[Opendnssec-user] Auditor Problem (ods 1.3.9)

Klaus Darilion klaus.mailinglists at pernau.at
Fri Jun 28 13:06:34 UTC 2013


Hi!

For testing I created a policy with rather short intervals (see below).

I now have the problem that I have to disable the auditor, as it complains:

ods-auditor[2778]: test : Key (6670) has gone straight to active use without a prepublished phase

Of course this is not true. There was a publish phase, but it transitions 
from "ready" to "active" without waiting (I think this should be allowed).

I inspected the key events in the sqlite DB:

publish  '2013-06-28 14:43:12',
ready    '2013-06-28 14:44:52',
active   '2013-06-28 14:44:52',
retire   '2013-06-28 15:14:52', NULL

So, the key was in the PUBLISH phase for 100 seconds. I use short TTLs 
(60 s), so this should be fine.

Is this a bug in the auditor, or am I missing something here?

Inspecting the zone, I see that every RR in the zone has a TTL of 60, 
except the NSEC3PARAM and its RRSIG, which have a TTL of 3600.

Where is this TTL coming from? Could this be the source of my problems?

Thanks
Klaus


Policy:
                 <Signatures>
                         <Resign>PT5M</Resign>
                         <Refresh>PT30M</Refresh>
                         <Validity>
                                 <Default>PT24H</Default>
                                 <Denial>PT24H</Denial>
                         </Validity>
                         <Jitter>PT0M</Jitter>
                         <InceptionOffset>PT120S</InceptionOffset>
                 </Signatures>

                 <Denial>
                         <NSEC3>
                                 <!-- <OptOut/> -->
                                 <Resalt>P10D</Resalt>
                                 <Hash>
                                         <Algorithm>1</Algorithm>
                                         <Iterations>5</Iterations>
                                         <Salt length="8"/>
                                 </Hash>
                         </NSEC3>
                 </Denial>
                 <Keys>
                         <!-- Parameters for both KSK and ZSK -->
                         <TTL>PT60S</TTL>
                         <RetireSafety>PT30S</RetireSafety>
                         <PublishSafety>PT30S</PublishSafety>
                         <!-- <ShareKeys/> -->
                         <!-- <Purge>PT20M</Purge> -->

                         <!-- Parameters for KSK only -->
                         <KSK>
                                 <Algorithm length="2048">8</Algorithm>
                                 <Lifetime>PT45M</Lifetime>
                                 <Repository>SoftHSM1</Repository>
                         </KSK>

                         <!-- Parameters for ZSK only -->
                         <ZSK>
                                 <Algorithm length="1024">8</Algorithm>
                                 <Lifetime>PT30M</Lifetime>
                                 <Repository>SoftHSM1</Repository>
                                 <!-- <ManualRollover/> -->
                         </ZSK>
                 </Keys>
                 <Zone>
                         <PropagationDelay>PT10S</PropagationDelay>
                         <SOA>
                                 <TTL>PT60S</TTL>
                                 <Minimum>PT3600S</Minimum>
                                 <Serial>unixtime</Serial>
                         </SOA>
                 </Zone>

                 <Parent>
                         <PropagationDelay>PT5S</PropagationDelay>
                         <DS>
                                 <TTL>PT60S</TTL>
                         </DS>
                         <SOA>
                                 <TTL>PT60S</TTL>
                                 <Minimum>PT60S</Minimum>
                         </SOA>
                 </Parent>
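An added example, not from the message or from OpenDNSSEC's own code: a small Python check that turns the policy's durations into seconds and compares them with the key timestamps quoted above. It assumes the publish phase is sized as DNSKEY TTL + PublishSafety + zone PropagationDelay (an assumption, but it reproduces the 100 s seen here), shows that the "ready" phase in this timeline has zero length, and pulls out SOA Minimum, the policy's only 3600 s value.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed from the policy fragment in the message and wrapped in a root
# element so it parses; only the elements this check reads are kept.
POLICY_XML = """<Policy>
  <Keys><TTL>PT60S</TTL><PublishSafety>PT30S</PublishSafety></Keys>
  <Zone><PropagationDelay>PT10S</PropagationDelay>
        <SOA><TTL>PT60S</TTL><Minimum>PT3600S</Minimum></SOA></Zone>
</Policy>"""

# Key-state timestamps as quoted from the sqlite DB in the message.
KEY_EVENTS = [("publish", "2013-06-28 14:43:12"), ("ready", "2013-06-28 14:44:52"),
              ("active", "2013-06-28 14:44:52"), ("retire", "2013-06-28 15:14:52")]

_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """KASP-style ISO 8601 duration (days/hours/minutes/seconds) -> seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, mins, secs = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + mins) * 60 + secs

def policy_seconds(policy_xml, path):
    """Duration at an element path (e.g. 'Keys/TTL') of the policy, in seconds."""
    return parse_duration(ET.fromstring(policy_xml).findtext(path))

def prepublish_interval(policy_xml):
    """Seconds a key should sit in 'publish' before it may become 'ready':
    DNSKEY TTL + PublishSafety + zone PropagationDelay (assumed formula; it
    reproduces the 100 s observed in the message)."""
    return sum(policy_seconds(policy_xml, p)
               for p in ("Keys/TTL", "Keys/PublishSafety", "Zone/PropagationDelay"))

def phase_lengths(events):
    """Seconds spent in each state, from consecutive state-change timestamps."""
    stamps = [(s, datetime.strptime(t, "%Y-%m-%d %H:%M:%S")) for s, t in events]
    return {s: int((nxt - t).total_seconds())
            for (s, t), (_, nxt) in zip(stamps, stamps[1:])}

def check_timeline(policy_xml, events):
    """Did the publish phase meet the policy, and was the ready phase empty
    (the zero-length step the auditor message points at)?"""
    phases = phase_lengths(events)
    return {"publish_ok": phases["publish"] >= prepublish_interval(policy_xml),
            "ready_zero": phases["ready"] == 0}

if __name__ == "__main__":
    print(phase_lengths(KEY_EVENTS), check_timeline(POLICY_XML, KEY_EVENTS))
    print("SOA Minimum:", policy_seconds(POLICY_XML, "Zone/SOA/Minimum"))
```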
