[Opendnssec-user]Signed zone file loses RRs

刘硕 shuoleo at 126.com
Wed Sep 19 07:27:58 UTC 2012


Hi Matthijs,

>I would very much like the zone test4. With that and your scripts, I
>can try to reproduce. 

I will send it in a private mail because it's relatively large.

>Are you using the default kasp?

I think I have not changed the default policy in kasp.xml except for
removing <Audit/>.

Best regards,
Stuart

From: Matthijs Mekking
Date: 2012-09-19 15:12
To: shuoleo
CC: opendnssec-user
Subject: Re: [Opendnssec-user]Signed zone file loses RRs

On 09/19/2012 08:26 AM, 刘硕 wrote:
> Hi Matthijs,
> 
> I'm using OpenDNSSEC 1.3.10 for test purposes, and using
> <NotifyCommand> with a script to do the afterwards work. And I'm
> not using Audit which is not recommended.

The auditor is not recommended to be in production. It is in my
opinion useful for testing and debugging.

> 
> But I have found out that sometimes the signed and raw zone file's
> RRs do not match.

In your zonefile log, I see that zone test4 is complaining about
missing NS rrsets. Could you provide the contents of the unsigned and
signed zone file? Perhaps there are other occurrences of "NS" in the
signed zonefile, or some NS RRs are occluded due to being not in
bailiwick.

> The attachment called ods_call_by_opendnssec.sh is the script
> called by <NotifyCommand>, you can see clearly what we do after
> signing work ends, and when the validation failed, there seems 
> nothing we can do to make up for it, I have tried to call
> 'ods-signer sign %zone' but something more weird occurs, it seems
> the processes are there, but no output generated, so I need your
> opinion.
> 
> The attachment called validateZoneData.sh is the script used to
> compare signed file with the raw one in case it lacks RRs. Our raw
> zone file is lowercase and signed zone file is uppercase.
> 
> The last file is a log generated by ods_call_by_opendnssec.sh, you
> can see that tld test4's validation failed because the NS RRs
> do not match with the unsigned file.
> 
> I have found the same problem in OpenDNSSEC 1.4.a2 and I would like
> to help if needed.

I would very much like the zone test4. With that and your scripts, I
can try to reproduce. Are you using the default kasp?

Best regards,
  Matthijs

> 
> Thanks.
> 
> 
> Best regards, Stuart
> 
> 

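The check discussed in this thread (comparing a lowercase unsigned zone against its uppercase signed output, then asking whether a missing RR is out of bailiwick or occluded) can be sketched as follows. This is an added example, not the poster's validateZoneData.sh and not OpenDNSSEC code; the zone contents are constructed, and the function names and the one-RR-per-line input format are assumptions.

```python
# Added example. Zone contents are constructed; only the name "test4" is from the thread.
# Assumes one RR per line, absolute owner names, no $ORIGIN, no ';' inside rdata.
# Ignored: record types the signer generates, plus SOA (its serial may change on signing).
IGNORED = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "SOA"}

def parse_zone(text):
    """Return a case-folded set of (owner, type, rdata) tuples."""
    rrs = set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 3 or fields[0].startswith("$"):
            continue
        owner, rest = fields[0].lower(), fields[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]  # skip optional TTL and class
        if len(rest) >= 2 and rest[0].upper() not in IGNORED:
            rrs.add((owner, rest[0].upper(), " ".join(rest[1:]).lower()))
    return rrs

def classify_missing(unsigned_text, signed_text, apex):
    """Sort RRs present in the unsigned zone but absent from the signed one."""
    apex = apex.lower()
    unsigned, signed = parse_zone(unsigned_text), parse_zone(signed_text)
    cuts = {o for (o, t, _) in unsigned if t == "NS" and o != apex}
    report = {"out_of_zone": [], "below_cut": [], "lost": []}
    for owner, rtype, rdata in sorted(unsigned - signed):
        if owner != apex and not owner.endswith("." + apex):
            report["out_of_zone"].append((owner, rtype, rdata))  # not under the apex
        elif any(owner.endswith("." + cut) for cut in cuts):
            report["below_cut"].append((owner, rtype, rdata))    # below a delegation
        else:
            report["lost"].append((owner, rtype, rdata))         # unexplained loss
    return report

UNSIGNED = """\
test4. 3600 in soa ns1.test4. admin.test4. 1 7200 3600 1209600 3600
test4. 3600 in ns ns1.test4.
test4. 3600 in ns ns2.test4.
ns1.test4. 3600 in a 192.0.2.1
sub.test4. 3600 in ns ns.sub.test4.
www.sub.test4. 3600 in txt "hidden"
example.org. 3600 in ns ns1.test4.
"""
SIGNED = """\
TEST4. 3600 IN SOA NS1.TEST4. ADMIN.TEST4. 2 7200 3600 1209600 3600
TEST4. 3600 IN NS NS1.TEST4.
TEST4. 3600 IN RRSIG NS 8 1 3600 20121001000000 20120919000000 12345 TEST4. PLACEHOLDER=
NS1.TEST4. 3600 IN A 192.0.2.1
SUB.TEST4. 3600 IN NS NS.SUB.TEST4.
"""
```

Only entries under `lost` indicate records the signed zone dropped without a DNS-level explanation; the other two buckets are expected differences.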