[Opendnssec-user] Zone not properly signed

Volker Janzen voja at voja.de
Tue Jul 19 18:32:23 UTC 2016


Hello,

I forgot to look in the logfile, too. As of the time of the monitoring alert I was able to identify these log entries from the time the zone broke:

Jul 19 01:25:56 a ods-enforcerd: Zone voja.de found.
Jul 19 01:25:56 a ods-enforcerd: Policy for voja.de set to default.
Jul 19 01:25:56 a ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/voja.de.xml.
Jul 19 01:25:56 a ods-enforcerd: WARNING: Making non-backed up ZSK active, PLEASE make sure that you know the potential problems of using keys which are not recoverable
Jul 19 01:25:56 a ods-enforcerd: INFO: ZSK has been rolled for voja.de
Jul 19 01:25:56 a ods-signerd: [signconf] zone voja.de signconf: RESIGN[PT7200S] REFRESH[PT1123200S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
Jul 19 01:25:56 a ods-enforcerd: Called signer engine: /usr/sbin/ods-signer update voja.de
[...]
Jul 19 01:25:56 a named[307]: received control channel command 'reload voja.de'
Jul 19 01:25:56 a ods-signerd: [STATS] voja.de 1468884356 RR[count=1 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=6 reused=212 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Jul 19 01:25:56 a named[307]: zone voja.de/IN: loaded serial 1468884356 (DNSSEC signed)
Jul 19 01:25:56 a named[307]: zone voja.de/IN: sending notifies (serial 1468884356)

There is one other domain with the warning, but that zone is okay.


Kind regards
    Volker


> On 19.07.2016 at 16:45, Hoda Rohani <hoda at nlnetlabs.nl> wrote:
> 
> Hello,
> 
> I'd like to see your key list (running 'ods-ksmutil key list -v --all').
> If the chain is still broken, the tmp and signed files might be helpful. If it is possible please send me those files.
> 
> Regards,
> Hoda Rohani
> 
>> On 19-07-16 16:06, Volker Janzen wrote:
>> Hi Jan-Piet,
>> 
>> I have not saved the old tmp entry, I forgot about that. :-(
>> 
>> But according to http://dnssec-debugger.verisignlabs.com/voja.de my live zone is still broken with the same error and available for further debugging.
>> 
>> The current signed file just has one NSEC3PARAM:
>> 
>> grep NSEC3PARAM voja.de
>> voja.de.        0       IN      NSEC3PARAM      1 0 5 843d90aeda8e8d67 
>> voja.de.        0       IN      RRSIG   NSEC3PARAM 8 2 0 20160802230408 20160719114534 53815 voja.de. cr34VLnEyYqrXwhRQkTTeOeiLRc6I7iQh50egme4XYyyXCtuj+paFHX7V834TAVZj05hA7Q82kl7RDfC5XGnvq6hkqexabNSNpwCNVKgAjpoAOBCtaY35iKNENzlic8MVkoasIj0I/eEg2bFwAhmy/gx0hmK3qwbcG5Nx3NUOvs=
>> 29f0g0hr67r1rqj4jju7q2ibolhavrfv.voja.de.       3600    IN      NSEC3   1 0 5 843d90aeda8e8d67  2t4icqlvbd9n0keb8onuohhtcuemfrfu A NS SOA MX AAAA SSHFP RRSIG DNSKEY NSEC3PARAM 
>> 
>> 
>> Regards,
>>    Volker
>> 
>> 
>> On 19.07.2016 at 15:52, Jan-Piet Mens <jpmens.dns at gmail.com> wrote:
>> 
>>>> What steps can I do to find out what might have gone wrong?
>>> 
>>> I hope you still have the intermediate (tmp/) and signed files? Check whether you have more than 1 NSEC3PARAM records in the output. I've frequently been bitten by that.
>>> 
>>>   -JP
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> Opendnssec-user at lists.opendnssec.org
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>> 
> 
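Jan-Piet's suggestion above (look for more than one NSEC3PARAM in the signed file) can be scripted rather than eyeballed with grep, which also matches the RRSIG and the NSEC3 type bitmaps. The script below is an added example, not from the thread or from OpenDNSSEC; it parses a signed zone in presentation format, counts NSEC3PARAM RRs by type field, and checks that every NSEC3 RR uses the same hash algorithm, iterations and salt as the published NSEC3PARAM. The sample zone text is constructed from the grep output in the thread plus a stale second NSEC3PARAM.

```python
# Consistency check for an OpenDNSSEC signed zone in presentation format.
# It flags the failure mode raised in the thread: more than one NSEC3PARAM RR
# in the signed output, and NSEC3 RRs whose hash parameters do not match the
# published NSEC3PARAM.  The sample zone text below is constructed.

def parse_records(zone_text):
    """Yield (owner, rtype, rdata_fields) per RR line; comments and blanks skip."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "IN" not in fields:
            continue
        cls = fields.index("IN")
        yield fields[0], fields[cls + 1], fields[cls + 2:]

def nsec3_params(rdata):
    # (hash algorithm, iterations, salt); flags are skipped on purpose because
    # NSEC3 may carry Opt-Out while NSEC3PARAM must have flags 0 (RFC 5155).
    return rdata[0], rdata[2], rdata[3].lower()

def check_nsec3_consistency(zone_text):
    """Return a list of problems; an empty list means the NSEC3 chain is consistent."""
    problems, params, nsec3 = [], [], []
    for owner, rtype, rdata in parse_records(zone_text):
        # Match on the RR type field, so the "grep NSEC3PARAM" false positives
        # (the RRSIG covering NSEC3PARAM, NSEC3 type bitmaps) are not counted.
        if rtype == "NSEC3PARAM":
            params.append(nsec3_params(rdata))
        elif rtype == "NSEC3":
            nsec3.append((owner, nsec3_params(rdata)))
    if len(params) != 1:
        problems.append(f"expected exactly 1 NSEC3PARAM RR, found {len(params)}")
    for owner, p in nsec3:
        if params and p != params[0]:
            problems.append(f"{owner}: NSEC3 {p} does not match NSEC3PARAM {params[0]}")
    return problems

# Constructed sample: the three records from the thread's grep output (signature
# shortened), then a stale second NSEC3PARAM and an NSEC3 hashed with its salt.
SAMPLE_ZONE = """\
voja.de.  0  IN  NSEC3PARAM  1 0 5 843d90aeda8e8d67
voja.de.  0  IN  RRSIG  NSEC3PARAM 8 2 0 20160802230408 20160719114534 53815 voja.de. cr34VL==
29f0g0hr67r1rqj4jju7q2ibolhavrfv.voja.de.  3600  IN  NSEC3  1 0 5 843d90aeda8e8d67 2t4icqlvbd9n0keb8onuohhtcuemfrfu A NS SOA MX AAAA SSHFP RRSIG DNSKEY NSEC3PARAM
voja.de.  0  IN  NSEC3PARAM  1 0 5 0123456789abcdef
d0v8bgk1pkg6h8q3cgj5trsrdd2gucc2.voja.de.  3600  IN  NSEC3  1 1 5 0123456789abcdef 29f0g0hr67r1rqj4jju7q2ibolhavrfv A RRSIG
"""
if __name__ == "__main__":
    for problem in check_nsec3_consistency(SAMPLE_ZONE):
        print(problem)
```

Run it against the signed file from /var/lib/opendnssec/signed/ (or the tmp/ copy) instead of SAMPLE_ZONE; a clean zone returns an empty list.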