Skip to content

Statschannel setup can fail due to short validity interval

Job #4427706 failed for ce37dfd6: The records expire 1 second after signing. This can cause verification to fail.

zone=manykeys.
infile=manykeys.db.in
zonefile=manykeys.db.signed
ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK "$zone")
zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 "$zone")
ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 -f KSK "$zone")
zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 "$zone")
ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 -f KSK "$zone")
zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 "$zone")
# Sign deliberately with a very short expiration date.
"$SIGNER" -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1

signzone.out.manykeys.:

No correct ECDSAP256SHA256 signature for manykeys SOA
No correct ECDSAP384SHA384 signature for manykeys SOA
No correct RSASHA256 signature for manykeys NS
No correct ECDSAP256SHA256 signature for manykeys NS
No correct ECDSAP384SHA384 signature for manykeys NS
No correct RSASHA256 signature for manykeys DNSKEY
No correct ECDSAP256SHA256 signature for manykeys DNSKEY
No correct ECDSAP384SHA384 signature for manykeys DNSKEY
No correct RSASHA256 signature for a.manykeys NSEC
No correct ECDSAP256SHA256 signature for a.manykeys NSEC
No correct ECDSAP384SHA384 signature for a.manykeys NSEC
No correct RSASHA256 signature for a.manykeys A
No correct ECDSAP256SHA256 signature for a.manykeys A
No correct ECDSAP384SHA384 signature for a.manykeys A
No correct RSASHA256 signature for a.manykeys MX
No correct ECDSAP256SHA256 signature for a.manykeys MX
No correct ECDSAP384SHA384 signature for a.manykeys MX
No correct RSASHA256 signature for mail.manykeys NSEC
No correct ECDSAP256SHA256 signature for mail.manykeys NSEC
No correct ECDSAP384SHA384 signature for mail.manykeys NSEC
No correct RSASHA256 signature for mail.manykeys A
No correct ECDSAP256SHA256 signature for mail.manykeys A
No correct ECDSAP384SHA384 signature for mail.manykeys A
No correct RSASHA256 signature for ns2.manykeys NSEC
No correct ECDSAP256SHA256 signature for ns2.manykeys NSEC
No correct ECDSAP384SHA384 signature for ns2.manykeys NSEC
No correct RSASHA256 signature for ns2.manykeys A
No correct ECDSAP256SHA256 signature for ns2.manykeys A
No correct ECDSAP384SHA384 signature for ns2.manykeys A
Fetching manykeys/ECDSAP256SHA256/37225 (KSK) from key repository.
Fetching manykeys/ECDSAP384SHA384/14323 (ZSK) from key repository.
Fetching manykeys/ECDSAP384SHA384/23868 (KSK) from key repository.
Fetching manykeys/ECDSAP256SHA256/26999 (ZSK) from key repository.
Fetching manykeys/RSASHA256/15127 (KSK) from key repository.
Fetching manykeys/RSASHA256/33774 (ZSK) from key repository.
Verifying the zone using the following algorithms:
- RSASHA256
- ECDSAP256SHA256
- ECDSAP384SHA384
The zone is not fully signed for the following algorithms:
 RSASHA256
 ECDSAP256SHA256
 ECDSAP384SHA384
.
DNSSEC completeness test failed.
Zone verification failed (failure)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information