[Opendnssec-user] Re: Zone signed but with old expiration dates?
Dick Visser
visser at terena.org
Tue Jul 10 10:03:50 UTC 2012
Just adding that I'm starting to see expired RRSIGs for some of my zones.
Interestingly, the last ones were created on 5 July....
Might this be related to that leap second that got injected on the 1st of July?
Dick
On 9 July 2012 14:47, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:
> Hi,
>
> On 07/09/2012 02:22 PM, Stephane Bortzmeyer wrote:
>> On Mon, Jul 09, 2012 at 02:04:16PM +0200, Matthijs Mekking
>> <matthijs at nlnetlabs.nl> wrote a message of 162 lines which said:
>>
>>> So, OpenDNSSEC did not write out a new signed zone file,
>>
>> It did. But the zone was, IMHO, incorrect. Generating on 5 July a
>> zone file containing signatures valid from 2 to 9 July seems
>> wrong.
>
> If the signer would generate a new zone on the 5th of July, with a
> signature from 2 to 9 July, that is not wrong, according to your policy:
>
> Expiration time: 9 July 2012, 4:37:43.
> Refresh period: 3 days
>
> The signature is fresh until 6 July 2012, 4:37:43. Sign time is 5 July
> 2012, 11:47. Signature may be reused.
>
> But given that you have a resign period of two hours, I would expect a
> signed zone file written out later than the 5th of July.
>
>
>>
>>> Do the logs give any pointers?
>>
>> We have BIND logs showing <NotifyCommand> was executed
>> successfully:
>>
>> Jul 5 11:47:01 lilith named[26440]: received control channel command 'reload'
>> Jul 5 11:47:01 lilith named[26440]: loading configuration from '/etc/bind/named.conf'
>> Jul 5 11:47:01 lilith named[26440]: /etc/bind/trust-anchors:22: trusted key 'test.dnssec-tools.org.' has a weak exponent
>> Jul 5 11:47:01 lilith named[26440]: reading built-in trusted keys from file '/etc/bind/bind.keys'
>> Jul 5 11:47:01 lilith named[26440]: using default UDP/IPv4 port range: [1024, 65535]
>> Jul 5 11:47:01 lilith named[26440]: using default UDP/IPv6 port range: [1024, 65535]
>> Jul 5 11:47:01 lilith named[26440]: /etc/bind/trust-anchors:22: trusted key 'test.dnssec-tools.org.' has a weak exponent
>> Jul 5 11:47:01 lilith named[26440]: reloading configuration succeeded
>> Jul 5 11:47:01 lilith named[26440]: db.office--enregistrement.fr:10: signature has expired
>> Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/internal: loaded serial 2011022700 (DNSSEC signed)
>> Jul 5 11:47:01 lilith named[26440]: db.office--enregistrement.fr:10: signature has expired
>> Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/external: loaded serial 2011022700 (DNSSEC signed)
>> Jul 5 11:47:01 lilith named[26440]: reloading zones succeeded
>> Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/internal: expired
>> Jul 5 11:47:01 lilith named[26440]: zone office--enregistrement.fr/IN/external: expired
>> Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/internal: loaded serial 2012070505 (DNSSEC signed)
>> Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/internal: sending notifies (serial 2012070505)
>> Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/external: loaded serial 2012070505 (DNSSEC signed)
>> Jul 5 11:47:01 lilith named[26440]: zone rd.nic.fr/IN/external: sending notifies (serial 2012070505)
>> Jul 5 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR started
>> Jul 5 11:47:01 lilith named[26440]: client 192.134.0.49#51719: view internal: transfer of 'rd.nic.fr/IN': AXFR-style IXFR ended
>>
>> The enforcer seems happy:
>>
>>
>> Jul 5 10:47:11 lilith ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
>> Jul 5 10:47:11 lilith ods-enforcerd: Reading config schema "/usr/share/opendnssec/conf.rng"
>> Jul 5 10:47:11 lilith ods-enforcerd: Communication Interval: 3600
>> Jul 5 10:47:11 lilith ods-enforcerd: No DS Submit command supplied
>> Jul 5 10:47:11 lilith ods-enforcerd: SQLite database set to: /var/lib/opendnssec/db/kasp.db
>> Jul 5 10:47:11 lilith ods-enforcerd: Log User set to: daemon
>> Jul 5 10:47:11 lilith ods-enforcerd: Switched log facility to: daemon
>> Jul 5 10:47:11 lilith ods-enforcerd: Connecting to Database...
>> Jul 5 10:47:11 lilith ods-enforcerd: Policy default found.
>> Jul 5 10:47:11 lilith ods-enforcerd: Key sharing is Off.
>> Jul 5 10:47:11 lilith ods-enforcerd: Purging keys...
>> Jul 5 10:47:11 lilith ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
>> Jul 5 10:47:11 lilith ods-enforcerd: Zone rd.nic.fr found.
>> Jul 5 10:47:11 lilith ods-enforcerd: Policy for rd.nic.fr set to default.
>> Jul 5 10:47:11 lilith ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/rd.nic.fr.xml.
>> Jul 5 10:47:11 lilith ods-enforcerd: WARNING: New KSK has reached the ready state; please submit the DS for rd.nic.fr and use ods-ksmutil key ds-seen when the DS appears in the DNS.
>> Jul 5 10:47:11 lilith ods-enforcerd: No change to: /var/lib/opendnssec/signconf/rd.nic.fr.xml
>> Jul 5 10:47:11 lilith ods-enforcerd: Disconnecting from Database...
>> Jul 5 10:47:11 lilith ods-enforcerd: Sleeping for 3600 seconds.
>>
>> I cannot find logs from the signer. Strange.
>
> What is the verbosity output? Aren't there any logs of BIND/OpenDNSSEC
> after the 5th of July (after the last signed zone file was outputted)?
>
>>
>>> zone file created on 5th of July, an expiration time on the 9th
>>> of July looks okay to me.
>>
>> Not for me, with a validity period of 7 days.
>
> The validity period was about 7 days (+ some jitter). The expiration
> time minus refresh seems to be valid too.
>
>>
>>> Lots of things can happen that prevent OpenDNSSEC from writing a
>>> new signed zonefile:
>>> - Auditor not happy
>>
>> Auditor was disabled.
>>
>>> - HSM connection problems
>>
>> SoftHSM
>>
>>> - Permission problems
>>
>> Nothing changed on the machine. And remember ods-signer sign
>> rd.nic.fr worked.
>
> Hm, yes. Too bad there aren't any logs.
>
>
> Best regards,
> Matthijs
--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
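A worked check, added here and not taken from the thread or from OpenDNSSEC itself: it applies the rule Matthijs uses above (a signature may be reused until expiration minus the refresh period) to RRSIG lines in presentation format and reports the expired signatures Dick is now seeing. The zone lines, key tag and signature fields are constructed placeholders, and the thread's timestamps are assumed to be UTC, as RRSIG times are.

```python
"""Classify RRSIGs as fresh, stale or expired using the expiration-minus-refresh rule."""
from datetime import datetime, timedelta, timezone

RRSIG_TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC

# Constructed sample zone: the first RRSIG carries the validity window discussed in the
# thread (2 to 9 July 2012); the second was constructed to be already expired. The key
# tag and signature fields are placeholders, not real values.
SAMPLE_ZONE = """\
rd.nic.fr.     3600 IN RRSIG SOA 8 3 3600 20120709043743 20120702043743 12345 rd.nic.fr. PLACEHOLDERSIG==
www.rd.nic.fr. 3600 IN RRSIG A   8 4 3600 20120703120000 20120626120000 12345 rd.nic.fr. PLACEHOLDERSIG==
"""

def parse_rrsig_time(s):
    """Parse an RRSIG timestamp into an aware UTC datetime."""
    return datetime.strptime(s, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)

def fresh_until(expiration_str, refresh_days):
    """Last moment a signature may still be reused: expiration minus the refresh period."""
    boundary = parse_rrsig_time(expiration_str) - timedelta(days=refresh_days)
    return boundary.strftime(RRSIG_TIME_FMT)

def rrsig_status(expiration, now, refresh):
    """'expired' past expiration, 'stale' inside the refresh window (must re-sign), else 'fresh'."""
    if now >= expiration:
        return "expired"
    if now >= expiration - refresh:
        return "stale"
    return "fresh"

def check_zone(zone_text, now_str, refresh_days=3):
    """Return (owner, type covered, status) for every RRSIG line in the zone text."""
    now = parse_rrsig_time(now_str)
    refresh = timedelta(days=refresh_days)
    results = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        if len(fields) < i + 9:
            continue  # truncated or malformed RRSIG line, skip it
        # RDATA order: type covered, algorithm, labels, original TTL, expiration, inception, ...
        covered, expiration = fields[i + 1], parse_rrsig_time(fields[i + 5])
        results.append((fields[0], covered, rrsig_status(expiration, now, refresh)))
    return results

if __name__ == "__main__":
    # Sign time from the thread: 5 July 2012, 11:47. The SOA signature is still fresh then.
    for owner, covered, status in check_zone(SAMPLE_ZONE, "20120705114700"):
        print(f"{owner} RRSIG({covered}): {status}")
```

Run the same check with a later `now_str` (for instance 10 July) to reproduce the "signature has expired" condition BIND logs above.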