Intermittent Zone Signing Failures

David Kreindler david at govnet.state.vt.us
Sat Jun 2 21:59:04 UTC 2012


Switching from openssl-1.0.1 to openssl-0.9.8 seems to have fixed the problem.

On 2 Jun 2012, at 9:57 AM, David Kreindler wrote:

> Running BIND 9.9.1, 9.9.0 or 9.7.6 on AIX 5.2, we are experiencing intermittent failures signing zones, both with named and with dnssec-signzone.
> 
> We first noticed the problem when BIND 9.9.1's inline signing resulted in zones with missing RRSIGs.
> 
> When we turned off "auto-dnssec maintain" & "inline signing yes" for those zones and attempted to sign them with dnssec-signzone, most of the small zones were signed successfully, but the large zones failed with "Missing RSASHA1 signature" verification messages (using dnssec-signzone's -a option).
> 
> Adding "-v 2" to the command seemed to suggest that the "missing" signatures actually were being generated and verified, though dnssec-signzone still failed.
> 
> Immediately attempting again to sign the zone with the same dnssec-signzone command results in a different error message:
> 
> 	"dnssec-signzone: fatal: No self-signed KSK DNSKEY found.  Supply an active key with the KSK flag set, or use '-P'."
> 
> Oddly, this error message is preceded by dnssec-signzone writing to the terminal that it has successfully fetched the KSK along with an active and a standby ZSK (using dnssec-signzone's -S option).
> 
> We have ruled out memory and disk space limitations. We suspected a lack of entropy, since the errors changed each time we ran the dnssec-signzone command, so we tried using both dnssec-signzone's -p option and "-r /dev/urandom", to no avail.
> 
> The problem seems to have arisen spontaneously, after years of successful DNSSEC and months of successful BIND 9.9. We can identify no changes to the system except the upgrade (about four days before the first occurrence of the problem) to 9.9.1 -- but reverting to 9.9.0 and even 9.7.6 does not correct the problem.
> 
> Do you have any ideas about what the source of the problem might be or how to go about troubleshooting further?
> 
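The first symptom in the thread above is signed zones coming out with missing RRSIGs, which named and dnssec-signzone -a only reported inconsistently. The checker below is an added example, not code from the original post or from BIND: it walks a signed zone in presentation format and reports every authoritative RRset that has no covering RRSIG, so an operator can confirm a signing run independently of the signer's own verification. It assumes one RR per line with an explicit owner name (multi-line parenthesised records must be flattened first) and that the zone apex is passed in; delegation NS sets and glue below a zone cut are skipped because the parent does not sign them, while DS records at the cut are checked. The zone text is constructed for the example.

```python
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}

# Constructed sample: the apex MX RRset is deliberately missing its RRSIG.
SAMPLE_ZONE = """\
; signed zone, one RR per line (constructed for this example)
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2012060201 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 5 2 3600 20120702000000 20120602000000 12345 example.com. AbCd==
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 5 2 3600 20120702000000 20120602000000 12345 example.com. AbCd==
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN DNSKEY 257 3 5 AwEAAb==
example.com. 3600 IN RRSIG DNSKEY 5 2 3600 20120702000000 20120602000000 54321 example.com. AbCd==
ns1.example.com. 3600 IN A 192.0.2.1
ns1.example.com. 3600 IN RRSIG A 5 3 3600 20120702000000 20120602000000 12345 example.com. AbCd==
sub.example.com. 3600 IN NS ns1.sub.example.com.
sub.example.com. 3600 IN DS 12345 5 1 ABCDEF0123456789ABCDEF0123456789ABCDEF01
sub.example.com. 3600 IN RRSIG DS 5 3 3600 20120702000000 20120602000000 12345 example.com. AbCd==
ns1.sub.example.com. 3600 IN A 192.0.2.2
"""


def _norm(name):
    """Lower-case a domain name and make sure it is fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_records(zone_text):
    """Yield (owner, rrtype, rdata_tokens) for each one-line RR.

    Blank lines, ';' comments and $-directives are skipped; the optional TTL
    and class fields between owner and type are tolerated.
    """
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        owner = _norm(tokens[0])
        i = 1
        if i < len(tokens) and tokens[i].isdigit():      # TTL
            i += 1
        if i < len(tokens) and tokens[i].upper() in CLASSES:  # class
            i += 1
        if i >= len(tokens):
            continue
        yield owner, tokens[i].upper(), tokens[i + 1:]


def find_unsigned_rrsets(zone_text, apex):
    """Return sorted (owner, type) pairs of authoritative RRsets lacking an RRSIG."""
    apex = _norm(apex)
    rrsets = set()    # every (owner, type) seen, excluding RRSIG itself
    covered = set()   # (owner, type-covered) taken from each RRSIG's rdata
    cuts = set()      # owners of NS sets other than the apex, i.e. delegations
    for owner, rrtype, rdata in parse_records(zone_text):
        if rrtype == "RRSIG":
            covered.add((owner, rdata[0].upper()))
        else:
            rrsets.add((owner, rrtype))
            if rrtype == "NS" and owner != apex:
                cuts.add(owner)

    missing = []
    for owner, rrtype in sorted(rrsets):
        if owner in cuts and rrtype == "NS":
            continue  # delegation NS set is signed by the child, not here
        if any(owner.endswith("." + cut) for cut in cuts):
            continue  # glue below a zone cut is not authoritative data
        if (owner, rrtype) not in covered:
            missing.append((owner, rrtype))
    return missing


if __name__ == "__main__":
    for owner, rrtype in find_unsigned_rrsets(SAMPLE_ZONE, "example.com."):
        print(f"no RRSIG covering {rrtype} at {owner}")
```

Run against a real signed zone file, the script lists exactly the RRsets a validating resolver would fail on, which is a more direct check than trusting the signer's exit status when, as in the thread, that status was itself unreliable.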
