Switching from openssl-1.0.1 to openssl-0.9.8 seems to have fixed the problem.

On 2 Jun 2012, at 9:57 AM, David Kreindler wrote:

> Running BIND 9.9.1, 9.9.0 or 9.7.6 on AIX 5.2, we are experiencing
> intermittent failures signing zones, both with named and with dnssec-signzone.
>
> We first noticed the problem when BIND 9.9.1's inline signing resulted in
> zones with missing RRSIGs.
>
> When we turned off "auto-dnssec maintain" & "inline signing yes" for those
> zones and attempted to sign them with dnssec-signzone, most of the small
> zones were signed successfully, but the large zones failed with "Missing
> RSASHA1 signature" verification messages (using dnssec-signzone's -a option).
>
> Adding "-v 2" to the command seemed to suggest that the "missing" signatures
> actually were being generated and verified, though dnssec-signzone still
> failed.
>
> Immediately attempting again to sign the zone with the same dnssec-signzone
> command results in a different error message:
>
> "dnssec-signzone: fatal: No self-signed KSK DNSKEY found. Supply an
> active key with the KSK flag set, or use '-P'."
>
> Oddly, this error message is preceded by dnssec-signzone writing to the
> terminal that it has successfully fetched the KSK along with an active and a
> standby ZSK (using dnssec-signzone's -S option).
>
> We have ruled out memory and disk space limitations. We suspected a lack of
> entropy, since the errors changed each time we ran the dnssec-signzone
> command, so we tried using both dnssec-signzone's -p option and "-r
> /dev/urandom", to no avail.
>
> The problem seems to have arisen spontaneously, after years of successful
> DNSSEC and months of successful BIND 9.9. We can identify no changes to the
> system except the upgrade (about four days before the first occurrence of the
> problem) to 9.9.1 -- but reverting to 9.9.0 and even 9.7.6 does not correct
> the problem.
>
> Do you have any ideas about what the source of the problem might be or how to
> go about troubleshooting further?

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users