[Opendnssec-user] Re: Zone signed but with old expiration dates?

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Jul 9 12:47:47 UTC 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 07/09/2012 02:22 PM, Stephane Bortzmeyer wrote:
> On Mon, Jul 09, 2012 at 02:04:16PM +0200, Matthijs Mekking
> <matthijs at nlnetlabs.nl> wrote a message of 162 lines which said:
> 
>> So, OpenDNSSEC did not write out a new signed zone file,
> 
> It did. But the zone was, IMHO, incorrect. Generating on 5 July a
> zone file containing signatures valid from 2 to 9 July seems
> wrong.

If the signer would generate a new zone on the 5th of July, with a
signature from 2 to 9 July, that is not wrong, according to your policy:

Expiration time: 9 July 2012, 4:37:43.
Refresh period: 3 days

The signature is fresh until 6 July 2012, 4:37:43. Sign time is 5 July
2012, 11:47. Signature may be reused.

But given that you have a resign period of two hours, I would expect a
signed zone file written out later than the 5th of July.


> 
>> Do the logs give any pointers?
> 
> We have BIND logs showing <NotifyCommand> was executed
> successfully:
> 
> Jul  5 11:47:01 lilith named[26440]: received control channel
> command 'reload' Jul  5 11:47:01 lilith named[26440]: loading
> configuration from '/etc/bind/named.conf' Jul  5 11:47:01 lilith
> named[26440]: /etc/bind/trust-anchors:22: trusted key
> 'test.dnssec-tools.org.' has a weak exponent Jul  5 11:47:01 lilith
> named[26440]: reading built-in trusted keys from file
> '/etc/bind/bind.keys' Jul  5 11:47:01 lilith named[26440]: using
> default UDP/IPv4 port range: [1024, 65535] Jul  5 11:47:01 lilith
> named[26440]: using default UDP/IPv6 port range: [1024, 65535] Jul
> 5 11:47:01 lilith named[26440]: /etc/bind/trust-anchors:22: trusted
> key 'test.dnssec-tools.org.' has a weak exponent Jul  5 11:47:01
> lilith named[26440]: reloading configuration succeeded Jul  5
> 11:47:01 lilith named[26440]: db.office--enregistrement.fr:10:
> signature has expired Jul  5 11:47:01 lilith named[26440]: zone
> office--enregistrement.fr/IN/internal: loaded serial 2011022700
> (DNSSEC signed) Jul  5 11:47:01 lilith named[26440]:
> db.office--enregistrement.fr:10: signature has expired Jul  5
> 11:47:01 lilith named[26440]: zone
> office--enregistrement.fr/IN/external: loaded serial 2011022700
> (DNSSEC signed) Jul  5 11:47:01 lilith named[26440]: reloading
> zones succeeded Jul  5 11:47:01 lilith named[26440]: zone
> office--enregistrement.fr/IN/internal: expired Jul  5 11:47:01
> lilith named[26440]: zone office--enregistrement.fr/IN/external:
> expired Jul  5 11:47:01 lilith named[26440]: zone
> rd.nic.fr/IN/internal: loaded serial 2012070505 (DNSSEC signed) Jul
> 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/internal: sending
> notifies (serial 2012070505) Jul  5 11:47:01 lilith named[26440]:
> zone rd.nic.fr/IN/external: loaded serial 2012070505 (DNSSEC
> signed) Jul  5 11:47:01 lilith named[26440]: zone
> rd.nic.fr/IN/external: sending notifies (serial 2012070505) Jul  5
> 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view
> internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR started Jul
> 5 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view
> internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR ended
> 
> The enforcer seems happy:
> 
> 
> Jul  5 10:47:11 lilith ods-enforcerd: Reading config
> "/etc/opendnssec/conf.xml" Jul  5 10:47:11 lilith ods-enforcerd:
> Reading config schema "/usr/share/opendnssec/conf.rng" Jul  5
> 10:47:11 lilith ods-enforcerd: Communication Interval: 3600 Jul  5
> 10:47:11 lilith ods-enforcerd: No DS Submit command supplied Jul  5
> 10:47:11 lilith ods-enforcerd: SQLite database set to:
> /var/lib/opendnssec/db/kasp.db Jul  5 10:47:11 lilith
> ods-enforcerd: Log User set to: daemon Jul  5 10:47:11 lilith
> ods-enforcerd: Switched log facility to: daemon Jul  5 10:47:11
> lilith ods-enforcerd: Connecting to Database... Jul  5 10:47:11
> lilith ods-enforcerd: Policy default found. Jul  5 10:47:11 lilith
> ods-enforcerd: Key sharing is Off. Jul  5 10:47:11 lilith
> ods-enforcerd: Purging keys... Jul  5 10:47:11 lilith
> ods-enforcerd: zonelist filename set to
> /etc/opendnssec/zonelist.xml. Jul  5 10:47:11 lilith ods-enforcerd:
> Zone rd.nic.fr found. Jul  5 10:47:11 lilith ods-enforcerd: Policy
> for rd.nic.fr set to default. Jul  5 10:47:11 lilith ods-enforcerd:
> Config will be output to
> /var/lib/opendnssec/signconf/rd.nic.fr.xml. Jul  5 10:47:11 lilith
> ods-enforcerd: WARNING: New KSK has reached the ready state; please
> submit the DS for rd.nic.fr and use ods-ksmutil key ds-seen when
> the DS appears in the DNS. Jul  5 10:47:11 lilith ods-enforcerd: No
> change to: /var/lib/opendnssec/signconf/rd.nic.fr.xml Jul  5
> 10:47:11 lilith ods-enforcerd: Disconnecting from Database... Jul
> 5 10:47:11 lilith ods-enforcerd: Sleeping for 3600 seconds.
> 
> I cannot find logs from the signer. Strange.

What is the verbosity output? Aren't there any logs of BIND/OpenDNSSEC
after the 5th of July (after the last signed zone file was outputted)?

> 
>> zone file created on 5th of July, an expiration time on the 9th
>> of July looks okay to me.
> 
> Not for me, with a validity period of 7 days.

The validity period was about 7 days (+ some jitter). The expiration
time minus refresh seems to be valid too.

> 
>> Lots of things can happen that prevents OpenDNSSEC from writing a
>> new signed zonefile: - - Auditor not happy
> 
> Auditor was disabled.
> 
>> - - HSM connection problems
> 
> SoftHSM
> 
>> - - Permission problems
> 
> Nothing changed on the machine. And remember ods-signer sign
> rd.nic.fr worked.

Hm, yes. Too bad there aren't any logs.


Best regards,
  Matthijs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP+tLzAAoJEA8yVCPsQCW5/AIIAIYjj7yxRZohCsr6ZXmVayeF
aFC/nKfLiGzNPSUEdAOaEQfp7393IZfOn2diKAU/C4v7YI6XoeGN7Ih6uZHIUTrg
3Z10djkkQsq3CUL7yywGNG/1UcE3Ei+cwV0uO2pwzxIs3wveL929o9nRsIVmvf1C
yA27UNejfUyJdCpYaECWVN98flETV645uYehDNKO5tgkH51FNcjXW621pymY8kX9
oD1qAMaz51FHugNC6cholhCmPgljgPYUouUXFyj6tX6Qaj+gfqDJPS/FnOWw9miC
xFncS+j59i24x6MdHog/ws/Chnn9iczzkwSBx1Mh7qXjRrALPAf5nxU+1Zqk91g=
=Ftry
-----END PGP SIGNATURE-----

More information about the Opendnssec-user mailing list