[Opendnssec-user] Ubuntu 10.10 - Signing issues

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Mar 5 10:34:21 UTC 2012


Hi Derek,

On 03/02/2012 12:12 AM, Derek Brodeur wrote:
> Thanks for the reply,
> 
> I didn't think I had, I thought it automatically did that when I
> used
> 
> ods-signer sign example.com <http://example.com>

OpenDNSSEC will never write anything to the unsigned zonefile.

> 
> I removed the DNSKEY from the unsigned file and did
> 
> ods-ksmutil setup
> 
> and then
> 
> ods-signer sign example.com <http://example.com>
> 
> it seemed to get rid of the error but..
> 
> I am still receiving the SOA differs error, I understand it tries
> to increment that number but I thought that was automatic... even
> if I increment it myself, it still gives me the error?

The first time OpenDNSSEC signs a zone, it wants to ensure that the
serial of the signed zone increments the serial of the unsigned zone.
This way, secondary servers will be able to pick up the changes that
come with signing.

If OpenDNSSEC is unable to increment the serial with the settings from
the policy (in kasp.xml), it will give a warning. In your case, the
unixtime is not incrementing the inbound serial:

	1330558281 <= 2011022003

> 
> What should I be changing, do I need to download a different time 
> package or something?

To fix this, make sure that the serials in your unsigned zone files
match the type of serial used in the policy. In your case: unixtime.

Or change your policy so that you will use datecounter as serial.

Best regards,
  Matthijs

> 
> Thanks, Derek
> 
> (I hope this posts as it is supposed to)
> 
> On Thu, Mar 1, 2012 at 3:14 AM, Matthijs Mekking
> <matthijs at nlnetlabs.nl <mailto:matthijs at nlnetlabs.nl>> wrote:
> 
> Hi,
> 
> Also, the signer initially tries to increment the serial with
> respect to the serial in the unsigned zone. Therefore, the warning
> 
> Feb 29 15:31:21 ubuntu ods-signerd: [data] unable to use unixtime 
> 1330558281 as serial: not greater than inbound serial 2011022003
> 
> is shown.
> 
> Best regards, Matthijs
> 
> 
> 
> On 03/01/2012 08:53 AM, Jerry Lundström wrote:
>> Hi Derek,
> 
>> The problem you seem to have might be because you have added a
>> DNSKEY to the unsigned zone with algorithm RSASHA1 and the rest
>> of the signed zone is signed with algorithm RSASHA256. Auditor
>> detects this and expect every signed entry to have all
>> algorithms.
> 
>> Could I ask why you added a DNSKEY to the unsigned zone?
> 
>> /Jerry

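An added illustration (not code from the thread or from OpenDNSSEC itself) of the check Matthijs describes: the signer's candidate serial must be greater than the unsigned zone's inbound serial under RFC 1982 serial arithmetic, otherwise it warns. The unixtime and datecounter handling below is a simplified model, and the inbound serial and timestamp are taken from the log line quoted above.

```python
from datetime import datetime, timezone

SERIAL_MASK = (1 << 32) - 1
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a is 'greater than' b on the 32-bit ring."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    if a == b:
        return False
    if a > b:
        return a - b < SERIAL_HALF
    return b - a > SERIAL_HALF  # a is ahead of b but has wrapped past zero


def candidate_serial(policy: str, inbound: int, now_ts: int) -> int:
    """Serial the signer would like to use for the signed zone (simplified model)."""
    if policy == "unixtime":
        return now_ts
    if policy == "datecounter":
        day = datetime.fromtimestamp(now_ts, tz=timezone.utc).strftime("%Y%m%d")
        today = int(day) * 100              # YYYYMMDD00
        if inbound // 100 == today // 100:  # same day: bump the two-digit counter
            return inbound + 1
        return today
    raise ValueError(f"unsupported serial policy: {policy}")


def outbound_serial(policy: str, inbound: int, now_ts: int):
    """Return (serial, None) on success, or (None, warning) when the policy cannot
    produce a serial greater than the inbound (unsigned-zone) serial."""
    cand = candidate_serial(policy, inbound, now_ts)
    if not serial_gt(cand, inbound):
        return None, (f"unable to use {policy} {cand} as serial: "
                      f"not greater than inbound serial {inbound}")
    return cand, None


# Constructed reproduction of the thread's situation: the unsigned zone carries a
# date-style serial while the policy says unixtime; the run time is the unix time
# from the quoted log line.
INBOUND = 2011022003
SIGN_TIME = 1330558281

if __name__ == "__main__":
    print(outbound_serial("unixtime", INBOUND, SIGN_TIME))    # warning, as in the log
    print(outbound_serial("datecounter", INBOUND, SIGN_TIME)) # (2012022900, None)
```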



More information about the Opendnssec-user mailing list