Re: [Opendnssec-user] Zone not properly signed

Tue, 19 Jul 2016 12:29:34 -0700 

Hi Yuri,

I can confirm that

ods-signer clear voja.de
ods-signer sign voja.de

fixes my problem.

The 1.4.6 is the latest available version for Debian Jessie. The 1.4.10 package 
is available from testing/unstable only. I need to evaluate if I can upgrade 
the signer VM to Debian testing. Is there anything I need to look for when 
migrating from 1.4.6 to 1.4.10?


Regards,
    Volker


> Am 19.07.2016 um 20:54 schrieb Yuri Schaeffer <y...@nlnetlabs.nl>:
> 
> Hi Volker,
> 
> Quite a bit of problems since 1.4.6 have surfaced regarding SOA serial
> and XFR (bump-in-wire setups). We have worked very hard to resolve those
> and the latest result of that is 1.4.10. Please consider upgrading, it
> is very likely to fix whatever bug you are facing.
> 
> Your message doesn't contain much information so I have no idea why your
> new ZSK is producing bad signatures. Hopefully you can repair it by
> resigning your zone:
> 
> ods-signer clear voja.de
> ods-signer sign voja.de
> 
> ///Yuri
> 
>> On 19-07-16 14:36, Volker Janzen wrote:
>> Hi,
>> 
>> my monitoring found one zone in OpenDNSSEC that was not properly signed.
>> It's the domain I'm sending from: voja.de.
>> 
>> I found that one of my slaves had a wrong serial for the zone, I forced
>> him to fetch the current zone, but that does not solve my issue.
>> 
>> I backed up the signed zone file that was broken. dnsviz has the error
>> in it's history. This entry is the last that was working:
>> http://dnsviz.net/d/voja.de/V40wvQ/dnssec/
>> 
>> As of it's an important domain I forced the domain to go insecure at the
>> registry level, because I already found validating resolvers that are no
>> longer able to resolve the zone.
>> 
>> What steps can I do to find out what might have gone wrong?
>> 
>> I'm running OpenDNSSEC 1.4.6 on Debian Jessie.
>> 
>> 
>> Regards,
>>   Volker
>> 
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user@lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user@lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Reply via email to