[Opendnssec-user] Invalid signature generated

Einar Bjarni Halldórsson einar at isnic.is
Tue May 28 11:56:43 UTC 2013


We've been testing OpenDNSSEC for a few months now, and recently started the preparation to move into production. We're using SoftHSM and one of the things we did in preperation was to rename our tokens in SoftHSM. Since we are still in testing and were curious about what would happen, we simply re-initialized the tokens OpenDNSSEC was already using with new labels and then changed the config in ods. We wanted to know what would happen if you at anytime lost access to our keys and had to start over with new keys.

It seemed to work pretty well for about a week, but then all of a sudden validns started to complain that it could not verify the signatures for the SOA RR and the DNSKEY RR. We could not find a reason for this but eventually we tried to roll the KSK and that removed the error.

We'd very much like to know what exactly caused the error. It seems the signatures are not expired, and they're generated with a key that's in the zone. I've got the output from jdnssec-tools, if anybody can find a possible reason for the error from that it'd be greatly appreciated. 

Link to (shortened) dnssec-tools output:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130528/cc4a7a2d/attachment.htm>

More information about the Opendnssec-user mailing list