[Opendnssec-user] various zones stopped getting signed over "wrong salt"
Paul Wouters
paul at nohats.ca
Mon Mar 5 17:21:17 UTC 2012
Hi,
I'm seeing these kinds of errors now:
Mar 4 03:26:10 nohats ods-auditor[1377]: openswan.net : NSEC3PARAM has wrong salt : should be 715e22f77cc2f0d7 but was e08d8fa4ddb9e519
This is happening for 12 out of 18 domains on this particular server.
opendnssec running was 1.3.6. No recent changes to binaries or config files.
After running ods-control stop and moving the /var/opendnssec/tmp/ files
out of the way, and running ods-control start, everything got signed
again properly.
Looking at one set that broke, openswan.net:
openswan.net.backup:
;ODSSE2
;;Zone: name openswan.net class 1 ttl 3600 inbound 2012012908 internal 2012013005 outbound 2012013005
;;Task: when 1330852177 what 4 interrupt 0 halted 0 backoff 0 flush 0
;;Signconf: lastmod 1330794270 resign PT7200S refresh PT259200S valid PT604800S denial PT604800S jitter PT43200S offset PT3600S nsec 50 dnskeyttl PT3600S soattl PT3600S soamin PT3600S serial unixtime audit 1
;;
;;Nsec3parameters: salt 715e22f77cc2f0d7 algorithm 1 optout 0 iterations 5
openswan.net. 3600 IN NSEC3PARAM 1 0 5 715e22f77cc2f0d7
;;Nsec3done
openswan.net.finalized:
openswan.net. 3600 IN NSEC3PARAM 1 0 5 715e22f77cc2f0d7
Note that in the currently just signed zone, the NSEC3PARAM salt is
715e22f77cc2f0d7. I did not find a reference to e08d8fa4ddb9e519.
The tmp directory and system logs are available to developers if needed,
Paul
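The auditor message in this post comes down to one comparison: the salt the signer recorded in its state file (the ";;Nsec3parameters:" line of the .backup file) against the salt carried in the NSEC3PARAM record of the zone it actually emitted. The script below is an added example, not code from the post or from OpenDNSSEC itself; it reimplements that consistency check over the two file excerpts shown above so an operator can run it against a signer's tmp directory before trusting a signed zone. The line layouts of the .backup and .finalized files are taken from the post; the regular expressions, function names and the constructed sample inputs are assumptions of this example, and the stale-salt sample simply reuses the two salt values quoted in the log line.

```python
"""
Cross-check the NSEC3 parameters recorded in an OpenDNSSEC signer
state file (.backup) against the NSEC3PARAM record in the finalized
zone, reproducing the comparison behind the ods-auditor
"NSEC3PARAM has wrong salt" message.  Example code; not from OpenDNSSEC.
"""
import re

# Constructed sample inputs, modelled on the openswan.net excerpts in the post.
BACKUP_TEXT = """\
;ODSSE2
;;Zone: name openswan.net class 1 ttl 3600 inbound 2012012908 internal 2012013005 outbound 2012013005
;;Nsec3parameters: salt 715e22f77cc2f0d7 algorithm 1 optout 0 iterations 5
openswan.net. 3600 IN NSEC3PARAM 1 0 5 715e22f77cc2f0d7
;;Nsec3done
"""

# Zone output consistent with the state file.
FINALIZED_OK = "openswan.net. 3600 IN NSEC3PARAM 1 0 5 715e22f77cc2f0d7\n"
# Zone output carrying a salt that does not match the state file (constructed).
FINALIZED_STALE = "openswan.net. 3600 IN NSEC3PARAM 1 0 5 e08d8fa4ddb9e519\n"

# ';;Nsec3parameters: salt <hex|-> algorithm <n> optout <n> iterations <n>'
NSEC3PARAMS_RE = re.compile(
    r"^;;Nsec3parameters:\s+salt\s+(?P<salt>\S+)\s+algorithm\s+(?P<alg>\d+)"
    r"\s+optout\s+(?P<optout>\d+)\s+iterations\s+(?P<iter>\d+)",
    re.M,
)

# '<owner> [ttl] [IN] NSEC3PARAM <alg> <flags> <iterations> <salt>'
NSEC3PARAM_RR_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?NSEC3PARAM\s+"
    r"(?P<alg>\d+)\s+(?P<flags>\d+)\s+(?P<iter>\d+)\s+(?P<salt>\S+)\s*$",
    re.M,
)


def _norm_salt(salt):
    """Presentation format uses '-' for an empty salt; compare case-insensitively."""
    return "" if salt == "-" else salt.lower()


def expected_nsec3_params(backup_text):
    """Parse the signer's own record of the NSEC3 parameters it was told to use."""
    m = NSEC3PARAMS_RE.search(backup_text)
    if m is None:
        raise ValueError("no ;;Nsec3parameters line found in signer state file")
    return {
        "salt": _norm_salt(m["salt"]),
        "alg": int(m["alg"]),
        "optout": int(m["optout"]),
        "iterations": int(m["iter"]),
    }


def zone_nsec3param_records(zone_text):
    """Collect every NSEC3PARAM record present in the signed zone text."""
    return [
        {
            "owner": m["owner"],
            "alg": int(m["alg"]),
            "flags": int(m["flags"]),
            "iterations": int(m["iter"]),
            "salt": _norm_salt(m["salt"]),
        }
        for m in NSEC3PARAM_RR_RE.finditer(zone_text)
    ]


def audit_nsec3param(zone_name, backup_text, zone_text):
    """Return auditor-style findings; an empty list means state and zone agree."""
    expected = expected_nsec3_params(backup_text)
    records = zone_nsec3param_records(zone_text)
    findings = []
    if not records:
        findings.append(f"{zone_name} : no NSEC3PARAM record in signed zone")
        return findings
    for rr in records:
        if rr["salt"] != expected["salt"]:
            findings.append(
                f"{zone_name} : NSEC3PARAM has wrong salt : "
                f"should be {expected['salt'] or '-'} but was {rr['salt'] or '-'}"
            )
        if rr["iterations"] != expected["iterations"]:
            findings.append(
                f"{zone_name} : NSEC3PARAM has wrong iterations : "
                f"should be {expected['iterations']} but was {rr['iterations']}"
            )
        if rr["alg"] != expected["alg"]:
            findings.append(
                f"{zone_name} : NSEC3PARAM has wrong algorithm : "
                f"should be {expected['alg']} but was {rr['alg']}"
            )
    return findings


if __name__ == "__main__":
    for label, zone in (("consistent", FINALIZED_OK), ("stale", FINALIZED_STALE)):
        print(label, audit_nsec3param("openswan.net", BACKUP_TEXT, zone) or ["ok"])
```

To use it on a live signer, read `<zone>.backup` and `<zone>.finalized` from the signer's tmp directory and pass their contents to `audit_nsec3param`. The NSEC3PARAM record's flags field is not compared against the state file's optout value, because the opt-out bit is only meaningful in NSEC3 records and RFC 5155 requires the flags of NSEC3PARAM to be zero.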