[Opendnssec-user] Problems triggered by a zone removal in ODS 1.3.8.

Sander Smeenk ssmeenk at freshdot.net
Thu May 24 13:42:32 UTC 2012

Quoting Göran Bengtson (goeran at chalmers.se):

> 2	This is serious. Immediately after the ods-ksmutil update command
> 	is given ODS gets seriously confused about the keys in ANOTHER,
> 	remaining zone. A new ZSK key is generated, and the active ZSK
> 	disappears (is not used anymore). ods-ksmutil key list
> 	only shows the KSK key and the newly generated ZSK key (in publish
> 	state).

This is (almost?) exactly what happened in my setup yesterday.

According to the logging, it must have happened after removing another
test zone from the config: a totally unrelated zone lost its keys and
new ones were generated for that zone.

I noticed this because the auditor suddenly barfed on the (unrelated)
zone, which was perfectly signed and managed before. For each RR-type in
the zone it logged:

| May 23 15:05:32 ods1 ods-auditor[17522]: bit-dnssec-test.com : RRSIGS
|    should include algorithm RSASHA256 for bit-dnssec-test.com, NS, have : 
| May 23 15:05:32 ods1 ods-auditor[17522]: bit-dnssec-test.com : RRSet
|    (bit-dnssec-test.com, NS) failed verification : No signatures in the
|    RRSet : bit-dnssec-test.com, NS, tag = none

Then it errored out:

| May 23 15:05:32 ods1 ods-auditor[17522]: Unexpected error auditing files
| (/var/lib/opendnssec/tmp/bit-dnssec-test.com.inbound and
| /var/lib/opendnssec/tmp/bit-dnssec-test.com.finalized) : ERR private
| method `split' called for nil:NilClass- moving on to next zone. Trace
| for debugging : /usr/lib/opendnssec/kasp_auditor/auditor.rb:1279:in
| `get_name_and_types'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1231:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1188:in
| `open'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1188:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1186:in
| `open'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1186:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1184:in
| `open'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1184:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:184:in
| `check_zone'#012/usr/lib/opendnssec/kasp_auditor.rb:219:in
| `full_audit'#012/usr/lib/opendnssec/kasp_auditor.rb:172:in
| `run_with_syslog'#012/usr/lib/opendnssec/kasp_auditor.rb:146:in
| `each'#012/usr/lib/opendnssec/kasp_auditor.rb:146:in
| `run_with_syslog'#012/usr/lib/opendnssec/kasp_auditor.rb:119:in
| `run'#012/usr/lib/opendnssec/kasp_auditor.rb:117:in
| `open'#012/usr/lib/opendnssec/kasp_auditor.rb:117:in
| `run'#012/usr/bin/ods-auditor:169

This was most probably caused by the missing keys.

The only matching part is the name of the domains. I removed
bit-dnssec-test.nl from OpenDNSSEC and bit-dnssec-test.com broke
afterwards. The two zones were in different policies, although the policies
are identical and use the same (Soft)HSM.

With regards,
| How many weeks are there in a light year?
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
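The symptom reported above is first visible in the ods-auditor syslog output: a zone that audited cleanly suddenly reports "No signatures in the RRSet" for every RR type and then an "Unexpected error auditing files" trace. The following is an added example (not part of the original post, and not OpenDNSSEC's own code) that turns those syslog lines into a per-zone summary so that a monitoring job can raise an alert on the zone that lost its keys. The sample log lines are constructed, modelled on the quoted output with the syslog line-wrapping rejoined; the `example.net` line and its "Auditor found no errors" text are invented filler for a healthy zone.

```python
import os
import re
from collections import defaultdict

# Constructed sample, modelled on the ods-auditor lines quoted in the message.
# Timestamps, the example.net zone and its message are invented filler.
SAMPLE_LOG = """\
May 23 15:05:31 ods1 ods-auditor[17522]: example.net : Auditor found no errors
May 23 15:05:32 ods1 ods-auditor[17522]: bit-dnssec-test.com : RRSIGS should include algorithm RSASHA256 for bit-dnssec-test.com, NS, have :
May 23 15:05:32 ods1 ods-auditor[17522]: bit-dnssec-test.com : RRSet (bit-dnssec-test.com, NS) failed verification : No signatures in the RRSet : bit-dnssec-test.com, NS, tag = none
May 23 15:05:32 ods1 ods-auditor[17522]: bit-dnssec-test.com : RRSet (bit-dnssec-test.com, SOA) failed verification : No signatures in the RRSet : bit-dnssec-test.com, SOA, tag = none
May 23 15:05:32 ods1 ods-auditor[17522]: Unexpected error auditing files (/var/lib/opendnssec/tmp/bit-dnssec-test.com.inbound and /var/lib/opendnssec/tmp/bit-dnssec-test.com.finalized) : ERR private method `split' called for nil:NilClass- moving on to next zone. Trace for debugging : /usr/lib/opendnssec/kasp_auditor/auditor.rb:1279:in `get_name_and_types'
"""

# Syslog prefix: "<Mon> <day> <hh:mm:ss> <host> ods-auditor[<pid>]: <message>"
PREFIX = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ ods-auditor\[\d+\]: (?P<msg>.*)$")

# "<zone> : RRSIGS should include algorithm <alg> for <owner>, <type>, have : <list>"
MISSING_ALG = re.compile(
    r"^(?P<zone>\S+) : RRSIGS should include algorithm (?P<alg>\S+) for "
    r"(?P<owner>[^,]+), (?P<rtype>[^,]+), have :\s*(?P<have>.*)$"
)

# "<zone> : RRSet (<owner>, <type>) failed verification : <reason>[ : details]"
RRSET_FAIL = re.compile(
    r"^(?P<zone>\S+) : RRSet \((?P<owner>[^,]+), (?P<rtype>[^)]+)\) failed verification : "
    r"(?P<reason>.*?)(?: : .*)?$"
)

# "Unexpected error auditing files (<inbound> and <finalized>) : ..."
UNEXPECTED = re.compile(r"^Unexpected error auditing files \((?P<inbound>\S+) and (?P<finalized>\S+)\)")


def _zone_from_tmp_path(path):
    """Recover the zone name from OpenDNSSEC's <zone>.inbound temp file name."""
    name = os.path.basename(path)
    return name[:-len(".inbound")] if name.endswith(".inbound") else name


def summarize_auditor_log(text):
    """Group auditor findings by zone.

    Returns {zone: {"missing_algorithms": [(owner, rtype, alg)],
                    "unsigned_rrsets": [(owner, rtype, reason)],
                    "unexpected_error": bool}}.
    Zones that only log benign messages do not appear in the result.
    """
    zones = defaultdict(lambda: {"missing_algorithms": [], "unsigned_rrsets": [], "unexpected_error": False})
    for line in text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not an ods-auditor line
        msg = m.group("msg")
        a = MISSING_ALG.match(msg)
        if a:
            zones[a["zone"]]["missing_algorithms"].append((a["owner"], a["rtype"], a["alg"]))
            continue
        f = RRSET_FAIL.match(msg)
        if f:
            zones[f["zone"]]["unsigned_rrsets"].append((f["owner"], f["rtype"], f["reason"]))
            continue
        u = UNEXPECTED.match(msg)
        if u:
            zones[_zone_from_tmp_path(u["inbound"])]["unexpected_error"] = True
    return dict(zones)


def zones_needing_attention(summary):
    """Zones whose signatures vanished outright or whose audit aborted.

    Missing-algorithm warnings alone can be transient during a key rollover,
    so only a completely unsigned RRSet or an aborted audit is treated as an alert.
    """
    flagged = []
    for zone, s in summary.items():
        unsigned = any(reason.startswith("No signatures") for _, _, reason in s["unsigned_rrsets"])
        if unsigned or s["unexpected_error"]:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize_auditor_log(SAMPLE_LOG)
    for zone in zones_needing_attention(summary):
        s = summary[zone]
        print(f"{zone}: {len(s['unsigned_rrsets'])} unsigned RRSet(s), "
              f"audit aborted={s['unexpected_error']}")
```

Feeding the real syslog stream through `summarize_auditor_log` after every `ods-ksmutil update` (or `zone delete`) run gives a quick way to spot the collateral damage described in the thread before the unsigned zone is published; the auditor's Ruby trace itself carries no zone name, so the example recovers it from the `.inbound` temp file path in the same line.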

