[Opendnssec-user] Zone signed but with old expiration dates?
Matthijs Mekking
matthijs at nlnetlabs.nl
Mon Jul 9 12:04:16 UTC 2012
Hi Stephane,
On 07/09/2012 12:39 PM, Stephane Bortzmeyer wrote:
> We discovered today that our zone's DNSKEY signature expired.
> OpenDNSSEC created the last version on 5th july (and reloaded the
> DNS master, a BIND):
>
> % find . -type f |xargs ls -l
> -rw-r--r-- 1 root root 24576 Jul 9 11:47 ./db/kasp.db
> -rw-r--r-- 1 root root 24576 Apr 10 14:36 ./db/kasp.db.backup
> -rw-r--r-- 1 root root 0 Jul 9 11:47 ./db/kasp.db.our_lock
> -rw-r--r-- 1 root root 1119 Jul 2 15:47 ./signconf/rd.nic.fr.xml
> -rw-r--r-- 1 root root 1119 Jul 2 00:46 ./signconf/rd.nic.fr.xml.OLD
> -rw-r--r-- 1 opendnssec opendnssec 29378 Jul 5 11:47 ./signed/rd.nic.fr
> -rw-r--r-- 1 root root 29133 Jun 15 11:06 ./signed/rd.nic.fr-orig
> -rw-r--r-- 1 opendnssec opendnssec 32601 Jul 5 13:47 ./tmp/rd.nic.fr.backup
> -rw-r--r-- 1 opendnssec opendnssec 4001 Jul 2 00:46 ./tmp/rd.nic.fr.inbound
So, OpenDNSSEC did not write out a new signed zone file, while it
should have. Do the logs give any pointers?
>
> But signed/rd.nic.fr contains signatures which work from 1st July
> to 9th July:
>
> rd.nic.fr. 3600 IN DNSKEY 256 3 8 AwEAAbKFODstxs+c4yBhRTaMXPFxe/CcCm9Yv7m4v6nC+z/QnK7SpCVcpUNplihimV8giDvNez80ZrsJLNOhOUmfyhNm0FkaZEx0AzZy0Iftf7DwqKpqWY5vwtRqOYaE0rfjTI93AOQxO6X+ktcuvA2sS92GxEz4wG24My7JErAjYl41 ;{id = 61800 (zsk), size = 1024b}
> rd.nic.fr. 3600 IN DNSKEY 256 3 8 AwEAAb3wf51lBc8U8a8oCv0VbX9HsvsgpwnoxpBld5GwSnmdPx88qZ5fvNaOsiW1gmyQMNUXoIxBnxWG4/nEWmfdOr9R2BChZymLx1qCp6JDYsq7XO+MCRLiWpfwXy1YfylJOCo9laIbTztJF5H2cLuIazWXfTZsmhmtbjzqIs2gm7ej ;{id = 29214 (zsk), size = 1024b}
> rd.nic.fr. 3600 IN DNSKEY 257 3 8 AwEAAfDCm6XxMotTfpBpaCWJNovM+vDNd+ma47WjHjFj2vZ5RHhi0ocuOURGuin2ZwUqcb5dqdmSKYn8PZYk27BdMA0jipZBfmLokmjvo8Eg38zuxv/g93b/h9YZSAmoauZFZ3AS2YsFuJY1syjIPUb/PFbbkktroyzNVCfveHRCseZCz94QPFt3OJKQM9lbg9NYn7AT3it9RroRO9gZRYe4ekMOZaFGvDy7fHvtScHOq2ClYgblHDLUt4Ys7IHWqstssFtksGVUGqaavKH5OGF2h7evIxweke9PR8QrheO5rV79XqXFR6YZVuydk/QdZcEd09+xsK7ScGA/uGVcF9deRhE= ;{id = 10555 (ksk), size = 2048b}
> rd.nic.fr. 3600 IN RRSIG DNSKEY 8 3 3600 20120709043743 20120701214659 10555 rd.nic.fr. tWNggM40zMrFc3cHgMDHmgDhHA8XQUQG6h4Jv1JiAeQy+dTdYmU5gF6tvTO97QlWo1NUXfTWfez/okjei9XC+Qpvhm1QoRUBFPEB6wcTjRhNZ3hEldojJHBerdu1INHy3XQse7u22dGOG1luoV6x8Tprkync/9Yx2IlMAXTXB2Sa/cdJJjSb6AlKthYdSzt0/dADU0mfX8sD4War/qR6b/b/Lyip0Nd4pzDQ+vEM627EGofv57yt6QjR1cqAFQD1bginXFKg5qulHTAnloi0qBq+fisD7FJ2G78fwL/QfwgzeHn+f9hMlEYPFDQy6qUXkwmyUq+XZ6NHXC/0dbLv2w==
With the signed zone file created on the 5th of July, an expiration time on
the 9th of July looks okay to me. The sign time is before expiration time
minus refresh time.
>
> Same problem for the NSEC3PARAM. But the NS rrset signature is
> correct, going from 4th to 12th july:
>
> rd.nic.fr. 3600 IN NS ns1.rd.nic.fr.
> rd.nic.fr. 3600 IN NS ns3.nic.fr.
> rd.nic.fr. 3600 IN RRSIG NS 8 3 3600 20120712004919 20120704224701 29214 rd.nic.fr. RTkNMogF7jb37mhBcGSqlccdzNna/jwAa6R7puMesCJUoWefk4j+RqC4c6M6QZAreMvGNoNFfCCN0tIpZQtbNgGnGneq4F1UdW6qIjUqfCHZabbp6je+QftpI5XzXz6Blo5RvUqyd2M0Rahf+X14D12P1RpSG9sNaZmf/hpvSoo=
>
> Even funnier, one A record has a proper inception/expiration but
> not the AAAA:
>
> adia.rd.nic.fr. 3600 IN A 192.134.7.132
> adia.rd.nic.fr. 3600 IN RRSIG A 8 4 3600 20120712020917 20120705044701 29214 rd.nic.fr. X1jFEDOmeujxTDaMoCfBOiyDnFZqrPSHDvf0iaqEG5LfCi0Ldb+p5q9mpQcknin4ZeFkbefz0YsMht1ZQfgYBhZUuuS2IgodyyY6RnUzhtJjTgvglv09pwDMl3vZHusNoYCWipMwphiUxFz63+2jR7+kFjhAA699Ji/4pGEuuKY=
> adia.rd.nic.fr. 3600 IN AAAA 2001:660:3003:6::7:132
> adia.rd.nic.fr. 3600 IN RRSIG AAAA 8 4 3600 20120708132308 20120701060835 61800 rd.nic.fr. sXXzADzgL8ahAmPWTb8Di+zkftSK9udTyn0e7kA2N3lXsknE5Al9sDis4zaE6WO50KPdFgXE4TwXf78EnbXJJQ7Nf0MMdjeZtCrqVjTFsLMBfhxagiooYSMGvo4d3jK22QqyJGS3Q0qcN8ByCp9RdST6J/E8FYAgZ1RGnOUS680=
One signature is refreshed, the other could be reused.
>
> Any idea of what went wrong?
Lots of things can happen that prevent OpenDNSSEC from writing a new
signed zonefile:
- Auditor not happy
- HSM connection problems
- Permission problems
- ...
I hope the logs can provide more pointers.
Best regards,
Matthijs
>
> Debian "stable", OpenDNSSEC from the backports, version 1.3.2
> (Debian 1.3.2-1~bpo60+1), using SoftHSM.
>
> Default policy used:
>
> <Policy name="default">
>   <Description>A default policy that will amaze you and your friends</Description>
>   <Signatures>
>     <Resign>PT2H</Resign>
>     <Refresh>P3D</Refresh>
>     <Validity>
>       <Default>P7D</Default>
>       <Denial>P7D</Denial>
>     </Validity>
>     <Jitter>PT12H</Jitter>
>     <InceptionOffset>PT3600S</InceptionOffset>
>   </Signatures>
>
>   <Denial>
>     <NSEC3>
>       <!-- <OptOut/> -->
>       <Resalt>P100D</Resalt>
>       <Hash>
>         <Algorithm>1</Algorithm>
>         <Iterations>5</Iterations>
>         <Salt length="8"/>
>       </Hash>
>     </NSEC3>
>   </Denial>
>
>   <Keys>
>     <!-- Parameters for both KSK and ZSK -->
>     <TTL>PT3600S</TTL>
>     <RetireSafety>PT3600S</RetireSafety>
>     <PublishSafety>PT3600S</PublishSafety>
>     <!-- <ShareKeys/> -->
>     <Purge>P14D</Purge>
>
>     <!-- Parameters for KSK only -->
>     <KSK>
>       <Algorithm length="2048">8</Algorithm>
>       <Lifetime>P1Y</Lifetime>
>       <Repository>SoftHSM</Repository>
>     </KSK>
>
>     <!-- Parameters for ZSK only -->
>     <ZSK>
>       <Algorithm length="1024">8</Algorithm>
>       <Lifetime>P30D</Lifetime>
>       <Repository>SoftHSM</Repository>
>       <!-- <ManualRollover/> -->
>     </ZSK>
>   </Keys>
>
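An added check (example code, not OpenDNSSEC's own) that applies the Refresh and Resign values from the quoted policy to the RRSIG timestamps quoted above: a signature still present in the signed zone past `expiration - Refresh` means the signer has stopped writing output, which is worth alerting on days before the signature actually expires. The sample zone uses the thread's timestamps with the signature data replaced by a placeholder; the two "now" values are the time the zone was last written and the time the problem was noticed.

```python
"""Stale-RRSIG check built around the KASP values quoted in this thread.

Added example, not OpenDNSSEC code. The signer refreshes a signature once
`expiration - Refresh` has passed and runs every Resign interval, so an
RRSIG still in the signed zone beyond that point means the signer stalled.
"""
from datetime import datetime, timedelta, timezone

REFRESH = timedelta(days=3)    # <Refresh>P3D</Refresh>
RESIGN = timedelta(hours=2)    # <Resign>PT2H</Resign>: grace between signer runs

# Constructed sample: the RRSIG timestamps from the thread, signature data
# replaced by a placeholder because only the validity window matters here.
SAMPLE_ZONE = """\
rd.nic.fr. 3600 IN RRSIG DNSKEY 8 3 3600 20120709043743 20120701214659 10555 rd.nic.fr. SIG==
rd.nic.fr. 3600 IN RRSIG NS 8 3 3600 20120712004919 20120704224701 29214 rd.nic.fr. SIG==
adia.rd.nic.fr. 3600 IN RRSIG A 8 4 3600 20120712020917 20120705044701 29214 rd.nic.fr. SIG==
adia.rd.nic.fr. 3600 IN RRSIG AAAA 8 4 3600 20120708132308 20120701060835 61800 rd.nic.fr. SIG==
"""

def rrsig_time(s: str) -> datetime:
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp (RFC 4034: always UTC)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def classify(expiration: datetime, now: datetime) -> str:
    """ok: signer need not act yet; stale: refresh overdue; expired: validation fails."""
    if now >= expiration:
        return "expired"
    if now >= expiration - REFRESH + RESIGN:
        return "stale"
    return "ok"

def audit_zone(zone_text: str, now: datetime) -> dict:
    """Map 'owner TYPE' -> status for every RRSIG line in presentation format."""
    # RRSIG fields: owner ttl class RRSIG covered alg labels origttl exp inc keytag signer sig
    report = {}
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue  # not a complete RRSIG record: nothing to check
        report[f"{f[0]} {f[4]}"] = classify(rrsig_time(f[8]), now)
    return report

if __name__ == "__main__":
    # July 5 11:47: last signed zone written; July 9 11:47: the expiry was noticed.
    for when in ("20120705114700", "20120709114700"):
        print(when, audit_zone(SAMPLE_ZONE, rrsig_time(when)))
```

At the July 5 write time every signature is "ok", which is why the July 1 DNSKEY signature was legitimately reused; by July 9 the DNSKEY and AAAA signatures are expired and the NS and A signatures are already past their refresh point, so the alert would have fired around July 6.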