[Opendnssec-user] Zone not properly signed

Volker Janzen voja at voja.de
Tue Jul 19 19:29:01 UTC 2016


Hi Yuri,

I can confirm that

ods-signer clear voja.de
ods-signer sign voja.de

fixes my problem.

1.4.6 is the latest available version for Debian Jessie. The 1.4.10 package is available from testing/unstable only. I need to evaluate if I can upgrade the signer VM to Debian testing. Is there anything I need to look for when migrating from 1.4.6 to 1.4.10?


Regards,
    Volker


> On 19.07.2016 at 20:54, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
> 
> Hi Volker,
> 
> Quite a few problems since 1.4.6 have surfaced regarding SOA serial
> and XFR (bump-in-wire setups). We have worked very hard to resolve those
> and the latest result of that is 1.4.10. Please consider upgrading, it
> is very likely to fix whatever bug you are facing.
> 
> Your message doesn't contain much information so I have no idea why your
> new ZSK is producing bad signatures. Hopefully you can repair it by
> resigning your zone:
> 
> ods-signer clear voja.de
> ods-signer sign voja.de
> 
> ///Yuri
> 
>> On 19-07-16 14:36, Volker Janzen wrote:
>> Hi,
>> 
>> my monitoring found one zone in OpenDNSSEC that was not properly signed.
>> It's the domain I'm sending from: voja.de.
>> 
>> I found that one of my slaves had a wrong serial for the zone, I forced
>> him to fetch the current zone, but that does not solve my issue.
>> 
>> I backed up the signed zone file that was broken. dnsviz has the error
>> in its history. This entry is the last that was working:
>> http://dnsviz.net/d/voja.de/V40wvQ/dnssec/
>> 
>> As it's an important domain I forced the domain to go insecure at the
>> registry level, because I already found validating resolvers that are no
>> longer able to resolve the zone.
>> 
>> What steps can I do to find out what might have gone wrong?
>> 
>> I'm running OpenDNSSEC 1.4.6 on Debian Jessie.
>> 
>> 
>> Regards,
>>   Volker
>> 
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 