Hi, today I've discovered that ods-signer stopped working 10+ days ago on my domain. I don't understand why it doesn't sign anymore:
http://dnsviz.net/d/hirlimann.net/dnssec/

perso:~ # dig +dnssec hirlimann.net dnskey @127.0.0.1

; <<>> DiG 9.8.3-P4 <<>> +dnssec hirlimann.net dnskey @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44230
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hirlimann.net. IN DNSKEY

;; ANSWER SECTION:
hirlimann.net. 3600 IN DNSKEY 257 3 8 AwEAAdGy0YLcGHD5R3Q9QY0aVV4BMjiS6Ev6m3rhkFsT1nFWkXhuLXit bJ2bejtFX3ebKpSexpdMN9fv98nhLmaSva0iaH0jMcCaGNqky6bDjlvi dWGVmXsINaH8rYqzAC2AgvUaOeDgTPUB74KMngtA36qT9+U0ruFWbwwu FoUSB42axWWmnd4pcKjBsXqn9OvcS/9WiiG0B59Pmegje/P8Qebjg+ps 8IoN44HPVfxjlcBjYzwvi1hujOiDeAyBcNcrI5Ql+PW1eFWejU6idXdD 4xgH0zBBrQu16WoVahIGc5e+PRH+FqJa2S10svfKMF9Vu4VgoybLeV7g EimuonuydD8=
hirlimann.net. 3600 IN DNSKEY 256 3 8 AwEAAcOIAzr5Pzuyc6Hisw15I7KK2RjmDGnB7fQB55CDnJJdW0iPNwxa E4vOUGjkB/hosFra+JDDxoGoyhDWQGzhTcIHqUC24PngxxFxjpFAoE6r 6YpGYl2Lu+/inqykpkd59d4Ur7GLmLGqatHerqpg73sd009lhZ2+HYXf nGyEms5d
hirlimann.net. 3600 IN RRSIG DNSKEY 8 2 3600 20140221061642 20140213221414 49361 hirlimann.net. V/gvWUkRvnTOYb3ujYiB9TJZ90UFS4KAus8PrcYoc08FllkW7hihzofO FaGBuQSyF5pyV+M3x7Gs+u9hERfYsqnRngkzAX6gP8ri/mHllCuacmEx CF0f/mH4azjsY9Xj2kU0g6ofzIVxIRkHCh0ET4yhlNuOTIHhcfV96R08 ykqJ0DOvTI0OAqbJ0c9yMY3/GcVCu7pvBEUZPCeww7T6M6N/U2vzzsLs DO0IDkD7bIi3VYTrq3J8oAGa3g1K+niLk1ybT7v6Z/kO79LcLsYaoLs4 2Tws3KPpGTGASK4AS928lzMNLoGaK8mzkLeSTGiz/47ppcpIzPe1/7u1 aHG+DA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 4 12:03:05 2014
;; MSG SIZE rcvd: 767

root@perso:~ # date
Tue Mar 4 12:03:20 CET 2014

root@perso:~ # ods-signer sign hirlimann.net
Zone hirlimann.net scheduled for immediate re-sign.
root@perso:~ # rndc reload
server reload successful

root@perso:~ # dig +dnssec hirlimann.net dnskey @127.0.0.1

; <<>> DiG 9.8.3-P4 <<>> +dnssec hirlimann.net dnskey @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61871
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;hirlimann.net. IN DNSKEY

;; ANSWER SECTION:
hirlimann.net. 3600 IN DNSKEY 256 3 8 AwEAAcOIAzr5Pzuyc6Hisw15I7KK2RjmDGnB7fQB55CDnJJdW0iPNwxa E4vOUGjkB/hosFra+JDDxoGoyhDWQGzhTcIHqUC24PngxxFxjpFAoE6r 6YpGYl2Lu+/inqykpkd59d4Ur7GLmLGqatHerqpg73sd009lhZ2+HYXf nGyEms5d
hirlimann.net. 3600 IN DNSKEY 257 3 8 AwEAAdGy0YLcGHD5R3Q9QY0aVV4BMjiS6Ev6m3rhkFsT1nFWkXhuLXit bJ2bejtFX3ebKpSexpdMN9fv98nhLmaSva0iaH0jMcCaGNqky6bDjlvi dWGVmXsINaH8rYqzAC2AgvUaOeDgTPUB74KMngtA36qT9+U0ruFWbwwu FoUSB42axWWmnd4pcKjBsXqn9OvcS/9WiiG0B59Pmegje/P8Qebjg+ps 8IoN44HPVfxjlcBjYzwvi1hujOiDeAyBcNcrI5Ql+PW1eFWejU6idXdD 4xgH0zBBrQu16WoVahIGc5e+PRH+FqJa2S10svfKMF9Vu4VgoybLeV7g EimuonuydD8=
hirlimann.net. 3600 IN RRSIG DNSKEY 8 2 3600 20140221061642 20140213221414 49361 hirlimann.net. V/gvWUkRvnTOYb3ujYiB9TJZ90UFS4KAus8PrcYoc08FllkW7hihzofO FaGBuQSyF5pyV+M3x7Gs+u9hERfYsqnRngkzAX6gP8ri/mHllCuacmEx CF0f/mH4azjsY9Xj2kU0g6ofzIVxIRkHCh0ET4yhlNuOTIHhcfV96R08 ykqJ0DOvTI0OAqbJ0c9yMY3/GcVCu7pvBEUZPCeww7T6M6N/U2vzzsLs DO0IDkD7bIi3VYTrq3J8oAGa3g1K+niLk1ybT7v6Z/kO79LcLsYaoLs4 2Tws3KPpGTGASK4AS928lzMNLoGaK8mzkLeSTGiz/47ppcpIzPe1/7u1 aHG+DA==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Mar 4 12:03:56 2014
;; MSG SIZE rcvd: 767

root@perso:~ # ods-ksmutil key list --zone hirlimann.net
Keys:
Zone:            Keytype:   State:    Date of next transition:
hirlimann.net    KSK        active    2014-07-12 08:59:24
hirlimann.net    ZSK        active    2014-03-08 10:23:21

I'm wondering if the issue is related to my ZSK key expiring soon. I've seen nothing in logs. Shall I start doing KSK and ZSK rollovers? (e.g. I'd happily RTFM on the subject)

Ludo
--
http://sietch-tabr.tumblr.com/
http://www.flickr.com/photos/lhirlimann/
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
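
Added example, not part of the original message or of OpenDNSSEC: a check that reads the RRSIG validity window out of `dig +dnssec` output like the session above and compares it with a reference time. The function name `check_rrsigs`, the placeholder signature text and the second sample record are constructed for illustration; the first sample record uses the RRSIG fields shown in the message, and timestamps are assumed to be in dig's YYYYMMDDHHmmSS UTC form.

```python
import re
from datetime import datetime, timezone

# RRSIG presentation format (RFC 4034): type covered, algorithm, labels,
# original TTL, signature expiration, signature inception, key tag, signer.
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<exp>\d{14})\s+(?P<inc>\d{14})\s+(?P<tag>\d+)\s+(?P<signer>\S+)",
    re.MULTILINE,
)

def _ts(text):
    # dig prints both timestamps as YYYYMMDDHHmmSS, always in UTC
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsigs(dig_output, now=None):
    """Return one dict per RRSIG line with its status at time `now`."""
    now = now or datetime.now(timezone.utc)
    results = []
    for m in RRSIG_RE.finditer(dig_output):
        inception, expiration = _ts(m["inc"]), _ts(m["exp"])
        if now > expiration:
            status = "expired"
        elif now < inception:
            status = "not-yet-valid"
        else:
            status = "valid"
        results.append({
            "owner": m["owner"],
            "covered": m["covered"],
            "key_tag": int(m["tag"]),
            "status": status,
            # negative once the signature has expired
            "days_to_expiry": round((expiration - now).total_seconds() / 86400, 1),
        })
    return results

# Sample input: first line carries the RRSIG fields from the message above,
# second line is constructed; signature data replaced by a placeholder.
SAMPLE = """\
hirlimann.net. 3600 IN RRSIG DNSKEY 8 2 3600 20140221061642 20140213221414 49361 hirlimann.net. <signature omitted>
example.test. 3600 IN RRSIG SOA 8 2 3600 20140310000000 20140301000000 12345 example.test. <signature omitted>
"""

if __name__ == "__main__":
    # 12:03:20 CET on 4 March 2014, the `date` output in the session, in UTC
    query_time = datetime(2014, 3, 4, 11, 3, 20, tzinfo=timezone.utc)
    for rec in check_rrsigs(SAMPLE, query_time):
        print(rec)
```

Run from cron against each signed zone, a check like this flags a signer that has stopped refreshing signatures before validating resolvers start rejecting the zone.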