[Opendnssec-user] Signature failed to cryptographically verify
Matthijs Mekking
matthijs at nlnetlabs.nl
Wed Jun 4 14:11:08 UTC 2014
Hi Gilles,
On 04-06-14 15:24, Gilles Massen wrote:
> Hi,
>
>> Roughly: you should be able to run ods-signerd with a single run and a
>> specific config file:
>>
>> 1. Create a new conf.xml, probably using some different file locations.
>> 2. Make a signer configuration file signconf.xml for a zone, referencing
>> the specific locator of the key.
>> 3. Run 'ods-signerd -c conf.xml -1' (different cfg, single run)
>
> I try to get this to work, but have a few problems. So far I made a copy
> of the setup, adapted conf.xml, stripped the zonelist.xml down to a
> single zone and removed everything but a KSK and the possibly broken ZSK
> from signconf/.xml.
> Note: the KSK was previously active, while the ZSK was retired.
When the ZSK is retired, the signer will not create new signatures
anymore. You should probably add the <ZSK/> flag in the <key> section.
>
> Now the signer does produce a zone, but signs only the DNSKEY RRset with
> the KSK, and no other record. So the ZSK is not used (but the signer
> does not complain, even with multiple -v).
The signconf has no active ZSK configured, so the signer does not create
ZSK signatures.
> So what am I missing? Does the signer read the kasp.db? (I made the old
> ZSK active in the kasp.db, just in case, but that does not seem to
> help). What am I missing?
The signer does not read kasp.db, it's an enforcer thingy. The signer
gets its configuration from the signconf xml file.
> BTW: is there a way to tell the signer where to put his PID?
Just introduced in 1.3.17: <PidFile> :) (and soon to be in 1.4.6 too).
Best regards,
Matthijs
>
> best,
> Gilles
>
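A small check for the situation discussed above, added here as an illustration and not part of the thread or of OpenDNSSEC itself: it parses a signconf.xml and reports which signing roles are actually enabled, so a key that is only published (the retired-ZSK case) is flagged before the signer silently leaves the zone data unsigned. The signconf fragment and the locators are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed signconf.xml resembling the setup in the thread: a KSK that is
# active, and a ZSK that is only published (no <ZSK/> role element), which is
# how a retired ZSK appears. Locators are placeholders, not real CKA_IDs.
SIGNCONF = """<SignerConfiguration>
  <Zone name="example.net">
    <Keys>
      <TTL>PT3600S</TTL>
      <Key>
        <Flags>257</Flags>
        <Algorithm>8</Algorithm>
        <Locator>PLACEHOLDER_KSK_LOCATOR</Locator>
        <KSK/>
        <Publish/>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>PLACEHOLDER_ZSK_LOCATOR</Locator>
        <Publish/>
      </Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""


def key_roles(signconf_xml):
    """Return one (locator, flags, roles) tuple per <Key>; roles is the set of
    role elements present among KSK, ZSK and Publish."""
    root = ET.fromstring(signconf_xml)
    out = []
    for key in root.iter("Key"):
        roles = {t for t in ("KSK", "ZSK", "Publish") if key.find(t) is not None}
        out.append((key.findtext("Locator"), int(key.findtext("Flags")), roles))
    return out


def diagnose(signconf_xml):
    """List configuration problems. Without a key carrying <ZSK/>, ods-signerd
    signs only the DNSKEY RRset (with the KSK) and nothing else, which is the
    symptom described in the thread."""
    keys = key_roles(signconf_xml)
    problems = []
    if not any("KSK" in r for _, _, r in keys):
        problems.append("no key has <KSK/>: DNSKEY RRset will not be signed")
    if not any("ZSK" in r for _, _, r in keys):
        problems.append("no key has <ZSK/>: zone data will not be signed")
    for loc, flags, roles in keys:
        if flags == 256 and "ZSK" not in roles:
            problems.append("%s has ZSK flags (256) but no <ZSK/> role" % loc)
    return problems
```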