[Opendnssec-user] Problems triggered by a zone removal in ODS 1.3.8.
Sander Smeenk
ssmeenk at freshdot.net
Thu May 24 13:42:32 UTC 2012
Quoting Göran Bengtson (goeran at chalmers.se):
> 2 This is serious. Immediately after the ods-ksmutil update command
> is given ODS gets seriously confused about the keys in ANOTHER,
> remaining zone. A new ZSK key is generated, and the active ZSK
> dissapears (is not used anymore). ods-ksmutil key list
> only show the KSK key and the newly generated ZSK key (in publish
> state).
This is (almost?) exactly what happend in my setup yesterday.
According to logging, it must have happened after removing another
test-zone from the config, a totaly unrelated zone lost it's keys and
new ones were generated for that zone.
I noticed this because the auditor suddenly barfed on the (unrelated)
zone, which was perfectly signed and managed before. For each RR-type in
the zone it logged:
| May 23 15:05:32 ods1 ods-auditor[17522]: bit-dnssec-test.com : RRSIGS
| should include algorithm RSASHA256 for bit-dnssec-test.com, NS, have :
| May 23 15:05:32 ods1 ods-auditor[17522]: bit-dnssec-test.com : RRSet
| (bit-dnssec-test.com, NS) failed verification : No signatures in the
| RRSet : bit-dnssec-test.com, NS, tag = none
Then it errored out:
| May 23 15:05:32 ods1 ods-auditor[17522]: Unexpected error auditing files
| (/var/lib/opendnssec/tmp/bit-dnssec-test.com.inbound and
| /var/lib/opendnssec/tmp/bit-dnssec-test.com.finalized) : ERR private
| method `split' called for nil:NilClass- moving on to next zone. Trace
| for debugging : /usr/lib/opendnssec/kasp_auditor/auditor.rb:1279:in
| `get_name_and_types'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1231:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1188:in
| `open'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1188:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1186:in
| `open'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1186:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1184:in
| `open'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:1184:in
| `check_nsec3_types_and_opt_out'#012/usr/lib/opendnssec/kasp_auditor/auditor.rb:184:in
| `check_zone'#012/usr/lib/opendnssec/kasp_auditor.rb:219:in
| `full_audit'#012/usr/lib/opendnssec/kasp_auditor.rb:172:in
| `run_with_syslog'#012/usr/lib/opendnssec/kasp_auditor.rb:146:in
| `each'#012/usr/lib/opendnssec/kasp_auditor.rb:146:in
| `run_with_syslog'#012/usr/lib/opendnssec/kasp_auditor.rb:119:in
| `run'#012/usr/lib/opendnssec/kasp_auditor.rb:117:in
| `open'#012/usr/lib/opendnssec/kasp_auditor.rb:117:in
| `run'#012/usr/bin/ods-auditor:169
This was most probably caused by the missing keys.
The only matching part is the name of the domains. I removed
bit-dnssec-test.nl from OpenDNSSEC and bit-dnssec-test.com broke
afterwards. Both were in a diferent policy although the policies are
identical and use the same (Soft)HSM.
With regards,
-Sander.
--
| How many weeks are there in a light year?
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7 FBD6 F3A9 9442 20CC 6CD2
More information about the Opendnssec-user
mailing list