[Opendnssec-user] The RR does not exist Error

刘硕 shuoleo at 126.com
Thu Jan 31 01:14:43 UTC 2013


Hi all,

I'm using rc2 now and I met a weird problem.

The log complains:
Jan 30 14:50:01 index ods-signerd: [rrset] RR does not exist: dstest1. 300 IN DNSKEY 256 3 8 AwEAAaEJGx4v9YA1f72qsL/xkRxlnBl16yd18NOfePwjELDzwGXhssoMYnxf0fpjKBun6XN7XZt3IhdjCTCsh9r+g3G6nh7I8QJos4UTDFF5tH86tnA2GHVthlL8MG9To9/f7HOlLaM+biW9GEjSKvEbkN3tnDKsHTNfOqrb8JTrtXbT ;{id = 64990 (zsk), size = 1024b}
Jan 30 14:50:01 index ods-signerd: [rrset] RR does not exist: dstest1. 300 IN DNSKEY 256 3 8 AwEAAbp1warmQfva92fTH/wgzFSjC7o1IG/rrCXp+wL/7zKTP0xUPRZj0Fy2aBqTjrFLcRrZMSSmv3hP8Ir6EKfzvyh5NMzE1DIggYUhmjiyu+eO3bjmiapKlMw7jIvX0hM2EqJk/o890Oz8D6X1yRGN/uTacO7BNBNOCSpSXLJX7NTH ;{id = 16159 (zsk), size = 1024b}

And I get the DNSKEYs from ods-ksmutil by:
  
[root@index test]# /home/gtld/software/OpenDNSSEC-1.4.0rc2/bin/ods-ksmutil key export -z dstest1 --keytype ZSK

;active ZSK DNSKEY record:
dstest1.        300     IN      DNSKEY  256 3 8 AwEAAaEJGx4v9YA1f72qsL/xkRxlnBl16yd18NOfePwjELDzwGXhssoMYnxf0fpjKBun6XN7XZt3IhdjCTCsh9r+g3G6nh7I8QJos4UTDFF5tH86tnA2GHVthlL8MG9To9/f7HOlLaM+biW9GEjSKvEbkN3tnDKsHTNfOqrb8JTrtXbT ;{id = 64990 (zsk), size = 1024b}
[root@index test]# /home/gtld/software/OpenDNSSEC-1.4.0rc2/bin/ods-ksmutil key export -z dstest1 --keytype ZSK --keystate publish

;publish ZSK DNSKEY record:
dstest1.        300     IN      DNSKEY  256 3 8 AwEAAbp1warmQfva92fTH/wgzFSjC7o1IG/rrCXp+wL/7zKTP0xUPRZj0Fy2aBqTjrFLcRrZMSSmv3hP8Ir6EKfzvyh5NMzE1DIggYUhmjiyu+eO3bjmiapKlMw7jIvX0hM2EqJk/o890Oz8D6X1yRGN/uTacO7BNBNOCSpSXLJX7NTH ;{id = 16159 (zsk), size = 1024b}

And you can get all the keys
  
[root@index test]# /home/gtld/software/OpenDNSSEC-1.4.0rc2/bin/ods-ksmutil key list -v|grep dstest1
SQLite database set to: /home/gtld/software/OpenDNSSEC-1.4.0rc2/var/opendnssec/kasp.db
dstest1                         KSK           retire    2013-01-30 18:12:40 (dead)     2048    8           46c930f600348227c2a62dfb051ceef1  SoftHSM                           16837
dstest1                         KSK           active    2013-01-30 18:20:01 (retire)   2048    8           6e6b89655f5fdfc095391c85107e074a  SoftHSM                           28556
dstest1                         ZSK           active    2013-01-30 15:06:36 (retire)   1024    8           a086c93fae5c909096f3d8d085866409  SoftHSM                           64990
dstest1                         ZSK           publish   2013-01-30 14:22:36 (ready)    1024    8           d4266d844cb7695aef6417c24eefced7  SoftHSM                           16159

  
[root@index test]# dig @202.173.9.4 dstest1 axfr

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.10.rc1.el6_3.6 <<>> @202.173.9.4 dstest1 axfr
; (1 server found)
;; global options: +cmd
dstest1.                300     IN      SOA     ns1.zdnscloud.net. mail.knet.cn. 1359527401 10800 3600 604800 300
dstest1.                300     IN      RRSIG   NSEC 8 1 300 20130130072912 20130130053001 64990 dstest1. WeKbdKL8B8exJ276oofh1Wy4zvlbBJ+2wh2NurhFjgJcsNfGLPgJElHU MjSsR+DN+mXg6IlY/tFmAjJLDoUoDIjQYyDlhX9cIP8fgNi3D5prWU9O aMY7SNYTiGVqRjden0Qb9sw9rJ8KtPNy2C5rAforuYHeJg1icZMsZTPC 0c0=
dstest1.                300     IN      NSEC    dnssec.dstest1. NS SOA RRSIG NSEC DNSKEY
dstest1.                3600    IN      RRSIG   NS 8 1 3600 20130130073042 20130130053001 64990 dstest1. XkaQhBg710CWMMEyhiX3byXHtk5VCiLIukYmBIlfAdln0PJSdrERwpoa qqrqFo2WB3kS+1gCehOdh4ELackmC+9OUS5QFXE0FVRS6V9BkZwyDo41 QNzYIty5QSeLtUeiIXY030OQW3sCXwKqBycIk9tXCBZXCRHRE+/+v2WC 8F4=
dstest1.                3600    IN      NS      ns.gtld.
dstest1.                300     IN      RRSIG   DNSKEY 8 1 300 20130130070719 20130130050637 16837 dstest1. yqVPkB+3PxfhU7RIhAHYw/jmnQlK64THmt2k9jags/N1ywH/FGOSBely YTeoCQe8m+DtExdmBOVSss3dOsa5MbjNaQvsh006x5L3U8GttywIIR+d ISlmkLp9NZIb5zQVN2L7p/omrDC34m640SJxsQWlrX/cS49OcZqEoP6j ZE30ARNUZHB3O+XtR86JcwqDHDFuqjiM6y68y2QvL711Rg3rApWmO4sQ KJgROaLiwDoKFeJOwQExJF5E+k3SVoNcYEEEfvHFjE8Guquf7lC5Xoah DVaEI1PxDDNpBnenaGW7uTMJeS5h7X9bS6rXpe9Svtq8QdXaYj8iqc84 Kd6u3Q==
dstest1.                300     IN      RRSIG   DNSKEY 8 1 300 20130130070719 20130130050637 28556 dstest1. NYKz+rUI1Vfoo+NCBctjL0hFaceUxzhJBAMqSnhbRgTfx1wb7/qARx/l nwNRCJl3bl6wd9OCIbivpHRT32oQAQepIE+kZL8srW1UdeIUIHf7QxMW rtkw4bos948y2PcpJU1yU7oX/bJul5IrYblQ839rGe7QOc4UPnBiRdYl 9wNL7Zx/fs69C9KLoNTvNDJJ2arOoEZO5MAoXpZjbFk3sWihhD5c47w3 kbvAOMhYWaKjH4NO3PbHab6SZ/QsMpLfbNQDurSKyqZYBFAgs1ycbQVU DWVgOXOSGbMVeHElp4roSLPtkdPY38H8R+UOGm/nclM5dIAcPb5ioYKc UprL2w==
dstest1.                300     IN      DNSKEY  256 3 8 AwEAAc7vXJO7uuEpwKyhiL9txOlxB3qc/zAekiXmAn5AluXe0yEiqVKf pXZGZiYLS7GjfH8lvZ0urVeCrT2V5aov+FsxsjP0LVFKSsvcEcEZ9dD1 zj5ok/P5EPWusX2TygbYJ0oNGXQq/W4sUBpv87sY+qKND7gFdJrnUQp+ jJokE9s9
dstest1.                300     IN      DNSKEY  256 3 8 AwEAAeDptC3E/Ll87hcl4TnETB7AFruBs1biUsgBEd81daiIYt2K13Vs YLw/P33GchhAGHvN1Xz1z8dpwPB/Suut1hKwEU3hELoWFyijdvr1r1+J 6Xu/x/Of0gkOCA1g+PcryEaqvtQoN25pOulEXSuBMrA+InR429GBk4IG ZpuXfTI7
dstest1.                300     IN      DNSKEY  257 3 8 AwEAAcMlFdp1m1R0LUcAMGMPzM/vpynVUTI+442g4PgG3e3/XwUTFBSw Xon297plY/3BnA1p1dtfVnqCnuUO4iK34d3RFTEav+HLFRlMiGtGJWPA XSbpXdDxKoEma37MJ7HJJbu4i0VBdzygUdPOuEXOnOTrEceXdFPpqzNp FAVJVL0GYUECqEcsBYe4pgI9jUzBSKzP5j7UErAVrCkl28Srd71EV8CG NTf2zY/b2IkyNLsqN009gz6wnkLK7tZiBUXddLWSttYWTbWtgx57AYyw iTwQUib8jW/JO5I9waQtU5MRHq0L/BU85eXjWaiNpRkN5evScG4JnLCf tzPWsY9wF1c=
dstest1.                300     IN      DNSKEY  257 3 8 AwEAAcPr8tt2p+i/NX8jlf2HY1pHpqm53HXdunEsq56IdWhd6Q8eA/mU q3CtRisN9SianLQo25G9oh8c4hHS83A1aT0TgcVas4kduiD8Vaqyvdm5 pEOEdqvQlvRDaHwPwTxn3QHOLYLG8dkMb99ny9rsIsxQoE6hyAjxGscV Phg6Ncg4vPGH+Ql9dTW9g1bFgyzK6fNHUn4yUXfmnI23qd6U014DtOyG d4degl8afJLCU7OIpHpHRHctEZjnSrMdJjJYs/L33r0HnTwffQ4hPHye Wg17F2K58Yc+VUPwt9486pqPz78a1evKYzzQHWAlENC21BTwzca6zJys r/YYjNrEjeM=
dstest1.                300     IN      DNSKEY  257 3 8 AwEAAdrbtNeZ/Iglnopd3hfS6YvrC+o4l9Z7pr/YDKzCm9bO7T1JaR6F x3pqbRB9/5SouA5wVM5VGGyMXEhSc+zrr3adV/lj2BO7PqlZ8WMX3PDm CuDw4aNjYIiBldKXPHm8PxIkwXTHqHl5FA+tNzWYVTnUSSnL24iKa8JK VSQ4VjRExNy4tCk9h95mRNQCD9R6K1juoVsinF403eMggV4Ape1H8huT lf6sDB/9fKMKkqF3bnuDmmtoto3u58w3xkN+CcAGSTZRT6NsdEKBJwCK Nkkwl7qxu/t80E+gSlefnBxN0JKm4Ka/asN8JveCseHVVt+ZWAmkyowL +MSAqQ56nwU=
dstest1.                300     IN      RRSIG   SOA 8 1 300 20130130072905 20130130053001 64990 dstest1. FSoB2daHR1k+DSj2LwMs/ZoPV4koP3Ec8sLiTSlj0TwR/dAJZMuk3NoR frzQhUX7LyedZCrSSBanKp5Fy0H07HJR+EDWIf80x1CV8OaUaCbx/zAJ Cz5I2E3/owAyPJg32ylOtFw9Dj6osIG6Aw56vuy2ldpnzghDVwkH5q7A F7k=
dnssec.dstest1.         300     IN      RRSIG   NSEC 8 2 300 20130130072057 20130130052001 64990 dstest1. nn62L6URbTDX0Xn5oTaMtegSiSIL2uSBabJjnMxod7OBRHHVCZysenMu TtoM3nDoV/0bp4yHE25XsVZ+WGOTqIbbwHYnvBHBNLbFG8sez0D5JC3y 8iMBU+auJVvk7Og8X9gybXESzlM9LAe6G8uLE3fsX3+1ZUd+57rtC4UZ WK0=
dnssec.dstest1.         300     IN      NSEC    dnssec0129.dstest1. NS DS RRSIG NSEC
dnssec.dstest1.         3600    IN      NS      ns1.dnssec.dstest1.
dnssec.dstest1.         3600    IN      RRSIG   DS 8 2 3600 20130130070603 20130130050636 64990 dstest1. eGfC5GkTbSz57Yzl1zAg+lhLJMcdjU1yhdhyRrLkO+D1WaZa9okqcZh5 pyvoiWXcG0oTyYAUIl+DBbx31sCxYwD0LQ2oolWFCLPfGahbGiziySZO G5VHM7HQ4w/FEEFVWysKGQl9/30/5crsDW2UYswpc7VaVSutgdtqJ6VY poo=
dnssec.dstest1.         3600    IN      DS      29628 7 2 F7CA2F14C5FDE12D3C944403E1BAEA28F68969D44EF970642B4EA017 A56B13E8
ns1.dnssec.dstest1.     3600    IN      A       202.173.9.46
dnssec0129.dstest1.     300     IN      RRSIG   NSEC 8 2 300 20130130070653 20130130050636 64990 dstest1. nu0j99fy/3rOBq8HR2z0422SOBkoHvl8zMNz/gOPwEoY8BiV54Ebzx0e RTgNOW2riZp4fKU3ZRelkDIvvxe9g00C1x9SKQQhcNiIMY3ybrCGuFrN ex2AXCqYQuifN2uW/2PLNRinDD6ouMvGIr5jVX2sdyrZRe30jsl99ahU I8s=
dnssec0129.dstest1.     300     IN      NSEC    dnssec01291.dstest1. NS DS RRSIG NSEC
dnssec0129.dstest1.     3600    IN      NS      ns1.dnssec0129.dstest1.
dnssec0129.dstest1.     3600    IN      RRSIG   DS 8 2 3600 20130130073056 20130130053001 64990 dstest1. AHwPb9bQHyhn1vJfEHQkAH7MDMHpr1YmXsL3DA3XeAWOXptWNWwD8Sq+ bmc/mOvuYzuArj9Vckwv2/Kc0L3YlroApdU55ZOiAteofLwi257I8JXS TQQqBXvdNtwkxK4PjNfoPIzLr7eRl8RgHVSL2dJq0lMc1m7DJoaA0Wer zNY=
dnssec0129.dstest1.     3600    IN      DS      43341 7 2 67F7BDE98FC5495944FF1DF796FF97B3FE33E46CF088ABA36C3A0903 7BCD5E1D
ns1.dnssec0129.dstest1. 3600    IN      A       202.173.9.46
dnssec01291.dstest1.    300     IN      RRSIG   NSEC 8 2 300 20130130073015 20130130053001 64990 dstest1. LpSHpCjIk/3CzoWqJWz7QHwDh2LYPKZjV2cj3zDrZ//JsPPsXF48JOoa NLyFFdf+vJlJrzNta+V9d2KPBRvqblY9DTUvBJndr9X4WRTiaFlaQa2U XQbg8VluJxUZsZVUNOeFliJFIrC/vqU+GXP1eFfWRbK7mMhk52GHjj1Q ExQ=
dnssec01291.dstest1.    300     IN      NSEC    dnssec1.dstest1. NS DS RRSIG NSEC
dnssec01291.dstest1.    3600    IN      NS      ns1.dnssec01291.dstest1.
dnssec01291.dstest1.    3600    IN      RRSIG   DS 8 2 3600 20130130070702 20130130050636 64990 dstest1. h6pUbc4JVoS/m0XtDLjWo2gzKgUC60HwFnP/CAsXgNgQvgIs21hYu3jI FTQKscn+6lSlWq22vPgq8pBJ6V5rsnqARhGx4R1iNGrhhF2H29k/OuDO GW9Wr2/avkl/ClWC+6A1zhRN37jmO0egF+fGHLW77mc6iQZi1USSg9pP 110=
dnssec01291.dstest1.    3600    IN      DS      53286 7 2 B38F5BFEE1519C8AE382C14203FD9B819DBE2B698EE6D99CCE6938A2 373D15D3
ns1.dnssec01291.dstest1. 3600   IN      A       202.173.9.46
dnssec1.dstest1.        300     IN      RRSIG   NSEC 8 2 300 20130130070700 20130130050636 64990 dstest1. FNljqaWlbWb8vG2dDWmgqRtEziReAZNQIqdMMYPNIfMGI72g8ec7yFEK JAcRfrkKtfhGQnLz78T7Al7sfn5xKGReTP+WRSB+H0Z+fP4c1XE/rjFL TcheZeBh4zgG2jwyVmIpUT0wKlzZ/l+JoT5s0ZkO/38pPNalrgY0cMPr gBQ=
dnssec1.dstest1.        300     IN      NSEC    dnssec10292.dstest1. NS DS RRSIG NSEC
dnssec1.dstest1.        3600    IN      NS      ns1.dnssec1.dstest1.
dnssec1.dstest1.        3600    IN      RRSIG   DS 8 2 3600 20130130071709 20130130051637 64990 dstest1. ZFJ638zd4FkgtCymGK1CZmRbV0K1+lD56n0TtjU1X1WJKOcUgKVOgsx/ yRd8miuy79QedHQrrvlEQZXNVElSeJ/p7atgyktBRbps2x+cWapD5g74 ZoDfUxM9p3empan1iCa3zGvSuzdKIRzf51E1MUQ0P19QScbNc+Q2Kdr2 jYo=
dnssec1.dstest1.        3600    IN      DS      57684 7 2 936C9C665AD8333294B55F4284CB77098CA1939DAE05A56B18F597C5 E25C92DD
ns1.dnssec1.dstest1.    3600    IN      A       202.173.9.46
dnssec10292.dstest1.    300     IN      RRSIG   NSEC 8 2 300 20130130070555 20130130050636 64990 dstest1. XP+qoQDJJlszCXHu18r1YwQnzRc7QFLgXU3qfXohpG+Qqtu9P/T2Qb5T Prq3LgId9d3iZUSd84Oh5INcGiMVmjpRb3MEg30cwBX7VOWyZqq+P4Xa PxjT1WS3INX6VDl3rkULz1Eq7kJGmWML406EDfUW7Pm8bGLocXjm3i+Y yMo=
dnssec10292.dstest1.    300     IN      NSEC    dnssec10293.dstest1. NS DS RRSIG NSEC
dnssec10292.dstest1.    3600    IN      NS      ns1.dnssec10292.dstest1.
dnssec10292.dstest1.    3600    IN      RRSIG   DS 8 2 3600 20130130070723 20130130050636 64990 dstest1. W6MgrGftxtv8tp8NON2T2JB/wspOAmyl9qGRhK9kCKvYRH+NM/RNMEQ4 mkkfwZWMZFpwFv8Sc0y1FzZMoN3HB7S/jcXQIbgYsBBljxKIiXBe7YG/ Gm7KDeDfkNmTx9zStR5mky06gpkqAsQ7m+Dq/BiYqdtzgHcoqucy1dF8 lrg=
dnssec10292.dstest1.    3600    IN      DS      1035 7 2 9D4EB8B240DD2CFA2FF4AF8E035CAE05A1CE78FD05935A1C00590677 FBE4C190
ns1.dnssec10292.dstest1. 3600   IN      A       202.173.9.46
dnssec10293.dstest1.    300     IN      RRSIG   NSEC 8 2 300 20130130070634 20130130050636 64990 dstest1. j1ndpjzZ1XpbWCp+9Z8NLjKMqCw2m+1uN5ViYTogJpSTW6MPXrZ3fXMu x5RYDb/4YUS71q0kD/7PcJk4jRcq+EvbRAj3whCqb1bwMefZqxZquYrE l+AWEAcGxCaGe+uwT3dK/Um6Av2Qvgdu1HVwBlDGp4Ikn+fsuHT3FdDu sso=
dnssec10293.dstest1.    300     IN      NSEC    dnssec10301111.dstest1. NS DS RRSIG NSEC
dnssec10293.dstest1.    3600    IN      NS      ns1.dnssec10293.dstest1.
dnssec10293.dstest1.    3600    IN      RRSIG   DS 8 2 3600 20130130072930 20130130053001 64990 dstest1. Jw7aPD0dmGlrILKcpZi+RjfKSfwz/d0dwdCkEptKjskwbw0X4dm5PMaT BJXfEm8oj+/gJEQcJIvu+ZhQjZ65mQUHYQ+mtd/E0Bzb/7qXujGTOCl/ jFj/IGkYchy3/9nf4IBttw78YAf2aJRxexfnC85IYHt+Sygygc3VqXaw Njk=
dnssec10293.dstest1.    3600    IN      DS      54360 7 2 879AAE7752540DC4E49232C62ABB7893930E78FC87BD5ED98FEC5619 FE15ED64
ns1.dnssec10293.dstest1. 3600   IN      A       202.173.9.46
dnssec10301111.dstest1. 300     IN      RRSIG   NSEC 8 2 300 20130130071908 20130130052001 64990 dstest1. QLA4xpAW0GJT+O8HCMpceNkTyrWAVaD1vPFmwgUK29aq1/E6axvBPu+F AGVfK2NDBGeMCAix45kRh+8R2HJH5dZP8YkbaQ6VoqUZQ/yySlAMt1od Q9+pD5zcphui22F3dfEVnFPIuZoHPyugagt5FNwayXsrZ1UsZDAS5d0h szM=
dnssec10301111.dstest1. 300     IN      NSEC    dnssec2.dstest1. NS DS RRSIG NSEC
dnssec10301111.dstest1. 3600    IN      RRSIG   DS 8 2 3600 20130130071940 20130130052001 64990 dstest1. M+HOpe4rSvAz/dv3b30dyelVw6EFR6swgNjIa8k4TODmQG7YyRymDnAD IgBWziTbv+MeabkDWG4L7zxA1oJm5I0uwUKqDR/6+u6D0uvgnCuvcWtB N5bOimBQtrGVS96KgNMvK5PEj93sX1Mz1P/VvItb4o2PkORZUKjuO4D8 eFY=
dnssec10301111.dstest1. 3600    IN      DS      56454 7 2 D42DB18325D5F142150596FE75A7353B3D79BAC815058434AB761BAC 7EB95AFD
dnssec10301111.dstest1. 3600    IN      NS      ns1.dnssec10301111.dstest1.
ns1.dnssec10301111.dstest1. 3600 IN     A       202.173.9.46
dnssec2.dstest1.        300     IN      RRSIG   NSEC 8 2 300 20130130072903 20130130053001 64990 dstest1. fK20zMFQjYphQv6eSz+2sjEwUkgENMbRllkit7ggu/V3F3AF8/WX9ztC D4KUJcbCj897a4i9pCPvONkkHssLT9N6ZGULtZU7BaAJEMYXjZN8+HHi o5s8kjw535Tg8YyjMGgtTBvRx8gxIHcYKl3zA/1svoR0PeQzNZF5Arn+ RFI=
dnssec2.dstest1.        300     IN      NSEC    dstest1. NS DS RRSIG NSEC
dnssec2.dstest1.        3600    IN      NS      ns1.dnssec2.dstest1.
dnssec2.dstest1.        3600    IN      RRSIG   DS 8 2 3600 20130130073003 20130130053001 64990 dstest1. MLbjkNX9z4BM/1keNK0JItdTvpVCnctTij+t0iuvc8JqGEUDhG+kYH5B Jl3K8YoaNvReTuwJwDC8iNYA2u8UZZQqNSW2TziOtDrsHlk5HY1EJSza GsVIVv0VtfsCIM7bgitZYhEySjBvAMIi1upG7uDXo+wdkqc7gxcVr78D K8Y=
dnssec2.dstest1.        3600    IN      DS      61158 7 2 42FF4849E829F4C348E07152A11A6AA79FC118CE609C498369889758 23183752
ns1.dnssec2.dstest1.    3600    IN      A       202.173.9.46
dstest1.                300     IN      SOA     ns1.zdnscloud.net. mail.knet.cn. 1359527401 10800 3600 604800 300


You can see 64990 is indeed the actual active ZSK used for signing RRs, but I find that the DNSKEY (64990) and DNSKEY (16159) exported by ods-ksmutil do not match any of the DNSKEYs in the zone, so I think 64990 and 16159 are not in the zone! So the log complains "RR does not exist". And the trust chain is broken because no correct DNSKEYs are found.


Has anybody ever met this before?


Best regards,
Stuart
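
Added example, not part of the original post and not OpenDNSSEC code: the comparison described above can be done by key tag instead of by reading base64. The sketch computes RFC 4034 Appendix B key tags for the DNSKEYs in zone-transfer text and lists RRSIG signer tags and exported keys that have no matching DNSKEY; the `example.` records are constructed and the function names are hypothetical.

```python
import base64

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm])
    rdata += base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def collect_tags(text):
    """Return (DNSKEY key tags, RRSIG signer key tags) found in presentation-format text."""
    dnskeys, signers = set(), set()
    for line in text.splitlines():
        f = line.split(";", 1)[0].split()   # drop dig/ldns comments
        if len(f) < 5 or f[2] != "IN":
            continue                        # log lines, blanks, other classes
        if f[3] == "DNSKEY" and len(f) >= 8:
            # dig splits the base64 key into chunks, so rejoin fields 7..end
            dnskeys.add(key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
        elif f[3] == "RRSIG" and len(f) >= 12:
            signers.add(int(f[10]))         # key tag field of the RRSIG RDATA
    return dnskeys, signers

def audit(zone_text, export_text):
    """Signer tags and exported key tags that have no DNSKEY in the zone."""
    zone_keys, signers = collect_tags(zone_text)
    exported, _ = collect_tags(export_text)
    return sorted(signers - zone_keys), sorted(exported - zone_keys)

# Constructed sample data (4-byte toy keys, dummy signatures), not from the post.
# The SOA signature names a key tag with no DNSKEY, mirroring the reported symptom.
ZONE = """\
example. 300 IN DNSKEY 256 3 8 AQID BA==
example. 300 IN DNSKEY 257 3 8 BQYHCA==
example. 300 IN RRSIG DNSKEY 8 1 300 20130130070719 20130130050637 4119 example. AAAA
example. 300 IN RRSIG SOA 8 1 300 20130130072905 20130130053001 64990 example. AAAA
"""
EXPORT = "example. 300 IN DNSKEY 256 3 8 CQoLDA== ;{id = constructed}\n"

if __name__ == "__main__":
    orphan_signers, missing_exports = audit(ZONE, EXPORT)
    print("RRSIG key tags without a DNSKEY in the zone:", orphan_signers)
    print("exported key tags not published in the zone:", missing_exports)
```

Saved `dig ... axfr` output and `ods-ksmutil key export` output can be passed to `audit()` in place of the constructed strings, since both use the same presentation format.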