- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: 2.1.8
- Fix Version/s: None
- Component/s: None
- Labels: None
- Environment: RHEL 9
Setting NSEC3 params according to https://datatracker.ietf.org/doc/rfc9276/ causes opendnssec to resign the whole zone after restart:
Sep 8 14:34:59 localhost ods-signerd[11874]: [engine] signer started (version 2.1.8), pid 11874
Sep 8 14:34:59 localhost ods-signerd[11874]: [zone] corrupted backup file zone test3456.si: read nsec3parameters error
Sep 8 14:34:59 localhost ods-signerd[11874]: [engine] unable to recover zone test3456.si from backup, performing full sign
Sep 8 14:34:59 localhost ods-signerd[11874]: [signconf] zone test3456.si signconf: RESIGN[PT2H] REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[unixtime]
Sep 8 14:34:59 localhost ods-signerd[11874]: [STATS] test3456.si 1662640499 RR[count=16 time=0(sec)] NSEC3[count=9 time=0(sec)] RRSIG[new=21 reused=0 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
In the signed zone there is a correct NSEC3PARAM:
[root@localhost opendnssec]# egrep -i NSEC3PARAM /var/opendnssec/signed/test3456.si
test3456.si. 0 IN NSEC3PARAM 1 0 0 -
We have:
[root@localhost opendnssec]# ods-enforcer zone list
Database set to: /var/opendnssec/kasp.db
Zones:
Zone: Policy: Next change: Signer Configuration:
test3456.si EC_NSEC3_SoftHSM Fri Sep 9 04:34:42 2022 /var/opendnssec/signconf/test3456.si.xml
[root@localhost opendnssec]# ods-enforcer key list -v
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
test3456.si KSK publish 2022-09-09 04:34:42 4096 13 295c6442e5aea27631c3ea1961216793 SoftHSM 55869
test3456.si ZSK ready 2022-09-09 04:34:42 4096 13 1541a1ccf06b2eb5d84236028ddbbe4f SoftHSM 28054
Kasp.xml is attached.
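As an added check, not part of this report or of OpenDNSSEC itself: a Python snippet that parses the signed zone's NSEC3PARAM record (handling the `-` form, which in presentation format means an empty salt, exactly what the RFC 9276 settings produce), lists deviations from the RFC 9276 recommendations, and scans ods-signerd log lines for zones that were fully re-signed because their backup could not be recovered. The sample record and log lines below are constructed from the ones quoted in the report.

```python
import re

# Constructed sample input, copied from the report above.
SIGNED_NSEC3PARAM = "test3456.si. 0 IN NSEC3PARAM 1 0 0 -"
SIGNER_LOG = """\
Sep 8 14:34:59 localhost ods-signerd[11874]: [engine] signer started (version 2.1.8), pid 11874
Sep 8 14:34:59 localhost ods-signerd[11874]: [zone] corrupted backup file zone test3456.si: read nsec3parameters error
Sep 8 14:34:59 localhost ods-signerd[11874]: [engine] unable to recover zone test3456.si from backup, performing full sign
"""


def parse_nsec3param(rr: str) -> dict:
    """Parse an NSEC3PARAM RR in presentation format (RFC 5155 section 4.3).
    Fields: owner ttl class type hash-alg flags iterations salt.
    The salt is hex digits, or a single '-' meaning an empty salt."""
    fields = rr.split()
    if len(fields) != 8 or fields[3].upper() != "NSEC3PARAM":
        raise ValueError(f"not an NSEC3PARAM RR: {rr!r}")
    owner, ttl, _cls, _type, alg, flags, iters, salt = fields
    salt_bytes = b"" if salt == "-" else bytes.fromhex(salt)
    return {"owner": owner, "ttl": int(ttl), "algorithm": int(alg),
            "flags": int(flags), "iterations": int(iters), "salt": salt_bytes}


def nsec3param_findings(p: dict) -> list:
    """Return the ways a parsed NSEC3PARAM deviates from RFC 9276 guidance
    (iterations 0, no salt) and from RFC 5155 (flags must be 0, SHA-1 only)."""
    out = []
    if p["algorithm"] != 1:
        out.append("hash algorithm should be 1 (SHA-1)")
    if p["flags"] != 0:
        out.append("NSEC3PARAM flags must be 0")
    if p["iterations"] != 0:
        out.append(f"iterations should be 0, got {p['iterations']}")
    if p["salt"]:
        out.append(f"salt should be empty, got {len(p['salt'])} bytes")
    return out


def zones_fully_resigned_after_restart(log: str) -> dict:
    """Map zone -> backup error for zones the signer could not recover from
    its backup file and therefore re-signed in full on startup."""
    corrupted, resigned = {}, {}
    for line in log.splitlines():
        m = re.search(r"corrupted backup file zone (\S+): (.+)$", line)
        if m:
            corrupted[m.group(1)] = m.group(2)
        m = re.search(r"unable to recover zone (\S+) from backup, performing full sign", line)
        if m and m.group(1) in corrupted:
            resigned[m.group(1)] = corrupted[m.group(1)]
    return resigned
```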