[Opendnssec-user] zone signed with wrong key

Berry A.W. van Halderen berry at nlnetlabs.nl
Wed Jul 19 07:17:38 UTC 2017


On 07/19/2017 08:38 AM, Emil Natan wrote:
> Hi Berry,
> 
> Thank you very much for your response.
> 
> I do not think it's a matter of preserving signatures. First (and sorry
> for not bringing up this earlier) the policy in use has refresh interval
> of zero (<Refresh>PT0S</Refresh>) so all signatures should be generated
> every time the signer runs. Second, the signatures are always generated
> and I see the inception and expiration timestamps reflecting on that.
> Here is how the signature looks when I forced resign today:
> 
> example.com.  86400   IN      RRSIG   SOA 8 2 86400
> 20170819061448 20170719051448 51915 example.com.
> qj0MmG/W4XzY2TxePRHC7xCcqG2adU00FosgnWIkAFo9MnQkuzn5aXbU2wlcKQ16DhIpnGVmMQ5gMh9hxy....
> 
> Still ZSK with keytag 51915 is used instead of 37063.
> 
> "ods-signer update" helped though. After running it I see the zone
> signed with ZSK with keytag 37063. I do not know how it is different
> from restarting the signer which is the first thing I tried yesterday.
> 

Ah, that quite explains it.  Indeed the signer wasn't running at the time
the enforcer issued an "ods-signer update" command.  The enforcer has no
retry mechanism to do this, and you have the assumption that the signer
reads the signconf files during startup.  However this is not the case;
it uses these values from the backup files.  Hence the signer is never
really informed of a new signconf.

Your assumption isn't really strange, and I could imagine you want to,
but there are also some arguments for only reading in these files
upon explicit request.  So these are areas in which future releases may
differ, but the 1.4 will not change this behaviour.

With kind regards,
Berry van Halderen
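
The check a practitioner wants after an "ods-signer update" (or a signer restart) is whether the RRSIGs in the served zone now carry the keytag of the intended ZSK. The following script is an added example written for this thread; it is not OpenDNSSEC code and not from either poster. It parses dig-style DNSKEY and RRSIG lines, computes each DNSKEY's keytag per RFC 4034 Appendix B, and flags RRSIGs whose keytag matches no published DNSKEY, uses a KSK for ordinary data, or uses a ZSK other than the one you expect (37063 in the thread). The DNSKEY/RRSIG lines and the tiny base64 public keys in SAMPLE are constructed for the example, so their keytags are not the thread's 51915/37063; the expected keytag is a parameter you supply.

```python
"""Report which DNSKEY keytag signs each RRset in a signed zone.

Added example (not OpenDNSSEC's own code). Feed it the output of
`dig @signer example.com AXFR` or `dig +dnssec`; the SAMPLE below is
constructed data with toy public keys.
"""
import base64
import struct


def keytag(flags, protocol, algorithm, pubkey_b64):
    """Key tag from RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(text):
    """Yield (owner, rrtype, rdata_fields) from dig-style presentation lines."""
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # expected layout: owner ttl IN type rdata...
        yield fields[0], fields[3], fields[4:]


def audit(text, expected_zsk_tag=None):
    """Map every DNSKEY to its keytag, then check each RRSIG's keytag.

    Returns (keys, findings): keys is {keytag: flags}; findings is a list of
    (owner, covered_type, keytag, problem) for RRSIGs that match no published
    key, that use a KSK for non-DNSKEY data, or that use a ZSK other than
    expected_zsk_tag.
    """
    keys = {}
    for _owner, rrtype, rdata in parse_records(text):
        if rrtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            keys[keytag(flags, proto, alg, "".join(rdata[3:]))] = flags
    findings = []
    for owner, rrtype, rdata in parse_records(text):
        if rrtype != "RRSIG":
            continue
        # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
        covered, tag = rdata[0], int(rdata[6])
        if tag not in keys:
            findings.append((owner, covered, tag, "no DNSKEY with this keytag"))
        elif covered == "DNSKEY":
            continue  # the DNSKEY RRset is normally KSK-signed; nothing to flag
        elif keys[tag] & 1:  # SEP bit set: this is a KSK
            findings.append((owner, covered, tag, "signed with a KSK"))
        elif expected_zsk_tag is not None and tag != expected_zsk_tag:
            findings.append((owner, covered, tag,
                             "ZSK %d in use, expected %d" % (tag, expected_zsk_tag)))
    return keys, findings


# Constructed sample: toy 3-byte public keys, so keytags are small numbers.
SAMPLE = """
example.com.     3600  IN DNSKEY 257 3 8 AQID   ; KSK
example.com.     3600  IN DNSKEY 256 3 8 AQID   ; old ZSK
example.com.     3600  IN DNSKEY 256 3 8 BAUG   ; new ZSK, expected active
example.com.     86400 IN RRSIG SOA 8 2 86400 20170819061448 20170719051448 2058 example.com. c2ln
example.com.     3600  IN RRSIG DNSKEY 8 2 3600 20170819061448 20170719051448 2059 example.com. c2ln
www.example.com. 3600  IN RRSIG A 8 3 3600 20170819061448 20170719051448 4242 example.com. c2ln
"""

if __name__ == "__main__":
    keys, findings = audit(SAMPLE, expected_zsk_tag=3597)
    for tag, flags in sorted(keys.items()):
        print("DNSKEY keytag %5d flags %d (%s)" % (tag, flags, "KSK" if flags & 1 else "ZSK"))
    for owner, covered, tag, problem in findings:
        print("%s %s signed by keytag %d: %s" % (owner, covered, tag, problem))
```

Run it against a fresh AXFR of the zone from the signer: a finding of the form "ZSK 51915 in use, expected 37063" on every ordinary RRset is exactly the symptom in this thread, and a finding of "no DNSKEY with this keytag" means the zone will fail validation regardless of which key the enforcer intended.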