[Opendnssec-user] deleting + adding zones causing outage

Paul Wouters paul at nohats.ca
Mon Jun 4 13:43:53 UTC 2012


On Mon, 4 Jun 2012, Siôn Lloyd wrote:

>> But you're telling me I need to switch to manual dnssec-signzone/bind
>> for now to downgrade? There is no manual mode working for opendnssec
>> at all?
>
> Not currently for algorithm rollover... That is scheduled for version 2 of 
> the enforcer.

It got worse. I tried deleting the zones and re-adding them with the new
policy, and unrelated zones started getting mangled. The nohats.ca domain
(which was not deleted) ended up with NSEC3 records and 0 RRSIGs. One
other zone ended up with only 1 RRSIG over the DNSKEY RRset in the zone.

I had to remove the DLV record for nohats.ca as I could not get
opendnssec to sign it properly whatsoever. Even stopping all daemons
and removing all signed zones and all tmp/signconf files and
running ods-ksmutil update all did not cause it to start signing
again. I upgraded from 1.4.0a1 to 1.4.0a2 but it made no difference.

Now 8 hours later, the nohats.ca has 1 RRSIG over the DNSKEY set, and
no other RRSIGs.....

Paul



More information about the Opendnssec-user mailing list