Now there is a similar, though slightly different problem with another zone
kvi-cart.rug.nl.
The signer responded with servfail when requested for the SOA record, or for
zone transfers for this zone.
In the syslog, there were a lot of messages like:
May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265162: not serving soa
May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265162: not serving soa
May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265162: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265163: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265163: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265163: not serving soa
Apparently, also for this zone the transfers of the unsigned zone were not
processed correctly, but we did not notice it until the zone expired.
So, I used the same work-around and now the zone is served correctly.
I have the impression that something is wrong with the processing of the
incoming zone transfers and I would like to know what I can do to further
diagnose this problem, before yet another zone will pop up with a similar
problem.
Fred.Zwarts.
-----Original message-----
From: Rick van Rein
Sent: Thursday, May 15, 2014 10:43 PM
To: Fred.Zwarts
Cc: [email protected]
Subject: Re: [Opendnssec-user] Notify debugging
Hi Fred,
The /var/opendnssec/tmp/rug.nl-xfrd-state file still shows the old soa
serial 2014051506, where the unsigned system is already at 2014051520.
To me it looks as if opendnssec receives the zone, but does not process
it.
Any other ideas to diagnose this problem?
Can you have a look at /var/opendnssec/unsigned/rug.nl* ?
If the zone changes arrive (I assume the multiple arrivals are due to zone
updates, each resulting in a NOTIFY) then you should find it there, probably
as rug.nl.axfr.
That should help you distinguish if it is a transport problem or a
signer-trigger problem.
You can manually trigger resigning to see if it is a matter of the new
arrival not triggering the signer properly, with
ods-signer sign rug.nl
-Rick
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
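
An added example, not part of the original thread and not OpenDNSSEC code: a small syslog check that groups the "expired ... not serving soa" messages quoted above per zone and reports how long each zone has been expired. The message format is assumed from the quoted lines only; the function names, the zone example.org and the sample log are constructed for illustration.

```python
import re
from datetime import timedelta

# Message format taken from the ods-signerd lines quoted in the thread; \s+
# also tolerates the line wrap that mail clients insert after "expired at".
EXPIRED_RE = re.compile(
    r"ods-signerd: \[axfr\] zone (?P<zone>\S+) expired at\s+(?P<expired>\d+),"
    r"\s+and it is now\s+(?P<now>\d+): not serving soa"
)

# Constructed sample: two lines as quoted in the thread, one line for a
# made-up zone (example.org) and one unrelated line.
SAMPLE_LOG = """\
May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 1400245434, and it is now 1400265162: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 1400245434, and it is now 1400265163: not serving soa
May 16 20:32:44 dns ods-signerd: [axfr] zone example.org expired at 1400265000, and it is now 1400265164: not serving soa
May 16 20:32:45 dns sshd[311]: unrelated line
"""


def expired_zones(log_text):
    """Return {zone: {"expired_at", "last_seen", "refusals", "overdue"}}."""
    zones = {}
    for m in EXPIRED_RE.finditer(log_text):
        z = zones.setdefault(m["zone"], {"refusals": 0})
        # Log text is chronological, so the latest message wins.
        z["expired_at"] = int(m["expired"])
        z["last_seen"] = int(m["now"])
        z["refusals"] += 1
    for z in zones.values():
        z["overdue"] = timedelta(seconds=z["last_seen"] - z["expired_at"])
    return zones


def report(log_text):
    """One line per expired zone, longest-expired first."""
    ranked = sorted(expired_zones(log_text).items(),
                    key=lambda item: item[1]["overdue"], reverse=True)
    return [f"{zone}: expired {z['overdue']} ago, {z['refusals']} refusals logged"
            for zone, z in ranked]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the real syslog file, any output at all means a zone is already being refused, which is the condition that went unnoticed here until the zone expired.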