[Opendnssec-user] deleting + adding zones causing outage

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Jun 4 14:00:11 UTC 2012


What does the signconf file for nohats.ca and the other zone look like?

Matthijs

On Mon, 4 Jun 2012, Paul Wouters wrote:

> On Mon, 4 Jun 2012, Siôn Lloyd wrote:
>
>>> But you're telling me I need to switch to manual dnssec-signzone/bind
>>> for now to downgrade? There is no manual mode working for opendnssec
>>> at all?
>> 
>> Not currently for algorithm rollover... That is scheduled for version 2 of 
>> the enforcer.
>
> It got worse. I tried deleting the zones and re-adding them with the new
> policy, and unrelated zones started getting mangled. The nohats.ca domain
> (which was not deleted) ended up with NSEC3 records and 0 RRSIGs. One
> other zone ended up with only 1 RRSIG over the DNSKEY RRset in the zone.
>
> I had to remove the DLV record for nohats.ca as I could not get
> opendnssec to sign it properly whatsoever. Even stopping all daemons
> and removing all signed zones and all tmp/signconf files and
> running ods-ksmutil update all did not cause it to start signing
> again. I upgraded from 1.4.0a1 to 1.4.0a2 but it made no difference.
>
> Now 8 hours later, the nohats.ca has 1 RRSIG over the DNSKEY set, and
> no other RRSIGs.....
>
> Paul

