[Opendnssec-user] Problems triggered by a zone removal in ODS 1.3.8.
ssmeenk at freshdot.net
Thu May 24 13:42:32 UTC 2012
Quoting Göran Bengtson (goeran at chalmers.se):
> 2 This is serious. Immediately after the ods-ksmutil update command
> is given ODS gets seriously confused about the keys in ANOTHER,
> remaining zone. A new ZSK key is generated, and the active ZSK
> disappears (is not used anymore). ods-ksmutil key list
> only shows the KSK key and the newly generated ZSK key (in publish
This is (almost?) exactly what happened in my setup yesterday.
According to logging, it must have happened after removing another
test-zone from the config, a totally unrelated zone lost its keys and
new ones were generated for that zone.
I noticed this because the auditor suddenly barfed on the (unrelated)
zone, which was perfectly signed and managed before. For each RR-type in
the zone it logged:
| May 23 15:05:32 ods1 ods-auditor: bit-dnssec-test.com : RRSIGS
| should include algorithm RSASHA256 for bit-dnssec-test.com, NS, have :
| May 23 15:05:32 ods1 ods-auditor: bit-dnssec-test.com : RRSet
| (bit-dnssec-test.com, NS) failed verification : No signatures in the
| RRSet : bit-dnssec-test.com, NS, tag = none
Then it errored out:
| May 23 15:05:32 ods1 ods-auditor: Unexpected error auditing files
| (/var/lib/opendnssec/tmp/bit-dnssec-test.com.inbound and
| /var/lib/opendnssec/tmp/bit-dnssec-test.com.finalized) : ERR private
| method `split' called for nil:NilClass- moving on to next zone. Trace
| for debugging : /usr/lib/opendnssec/kasp_auditor/auditor.rb:1279:in
This was most probably caused by the missing keys.
The only matching part is the name of the domains. I removed
bit-dnssec-test.nl from OpenDNSSEC and bit-dnssec-test.com broke
afterwards. Both were in a different policy although the policies are
identical and use the same (Soft)HSM.
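A small log check, added here as an example and not part of the original mail or of OpenDNSSEC itself, that scans ods-auditor syslog lines of the kind quoted above and reports, per zone, which RRsets came out without signatures, which signing algorithm the auditor expected, and whether the auditor crashed on that zone. The sample lines are constructed from the format shown in the mail; the line layout and the zone name are assumptions taken from it.

```python
import re
from collections import defaultdict

# Constructed sample input mirroring the ods-auditor lines quoted in the mail
# (one extra SOA line added to show aggregation over several RR types).
SAMPLE_LOG = """\
May 23 15:05:32 ods1 ods-auditor: bit-dnssec-test.com : RRSIGS should include algorithm RSASHA256 for bit-dnssec-test.com, NS, have :
May 23 15:05:32 ods1 ods-auditor: bit-dnssec-test.com : RRSet (bit-dnssec-test.com, NS) failed verification : No signatures in the RRSet : bit-dnssec-test.com, NS, tag = none
May 23 15:05:32 ods1 ods-auditor: bit-dnssec-test.com : RRSet (bit-dnssec-test.com, SOA) failed verification : No signatures in the RRSet : bit-dnssec-test.com, SOA, tag = none
May 23 15:05:32 ods1 ods-auditor: Unexpected error auditing files (/var/lib/opendnssec/tmp/bit-dnssec-test.com.inbound and /var/lib/opendnssec/tmp/bit-dnssec-test.com.finalized) : ERR private method `split' called for nil:NilClass- moving on to next zone.
"""

# "<zone> : RRSIGS should include algorithm <alg> for <owner>, <type>, have :"
MISSING_ALG_RE = re.compile(
    r"ods-auditor: (?P<zone>\S+) : RRSIGS should include algorithm (?P<alg>\S+) for ")
# "<zone> : RRSet (<owner>, <type>) failed verification : <reason> : ..."
FAILED_RE = re.compile(
    r"ods-auditor: (?P<zone>\S+) : RRSet \((?P<owner>[^,]+), (?P<rtype>[A-Z0-9]+)\) "
    r"failed verification : (?P<reason>[^:]+)")
# The zone name is recovered from the .inbound path in the crash line.
CRASH_RE = re.compile(r"ods-auditor: Unexpected error auditing files \((?P<path>\S+)\.inbound")

def audit_failures(log_text):
    """Return {zone: {"unsigned": set of RR types, "expected_alg": set, "crashed": bool}}."""
    report = defaultdict(lambda: {"unsigned": set(), "expected_alg": set(), "crashed": False})
    for line in log_text.splitlines():
        m = MISSING_ALG_RE.search(line)
        if m:
            report[m.group("zone")]["expected_alg"].add(m.group("alg"))
            continue
        m = FAILED_RE.search(line)
        if m and "No signatures" in m.group("reason"):
            report[m.group("zone")]["unsigned"].add(m.group("rtype"))
            continue
        m = CRASH_RE.search(line)
        if m:
            zone = m.group("path").rsplit("/", 1)[-1]
            report[zone]["crashed"] = True
    return dict(report)

if __name__ == "__main__":
    for zone, info in audit_failures(SAMPLE_LOG).items():
        print(zone, "unsigned:", sorted(info["unsigned"]),
              "expected:", sorted(info["expected_alg"]), "crashed:", info["crashed"])
```

A zone that shows up with unsigned RRsets right after an unrelated zone was removed is the signature of the key loss described in the thread, so this is the condition worth alerting on rather than waiting for the signatures to expire.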