[Opendnssec-user] zones with TLSA records need to: ods-signerd: [tools] unable to read zone

Michael Grimm trashcan at odo.in-berlin.de
Sun Apr 26 12:51:15 UTC 2015


Hi —

Michael Grimm <trashcan at odo.in-berlin.de> wrote:

> I recently noticed, after trying to modify one of my zones, that some of my zones fail zone transfers (one example):
[…]
> All failing zones do have TLSA records in contrast to those zones transferring well.
> Thus I did remove those TLSA records for testing, and yes, now zone transfers work without any issue.

As a workaround I did switch to 'Adapter type="File"' in the <input> section of zonelist.xml for those zones. Now, those records are signed as expected. And, the signed zone is transferred to my nsd slaves without errors.

Thus, I am left with understanding/debugging why xfr from my nsd hidden primary will fail for zones with TLSA records set, and why the very same zone files with commented TLSA records can be xfr-ed without any issue.

Any ideas?

Thanks and with kind regards,
Michael



