--- Begin Message ---
Last week I migrated the ods 1.4.10 system on our test system to ods 2.0.1.
As mentioned in my previous mails, there were some problems to understand what
was happening, but at the end I thought that all was running well.

This morning I am confused again. I see the following:

# date
Mon Aug 15 09:06:30 CEST 2016
# ods-enforcer queue
There are 2 tasks scheduled.
It is now Mon Aug 15 09:06:33 2016 (1471244793 seconds since epoch)
Next task scheduled Sat Aug 13 14:22:00 2016 (1471090920 seconds since epoch)
On Sat Aug 13 14:22:00 2016 I will [enforce] 40.125.129.in-addr.arpa
On Fri Nov 18 11:10:04 2016 I will [resalt] policies
queue completed in 0 seconds.
# ods-enforcer key list --verbose --zone 40.125.129.in-addr.arpa
Keys:
Zone:                    Keytype: State:  Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
40.125.129.in-addr.arpa  KSK      retire  2016-08-13 14:22:00      2048  8          e1702efbbc4f06eeee49b30b480751a6 SoftHSM     43985
40.125.129.in-addr.arpa  KSK      active  2016-08-13 14:22:00      2048  8          956d1b9309f7db3f5dd407c5a2153d64 SoftHSM     64277
40.125.129.in-addr.arpa  ZSK      retire  2016-08-13 14:22:00      1024  8          f3234adb1562a65782baf23fbb03fb47 SoftHSM     1558
40.125.129.in-addr.arpa  ZSK      active  2016-08-13 14:22:00      1024  8          0db0fe4431642f178a1130330e87420e SoftHSM     57468
40.125.129.in-addr.arpa  ZSK      ready   2016-08-13 14:22:00      1024  8          41501fedde3f3380fa05753010f2f022 SoftHSM     53019
key list completed in 0 seconds.
#

The enforcer has scheduled a task in the past. How is that possible?
A second question.
I also noticed messages in the system log file of a few days ago. They
appear for all domains. I list it here for one domain:

2016-08-10T11:56:24.269750+02:00 kvivs20 ods-signerd: [namedb] zone KVI.nl cannot keep SOA SERIAL from input zone (2014042300): previous output SOA SERIAL is 2016081003
2016-08-10T11:56:24.270169+02:00 kvivs20 ods-signerd: [adapter] unable to add soa to zone KVI.nl: failed to replace soa serial rdata (Conflict detected)
2016-08-10T11:56:24.274181+02:00 kvivs20 ods-signerd: [adapter] If this is the result of a key rollover, please increment the serial in the unsigned zone KVI.nl
2016-08-10T11:56:24.274784+02:00 kvivs20 ods-signerd: [adapter] unable to add rr: failed to process soa record
2016-08-10T11:56:24.275224+02:00 kvivs20 ods-signerd: [adapter] error adding RR at line 594: KVI.nl. IN SOA DNS1.KVI.nl. HOSTMASTER.KVI.nl. 2014042300 12h 1h 4d 1h
2016-08-10T11:56:24.275677+02:00 kvivs20 ods-signerd: [tools] unable to read zone KVI.nl: adapter failed (Conflict detected)

These messages started early in the morning, continued for about 4 hours
(about 10 times for each domain with increasing intervals between 1 minute
and one hour) and then stopped, without any change in the configuration.
Also the input zones were not changed. Is this something to worry about?
Are we assumed to increment the serial of the unsigned zone during a
rollover?
At the moment everything looks normal. The unsigned zone is still unchanged
and the signed zone is dated Aug 15 08:33 and shows a serial of 2016081504.
Regards,
Fred.Zwarts.
--- End Message ---
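
A monitoring check for the first symptom in the message above, added here as an example (not part of the original post and not OpenDNSSEC code): it reads `ods-enforcer queue` output and reports how far the next scheduled task lies in the past. The function name `check_queue` and the `grace` tolerance are assumptions made for this example; the sample is the output quoted in the message with the mail's line wrap undone.

```python
import re

# Constructed sample: the `ods-enforcer queue` output quoted in the message,
# with the wrapped "seconds since epoch)" line rejoined.
SAMPLE = """\
There are 2 tasks scheduled.
It is now Mon Aug 15 09:06:33 2016 (1471244793 seconds since epoch)
Next task scheduled Sat Aug 13 14:22:00 2016 (1471090920 seconds since epoch)
On Sat Aug 13 14:22:00 2016 I will [enforce] 40.125.129.in-addr.arpa
On Fri Nov 18 11:10:04 2016 I will [resalt] policies
queue completed in 0 seconds.
"""

NOW_RE = re.compile(r"^It is now (.+?) \((\d+) seconds since epoch\)$", re.M)
NEXT_RE = re.compile(
    r"^Next task scheduled (.+?) \((\d+) seconds since epoch\)$", re.M)
TASK_RE = re.compile(r"^On (.+?) I will \[(\w+)\] (\S+)$", re.M)


def check_queue(output, grace=300):
    """Report whether the enforcer's next task is overdue.

    grace (hypothetical, seconds) is how far in the past the next task may
    lie before it is reported as overdue rather than merely about to run.
    """
    now = NOW_RE.search(output)
    if not now:
        raise ValueError("unrecognised ods-enforcer queue output")
    tasks = [{"when": w, "type": t, "target": g}
             for w, t, g in TASK_RE.findall(output)]
    nxt = NEXT_RE.search(output)
    if not nxt:  # no "Next task scheduled" line: nothing to compare against
        return {"lag_seconds": None, "overdue": [], "tasks": tasks}
    # Only the two header lines carry epoch values, so the lag is computed
    # from them; per-task lines give local time without a zone and are
    # matched to the next-task line by their timestamp string instead.
    lag = int(now.group(2)) - int(nxt.group(2))
    overdue = [t for t in tasks
               if lag > grace and t["when"] == nxt.group(1)]
    return {"lag_seconds": lag, "overdue": overdue, "tasks": tasks}


if __name__ == "__main__":
    report = check_queue(SAMPLE)
    print("next task lag: %s s" % report["lag_seconds"])
    for task in report["overdue"]:
        print("OVERDUE [%s] %s (due %s)"
              % (task["type"], task["target"], task["when"]))
```
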
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user