[Opendnssec-user]Signed zone file loses RRs

刘硕 shuoleo at 126.com
Thu Sep 20 03:50:53 UTC 2012


>1.
>I have tried to sign your zone. This one indeed passed your validateZone
>script:

>ns:630006 630008
>ds&rrsig:126001 126001 126001
>a:0 0
>nsec3&rrsig:126003 126003

>Why is there a difference in ns?

It's weird to see that the signed zone has more NS RRs than the unsigned one;
in my test it's always the opposite, so the script thinks it's impossible and
discards this condition.
# only fails when the raw zone has MORE NS records than the signed zone
if [ $rawNScount -gt $signedNScount ]
then
 echo "$zonename ns count not match"
 return 1
fi
 
>2.
>Is the unsigned file touched by any means? For example, if you edit the
>unsigned file during signing, the validateZone script is likely to fail.
>I created a diff between your signed zone file and mine, and noticed
>that all delegations from 091911657.test4 to 091911999.test4 are
>missing. Do they ring any bells?

No, I have not edited the unsigned file. The file is generated by a script which
loads zone RRs from the database; after that I call the sign all command to sign.
During that period no one edits the unsigned file except for the next 10-minute round
that re-generates the new zone files, but I'm sure that the signing work gets done
before the next round.

>3.
>You mentioned that you sign the zone every 10 minutes. Is this the
>resign value from the policy or are you calling ods-signer sign test4
>every 10 minutes (cron job?).

The resign value from the policy is 2H; a script calls ods-signer sign --all every 10 mins.

Best regards,
Stuart
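As an added example that is not the validateZone script from this thread, the following Python cross-check counts RRs per type in the raw and signed zone files case-insensitively, reports count differences in both directions (the thread's script only fails when the raw zone has more NS), and also checks that every DS and NSEC3 RRset in the signed zone has an RRSIG covering it. The zone data is constructed, and the parser assumes one RR per line in presentation format.

```python
import re
from collections import Counter

# Constructed sample zones (not the thread's data): raw lowercase, signed uppercase.
# The signed zone has one extra apex NS, the direction the thread's "-gt" check passes.
RAW_ZONE = """\
test4. 3600 in soa ns1.test4. hostmaster.test4. 1 3600 900 604800 3600
test4. 3600 in ns ns1.test4.
091911657.test4. 3600 in ns ns.091911657.test4.
091911657.test4. 3600 in ds 12345 8 2 abcdef
"""
SIGNED_ZONE = """\
TEST4. 3600 IN SOA NS1.TEST4. HOSTMASTER.TEST4. 1 3600 900 604800 3600
TEST4. 3600 IN NS NS1.TEST4.
TEST4. 3600 IN NS NS2.TEST4.
091911657.TEST4. 3600 IN NS NS.091911657.TEST4.
091911657.TEST4. 3600 IN DS 12345 8 2 ABCDEF
091911657.TEST4. 3600 IN RRSIG DS 8 2 3600 20121001000000 20120920000000 1234 TEST4. AAAA
"""

# One RR per line: owner [TTL] [IN] TYPE rdata (assumption: no multi-line RRs).
RR_LINE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?([A-Z0-9]+)\s+", re.I)

def count_zone(zone_text):
    """Return (records per type, RRsets per type, RRSIGs per covered type), case-folded."""
    records, rrsets, rrsigs = Counter(), set(), Counter()
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments
        if not line or line.startswith("$"):        # skip blanks and $ORIGIN/$TTL
            continue
        m = RR_LINE.match(line)
        if not m:
            continue
        owner, rtype = m.group(1).lower(), m.group(2).upper()
        records[rtype] += 1
        rrsets.add((owner, rtype))
        if rtype == "RRSIG":                        # first rdata field is the covered type
            rrsigs[line[m.end():].split()[0].upper()] += 1
    return records, Counter(t for _, t in rrsets), rrsigs

def validate_zone(raw_text, signed_text, types=("NS", "DS", "A")):
    """Problems (empty if consistent): counts equal both ways; each signed DS/NSEC3 RRset has an RRSIG."""
    raw_rec, _, _ = count_zone(raw_text)
    sig_rec, sig_sets, sig_rrsigs = count_zone(signed_text)
    problems = [f"{t} count mismatch: raw={raw_rec[t]} signed={sig_rec[t]}"
                for t in types if raw_rec[t] != sig_rec[t]]
    for t in ("DS", "NSEC3"):
        if sig_rrsigs[t] < sig_sets[t]:
            problems.append(f"{t}: {sig_sets[t]} RRsets but {sig_rrsigs[t]} RRSIGs")
    return problems
```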
From: Matthijs Mekking
Date: 2012-09-20 20:58
To: shuoleo
CC: opendnssec-user
Subject: Re: [Opendnssec-user]Signed zone file loses RRs
Hi Stuart,

1.
I have tried to sign your zone. This one indeed passed your validateZone
script:

ns:630006 630008
ds&rrsig:126001 126001 126001
a:0 0
nsec3&rrsig:126003 126003

Why is there a difference in ns?

2.
Is the unsigned file touched by any means? For example, if you edit the
unsigned file during signing, the validateZone script is likely to fail.
I created a diff between your signed zone file and mine, and noticed
that all delegations from 091911657.test4 to 091911999.test4 are
missing. Do they ring any bells?

3.
You mentioned that you sign the zone every 10 minutes. Is this the
resign value from the policy or are you calling ods-signer sign test4
every 10 minutes (cron job?).

Best regards,
  Matthijs


On 09/19/2012 08:26 AM, 刘硕 wrote:
> Hi Matthijs,
>  
> I'm using OpenDNSSEC 1.3.10 for test purposes, and using <NotifyCommand>
> with a script to do the afterwards work. And
> I'm not using Audit, which is not recommended.
>  
> But I have found out that sometimes the signed and raw zone file's RRs
> do not match.
>  
> The attachment called ods_call_by_opendnssec.sh is the script called by
> <NotifyCommand>; you can see clearly what we
> do after the signing work ends, and when the validation fails, there seems
> to be nothing we can do to make up for it. I have
> tried to call 'ods-signer sign %zone' but something more weird occurs:
> it seems the processes are there, but no output
> is generated, so I need your opinion.
>  
> The attachment called validateZoneData.sh is the script used to
> compare the signed file with the raw one in case it
> lacks RRs. Our raw zone file is lowercase and the signed zone file is uppercase.
>  
> The last file is a log generated by ods_call_by_opendnssec.sh; you can
> see that TLD test4's validation failed
> because the NS RRs do not match the unsigned file.
>  
> I have found the same problem in OpenDNSSEC 1.4.a2 and I would like to
> help if needed.

>  
> Thanks.
>  
>  
> Best regards,
> Stuart