47 ns ods-auditor[13655]: SOA differs : from 2011122301 to 2011122606
> Dec 26 13:32:47 ns ods-auditor[13655]: Auditing cacert.org zone : NSEC3 SIGNED
> Dec 26 13:32:48 ns ods-auditor[13655]: Unexpected error auditing files
> (/var/opendnssec/tmp/cacert.org.inbound and
> /var/opendnssec/tmp/cacert.org.finalized) : ERR private method `split' called
> for nil:NilClass- moving on to next zone. Trace for debugging :
> /usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1275:in `get_name_and_types'
> /usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1227:in
> `check_nsec3_types_and_opt_out'
> /usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1184:in `open'
> /usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1184:in
> `check_nsec3_types_and_opt_out'
> /usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1182:in `open'
> /usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1182:in
> `check_nsec3_types_and_opt_out'
> /usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1180:in `open'
> /usr/local/lib/opendnssec/kasp_auditor/auditor.rb:1180:in
> `check_nsec3_types_and_opt_out'
> /usr/local/lib/opendnssec/kasp_auditor/auditor.rb:184:in `check_zone'
> /usr/local/lib/opendnssec/kasp_auditor.rb:215:in `full_audit'
> /usr/local/lib/opendnssec/kasp_auditor.rb:168:in `run_with_syslog'
> /usr/local/lib/opendnssec/kasp_auditor.rb:142:in `each'
> /usr/local/lib/opendnssec/kasp_auditor.rb:142:in `run_with_syslog'
> /usr/local/lib/opendnssec/kasp_auditor.rb:115:in `run'
> /usr/local/lib/opendnssec/kasp_auditor.rb:113:in `open'
> /usr/local/lib/opendnssec/kasp_auditor.rb:113:in `run'
> /usr/local/bin/ods-auditor:169
> Dec 26 13:32:48 ns ods-signerd: [worker[1]] backoff task [nsecify] for zone
> cacert.org with 60 seconds
> 
> The same error was repeated on every new attempt to resign/audit the zone.
> As a result, the resigned zone does not get installed, and after a few days
> we ended up with expired signatures in the zone.
> 
> This happened while running OpenDNSSEC 1.3.2. On Dec 30 I have upgraded our
> installation to 1.3.4, but this has not brought any improvement; the zone
> keeps getting rejected by ods-auditor. However, simply deploying the file
> "cacert.org.finalized" left in /var/opendnssec/tmp seems to work just fine,
> the zone runs with up-to-date signatures again now.
> 
> Can someone please advise as to how to get rid of this "Unexpected error"
> in the ods-auditor, so the deployment of resigned zonefiles is automatic
> again as it should?
> 
> Regards,
> Wytze van der Raay
> 
> 
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user




More information about the Opendnssec-user mailing list