[Opendnssec-user]Lots of Dead DNSKEYs in the Zone

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Feb 5 14:01:33 UTC 2013


Hi Stuart,

"The RR does not exist" is a warning message: the signer is signing an
RRset, but there are RRs in memory that are not committed to the zone.
This is a strange situation, hence I am printing a warning message.

It gives a clue that there is a bug. And there is: if the Inbound Adapter
is up to date or unchanged, also do a transfer transaction in order to
correctly update the new DNSKEYs and NSEC3PARAM in case of a change in
signconf.xml.

Only 1.4.0rc2 is affected. I fixed it in trunk r7011. Thanks for
your report.

Best regards,
  Matthijs

On 02/04/2013 09:13 AM, Áõ˶ wrote:
> Hi All,
>  
> As I posted earlier, the 'RR Does Not Exist' warning and ods-signer not
> signing RRSIGs until they expire cause a lot of problems.
> My test TLDs here have their KSK rolled over every 4H and ZSK rolled over
> every 2H, and after days of testing you can see the number of DNSKEYs
> that exist in the zone file, most of which are dead.
>  
> [gtld at index zone]$ dig @202.173.9.4 dstest1 dnskey +edns=0|grep DNSKEY|wc -l
> 75
> [gtld at index zone]$ dig @202.173.9.4 dstest2 dnskey +edns=0|grep DNSKEY|wc -l
> 67
>  
> It's obvious OpenDNSSEC did not remove them from the zone. I will change
> the <purge> to 1H, which was 14D by default; I hope this will help.

Purge removes keys from the database, not from the zone.

> I wrote a script to do an nsupdate of the SOA to the INBOUND BIND, and this
> can make OpenDNSSEC re-sign the expiring RRs, or the RRSIGs will stay
> expired, but it cannot solve the lots-of-dead-DNSKEYs problem.
>  
> I need your help guys.
>  
>  
> Best regards,
> Stuart

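A defender-side check for the symptom in this thread (DNSKEYs still published in the zone that no signature uses any more), written as an added example that is not part of the thread or of OpenDNSSEC: it computes RFC 4034 key tags from DNSKEY lines in dig/zone presentation format and lists the keys that no RRSIG in the same input references. The record lines are constructed for the example, not real keys; run it over an AXFR or the signed zone file rather than only `dig ... dnskey +dnssec`, so ZSK signatures on ordinary RRsets are visible too.

```python
import base64

# Constructed sample in dig/zone presentation format (not real keys): two
# DNSKEYs are referenced by RRSIGs, a third is published but signs nothing.
SAMPLE_ZONE_OUTPUT = """\
; constructed sample, modelled on the output of an AXFR of a signed zone
dstest1. 3600 IN DNSKEY 257 3 8 AQID
dstest1. 3600 IN DNSKEY 256 3 8 BAUG
dstest1. 3600 IN DNSKEY 256 3 8 BwgJ
dstest1. 3600 IN RRSIG DNSKEY 8 1 3600 20130301000000 20130201000000 2059 dstest1. c2ln
dstest1. 3600 IN RRSIG SOA 8 1 3600 20130301000000 20130201000000 3597 dstest1. c2ln
"""


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the deprecated algorithm 1 special case is not handled)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(text: str):
    """Return ([(keytag, flags) per DNSKEY], {key tags used by RRSIGs})."""
    dnskeys, used_tags = [], set()
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith(";"):
            continue  # blank line or dig comment
        # The class field may be absent in some zone files, so locate the type token.
        if "RRSIG" in t[:4]:
            i = t.index("RRSIG")
            used_tags.add(int(t[i + 7]))  # type alg labels origttl exp inc keytag
        elif "DNSKEY" in t[:4]:
            i = t.index("DNSKEY")
            flags, proto, alg = int(t[i + 1]), int(t[i + 2]), int(t[i + 3])
            pubkey = base64.b64decode("".join(t[i + 4:]))  # key may span tokens
            dnskeys.append((key_tag(flags, proto, alg, pubkey), flags))
    return dnskeys, used_tags


def unused_dnskeys(text: str):
    """DNSKEYs whose key tag no RRSIG in the input references: candidate dead keys."""
    dnskeys, used_tags = parse_records(text)
    return [(tag, flags) for tag, flags in dnskeys if tag not in used_tags]


if __name__ == "__main__":
    for tag, flags in unused_dnskeys(SAMPLE_ZONE_OUTPUT):
        print(f"DNSKEY tag {tag} (flags {flags}) is not referenced by any RRSIG")
```

A key that has just been pre-published for a rollover legitimately shows up here until it starts signing, so compare the hits against the signer's key list rather than treating every one as dead.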
