[Opendnssec-user] Invalid signature generated

Matthijs Mekking matthijs at nlnetlabs.nl
Wed May 29 08:28:29 UTC 2013


Hello Einar,

Probably the reason you only see issues after a week is that new
signatures were being generated by then (pointing out the obvious).

Unfortunately, I have no clue of what caused this error. I am wondering
if this is reproducible. Could you elaborate a bit more on your
environment and what actions you have done (how exactly did you
reinitialize the tokens? Did you do a restart of OpenDNSSEC? Did you
clean up working directory files or not? Did you do a new ods-ksmutil
setup?) and what versions you are using (of OpenDNSSEC and softHSM). Thanks!

Also, you may want to create a SUPPORT ticket at
https://issues.opendnssec.org, so we can keep track of this.

Best regards,
  Matthijs


On 05/28/2013 01:56 PM, Einar Bjarni Halldórsson wrote:
> Hi,
> 
> We've been testing OpenDNSSEC for a few months now, and recently started
> the preparation to move into production. We're using SoftHSM and one of
> the things we did in preparation was to rename our tokens in SoftHSM.
> Since we are still in testing and were curious about what would happen,
> we simply re-initialized the tokens OpenDNSSEC was already using with
> new labels and then changed the config in ods. We wanted to know what
> would happen if we at any time lost access to our keys and had to start
> over with new keys.
> 
> It seemed to work pretty well for about a week, but then all of a sudden
> validns started to complain that it could not verify the signatures for
> the SOA RR and the DNSKEY RR. We could not find a reason for this but
> eventually we tried to roll the KSK and that removed the error.
> 
> We'd very much like to know what exactly caused the error. It seems the
> signatures are not expired, and they're generated with a key that's in
> the zone. I've got the output from jdnssec-tools, if anybody can find a
> possible reason for the error from that it'd be greatly appreciated. 
> 
> Link to (shortened) dnssec-tools output:
> http://pastebin.com/3WJMmCHd
> 
> .einar
> 
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
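For the symptom Einar describes (validns rejecting the SOA and DNSKEY RRSIGs while the signatures appear current and the signing key appears to be in the zone), this is the first-pass triage a practitioner can script: compute each DNSKEY's key tag (RFC 4034 Appendix B) and check that every RRSIG is inside its validity window and names a key tag/algorithm that exists in the DNSKEY RRset. This is an added example, not code from the thread or from OpenDNSSEC; the records are constructed and the function names are mine.

```python
import base64
import struct
from datetime import datetime, timezone

# Constructed sample records (not from the thread): a KSK, a ZSK, a SOA RRSIG
# made by the ZSK, and a DNSKEY RRSIG whose key tag matches no published key.
ZONE_RECORDS = """
example.  3600 IN DNSKEY 257 3 8 AQIDBA==
example.  3600 IN DNSKEY 256 3 8 qrs=
example.  3600 IN RRSIG SOA 8 1 3600 20130605000000 20130522000000 44739 example. c2ln
example.  3600 IN RRSIG DNSKEY 8 1 3600 20130605000000 20130522000000 12345 example. c2ln
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA in wire format."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd offsets add the byte, even offsets add byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _ts(s):
    """Parse an RRSIG YYYYMMDDHHmmSS timestamp as UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_zone(text):
    """Return ({(key_tag, algorithm)}, [rrsig dicts]) from presentation-format lines."""
    keys, rrsigs = set(), []
    for line in text.strip().splitlines():
        f = line.split()
        if f[3] == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            keys.add((key_tag(flags, proto, alg, base64.b64decode("".join(f[7:]))), alg))
        elif f[3] == "RRSIG":
            # fields: type covered, algorithm, labels, orig TTL, expiration, inception, key tag
            rrsigs.append({"covers": f[4], "alg": int(f[5]), "expire": _ts(f[8]),
                           "incept": _ts(f[9]), "tag": int(f[10])})
    return keys, rrsigs

def check_rrsigs(text, now):
    """One problem string per RRSIG that is outside its window or names no DNSKEY in the zone."""
    keys, rrsigs = parse_zone(text)
    problems = []
    for s in rrsigs:
        if not s["incept"] <= now < s["expire"]:
            problems.append(f"RRSIG {s['covers']}: outside validity window")
        if (s["tag"], s["alg"]) not in keys:
            problems.append(f"RRSIG {s['covers']}: key tag {s['tag']} not in DNSKEY RRset")
    return problems
```

A clean result only narrows the search: a matching key tag shows which published key the signature claims, not that the public key corresponds to the private key that actually produced it, so the cryptographic verification validns performs remains the deciding check.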



