[Opendnssec-user] various zones stopped getting signed over "wrong salt"

Jerry Lundström jerry at opendnssec.org
Mon Mar 5 17:32:52 UTC 2012


Hi Paul,

Please attach all logs and such to
https://issues.opendnssec.org/browse/SUPPORT-22 .

Cheers
/Jerry

On 5 mar 2012, at 18:20, Paul Wouters <paul at nohats.ca> wrote:

>
> Hi,
>
> I'm seeing these kind of errors now:
>
> Mar  4 03:26:10 nohats ods-auditor[1377]: openswan.net : NSEC3PARAM has wrong salt : should be 715e22f77cc2f0d7 but was e08d8fa4ddb9e519
>
> This is happening for 12 out of 18 domains on this particular server.
> opendnssec running was 1.3.6. no recent changes to binaries or config
> files.
>
> After running ods-control stop and moving the /var/opendnssec/tmp/ files
> out of the way, and running ods-control start, everything got signed
> again properly.
>
> Looking at one set that broke, openswan.net:
>
> openswan.net.backup:
>
> ;ODSSE2
> ;;Zone: name openswan.net class 1 ttl 3600 inbound 2012012908 internal 2012013005 outbound 2012013005
> ;;Task: when 1330852177 what 4 interrupt 0 halted 0 backoff 0 flush 0
> ;;Signconf: lastmod 1330794270 resign PT7200S refresh PT259200S valid PT604800S denial PT604800S jitter PT43200S offset PT3600S nsec 50 dnskeyttl PT3600S soattl PT3600S soamin PT3600S serial unixtime audit 1
> ;;
> ;;Nsec3parameters: salt 715e22f77cc2f0d7 algorithm 1 optout 0 iterations 5
> openswan.net.   3600    IN      NSEC3PARAM      1 0 5 715e22f77cc2f0d7
> ;;Nsec3done
>
> openswan.net.finalized:
>
> openswan.net.   3600    IN      NSEC3PARAM      1 0 5 715e22f77cc2f0d7
>
> Note that in the currently just signed zone, the NSEC3PARAM is
> 715e22f77cc2f0d7. I did not find a reference to e08d8fa4ddb9e519
>
> The tmp directory and system logs are available to developers if needed,
>
> Paul
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user



More information about the Opendnssec-user mailing list