Hi Fred,

This is not a known issue (well until now that is). I am trying to hit this, but when I replace a CNAME like that with an A record, the signer seems happy:

Jun 28 12:26:33 zoidberg ods-signerd: [cmdhandler] received command sign pletterpet.nl[18]
Jun 28 12:26:33 zoidberg ods-signerd: [cmdhandler] zone pletterpet.nl scheduled for immediate re-sign
Jun 28 12:26:33 zoidberg ods-signerd: [worker[1]] read zone pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] read zone pletterpet.nl from file input adapter /opt/opendnssec/var/opendnssec/unsigned/pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] zone pletterpet.nl set soa ttl to 360
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] zone pletterpet.nl set soa minimum to 360
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] zone pletterpet.nl set soa serial to 10
Jun 28 12:26:33 zoidberg ods-signerd: [worker[1]] sign zone pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [worker[1]] write zone pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] write zone pletterpet.nl serial 10 to output file adapter /opt/opendnssec/var/opendnssec/signed/pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [STATS] pletterpet.nl RR[count=1 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=1 reused=21 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]

Perhaps you can give me off list the zone contents before and after?

Best regards,
Matthijs

On 06/28/2012 11:42 AM, Fred Zwarts (KVI) wrote:
> We currently use OpenDNSSEC 1.4.0a2 in a Linux SLES11SP2 x86_64 environment.
>
> In one of the zones we had a CNAME record:
>
> sms.kvi.nl. CNAME srv002.kvi.nl.
>
> For several reasons we changed it in a new version of the zone file into:
>
> sms.kvi.nl. A 129.125.37.29
>
> Of course, also the SOA serial was updated.
>
> Now the signer refused to sign the new zone file.
> In the systemlog we saw the messages:
>
> Jun 28 11:15:40 kvivs13 ods-signerd: [rrset] CNAME and other data at the same name: <sms.kvi.nl,CNAME>
> Jun 28 11:15:40 kvivs13 ods-signerd: [adapter] unable to read file: zonefile contains errors
> Jun 28 11:15:40 kvivs13 ods-signerd: [tools] unable to read zone KVI.nl: adapter failed (Conflict detected)
> Jun 28 11:15:40 kvivs13 ods-signerd: [worker[1]] backoff task [read] for zone KVI.nl with 480 seconds
>
> We checked and double-checked, but there is no CNAME anymore for sms.kvi.nl in the unsigned zone. We could work around this problem, by first deleting all records for sms.kvi.nl, sign the zone, introduce the new records for sms.kvi.nl and sign the zone again (each time, of course, incrementing the SOA serial).
>
> I suspect that this is a bug in the code. I could not find it in the archives of this mailing list, nor in the KNOWN_ISSUES list, so I think it is worthwhile to mention it here.
>
> Fred.Zwarts.
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
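
An added example, not part of the thread and not OpenDNSSEC code: a standalone check for the "CNAME and other data at the same name" rule the signer reported, which can be run over an unsigned zone file independently of ods-signerd. It assumes one record per line; the function names and the SOA values in the sample zones are constructed for illustration.

```python
import re

# Types allowed next to a CNAME at the same owner name (RFC 4035, section 2.5).
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}
TTL_OR_CLASS = re.compile(r"^(\d+[smhdw]?|IN|CH|HS)$", re.IGNORECASE)

def fqdn(name, origin):
    """Lower-case a zone-file name and make it absolute relative to origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def owner_types(zone_text, origin):
    """Map owner name -> set of RR types. Assumes one record per line."""
    origin = fqdn(origin.rstrip(".") + ".", "")
    owners, last = {}, origin
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        if not fields:
            continue
        if fields[0].startswith("$"):
            if fields[0].upper() == "$ORIGIN":
                origin = fqdn(fields[1], origin)
            continue  # $TTL and $INCLUDE do not matter for this check
        if not raw[0].isspace():  # no leading blank: the line names its owner
            last = fqdn(fields.pop(0), origin)
        while fields and TTL_OR_CLASS.match(fields[0]):
            fields.pop(0)  # optional TTL and class, in either order
        if fields:
            owners.setdefault(last, set()).add(fields[0].upper())
    return owners

def cname_conflicts(zone_text, origin):
    """Return {owner: [other types]} where a CNAME coexists with other data."""
    found = {}
    for name, types in owner_types(zone_text, origin).items():
        others = sorted(types - ALLOWED_WITH_CNAME)
        if "CNAME" in types and others:
            found[name] = others
    return found

# Constructed sample zones built from the records quoted in the thread.
HEAD = "$ORIGIN KVI.nl.\n@ 360 IN SOA ns.kvi.nl. host.kvi.nl. 10 3600 600 604800 360\n"
NEW_ZONE = HEAD + "sms.kvi.nl. A 129.125.37.29\n"
BOTH = NEW_ZONE + "SMS IN CNAME srv002.kvi.nl.\n"  # constructed conflicting zone

if __name__ == "__main__":
    print(cname_conflicts(NEW_ZONE, "KVI.nl"))  # zone with only the A record
    print(cname_conflicts(BOTH, "KVI.nl"))      # CNAME plus A at one name
```

Owner names are compared case-insensitively, so `SMS` under `$ORIGIN KVI.nl.` and `sms.kvi.nl.` count as the same name. An empty result for the unsigned file means any conflict the signer reports is not coming from that file's contents.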
