[OPENDNSSEC-437] Signature problem on SOA RRset - OpenDNSSEC

XML

Word

Printable

Details

Type: Bug
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 1.4.1
Fix Version/s: 1.4.13, 2.1.0
Component/s: Signer
Labels:
None

Sprint:
1.4.2, 1.4.7rc1

Description

Mathieu Arnold reported:

Yesterday, my monitoring reported a lot of faulty zones, validns complained
of :

validns -p all -z 1-wire.fr master/1-wire.fr.signed
master/1-wire.fr.signed:15: 1-wire.fr. RRSIG(SOA): cannot verify the
signature

And some more info:

What RRtypes where bogus? Only SOA or also other RRtypes?

Only the SOA is.

If only SOA, what are your SOA parameters (from kasp.xml)?

<SOA>
<TTL>PT12H</TTL>
<Minimum>PT10M</Minimum>
<Serial>counter</Serial>
</SOA>

What HSM are you using?

SoftHSM.

Was there anything special going on (ods-signer commands, change in

signconf parameters, ...)

There might have been a ZSK rollover before that.

I suspect a corner case condition where either:

the signature for the updated soa record was not renewed, or
the signature was renewed before updating the soa record

Attachments

Issue Links

relates to

OPENDNSSEC-451 Signer mixed up CKA_ID, key tag, public key

Closed

Activity

People

Assignee:: Hoda Rohani

Reporter:: Matthijs Mekking

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2013-07-25 15:08

Updated:: 2016-11-10 16:37

Resolved:: 2016-11-10 16:37

Time Tracking

Estimated:

4d

Remaining:

4d

Logged:

Not Specified