[Opendnssec-user] The RR does not exist Error (Latest)
shuoleo at 126.com
Fri Feb 1 08:58:42 UTC 2013
Hi all,
In my previous mail I posted an issue called "The RR does not exist Error" and I hope someone will check what the problem is.
I have now tested 3 versions (1.4.0b1, 1.4.0rc1 and 1.4.0rc2), and all of them report that error when using the DNS Adapter as input, that is, using BIND to send AXFR/IXFR to OpenDNSSEC to sign.
What the errors complain about is that there is no ZSK/KSK found in the zone while there are RRSIGs signed by it, like the following:
Feb 1 13:48:42 index ods-signerd: [rrset] RR does not exist: dstest1. 300 IN DNSKEY 257 3 8 AwEAAcBikm8lzsk34G5CQmEJl33qr/oJ3nVRL/Nr7ZN9J4T38F0hEAqYPth656NqAx8QiGb1OREg35pLqyePIRdtcOKTvuXt4pqkLnlk5WYMq+CS2y9ApY5lC41ce2e93RVlJUPT2DYSXbxB5FC8zo8B/9rncaUYguUxXRPebarb/fF5q/CEbaUdv0Xsnxt9UI8YsjJYff2hB4iwWFCSVWA05vLW0xpcXeRVlojbo4Axd0ESL4h+o36PMccfrdpdgnvxr0PwWgZe7xJBr6/Ms25Y81H2E7VYIw/VCbd3y0dxCPsFf1ck2M8xYyZxuPSSevni0Tsm1Q61KkLvmUomDk9XfZc= ;{id = 35434 (ksk), size = 2048b}
Feb 1 13:48:42 index ods-signerd: [rrset] RR does not exist: dstest1. 300 IN DNSKEY 256 3 8 AwEAAdRvlrx6v2krdsqteo89p6qwQZ3UE+qpzxMGZ+oHS2VA/BmV2GbmVDHWpw6CCysDG9Zde6pjEt4iwNtoZgUb+0m80C1ejOWduqhYMyMAp/MaBTv2Rhplft/bzhaSNTVILlgrtxmYkFuiewlS/eanYy6shspmd275tWobVZpxlQDZ ;{id = 49180 (zsk), size = 1024b}
And the trust chain will certainly be broken because there are no such keys in the signed zone file, and if possible the signed zone would contain lots of DNSKEY (256) records, but most of them are dead and cannot be seen by ods-ksmutil key list.
So I suppose there must be something wrong with OpenDNSSEC using AXFR/IXFR; I have tested the File Adapter and it works fine.
BTW, in order to test the trust chain, I have set the KSK lifetime to 4H and the ZSK to 2H, and purge is the default 14D. Do you think purge would affect that?
Best regards,
Stuart
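
The symptom reported above (RRSIGs in the signed zone whose signing DNSKEY is no longer published) can be checked offline. The following is an added example, not part of the original post and not OpenDNSSEC code: it computes RFC 4034 key tags for the DNSKEY records in a signed zone and lists RRSIGs with no matching key. The function names and the sample zone are constructed for illustration, and it assumes one record per line with owner, TTL and class present.

```python
import base64

# Constructed sample of a signed zone, one record per line (not taken from
# the post). The RRSIG carrying key tag 4242 has no matching DNSKEY.
SAMPLE_ZONE = """\
dstest1. 300 IN DNSKEY 257 3 8 AQAB
dstest1. 300 IN DNSKEY 256 3 8 AQAB
dstest1. 300 IN RRSIG DNSKEY 8 1 300 20130301000000 20130201000000 1545 dstest1. c2ln
dstest1. 300 IN RRSIG SOA 8 1 300 20130301000000 20130201000000 1544 dstest1. c2ln
www.dstest1. 300 IN RRSIG A 8 2 300 20130301000000 20130201000000 4242 dstest1. c2ln
"""

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm])
    rdata += base64.b64decode(pubkey_b64)
    acc = 0
    for i, b in enumerate(rdata):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def orphan_rrsigs(zone_text):
    """Return (owner, type_covered, key_tag) for RRSIGs lacking a DNSKEY."""
    published, sigs = set(), []
    for line in zone_text.splitlines():
        f = line.split(";", 1)[0].split()   # drop trailing comments
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype, rdata = f[0].lower(), f[3], f[4:]
        if rtype == "DNSKEY" and len(rdata) >= 4:
            alg = int(rdata[2])
            tag = key_tag(int(rdata[0]), int(rdata[1]), alg, "".join(rdata[3:]))
            published.add((owner, alg, tag))
        elif rtype == "RRSIG" and len(rdata) >= 8:
            # rdata: covered alg labels ttl expire inception tag signer sig
            sigs.append((owner, rdata[0], int(rdata[1]), int(rdata[6]), rdata[7].lower()))
    return [(o, cov, tag) for o, cov, alg, tag, signer in sigs
            if (signer, alg, tag) not in published]

if __name__ == "__main__":
    for owner, covered, tag in orphan_rrsigs(SAMPLE_ZONE):
        print(f"RRSIG over {owner} {covered}: no DNSKEY with key tag {tag}")
```

Key tags are not unique, so a matching tag only shows that a candidate key is published; it does not validate the signature.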