[Opendnssec-user] zone signed with wrong key

Emil Natan shlyoko at gmail.com
Tue Jul 18 14:57:45 UTC 2017


Hello,

opendnssec version 1.4.13.

The zonefile is signed with the 51915 ZSK when I'm expecting it to be signed
with the 37063 ZSK. The DNSKEY RRset contains all four keys and is correctly
signed with both KSKs. I forced signing with ods-signer sign zone, with the
same result.

# ods-ksmutil key list -z example.com -v
...
Keys:
Zone:        Keytype:  State:   Date of next transition (to):  Size:  Algorithm:  CKA_ID:                           Repository:  Keytag:
example.com  KSK       active   2017-03-29 15:38:36 (retire)   2048   8           379855eb637390420bb659c63e34875a  Keyper       31082
example.com  ZSK       retire   2017-07-30 23:59:30 (dead)     2048   8           898c304545fcf1bbd3b4f4dee01de431  Keyper       51915
example.com  KSK       ready    waiting for ds-seen (active)   2048   8           41cc87e43330a139c10daec84c926af6  Keyper       35999
example.com  ZSK       active   2017-10-30 21:59:30 (retire)   2048   8           569cfa7acc4e45518ba9c6bb64660b6d  Keyper       37063

From the signconf file for the zone:

<Keys>
        <TTL>PT3600S</TTL>
        <Key>
                <Flags>257</Flags>
                <Algorithm>8</Algorithm>
                <Locator>379855eb637390420bb659c63e34875a</Locator>
                <KSK />
                <Publish />
        </Key>

        <Key>
                <Flags>257</Flags>
                <Algorithm>8</Algorithm>
                <Locator>41cc87e43330a139c10daec84c926af6</Locator>
                <KSK />
                <Publish />
        </Key>

        <Key>
                <Flags>256</Flags>
                <Algorithm>8</Algorithm>
                <Locator>898c304545fcf1bbd3b4f4dee01de431</Locator>
                <Publish />
        </Key>

        <Key>
                <Flags>256</Flags>
                <Algorithm>8</Algorithm>
                <Locator>569cfa7acc4e45518ba9c6bb64660b6d</Locator>
                <ZSK />
                <Publish />
        </Key>
</Keys>

This is from the backup2 file, which is recent:
;;Key: locator 379855eb637390420bb659c63e34875a algorithm 8 flags 257 publish 1 ksk 1 zsk 0 rfc5011 0
;;Key: locator 41cc87e43330a139c10daec84c926af6 algorithm 8 flags 257 publish 1 ksk 1 zsk 0 rfc5011 0
;;Key: locator 898c304545fcf1bbd3b4f4dee01de431 algorithm 8 flags 256 publish 1 ksk 0 zsk 1 rfc5011 0
;;Key: locator 569cfa7acc4e45518ba9c6bb64660b6d algorithm 8 flags 256 publish 1 ksk 0 zsk 0 rfc5011 0

And here are the signatures created:
example.com.  86400  IN  RRSIG  SOA 8 2 86400 20170818133611 20170718123611 51915 example.com. IFHFZF7DTgwPATmWw3tLyEAYUdwGMhH9BCON4uGr7invMz64NRNLD142Yz...
example.com.  86400  IN  RRSIG  NS 8 2 86400 20170818133611 20170718123611 51915 example.com. K37AntYRr29Ad9H/EvlDsjwFHhLLnj4TBq2x93flDa4laMhyXdgKAQz0t4SnBp49...

Thank you in advance.
Emil
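The point of comparison in the report above is which key each side treats as the signing ZSK: the signconf gives the `<ZSK />` role to one locator, while the signer's backup2 state records `zsk 1` on another. Here is an added example (not part of the original post and not OpenDNSSEC's own code) that parses the signconf `<Keys>` element and the backup2 `;;Key:` lines, reports the ZSK locator on each side, and lists every key whose roles differ; the two sample inputs are constructed from the values quoted above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <Keys> element of the signconf quoted in the post,
# with the same locators, flags and role elements.
SIGNCONF = """<Keys><TTL>PT3600S</TTL>
<Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>379855eb637390420bb659c63e34875a</Locator><KSK /><Publish /></Key>
<Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>41cc87e43330a139c10daec84c926af6</Locator><KSK /><Publish /></Key>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>898c304545fcf1bbd3b4f4dee01de431</Locator><Publish /></Key>
<Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>569cfa7acc4e45518ba9c6bb64660b6d</Locator><ZSK /><Publish /></Key>
</Keys>"""

# Constructed sample: the ;;Key: lines of the signer's backup2 file from the post.
BACKUP2 = """;;Key: locator 379855eb637390420bb659c63e34875a algorithm 8 flags 257 publish 1 ksk 1 zsk 0 rfc5011 0
;;Key: locator 41cc87e43330a139c10daec84c926af6 algorithm 8 flags 257 publish 1 ksk 1 zsk 0 rfc5011 0
;;Key: locator 898c304545fcf1bbd3b4f4dee01de431 algorithm 8 flags 256 publish 1 ksk 0 zsk 1 rfc5011 0
;;Key: locator 569cfa7acc4e45518ba9c6bb64660b6d algorithm 8 flags 256 publish 1 ksk 0 zsk 0 rfc5011 0"""

ROLES = ("Publish", "KSK", "ZSK")  # same order as the publish/ksk/zsk fields

def signconf_roles(xml_text):
    """Map locator -> set of roles the signconf assigns (Publish/KSK/ZSK)."""
    roles = {}
    for key in ET.fromstring(xml_text).iter("Key"):
        loc = key.findtext("Locator").strip()
        roles[loc] = {child.tag for child in key if child.tag in ROLES}
    return roles

KEY_LINE = re.compile(r"^;;Key: locator (\w+) .*publish (\d) ksk (\d) zsk (\d)")

def backup_roles(text):
    """Map locator -> set of roles recorded in the signer's backup state."""
    roles = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            loc, *flags = m.groups()
            roles[loc] = {r for r, f in zip(ROLES, flags) if f == "1"}
    return roles

def signing_zsks(roles):
    """Locators carrying the ZSK role, i.e. the keys expected to sign zone data."""
    return sorted(loc for loc, r in roles.items() if "ZSK" in r)

def compare(signconf_text, backup_text):
    """Return (locator, signconf roles, backup roles) for every key that differs."""
    conf, state = signconf_roles(signconf_text), backup_roles(backup_text)
    return [(loc, sorted(conf.get(loc, ())), sorted(state.get(loc, ())))
            for loc in sorted(set(conf) | set(state))
            if conf.get(loc, set()) != state.get(loc, set())]

if __name__ == "__main__":
    print("signconf ZSK:", signing_zsks(signconf_roles(SIGNCONF)))
    print("backup2  ZSK:", signing_zsks(backup_roles(BACKUP2)))
    for loc, conf, state in compare(SIGNCONF, BACKUP2):
        print(f"MISMATCH {loc}: signconf={conf} backup2={state}")
```

On the quoted data the signconf names 569cfa7a... as the ZSK while backup2 names 898c3045... (key tag 51915), which is the key the RRSIGs above were made with.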