Hello,

I forgot to look in the logfile, too. As of the time of the monitoring alert I was able to identify these log entries from the time the zone broke:

Jul 19 01:25:56 a ods-enforcerd: Zone voja.de found.
Jul 19 01:25:56 a ods-enforcerd: Policy for voja.de set to default.
Jul 19 01:25:56 a ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/voja.de.xml.
Jul 19 01:25:56 a ods-enforcerd: WARNING: Making non-backed up ZSK active, PLEASE make sure that you know the potential problems of using keys which are not recoverable
Jul 19 01:25:56 a ods-enforcerd: INFO: ZSK has been rolled for voja.de
Jul 19 01:25:56 a ods-signerd: [signconf] zone voja.de signconf: RESIGN[PT7200S] REFRESH[PT1123200S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
Jul 19 01:25:56 a ods-enforcerd: Called signer engine: /usr/sbin/ods-signer update voja.de
[...]
Jul 19 01:25:56 a named[307]: received control channel command 'reload voja.de'
Jul 19 01:25:56 a ods-signerd: [STATS] voja.de 1468884356 RR[count=1 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=6 reused=212 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Jul 19 01:25:56 a named[307]: zone voja.de/IN: loaded serial 1468884356 (DNSSEC signed)
Jul 19 01:25:56 a named[307]: zone voja.de/IN: sending notifies (serial 1468884356)

There is one other domain with the warning, but that zone is okay.

Best regards
Volker

> On 19.07.2016 at 16:45, Hoda Rohani <h...@nlnetlabs.nl> wrote:
>
> Hello,
>
> I'd like to see your key list (running 'ods-ksmutil key list -v --all').
> If the chain is still broken, the tmp and signed files might be helpful. If
> it is possible please send me those files.
>
> Regards,
> Hoda Rohani
>
>> On 19-07-16 16:06, Volker Janzen wrote:
>> Hi Jan-Piet,
>>
>> I have not saved the old tmp entry, I forgot about that. :-(
>>
>> But according to http://dnssec-debugger.verisignlabs.com/voja.de my live
>> zone is still broken with the same error and available for further debugging.
>>
>> The current signed file just has one NSEC3PARAM:
>>
>> grep NSEC3PARAM voja.de
>> voja.de. 0 IN NSEC3PARAM 1 0 5 843d90aeda8e8d67
>> voja.de. 0 IN RRSIG NSEC3PARAM 8 2 0 20160802230408
>> 20160719114534 53815 voja.de.
>> cr34VLnEyYqrXwhRQkTTeOeiLRc6I7iQh50egme4XYyyXCtuj+paFHX7V834TAVZj05hA7Q82kl7RDfC5XGnvq6hkqexabNSNpwCNVKgAjpoAOBCtaY35iKNENzlic8MVkoasIj0I/eEg2bFwAhmy/gx0hmK3qwbcG5Nx3NUOvs=
>> 29f0g0hr67r1rqj4jju7q2ibolhavrfv.voja.de. 3600 IN NSEC3 1 0
>> 5 843d90aeda8e8d67 2t4icqlvbd9n0keb8onuohhtcuemfrfu A NS SOA MX AAAA SSHFP
>> RRSIG DNSKEY NSEC3PARAM
>>
>>
>> Regards
>> Volker
>>
>>
>> On 19.07.2016 at 15:52, Jan-Piet Mens <jpmens....@gmail.com> wrote:
>>
>>>> What steps can I do to find out what might have gone wrong?
>>>
>>> I hope you still have the intermediate (tmp/) and signed files? Check
>>> whether you have more than 1 NSEC3PARAM records in the output. I've
>>> frequently been bitten by that.
>>>
>>> -JP
>>> _______________________________________________
>>> Opendnssec-user mailing list
>>> Opendnssec-user@lists.opendnssec.org
>>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
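
The check suggested in the quoted reply (more than one NSEC3PARAM in the signed file), extended to also compare the NSEC3 chain against the apex parameters, as an added example that is not part of the original thread or of OpenDNSSEC. It assumes one record per line in the form `owner TTL class type rdata`; the function name `check_nsec3` and all sample zone data are constructed for illustration.

```python
from collections import Counter

def check_nsec3(zone_text):
    """Return a list of NSEC3 parameter problems found in a signed zone."""
    apex, chain = [], Counter()
    for raw in zone_text.splitlines():
        f = raw.split(";", 1)[0].split()          # drop comments, tokenise
        if len(f) < 8 or f[2].upper() != "IN":
            continue
        # Compare algorithm, iterations and salt; the flags field is skipped
        # because opt-out NSEC3 records carry flag 1 while NSEC3PARAM has 0.
        params = (f[4], f[6], f[7].lower())
        rtype = f[3].upper()
        if rtype == "NSEC3PARAM":
            apex.append(params)
        elif rtype == "NSEC3":
            chain[params] += 1
    problems = []
    if len(apex) > 1:
        problems.append(f"{len(apex)} NSEC3PARAM records at the apex, expected 1")
    if chain and not apex:
        problems.append("NSEC3 records present but no NSEC3PARAM")
    if len(chain) > 1:
        problems.append(f"NSEC3 chain mixes {len(chain)} parameter sets")
    for params, count in chain.items():
        if apex and params not in apex:
            problems.append(f"{count} NSEC3 record(s) with {params} match no NSEC3PARAM")
    return problems

# Constructed sample zones (names, hashes and salts are made up).
GOOD = """\
example.test. 0 IN NSEC3PARAM 1 0 5 aabbccdd
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 0 5 aabbccdd 2t7b4g4vsa5smi47k61mv5bv1a22bojr A NS SOA RRSIG DNSKEY NSEC3PARAM
2t7b4g4vsa5smi47k61mv5bv1a22bojr.example.test. 3600 IN NSEC3 1 1 5 AABBCCDD 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom A RRSIG
"""
DUPLICATE = GOOD + """\
example.test. 0 IN NSEC3PARAM 1 0 5 11223344
35mthgpgcu1qg68fab165klnsnk3dpvl.example.test. 3600 IN NSEC3 1 0 5 11223344 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom NS
"""
STALE = GOOD.replace("NSEC3PARAM 1 0 5 aabbccdd", "NSEC3PARAM 1 0 5 11223344")

if __name__ == "__main__":
    for name, zone in (("GOOD", GOOD), ("DUPLICATE", DUPLICATE), ("STALE", STALE)):
        print(name, check_nsec3(zone) or "ok")
```

Run it against both the intermediate (tmp/) and the signed file, since a leftover NSEC3PARAM can enter through either.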