Running BIND 9.9.0

Upon having some DNSSEC keys run out of activity with no active replacements, we noticed some interesting behavior with the named process...

When a zone signing key enters its Inactive phase, the zone still loads on startup:

19-Jun-2012 09:54:10.176 general: zone_timer: zone badzone.nau.edu/IN: enter
19-Jun-2012 09:54:10.176 general: zone_maintenance: zone badzone.nau.edu/IN: enter
19-Jun-2012 09:54:10.176 notify: zone badzone.nau.edu/IN: sending notifies (serial 91416)
19-Jun-2012 09:54:10.177 general: zone badzone.nau.edu/IN: Key badzone.nau.edu/RSASHA1/11985 missing or inactive and has no replacement: retaining signatures.
19-Jun-2012 09:54:10.177 general: zone_settimer: zone badzone.nau.edu/IN: enter
19-Jun-2012 09:54:10.177 general: zone_settimer: zone badzone.nau.edu/IN: enter

Eventually we'll see failures on updating the zone:

Jun 17 04:06:58 diamond named[19951]: client 134.114.X.X#52804: updating zone 'badzone.nau.edu/IN': found no active private keys, unable to generate any signatures
Jun 17 04:06:58 diamond named[19951]: client 134.114.X.X#52804: updating zone 'badzone.nau.edu/IN': RRSIG/NSEC/NSEC3 update failed: not found

This occurred to a few zones, but then something odd started happening... The named process ramped up to 100%+ of processor. Nothing in the named logs indicated why this was happening... This caused SERVFAIL and other timeouts on all kinds of operations on the machine.

Our initial solution was to make new keys available (keys were actually created, just not put in place), and the zones at issue should recover. The zones at issue ended up requiring a manual re-sign to completely resolve the issue.

Anyone have an explanation of why this would happen (named gobbling up CPU, and also requiring manual resigning of the zones)?

Thanks in advance,

Raymond Walker
Software Systems Engineer Sr.
ITS
Northern Arizona University
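
A pre-flight check for the condition this message describes (a zone signing key reaching its Inactive time with no active replacement), added here as an example; it is not part of the original post and not BIND's own code. It assumes key files carry the `; Activate:` / `; Inactive:` comment lines that dnssec-keygen writes and treats a key with no Activate line as not signing; the function names, the goodzone.example zone, key ids 20001/20002 and all dates are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed key-file headers in the layout dnssec-keygen writes. The zone and
# key id 11985 come from the post; goodzone.example and all dates are invented.
SAMPLE_KEYS = [
    "; This is a zone-signing key, keyid 11985, for badzone.nau.edu.\n"
    "; Activate: 20120301000000 (Thu Mar  1 00:00:00 2012)\n"
    "; Inactive: 20120616000000 (Sat Jun 16 00:00:00 2012)\n",
    "; This is a zone-signing key, keyid 20001, for goodzone.example.\n"
    "; Activate: 20120301000000 (Thu Mar  1 00:00:00 2012)\n"
    "; Inactive: 20120616000000 (Sat Jun 16 00:00:00 2012)\n",
    "; This is a zone-signing key, keyid 20002, for goodzone.example.\n"
    "; Activate: 20120610000000 (Sun Jun 10 00:00:00 2012)\n",
]

HEADER = re.compile(r"^; This is a (zone|key)-signing key, keyid (\d+), for (\S+)", re.M)
FIELD = re.compile(r"^; (Created|Publish|Activate|Inactive|Delete): (\d{14})", re.M)

def parse_key(text):
    """Extract role, key id, zone and timing metadata from a .key file header."""
    role, keyid, zone = HEADER.search(text).groups()
    times = {k: datetime.strptime(v, "%Y%m%d%H%M%S") for k, v in FIELD.findall(text)}
    return {"zone": zone, "role": role, "id": int(keyid), **times}

def is_active(key, when):
    """True if the key is inside its Activate..Inactive window at `when`."""
    start, end = key.get("Activate"), key.get("Inactive")
    # Assumption: a key with no Activate line is treated as not signing.
    return start is not None and start <= when and (end is None or when < end)

def zsk_gaps(key_texts, now, horizon_days=30):
    """Map each zone to the first time in the horizon with no active ZSK."""
    keys = [k for k in map(parse_key, key_texts) if k["role"] == "zone"]
    limit, gaps = now + timedelta(days=horizon_days), {}
    for zone in sorted({k["zone"] for k in keys}):
        zone_keys = [k for k in keys if k["zone"] == zone]
        # Coverage can only be lost now or at the moment a key goes inactive.
        ends = [k["Inactive"] for k in zone_keys if "Inactive" in k]
        for t in [now] + sorted(e for e in ends if now < e <= limit):
            if not any(is_active(k, t) for k in zone_keys):
                gaps[zone] = t
                break
    return gaps
```

Run from cron against the text of every `K*.key` file in the key directory, a non-empty result gives advance warning before named logs "missing or inactive and has no replacement".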