[Opendnssec-user] ods-signer not working anymore ?

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Mar 4 11:14:24 UTC 2014


Hi,

I would like to know some more so that I can delve into this:

1. Can you provide the version used?

2. Can you increase the verbosity to 5 and schedule a sign again and 
provide those logs?

$ ods-signer verbosity 5
$ ods-signer sign hirlimann.net

3. Do the DNSKEY queries match the records in the signed file that the 
signer has produced?

4. What is the last time the signed file has been changed (fstat)?

Thanks,

Best regards,
   Matthijs

On 04-03-14 12:08, Ludovic Hirlimann wrote:
> Hi,
>
> today I've discovered that ods-signer stopped working 10+ days ago on my
> domain.
> I don't understand why it doesn't sign anymore :
>
> http://dnsviz.net/d/hirlimann.net/dnssec/
>
> perso:~ # dig +dnssec hirlimann.net dnskey @127.0.0.1
>
> ; <<>> DiG 9.8.3-P4 <<>> +dnssec hirlimann.net dnskey @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44230
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;hirlimann.net.            IN    DNSKEY
>
> ;; ANSWER SECTION:
> hirlimann.net.        3600    IN    DNSKEY    257 3 8
> AwEAAdGy0YLcGHD5R3Q9QY0aVV4BMjiS6Ev6m3rhkFsT1nFWkXhuLXit
> bJ2bejtFX3ebKpSexpdMN9fv98nhLmaSva0iaH0jMcCaGNqky6bDjlvi
> dWGVmXsINaH8rYqzAC2AgvUaOeDgTPUB74KMngtA36qT9+U0ruFWbwwu
> FoUSB42axWWmnd4pcKjBsXqn9OvcS/9WiiG0B59Pmegje/P8Qebjg+ps
> 8IoN44HPVfxjlcBjYzwvi1hujOiDeAyBcNcrI5Ql+PW1eFWejU6idXdD
> 4xgH0zBBrQu16WoVahIGc5e+PRH+FqJa2S10svfKMF9Vu4VgoybLeV7g EimuonuydD8=
> hirlimann.net.        3600    IN    DNSKEY    256 3 8
> AwEAAcOIAzr5Pzuyc6Hisw15I7KK2RjmDGnB7fQB55CDnJJdW0iPNwxa
> E4vOUGjkB/hosFra+JDDxoGoyhDWQGzhTcIHqUC24PngxxFxjpFAoE6r
> 6YpGYl2Lu+/inqykpkd59d4Ur7GLmLGqatHerqpg73sd009lhZ2+HYXf nGyEms5d
> hirlimann.net.        3600    IN    RRSIG    DNSKEY 8 2 3600
> 20140221061642 20140213221414 49361 hirlimann.net.
> V/gvWUkRvnTOYb3ujYiB9TJZ90UFS4KAus8PrcYoc08FllkW7hihzofO
> FaGBuQSyF5pyV+M3x7Gs+u9hERfYsqnRngkzAX6gP8ri/mHllCuacmEx
> CF0f/mH4azjsY9Xj2kU0g6ofzIVxIRkHCh0ET4yhlNuOTIHhcfV96R08
> ykqJ0DOvTI0OAqbJ0c9yMY3/GcVCu7pvBEUZPCeww7T6M6N/U2vzzsLs
> DO0IDkD7bIi3VYTrq3J8oAGa3g1K+niLk1ybT7v6Z/kO79LcLsYaoLs4
> 2Tws3KPpGTGASK4AS928lzMNLoGaK8mzkLeSTGiz/47ppcpIzPe1/7u1 aHG+DA==
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Mar  4 12:03:05 2014
> ;; MSG SIZE  rcvd: 767
>
> root@perso:~ # date
> Tue Mar  4 12:03:20 CET 2014
> root@perso:~ # ods-signer sign hirlimann.net
> Zone hirlimann.net scheduled for immediate re-sign.
>
> root@perso:~ # rndc reload
> server reload successful
> root@perso:~ # dig +dnssec hirlimann.net dnskey @127.0.0.1
>
> ; <<>> DiG 9.8.3-P4 <<>> +dnssec hirlimann.net dnskey @127.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61871
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 4096
> ;; QUESTION SECTION:
> ;hirlimann.net.            IN    DNSKEY
>
> ;; ANSWER SECTION:
> hirlimann.net.        3600    IN    DNSKEY    256 3 8
> AwEAAcOIAzr5Pzuyc6Hisw15I7KK2RjmDGnB7fQB55CDnJJdW0iPNwxa
> E4vOUGjkB/hosFra+JDDxoGoyhDWQGzhTcIHqUC24PngxxFxjpFAoE6r
> 6YpGYl2Lu+/inqykpkd59d4Ur7GLmLGqatHerqpg73sd009lhZ2+HYXf nGyEms5d
> hirlimann.net.        3600    IN    DNSKEY    257 3 8
> AwEAAdGy0YLcGHD5R3Q9QY0aVV4BMjiS6Ev6m3rhkFsT1nFWkXhuLXit
> bJ2bejtFX3ebKpSexpdMN9fv98nhLmaSva0iaH0jMcCaGNqky6bDjlvi
> dWGVmXsINaH8rYqzAC2AgvUaOeDgTPUB74KMngtA36qT9+U0ruFWbwwu
> FoUSB42axWWmnd4pcKjBsXqn9OvcS/9WiiG0B59Pmegje/P8Qebjg+ps
> 8IoN44HPVfxjlcBjYzwvi1hujOiDeAyBcNcrI5Ql+PW1eFWejU6idXdD
> 4xgH0zBBrQu16WoVahIGc5e+PRH+FqJa2S10svfKMF9Vu4VgoybLeV7g EimuonuydD8=
> hirlimann.net.        3600    IN    RRSIG    DNSKEY 8 2 3600
> 20140221061642 20140213221414 49361 hirlimann.net.
> V/gvWUkRvnTOYb3ujYiB9TJZ90UFS4KAus8PrcYoc08FllkW7hihzofO
> FaGBuQSyF5pyV+M3x7Gs+u9hERfYsqnRngkzAX6gP8ri/mHllCuacmEx
> CF0f/mH4azjsY9Xj2kU0g6ofzIVxIRkHCh0ET4yhlNuOTIHhcfV96R08
> ykqJ0DOvTI0OAqbJ0c9yMY3/GcVCu7pvBEUZPCeww7T6M6N/U2vzzsLs
> DO0IDkD7bIi3VYTrq3J8oAGa3g1K+niLk1ybT7v6Z/kO79LcLsYaoLs4
> 2Tws3KPpGTGASK4AS928lzMNLoGaK8mzkLeSTGiz/47ppcpIzPe1/7u1 aHG+DA==
>
> ;; Query time: 0 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Tue Mar  4 12:03:56 2014
> ;; MSG SIZE  rcvd: 767
>
> root@perso:~ # ods-ksmutil key list --zone hirlimann.net
> Keys:
> Zone:                           Keytype:      State:    Date of next transition:
> hirlimann.net                   KSK           active    2014-07-12 08:59:24
> hirlimann.net                   ZSK           active    2014-03-08 10:23:21
>
>
> I'm wondering if the issue is related to my ZSK key expiring soon. I've
> seen nothing in logs. Shall I start doing KSK and ZSK rollovers ? (e.g.
> I'd happily RTFM on the subject)
>
> Ludo
>
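
A check for the symptom visible in the quoted `dig` output, added here as an example and not part of either post: it parses RRSIG records out of `dig +dnssec` text (mail-quoted and line-wrapped input included) and reports signatures whose expiration time has passed. The sample input is constructed from the RRSIG header fields shown in the thread with placeholder key and signature data, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample: RRSIG header fields as shown in the thread, mail-quoted
# and line-wrapped, with placeholder key and signature data.
SAMPLE = """\
> ;; ANSWER SECTION:
> hirlimann.net.        3600    IN    DNSKEY    256 3 8
> PLACEHOLDERKEY==
> hirlimann.net.        3600    IN    RRSIG    DNSKEY 8 2 3600
> 20140221061642 20140213221414 49361 hirlimann.net.
> PLACEHOLDERSIG==
"""

# owner TTL IN RRSIG covered alg labels origttl expiration inception keytag signer
RRSIG_RE = re.compile(
    r"(?<!\S)(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)")

def _utc(stamp):
    """RRSIG times are printed as YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(dig_text):
    """Return one dict per RRSIG found in dig output, tolerating wrapping."""
    kept = []
    for raw in dig_text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()   # drop mail quoting
        if line and not line.startswith(";"):          # drop dig comments
            kept.append(line)
    flat = " ".join(kept)                              # undo line wrapping
    return [{"owner": m.group(1), "covered": m.group(2),
             "expiration": _utc(m.group(3)), "inception": _utc(m.group(4)),
             "key_tag": int(m.group(5)), "signer": m.group(6)}
            for m in RRSIG_RE.finditer(flat)]

def expired_rrsigs(dig_text, now):
    """List (covered type, key tag, whole days past expiration) for stale RRSIGs."""
    return [(r["covered"], r["key_tag"], (now - r["expiration"]).days)
            for r in parse_rrsigs(dig_text) if r["expiration"] <= now]

if __name__ == "__main__":
    # Time of the `date` call in the thread: 12:03:20 CET = 11:03:20 UTC.
    when = datetime(2014, 3, 4, 11, 3, 20, tzinfo=timezone.utc)
    for covered, tag, days in expired_rrsigs(SAMPLE, when):
        print(f"RRSIG {covered} (key tag {tag}) expired {days} days ago")
```

Run against the authoritative server's answers for each signed RRset, this kind of check catches a stalled signer before resolvers start failing validation.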



