[Opendnssec-user] ods-signer not working anymore ?

Ludovic Hirlimann ludovic at hirlimann.net
Tue Mar 4 11:08:32 UTC 2014


Hi,

today I've discovered that ods-signer stopped working 10+ days ago on my
domain.
I don't understand why it doesn't sign anymore :

http://dnsviz.net/d/hirlimann.net/dnssec/

perso:~ # dig +dnssec hirlimann.net dnskey @127.0.0.1

; <<>> DiG 9.8.3-P4 <<>> +dnssec hirlimann.net dnskey @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44230
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hirlimann.net.            IN    DNSKEY

;; ANSWER SECTION:
hirlimann.net.        3600    IN    DNSKEY    257 3 8
AwEAAdGy0YLcGHD5R3Q9QY0aVV4BMjiS6Ev6m3rhkFsT1nFWkXhuLXit
bJ2bejtFX3ebKpSexpdMN9fv98nhLmaSva0iaH0jMcCaGNqky6bDjlvi
dWGVmXsINaH8rYqzAC2AgvUaOeDgTPUB74KMngtA36qT9+U0ruFWbwwu
FoUSB42axWWmnd4pcKjBsXqn9OvcS/9WiiG0B59Pmegje/P8Qebjg+ps
8IoN44HPVfxjlcBjYzwvi1hujOiDeAyBcNcrI5Ql+PW1eFWejU6idXdD
4xgH0zBBrQu16WoVahIGc5e+PRH+FqJa2S10svfKMF9Vu4VgoybLeV7g EimuonuydD8=
hirlimann.net.        3600    IN    DNSKEY    256 3 8
AwEAAcOIAzr5Pzuyc6Hisw15I7KK2RjmDGnB7fQB55CDnJJdW0iPNwxa
E4vOUGjkB/hosFra+JDDxoGoyhDWQGzhTcIHqUC24PngxxFxjpFAoE6r
6YpGYl2Lu+/inqykpkd59d4Ur7GLmLGqatHerqpg73sd009lhZ2+HYXf nGyEms5d
hirlimann.net.        3600    IN    RRSIG    DNSKEY 8 2 3600
20140221061642 20140213221414 49361 hirlimann.net.
V/gvWUkRvnTOYb3ujYiB9TJZ90UFS4KAus8PrcYoc08FllkW7hihzofO
FaGBuQSyF5pyV+M3x7Gs+u9hERfYsqnRngkzAX6gP8ri/mHllCuacmEx
CF0f/mH4azjsY9Xj2kU0g6ofzIVxIRkHCh0ET4yhlNuOTIHhcfV96R08
ykqJ0DOvTI0OAqbJ0c9yMY3/GcVCu7pvBEUZPCeww7T6M6N/U2vzzsLs
DO0IDkD7bIi3VYTrq3J8oAGa3g1K+niLk1ybT7v6Z/kO79LcLsYaoLs4
2Tws3KPpGTGASK4AS928lzMNLoGaK8mzkLeSTGiz/47ppcpIzPe1/7u1 aHG+DA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar  4 12:03:05 2014
;; MSG SIZE  rcvd: 767

root@perso:~ # date
Tue Mar  4 12:03:20 CET 2014
root@perso:~ # ods-signer sign hirlimann.net
Zone hirlimann.net scheduled for immediate re-sign.

root@perso:~ # rndc reload
server reload successful
root@perso:~ # dig +dnssec hirlimann.net dnskey @127.0.0.1

; <<>> DiG 9.8.3-P4 <<>> +dnssec hirlimann.net dnskey @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61871
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hirlimann.net.            IN    DNSKEY

;; ANSWER SECTION:
hirlimann.net.        3600    IN    DNSKEY    256 3 8
AwEAAcOIAzr5Pzuyc6Hisw15I7KK2RjmDGnB7fQB55CDnJJdW0iPNwxa
E4vOUGjkB/hosFra+JDDxoGoyhDWQGzhTcIHqUC24PngxxFxjpFAoE6r
6YpGYl2Lu+/inqykpkd59d4Ur7GLmLGqatHerqpg73sd009lhZ2+HYXf nGyEms5d
hirlimann.net.        3600    IN    DNSKEY    257 3 8
AwEAAdGy0YLcGHD5R3Q9QY0aVV4BMjiS6Ev6m3rhkFsT1nFWkXhuLXit
bJ2bejtFX3ebKpSexpdMN9fv98nhLmaSva0iaH0jMcCaGNqky6bDjlvi
dWGVmXsINaH8rYqzAC2AgvUaOeDgTPUB74KMngtA36qT9+U0ruFWbwwu
FoUSB42axWWmnd4pcKjBsXqn9OvcS/9WiiG0B59Pmegje/P8Qebjg+ps
8IoN44HPVfxjlcBjYzwvi1hujOiDeAyBcNcrI5Ql+PW1eFWejU6idXdD
4xgH0zBBrQu16WoVahIGc5e+PRH+FqJa2S10svfKMF9Vu4VgoybLeV7g EimuonuydD8=
hirlimann.net.        3600    IN    RRSIG    DNSKEY 8 2 3600
20140221061642 20140213221414 49361 hirlimann.net.
V/gvWUkRvnTOYb3ujYiB9TJZ90UFS4KAus8PrcYoc08FllkW7hihzofO
FaGBuQSyF5pyV+M3x7Gs+u9hERfYsqnRngkzAX6gP8ri/mHllCuacmEx
CF0f/mH4azjsY9Xj2kU0g6ofzIVxIRkHCh0ET4yhlNuOTIHhcfV96R08
ykqJ0DOvTI0OAqbJ0c9yMY3/GcVCu7pvBEUZPCeww7T6M6N/U2vzzsLs
DO0IDkD7bIi3VYTrq3J8oAGa3g1K+niLk1ybT7v6Z/kO79LcLsYaoLs4
2Tws3KPpGTGASK4AS928lzMNLoGaK8mzkLeSTGiz/47ppcpIzPe1/7u1 aHG+DA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar  4 12:03:56 2014
;; MSG SIZE  rcvd: 767

root@perso:~ # ods-ksmutil key list --zone hirlimann.net
Keys:
Zone:                           Keytype:      State:    Date of next transition:
hirlimann.net                   KSK           active    2014-07-12 08:59:24
hirlimann.net                   ZSK           active    2014-03-08 10:23:21


I'm wondering if the issue is related to my ZSK key expiring soon. I've
seen nothing in logs. Shall I start doing KSK and ZSK rollovers ? (eg
I'd happily RTFM on the subject)

Ludo

-- 
http://sietch-tabr.tumblr.com/
http://www.flickr.com/photos/lhirlimann/
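
An added example, not part of the original post: a monitoring check that parses the RRSIG lines of `dig +dnssec` output and reports whether each signature's validity window has passed, using the expiration and inception fields visible in the output above. The function names, the three-day warning threshold and the inlined sample (key and signature data elided) are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# RRSIG rdata order in dig output (RFC 4034 section 3.2): type covered, algorithm,
# labels, original TTL, expiration, inception, key tag, signer name.
# \s+ also spans the line wrap seen in the mail.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE,
)

def parse_ts(value):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(dig_output, now=None, warn=timedelta(days=3)):
    """Return one finding per RRSIG: expired, not-yet-valid, expiring or valid."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for m in RRSIG_RE.finditer(dig_output):
        inception, expiration = parse_ts(m["inc"]), parse_ts(m["exp"])
        if now > expiration:
            status = "expired"
        elif now < inception:
            status = "not-yet-valid"
        elif expiration - now < warn:  # hypothetical alerting threshold
            status = "expiring"
        else:
            status = "valid"
        findings.append({
            "owner": m["owner"], "covered": m["covered"], "key_tag": int(m["tag"]),
            "status": status,
            "seconds_left": int((expiration - now).total_seconds()),
        })
    return findings

# Constructed sample: the RRSIG header fields from the post, key and signature data elided.
SAMPLE = """\
hirlimann.net.        3600    IN    DNSKEY    256 3 8 (key data elided)
hirlimann.net.        3600    IN    RRSIG    DNSKEY 8 2 3600
20140221061642 20140213221414 49361 hirlimann.net.
(signature data elided)
"""

if __name__ == "__main__":
    # dig's WHEN line (12:03:05) taken as CET per the `date` output, i.e. 11:03:05 UTC.
    when = datetime(2014, 3, 4, 11, 3, 5, tzinfo=timezone.utc)
    for finding in check_rrsigs(SAMPLE, now=when):
        print(finding)
```

Run against the query time in the post, the DNSKEY RRSIG made with key tag 49361 comes back as expired; run periodically with the default threshold, the same check would have reported `expiring` before the window closed.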

