[Opendnssec-user] 1.4.0a1 ods-signerd wrote mangled RRSIG record
Paul Wouters
paul at nohats.ca
Thu Jun 21 16:59:06 UTC 2012
On Thu, 21 Jun 2012, Matthijs Mekking wrote:
> With what HSM backend is this? Going through the list of fixed issues,
> this sounds familiar to
>
> https://issues.opendnssec.org/browse/ODSPTHIST-294
>
> The problem then was in SoftHSM, which was fixed in 1.1.1, so I guess
> that's not it.
This happened with an AEP Keyper.
> I committed a defense mechanism for this, in trunk r6449. You'll need
> ldns trunk too (the upcoming 1.6.14, which will be released prior to
> OpenDNSSEC 1.4.0). Basically what it does, is every time that ldns is
> unable to convert a RDATA into a string, the signer engine uses the
> error to prevent writing out the signed zone/journal files. You will
> see this in the logs as:
>
> ods-signerd: [adapter] unable to write zone example.com file
> /opt/opendnssec/var/opendnssec/signed/example.com: one or more RR
> print failed
>
> Please let me know how this works for you.
That works, but could you log the rdata somehow? Or possibly have a
pointer back to a line number in the zone file?
Paul
More information about the Opendnssec-user
mailing list