[Opendnssec-user] Signature failed to cryptographically verify

Gilles Massen gilles.massen at restena.lu
Wed Jun 4 13:24:48 UTC 2014


Hi,

> Roughly: you should be able to run ods-signerd with a single run and a
> specific config file:
> 
> 1. Create a new conf.xml, probably using some different file locations.
> 2. Make a signer configuration file signconf.xml for a zone, referencing
> the specific locator of the key.
> 3. Run 'ods-signerd -c conf.xml -1' (different cfg, single run)

I am trying to get this to work, but have a few problems. So far I made a copy
of the setup, adapted conf.xml, stripped the zonelist.xml down to a
single zone and removed everything but a KSK and the possibly broken ZSK
from signconf/.xml.

Note: the KSK was previously active, while the ZSK was retired.

Now the signer does produce a zone, but signs only the DNSKEY RRset with
the KSK, and no other record. So the ZSK is not used (but the signer
does not complain, even with multiple -v).

So what am I missing? Does the signer read the kasp.db? (I made the old
ZSK active in the kasp.db, just in case, but that does not seem to
help.)

BTW: is there a way to tell the signer where to put its PID file?

best,
Gilles
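Two checks worth running before suspecting the key itself, as an added example that is not part of this thread or of OpenDNSSEC's own code: in the 1.x signconf.xml layout a `<Key>` signs the DNSKEY RRset only when it carries `<KSK/>`, signs the rest of the zone only when it carries `<ZSK/>`, and a key with `<Publish/>` alone is placed in the DNSKEY RRset but produces no RRSIGs, which the signer does not treat as an error. A retired ZSK copied from the enforcer's signconf typically has exactly that publish-only form, so the stripped-down file is worth inspecting. The script below parses a constructed signconf.xml (sample zone, locators and timings are made up) and reports each key's signing role, then reads `<Signer><PidFile>` from a constructed conf.xml fragment, which is where the signer's PID location is set.

```python
"""Report which keys in an OpenDNSSEC signconf.xml will actually sign, and
where conf.xml puts the signer PID. Added diagnostic, not OpenDNSSEC code."""
import xml.etree.ElementTree as ET

# Constructed sample in the OpenDNSSEC 1.x signconf.xml layout (zone name,
# locators and timings are invented). The second key has <Publish/> only:
# it goes into the DNSKEY RRset but never signs anything.
SAMPLE_SIGNCONF = """<SignerConfiguration>
  <Zone name="example.net">
    <Signatures>
      <Resign>PT2H</Resign>
      <Refresh>P3D</Refresh>
      <Validity><Default>P7D</Default><Denial>P7D</Denial></Validity>
      <Jitter>PT12H</Jitter>
      <InceptionOffset>PT300S</InceptionOffset>
    </Signatures>
    <Denial><NSEC/></Denial>
    <Keys>
      <TTL>PT3600S</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>8</Algorithm>
        <Locator>0123456789abcdef0123456789abcdef</Locator>
        <KSK/>
        <Publish/>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>fedcba9876543210fedcba9876543210</Locator>
        <Publish/>
      </Key>
    </Keys>
    <SOA><TTL>PT3600S</TTL><Minimum>PT3600S</Minimum><Serial>unixtime</Serial></SOA>
  </Zone>
</SignerConfiguration>
"""

# Constructed conf.xml fragment; paths are invented for a side-by-side debug setup.
SAMPLE_CONF = """<Configuration>
  <Signer>
    <WorkingDirectory>/tmp/ods-debug/signer</WorkingDirectory>
    <PidFile>/tmp/ods-debug/signerd.pid</PidFile>
  </Signer>
</Configuration>
"""


def key_roles(signconf_xml):
    """One dict per <Key>: locator, DNSKEY flags, and what it will sign.
    <KSK/> signs the DNSKEY RRset, <ZSK/> signs every other RRset,
    <Publish/> alone means the key is published but produces no RRSIGs."""
    root = ET.fromstring(signconf_xml)
    roles = []
    for key in root.iter("Key"):
        roles.append({
            "locator": key.findtext("Locator", "").strip(),
            "flags": int(key.findtext("Flags", "0")),
            "published": key.find("Publish") is not None,
            "signs_dnskey": key.find("KSK") is not None,
            "signs_zone_data": key.find("ZSK") is not None,
        })
    return roles


def publish_only_keys(signconf_xml):
    """Locators of keys that are published but never sign: the pattern that
    yields a zone with only the DNSKEY RRset signed and no warning."""
    return [k["locator"] for k in key_roles(signconf_xml)
            if k["published"] and not (k["signs_dnskey"] or k["signs_zone_data"])]


def signer_pidfile(conf_xml):
    """<Signer><PidFile> from conf.xml, or None when the built-in default applies."""
    return ET.fromstring(conf_xml).findtext("Signer/PidFile")


if __name__ == "__main__":
    for k in key_roles(SAMPLE_SIGNCONF):
        print(k)
    print("publish-only keys:", publish_only_keys(SAMPLE_SIGNCONF))
    print("signer pidfile:", signer_pidfile(SAMPLE_CONF))
```

Run it against the real stripped-down signconf by replacing the sample string with the file contents; if the ZSK's locator shows up under publish-only keys, adding `<ZSK/>` to that `<Key>` is the change to try before touching kasp.db, since the signer reads signconf.xml rather than the enforcer database.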
