[Opendnssec-user] 1.4.0a1 ods-signerd wrote mangled RRSIG record

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jun 21 20:57:11 UTC 2012



On 06/21/2012 06:59 PM, Paul Wouters wrote:
> On Thu, 21 Jun 2012, Matthijs Mekking wrote:
> 
>> With what HSM backend is this? Going through the list of fixed
>> issues, this sounds familiar to
>> 
>> https://issues.opendnssec.org/browse/ODSPTHIST-294
>> 
>> The problem then was in SoftHSM, which was fixed in 1.1.1, so I
>> guess that's not it.
> 
> This happened with an AEP Keyper.
> 
>> I committed a defense mechanism for this, in trunk r6449. You'll
>> need ldns trunk too (the upcoming 1.6.14, which will be released
>> prior to OpenDNSSEC 1.4.0). Basically what it does, is every time
>> that ldns is unable to convert a RDATA into a string, the signer
>> engine uses the error to prevent writing out the signed
>> zone/journal files. You will see this in the logs as:
>> 
>> ods-signerd: [adapter] unable to write zone example.com file 
>> /opt/opendnssec/var/opendnssec/signed/example.com: one or more
>> RR print failed
>> 
>> Please let me know how this works for you.
> 
> That works, but could you log the rdata somehow? Or possibly have
> a pointer back to a line number in the zone file?

Well, if printing the RR fails, it is unlikely that logging it will
work. I do log the RRset that is failing:

+            log_rrset(ldns_rr_owner(rrset->rrs[i].rr), rrset->rrtype,
+                "error printing RRset", LOG_CRIT);
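Review bot: the log call identifies the failure only by owner name and rrset->rrtype, so when the RRset holds several records the operator cannot tell which one failed to print; the loop index i is already in scope here, so consider including it in the message text. The owner passed to log_rrset is also read from rrset->rrs[i].rr, the same RR that just failed to print, so it is worth confirming that log_rrset copes when the owner field of that RR is the damaged part.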


> 
> Paul



