[Opendnssec-user]Signed zone file loses RRs
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Oct 18 08:00:54 UTC 2012
This is acknowledged as an operator error:
> After comparing the unsigned file with the signed one, I have found
> where the problem is. It's the unsigned zone file's fault, because
> there is a bug in the script which generates the zone files: some of
> the RRs are doubled, so the signed file must contain fewer RRs than the
> unsigned one.
Thanks Stuart for letting us know this has been resolved.
Best regards,
Matthijs
On 09/20/2012 05:50 AM, 刘硕 wrote:
>>1.
>>I have tried to sign your zone. This one indeed passed your validateZone
>>script:
>
>>ns:630006 630008
>>ds&rrsig:126001 126001 126001
>>a:0 0
>>nsec3&rrsig:126003 126003
>
>>Why is there a difference in ns?
>
> It's weird to see that the signed zone has more NS RRs than the unsigned
> one; in my test it's always the opposite, so the script thinks it's
> impossible and discards this condition.
>
> if [ $rawNScount -gt $signedNScount ]
> then
>     echo "$zonename ns count not match"
>     return 1
> fi
>
>>2.
>>Is the unsigned file touched by any means? For example, if you edit the
>>unsigned file during signing, the validateZone script is likely to fail.
>>I created a diff between your signed zone file and mine, and noticed
>>that all delegations from 091911657.test4 to 091911999.test4 are
>>missing. Do they ring any bells?
>
> No, I have not edited the unsigned file. The file is generated by a
> script which loads zone RRs from a database; after that I call the
> sign all command to sign. During that period no one edited the
> unsigned file except for the next 10-minute round, which re-generates
> the new zone files, but I'm sure that the signing work will get done
> before the next round.
>
>>3.
>>You mentioned that you sign the zone every 10 minutes. Is this the
>>resign value from the policy or are you calling ods-signer sign test4
>>every 10 minutes (cron job?).
>
> The resign value from the policy is 2H; a script calls ods-signer sign
> --all every 10 mins.
>
> Best regards,
> Stuart
> *From:* Matthijs Mekking <mailto:matthijs at nlnetlabs.nl>
> *Date:* 2012-09-20 20:58
> *To:* shuoleo <mailto:shuoleo at 126.com>
> *CC:* opendnssec-user <mailto:opendnssec-user at lists.opendnssec.org>
> *Subject:* Re: [Opendnssec-user]Signed zone file loses RRs
> Hi Stuart,
>
> 1.
> I have tried to sign your zone. This one indeed passed your validateZone
> script:
>
> ns:630006 630008
> ds&rrsig:126001 126001 126001
> a:0 0
> nsec3&rrsig:126003 126003
>
> Why is there a difference in ns?
>
> 2.
> Is the unsigned file touched by any means? For example, if you edit the
> unsigned file during signing, the validateZone script is likely to fail.
> I created a diff between your signed zone file and mine, and noticed
> that all delegations from 091911657.test4 to 091911999.test4 are
> missing. Do they ring any bells?
>
> 3.
> You mentioned that you sign the zone every 10 minutes. Is this the
> resign value from the policy or are you calling ods-signer sign test4
> every 10 minutes (cron job?).
>
> Best regards,
> Matthijs
>
>
> On 09/19/2012 08:26 AM, 刘硕 wrote:
>> Hi Matthijs,
>>
>> I'm using OpenDNSSEC 1.3.10 for test purposes, and using <NotifyCommand>
>> with a script to do the follow-up work. I'm not using Audit, which is
>> not recommended.
>>
>> But I have found out that sometimes the signed and raw zone file's RRs
>> do not match.
>>
>> The attachment called ods_call_by_opendnssec.sh is the script called by
>> <NotifyCommand>; you can see clearly what we do after the signing work
>> ends. When the validation fails, there seems to be nothing we can do to
>> make up for it. I have tried to call 'ods-signer sign %zone' but
>> something even weirder occurs: it seems the processes are there, but no
>> output is generated, so I need your opinion.
>>
>> The attachment called validateZoneData.sh is the script used to
>> compare the signed file with the raw one in case it lacks RRs. Our raw
>> zone file is lowercase and the signed zone file is uppercase.
>>
>> The last file is a log generated by ods_call_by_opendnssec.sh; you can
>> see that TLD test4's validation failed because the NS RRs do not match
>> the unsigned file.
>>
>> I have found the same problem in OpenDNSSEC 1.4.a2 and I would like to
>> help if needed.
>>
>> Thanks.
>>
>>
>> Best regards,
>> Stuart
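The validateZone script discussed in this thread compares per-type RR counts, and only in one direction. As an added example that is not part of the thread, of Stuart's scripts or of OpenDNSSEC, the following POSIX shell script compares the two files as RR sets in both directions, tolerates the case difference Stuart mentions (lowercase unsigned, uppercase signed), ignores the RRs the signer adds or rewrites, and separately reports duplicate RRs in the unsigned file, which is what the thread ends on as the cause. Assumptions: presentation format with one RR per line, fully qualified owner names, no $ORIGIN/$TTL directives, class IN, and a signer that changes only case, the SOA serial and the DNSSEC RRs. The sample zone files are constructed; the owner names reuse the thread's 0919116xx.test4 delegations, while addresses, keys and signatures are placeholders.

```shell
#!/bin/sh
# Added example, not the thread's validateZone script and not OpenDNSSEC code.
# Compares an unsigned and a signed zone file as RR sets, in both directions.
LC_ALL=C; export LC_ALL

# RR types the signer adds or rewrites (SOA: serial bump). Assumption for this
# example; adjust if the policy also changes TTLs or other records.
SIGNER_TYPES='soa rrsig nsec nsec3 nsec3param dnskey'

# Lowercase, drop comments/blank lines, squeeze whitespace, and remove the
# signer's own RR types. One normalised RR per line, so case no longer matters.
normalize_zone() {
    tr '[:upper:]' '[:lower:]' < "$1" \
      | sed -e 's/;.*$//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' \
      | grep -v '^$' \
      | awk -v skip="$SIGNER_TYPES" '
          BEGIN { n = split(skip, a, " "); for (i = 1; i <= n; i++) s[a[i]] = 1 }
          { t = ""
            for (i = 2; i < NF; i++) if ($i == "in") { t = $(i + 1); break }
            if (!(t in s)) print }'
}

# Raw count of RRs of TYPE (lowercase, e.g. ns) in FILE, duplicates included.
# This is the kind of number a count-based check compares.
count_rrtype() {
    normalize_zone "$1" | awk -v t="$2" '
        { for (i = 2; i < NF; i++) if ($i == "in" && $(i + 1) == t) { n++; break } }
        END { print n + 0 }'
}

# RRs that occur more than once in FILE (the zone-generator bug in the thread).
duplicate_rrs() {
    normalize_zone "$1" | sort | uniq -d
}

# RRs present in the first file but absent from the second. Duplicates
# collapse, so a doubled unsigned RR no longer looks like a lost one.
rrs_only_in() {
    tmp=$(mktemp -d) || return 1
    normalize_zone "$1" | sort -u > "$tmp/a"
    normalize_zone "$2" | sort -u > "$tmp/b"
    comm -23 "$tmp/a" "$tmp/b"
    rm -rf "$tmp"
}

# Returns 0 when the signed zone carries exactly the unsigned RR set.
validate_signed_zone() {
    lost=$(rrs_only_in "$1" "$2" | wc -l | tr -d ' ')
    extra=$(rrs_only_in "$2" "$1" | wc -l | tr -d ' ')
    dups=$(duplicate_rrs "$1" | wc -l | tr -d ' ')
    echo "lost=$lost extra=$extra duplicates_in_unsigned=$dups"
    [ "$lost" -eq 0 ] && [ "$extra" -eq 0 ]
}

# Constructed sample: the unsigned file lists one delegation twice; the signed
# file (uppercase, as in the thread) has it once plus the signer's own RRs.
write_sample_zones() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/test4.unsigned" <<'EOF'
test4. 3600 in soa ns1.test4. hostmaster.test4. 2012092001 3600 900 1209600 300
test4. 3600 in ns ns1.test4.
ns1.test4. 3600 in a 192.0.2.1
091911657.test4. 3600 in ns ns1.091911657.test4.
091911657.test4. 3600 in ns ns1.091911657.test4.
ns1.091911657.test4. 3600 in a 192.0.2.57
091911658.test4. 3600 in ns ns1.091911658.test4.
ns1.091911658.test4. 3600 in a 192.0.2.58
EOF
    cat > "$dir/test4.signed" <<'EOF'
TEST4. 3600 IN SOA NS1.TEST4. HOSTMASTER.TEST4. 2012092002 3600 900 1209600 300
TEST4. 3600 IN RRSIG SOA 8 1 3600 20121018000000 20120920000000 12345 TEST4. PLACEHOLDER=
TEST4. 3600 IN NS NS1.TEST4.
TEST4. 3600 IN DNSKEY 257 3 8 PLACEHOLDER=
TEST4. 3600 IN NSEC3PARAM 1 0 5 AB
NS1.TEST4. 3600 IN A 192.0.2.1
091911657.TEST4. 3600 IN NS NS1.091911657.TEST4.
NS1.091911657.TEST4. 3600 IN A 192.0.2.57
091911658.TEST4. 3600 IN NS NS1.091911658.TEST4.
NS1.091911658.TEST4. 3600 IN A 192.0.2.58
EOF
    echo "$dir"
}

main() {
    dir=$(write_sample_zones) || exit 1
    printf 'NS count: unsigned=%s signed=%s\n' \
        "$(count_rrtype "$dir/test4.unsigned" ns)" "$(count_rrtype "$dir/test4.signed" ns)"
    echo "duplicate RRs in the unsigned zone:"
    duplicate_rrs "$dir/test4.unsigned"
    if validate_signed_zone "$dir/test4.unsigned" "$dir/test4.signed"; then
        echo "signed zone carries the full unsigned RR set"
    else
        echo "signed zone differs from the unsigned RR set"
    fi
    rm -rf "$dir"
}
main
```

Run stand-alone, the sample reproduces the symptom from the thread: the NS count is 4 in the unsigned file and 3 in the signed one, yet the set comparison passes and the duplicate report names the doubled delegation. In a NotifyCommand hook one would call validate_signed_zone on the real unsigned and signed files and treat a non-zero "lost" as the alarm, with "extra" catching the opposite case that the thread's one-sided count check discards.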