> We have 12 zones and we see this situation a few times per week. We
> have developed a cron script which compares the serial of the unsigned
> DNS server with the serial in the /var/opendns/tmp/<zone>.xfrd-state
> file. If a mismatch is detected, the work-around is to stop
> OpenDNSSEC, delete this file and restart OpenDNSSEC again.

Hm. This, I think, is more frequent than what I'm seeing, but it may be a lack of monitoring on our part...

> A similar problem occurs sometimes if the unsigned zone is not
> changed for some weeks. OpenDNSSEC then does not update its
> state anymore. Then, after some days the zone expires and no
> outgoing zone transfers are possible anymore. This case is more
> difficult to detect before the expiration of the zone. The
> work-around is similar.

This sounds strange, and I don't think we've seen this so far. For this to happen, the signer would have to stop answering SOA queries from the "slave" it uses for outgoing zone transfers, I would believe; well, perhaps also in addition it'd have to stop outgoing zone transfers from happening. Is that what you've been seeing?

Which version of OpenDNSSEC are you running?

Regards,

- Håvard
