[Opendnssec-user] manual key rollover results in "1970-01-01 01:00:00"

Dennis Baaten dennis at baaten.com
Mon Nov 13 10:37:09 UTC 2017


> That timestamp indeed seems strange. If a rollover would have happened I would expect that value to be updated. Is the signer running? - what is it logging?
> 
> If you want I can take a look at your setup to make sure everything is in order. Can you provide me with the following details:
> 
> - output of: ods-enforcer key list -d
> - output of: ods-enforcer queue
> - timestamp on signconf of dennisbaaten.com off list:
> - signconf of dennisbaaten.com
> - kasp.db

As requested, the information below. 


****************

Signer is running and logging to syslog. I don't see anything strange in the logs. 


root@traxotic [~]$ service opendnssec-signer status
● opendnssec-signer.service - OpenDNSSEC signer daemon
   Loaded: loaded (/lib/systemd/system/opendnssec-signer.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2017-11-03 11:14:10 CET; 1 weeks 3 days ago
 Main PID: 17502 (ods-signerd)
    Tasks: 11 (limit: 4915)
   CGroup: /system.slice/opendnssec-signer.service
           └─17502 /usr/sbin/ods-signerd -d

Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [worker[2]] nothing to do
Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [drudger[4]] report for duty
Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [drudger[4]] nothing to do, wait
Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [drudger[2]] report for duty
Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [drudger[2]] nothing to do, wait
Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [worker[3]] finished working on zone otherdomain.nl
Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [scheduler] schedule task [sign] for zone otherdomain.nl
Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [task] On Mon Nov 13 13:14:11 2017 I will [sign] zone otherdomain.nl
Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [worker[3]] report for duty
Nov 13 11:14:11 traxotic.net ods-signerd[17502]: [worker[3]] nothing to do


****************


root@traxotic [~]$ ods-enforcer key list -d | grep dennisbaaten.com
key list completed in 0 seconds.
dennisbaaten.com                ZSK           NA           unretentive  NA           unretentive  0    0    ce3507796d7c176695bbfdc18f100fc6
dennisbaaten.com                ZSK           NA           omnipresent  NA           omnipresent  1    1    49bad7794a2e2c4d5f44755f33317982
dennisbaaten.com                KSK           omnipresent  omnipresent  omnipresent  NA           1    1    f82e46fa26d4772c3b09db259aa41a30
dennisbaaten.com                ZSK           NA           rumoured     NA           hidden       1    0    75602642359504fa4d1decc0d7ab37e4


****************


root@traxotic [~]$ ods-enforcer queue
There are 0 tasks scheduled.
It is now Mon Nov 13 11:11:20 2017 (1510567880 seconds since epoch)
queue completed in 0 seconds.


****************


root@traxotic [/var/lib/opendnssec/signconf]$ ll | grep dennisbaaten
-rw-r--r--  1 opendnssec opendnssec 1124 Nov  3 11:13 dennisbaaten_com.xml
-rw-r--r--  1 opendnssec opendnssec 1115 Oct 19 22:07 dennisbaaten_com.xml.OLD


****************


root@traxotic [/var/lib/opendnssec/signconf]$ cat dennisbaaten_com.xml
<?xml version="1.0" encoding="UTF-8"?>
<SignerConfiguration>
  <Zone name="dennisbaaten.com">
    <Signatures>
      <Resign>PT2H</Resign>
      <Refresh>P3D</Refresh>
      <Validity>
        <Default>P14D</Default>
        <Denial>P14D</Denial>
      </Validity>
      <Jitter>PT12H</Jitter>
      <InceptionOffset>PT1H</InceptionOffset>
      <MaxZoneTTL>P1D</MaxZoneTTL>
    </Signatures>
    <Denial>
      <NSEC/>
    </Denial>
    <Keys>
      <TTL>PT12H</TTL>
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>ce3507796d7c176695bbfdc18f100fc6</Locator>
      </Key>
      <Key>
        <Flags>256</Flags>
        <Algorithm>8</Algorithm>
        <Locator>49bad7794a2e2c4d5f44755f33317982</Locator>
        <ZSK/>
        <Publish/>
      </Key>
      <Key>
        <Flags>257</Flags>
        <Algorithm>8</Algorithm>
        <Locator>f82e46fa26d4772c3b09db259aa41a30</Locator>
        <KSK/>
        <Publish/>
      </Key>
    </Keys>
    <SOA>
      <TTL>PT1H</TTL>
      <Minimum>PT1H</Minimum>
      <Serial>datecounter</Serial>
    </SOA>
  </Zone>
</SignerConfiguration>


****************


root@traxotic [~]$ db_dump -p /var/lib/opendnssec/kasp.db
db_dump: BDB0641 __db_meta_setup: /var/lib/opendnssec/kasp.db: unexpected file type or format
db_dump: BDB5115 open: /var/lib/opendnssec/kasp.db: Invalid argument

I'm not able to dump the kasp.db database file. Maybe due to a versioning incompatibility (.db file versus db_dump)?


-- 
Dennis
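
A cross-check of the two views posted above, the enforcer's key list and the signer's signconf, as an added example that is not part of the original message and not OpenDNSSEC's own code. It assumes the last three columns of `ods-enforcer key list -d` are the publish flag, the active flag and the key locator; the function names are hypothetical and the sample input is copied from the output in this post.

```python
import xml.etree.ElementTree as ET

# Sample input copied from the post (whitespace collapsed, signconf cut to <Keys>).
KEY_LIST = """\
dennisbaaten.com ZSK NA unretentive NA unretentive 0 0 ce3507796d7c176695bbfdc18f100fc6
dennisbaaten.com ZSK NA omnipresent NA omnipresent 1 1 49bad7794a2e2c4d5f44755f33317982
dennisbaaten.com KSK omnipresent omnipresent omnipresent NA 1 1 f82e46fa26d4772c3b09db259aa41a30
dennisbaaten.com ZSK NA rumoured NA hidden 1 0 75602642359504fa4d1decc0d7ab37e4
"""
SIGNCONF = """<SignerConfiguration><Zone name="dennisbaaten.com"><Keys>
<Key><Flags>256</Flags><Locator>ce3507796d7c176695bbfdc18f100fc6</Locator></Key>
<Key><Flags>256</Flags><Locator>49bad7794a2e2c4d5f44755f33317982</Locator><ZSK/><Publish/></Key>
<Key><Flags>257</Flags><Locator>f82e46fa26d4772c3b09db259aa41a30</Locator><KSK/><Publish/></Key>
</Keys></Zone></SignerConfiguration>"""


def enforcer_keys(text, zone):
    """Map locator -> (publish, active) from `ods-enforcer key list -d` rows."""
    keys = {}
    for line in text.splitlines():
        f = line.split()
        # Assumed layout: zone, role, four state columns, Pub, Act, locator.
        if len(f) == 9 and f[0] == zone:
            keys[f[8]] = (f[6] == "1", f[7] == "1")
    return keys


def signconf_keys(xml_text):
    """Map locator -> (publish, active) from the <Keys> section of a signconf."""
    keys = {}
    for key in ET.fromstring(xml_text).iter("Key"):
        active = key.find("ZSK") is not None or key.find("KSK") is not None
        keys[key.findtext("Locator")] = (key.find("Publish") is not None, active)
    return keys


def compare(key_list, signconf, zone):
    """Return (locator, reason) for every key on which the two views disagree."""
    enf, sc = enforcer_keys(key_list, zone), signconf_keys(signconf)
    diffs = []
    for loc, flags in enf.items():
        # A key the enforcer neither publishes nor uses may be absent from signconf.
        if sc.get(loc, (False, False)) != flags:
            diffs.append((loc, "flags differ" if loc in sc else "missing from signconf"))
    diffs += [(loc, "not in enforcer key list") for loc in sc if loc not in enf]
    return diffs


if __name__ == "__main__":
    print(compare(KEY_LIST, SIGNCONF, "dennisbaaten.com"))
```

On the data above it reports only key 75602642359504fa4d1decc0d7ab37e4, which the key list shows with publish flag 1 but which does not appear in the signconf dated Nov 3.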




