[Opendnssec-user] 1.4.0a1 ods-signerd wrote mangled RRSIG record

Paul Wouters paul at nohats.ca
Thu Jun 21 16:59:06 UTC 2012

On Thu, 21 Jun 2012, Matthijs Mekking wrote:

> With what HSM backend is this? Going through the list of fixed issues,
> this sounds familiar to
> 	https://issues.opendnssec.org/browse/ODSPTHIST-294
> The problem then was in SoftHSM, which was fixed in 1.1.1, so I guess
> that's not it.

This happened with an AEP Keyper.

> I committed a defense mechanism for this, in trunk r6449. You'll need
> ldns trunk too (the upcoming 1.6.14, which will be released prior to
> OpenDNSSEC 1.4.0). Basically what it does, is every time that ldns is
> unable to convert a RDATA into a string, the signer engine uses the
> error to prevent writing out the signed zone/journal files. You will
> see this in the logs as:
> ods-signerd: [adapter] unable to write zone example.com file
> /opt/opendnssec/var/opendnssec/signed/example.com: one or more RR
> print failed
> Please let me know how this works for you.

That works, but could you log the rdata somehow? Or possibly have a
pointer back to a line number in the zone file?


More information about the Opendnssec-user mailing list