[Opendnssec-user] Zone not properly signed
Volker Janzen
2016-07-19 12:36:23 UTC
Hi,

my monitoring found one zone in OpenDNSSEC that was not properly signed.
It's the domain I'm sending from: voja.de.

I found that one of my slaves had a wrong serial for the zone; I forced
it to fetch the current zone, but that does not solve my issue.

I backed up the signed zone file that was broken. dnsviz has the error
in its history. This entry is the last that was working:
http://dnsviz.net/d/voja.de/V40wvQ/dnssec/

As it's an important domain I forced the domain to go insecure at the
registry level, because I already found validating resolvers that are no
longer able to resolve the zone.

What steps can I do to find out what might have gone wrong?

I'm running OpenDNSSEC 1.4.6 on Debian Jessie.


Regards,
Volker
Jan-Piet Mens
2016-07-19 13:52:57 UTC
Post by Volker Janzen
What steps can I do to find out what might have gone wrong?
I hope you still have the intermediate (tmp/) and signed files? Check whether
you have more than one NSEC3PARAM record in the output. I've frequently been
bitten by that.

-JP
Volker Janzen
2016-07-19 14:06:48 UTC
Hi Jan-Piet,

I have not saved the old tmp entry, I forgot about that. :-(

But according to http://dnssec-debugger.verisignlabs.com/voja.de my live zone is still broken with the same error and available for further debugging.

The current signed file just has one NSEC3PARAM:

grep NSEC3PARAM voja.de
voja.de. 0 IN NSEC3PARAM 1 0 5 843d90aeda8e8d67
voja.de. 0 IN RRSIG NSEC3PARAM 8 2 0 20160802230408 20160719114534 53815 voja.de. cr34VLnEyYqrXwhRQkTTeOeiLRc6I7iQh50egme4XYyyXCtuj+paFHX7V834TAVZj05hA7Q82kl7RDfC5XGnvq6hkqexabNSNpwCNVKgAjpoAOBCtaY35iKNENzlic8MVkoasIj0I/eEg2bFwAhmy/gx0hmK3qwbcG5Nx3NUOvs=
29f0g0hr67r1rqj4jju7q2ibolhavrfv.voja.de. 3600 IN NSEC3 1 0 5 843d90aeda8e8d67 2t4icqlvbd9n0keb8onuohhtcuemfrfu A NS SOA MX AAAA SSHFP RRSIG DNSKEY NSEC3PARAM


Regards
Volker
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Hoda Rohani
2016-07-19 14:45:57 UTC
Hello,

I'd like to see your key list (running 'ods-ksmutil key list -v --all').
If the chain is still broken, the tmp and signed files might be helpful. If it is possible please send me those files.

Regards,
Hoda Rohani
Volker Janzen
2016-07-19 16:58:30 UTC
Hello,
Post by Hoda Rohani
I'd like to see your key list (running 'ods-ksmutil key list -v --all').
If the chain is still broken, the tmp and signed files might be
helpful. If it is possible please send me those files.
I sent you the files and key list off-list.

For the record: my AXFR problem to one slave is solved. BIND does not
notify the nameserver in the SOA by default. In my hidden master
setup this prevented the instant transfer to one of the slaves, but
it was able to fetch the zone upon refresh.


Regards,
Volker
Volker Janzen
2016-07-19 18:32:23 UTC
Hello,

I forgot to look in the logfile, too. Going by the time of the monitoring alert, I was able to identify these log entries from the time the zone broke:

Jul 19 01:25:56 a ods-enforcerd: Zone voja.de found.
Jul 19 01:25:56 a ods-enforcerd: Policy for voja.de set to default.
Jul 19 01:25:56 a ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/voja.de.xml.
Jul 19 01:25:56 a ods-enforcerd: WARNING: Making non-backed up ZSK active, PLEASE make sure that you know the potential problems of using keys which are not recoverable
Jul 19 01:25:56 a ods-enforcerd: INFO: ZSK has been rolled for voja.de
Jul 19 01:25:56 a ods-signerd: [signconf] zone voja.de signconf: RESIGN[PT7200S] REFRESH[PT1123200S] VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[unixtime]
Jul 19 01:25:56 a ods-enforcerd: Called signer engine: /usr/sbin/ods-signer update voja.de
[...]
Jul 19 01:25:56 a named[307]: received control channel command 'reload voja.de'
Jul 19 01:25:56 a ods-signerd: [STATS] voja.de 1468884356 RR[count=1 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=6 reused=212 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Jul 19 01:25:56 a named[307]: zone voja.de/IN: loaded serial 1468884356 (DNSSEC signed)
Jul 19 01:25:56 a named[307]: zone voja.de/IN: sending notifies (serial 1468884356)

There is one other domain with the warning, but that zone is okay.


Kind regards
Volker
Yuri Schaeffer
2016-07-19 18:54:58 UTC
Hi Volker,

Quite a few problems have surfaced since 1.4.6 regarding SOA serial
and XFR (bump-in-the-wire setups). We have worked very hard to resolve those
and the latest result of that is 1.4.10. Please consider upgrading; it
is very likely to fix whatever bug you are facing.

Your message doesn't contain much information so I have no idea why your
new ZSK is producing bad signatures. Hopefully you can repair it by
resigning your zone:

ods-signer clear voja.de
ods-signer sign voja.de

///Yuri
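An added example, not code from this thread or from OpenDNSSEC, that scripts two checks raised above: Jan-Piet's test for more than one NSEC3PARAM record in the signer output, and the question Yuri raises of whether the signatures written after the ZSK roll line up with the DNSKEY RRset the zone actually publishes. It reads the signed zone in the one-record-per-line form the signer writes and flags NSEC3/NSEC3PARAM disagreement, RRSIGs whose key tag matches no published DNSKEY, and RRSIGs whose validity window does not cover the check time. The zone data is constructed: the name example.test., the hashed owner labels, the salts and the signature strings are placeholders, and the DNSKEY public key is a four-byte dummy whose RFC 4034 key tag works out to 2062. Nothing here verifies signature bytes; that still needs a real validator such as dnsviz or a DNSSEC library.

```python
"""Offline structural checks for a signed zone file (added example, not OpenDNSSEC code)."""
import base64
import struct
from datetime import datetime, timezone


def parse_zone(text):
    """Parse 'owner ttl IN type rdata...' lines into (owner, ttl, type, rdata_fields).
    Assumes one record per line, as the OpenDNSSEC signer writes its output."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            raise ValueError("unexpected record format: " + line)
        records.append((f[0].lower(), int(f[1]), f[3], f[4:]))
    return records


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_nsec3(records):
    """Exactly one NSEC3PARAM, and every NSEC3 must use its hash alg, iterations and salt.
    The flags field is skipped on purpose: NSEC3 may carry opt-out while NSEC3PARAM has 0."""
    problems = []
    params = [r for r in records if r[2] == "NSEC3PARAM"]
    if len(params) != 1:
        problems.append("expected exactly 1 NSEC3PARAM record, found %d" % len(params))
    announced = {(p[3][0], p[3][2], p[3][3].lower()) for p in params}
    for owner, _ttl, rtype, rdata in records:
        if rtype == "NSEC3":
            seen = (rdata[0], rdata[2], rdata[3].lower())
            if seen not in announced:
                problems.append("NSEC3 %s uses params %s not announced by NSEC3PARAM"
                                % (owner, " ".join(seen)))
    return problems


def check_signatures(records, now):
    """Every RRSIG must name a key tag published as DNSKEY at the signer name,
    and its inception..expiration window must cover 'now' (UTC, YYYYMMDDHHMMSS)."""
    problems, published = [], {}
    for owner, _ttl, rtype, rdata in records:
        if rtype == "DNSKEY":
            tag = key_tag(int(rdata[0]), int(rdata[1]), int(rdata[2]), "".join(rdata[3:]))
            published.setdefault(owner, set()).add(tag)
    for owner, _ttl, rtype, rdata in records:
        if rtype != "RRSIG":
            continue
        covered, expiration, inception = rdata[0], rdata[4], rdata[5]
        tag, signer = int(rdata[6]), rdata[7].lower()
        if tag not in published.get(signer, set()):
            problems.append("RRSIG %s/%s made with key tag %d, no such DNSKEY at %s"
                            % (owner, covered, tag, signer))
        exp = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        inc = datetime.strptime(inception, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        if not inc <= now <= exp:
            problems.append("RRSIG %s/%s validity %s..%s does not cover now"
                            % (owner, covered, inception, expiration))
    return problems


def check_zone(text, now=None):
    """Return a list of problems; an empty list means the zone passed both checks."""
    records = parse_zone(text)
    return check_nsec3(records) + check_signatures(records, now or datetime.now(timezone.utc))


# Constructed sample data. The DNSKEY public key is a 4-byte placeholder (key tag 2062);
# hashed labels, salts and signature fields are placeholders as well.
GOOD_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1468884356 3600 900 1209600 3600
example.test. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.test. 3600 IN RRSIG SOA 8 2 3600 20160802230408 20160719114534 2062 example.test. c2lnbmF0dXJl
example.test. 0 IN NSEC3PARAM 1 0 5 843d90aeda8e8d67
example.test. 0 IN RRSIG NSEC3PARAM 8 2 0 20160802230408 20160719114534 2062 example.test. c2lnbmF0dXJl
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 0 5 843d90aeda8e8d67 2t4icqlvbd9n0keb8onuohhtcuemfrfu A NS SOA RRSIG DNSKEY NSEC3PARAM
"""

# The same zone after a botched roll: a second NSEC3PARAM with a new salt, an NSEC3 chain
# hashed with yet another salt, one RRSIG by an unpublished key tag, one expired RRSIG.
BROKEN_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 1468884357 3600 900 1209600 3600
example.test. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.test. 3600 IN RRSIG SOA 8 2 3600 20160802230408 20160719114534 53815 example.test. c2lnbmF0dXJl
example.test. 0 IN NSEC3PARAM 1 0 5 843d90aeda8e8d67
example.test. 0 IN NSEC3PARAM 1 0 5 0f00ba5e0f00ba5e
example.test. 0 IN RRSIG NSEC3PARAM 8 2 0 20160718000000 20160704000000 2062 example.test. c2lnbmF0dXJl
0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example.test. 3600 IN NSEC3 1 0 5 deadbeefdeadbeef 2t4icqlvbd9n0keb8onuohhtcuemfrfu A NS SOA RRSIG DNSKEY NSEC3PARAM
"""

NOW = datetime(2016, 7, 20, 12, 0, tzinfo=timezone.utc)   # fixed check time for the samples

if __name__ == "__main__":
    for name, zone in (("good", GOOD_ZONE), ("broken", BROKEN_ZONE)):
        print(name, check_zone(zone, NOW) or "OK")
```

To run it against a live signer, replace the sample constant with the contents of the signed file under /var/lib/opendnssec/signed/ (or the tmp/ intermediate Jan-Piet asks about) and leave `now` unset so the current time is used. Because the check is purely structural and needs no network or keys, it is cheap enough to run from the same monitoring job that fires the "not properly signed" alert, which would have pointed straight at a mismatched key tag or a stray NSEC3PARAM instead of leaving only the dnsviz history to go on.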
Volker Janzen
2016-07-19 19:29:01 UTC
Hi Yuri,

I can confirm that

ods-signer clear voja.de
ods-signer sign voja.de

fixes my problem.

1.4.6 is the latest available version for Debian Jessie. The 1.4.10 package is available from testing/unstable only. I need to evaluate whether I can upgrade the signer VM to Debian testing. Is there anything I need to look for when migrating from 1.4.6 to 1.4.10?


Regards,
Volker
Yuri Schaeffer
2016-07-19 20:12:33 UTC
Post by Volker Janzen
Is there anything I need to
look for when migrating from 1.4.6 to 1.4.10?
Yes. Between 1.4.6 and 1.4.10 there has been a database change. Below
are the instructions from the MIGRATION file. It could be that the package
maintainer already applied it if you are upgrading from apt.

You'll notice soon enough. The enforcer will complain about the database
version being old and refuse to start.

//Yuri

*** Migrating from 1.4.X to 1.4.8 ***

As of 1.4.8 the database has changed slightly. To migrate between databases
run the SQL statements given in:

enforcer/utils/migrate_1_4_8.sqlite3
or
enforcer/utils/migrate_1_4_8.mysql

against your existing database.
