Hi Abdulkareem and list,

On 28.08.19 at 18:56, Abdulkareem H. Ali wrote:
> Hi Uli,
>
> On 28/08/2019 15:40, Ulrich-Lorenz Schlüter wrote:
>> Hi list,
>>
>> 1. When the DNS adapter is used, will there ever be files in
>> /var/opendnssec/unsigned & /var/opendnssec/signed?
>
> OpenDNSSec (ods) will only write into the signed dir.
>
> By default, ods will look for the unsigned zone file in the
> `/var/opendnssec/unsigned` directory and will only do reads from it, and
> writes the signed file into the `/var/opendnssec/signed` dir.

This is the corresponding folder structure:

ls /var/opendnssec/*
/var/opendnssec/kasp.db
/var/opendnssec/kasp.db.backup
/var/opendnssec/kasp.db.our_lock

/var/opendnssec/enforcer:
zones.xml

/var/opendnssec/signconf:
sycosys.de.xml

/var/opendnssec/signed:

/var/opendnssec/signer:
sycosys.de.axfr
sycosys.de.backup2
sycosys.de.ixfr

/var/opendnssec/tmp:

/var/opendnssec/unsigned:
The files in '/var/opendnssec/signer' are all signed. I was assuming this
is due to using the DNS adaptor instead of the FILE adaptor when
triggering a:

'ods-enforcer zone add -z sycosys.de -j DNS -q DNS'

Is this explained anywhere in the documentation?

>> 2. I cannot interpret this log. Would someone be so kind?
>>
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver: /usr/sbin/rndc
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver process forked
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver ok
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] log stats for zone sycosys.de serial 1567002165
>> Aug 28 16:22:45 one ods-signerd[901]: [STATS] sycosys.de 1567002165 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=13 reused=0 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
>
> The lines above show what looks like a normal signing operation of
> `sycosys.de`, and these are the last lines in the log of that process.
> The `notify` is perhaps in your conf.xml config with the `Notify`
> directive in xml brackets. I'm guessing that you have a local bind
> instance running so you're using `rndc` to reload the zone. Btw, this
> `notify` isn't an actual DNS notify type query, it's just a directive
> for ODS to hit a script or a program after it finishes signing a zone.
> In this case, it's running rndc to perhaps reload the signed zone file
> into bind.
>
> I think you have your logging level turned up, so you might want to
> consider a lower logging number if you don't want to see that much
> detail. There is also a `<Verbosity>` directive in `conf.xml`.
>
> The lines below look more in line with actual DNS notify packets
> to transfer the sycosys.de zone, and then ods will authenticate XFRs with
> the tsig key of `opendnssec-out`. We don't really use ods itself to do
> those, so someone else can give a better in-depth explanation about it.
>
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] forward a notify
>> Aug 28 16:22:45 one ods-signerd[901]: [dnshandler] forwarded notify: 6 bytes sent
>> Aug 28 16:22:45 one ods-signerd[901]: [file] open file file=sycosys.de.backup2.tmp mode=writing
>> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] read forwarded dns packet: 6 bytes received
>> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
>> Aug 28 16:22:45 one ods-signerd[901]: [netio] dispatch timeout event without checking for other events
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] handle notify for zone sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify timeout for zone sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with key: opendnssec-out.
>> Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with algorithm: hmac-sha256.
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] tsig append rr to notify id=19564
>> Aug 28 16:22:45 one ods-signerd[901]: [file] openfile sycosys.de.backup2.tmp count 1
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] send 190 bytes over udp to 127.0.0.1
>> Aug 28 16:22:45 one ods-signerd[901]: [scheduler] schedule task [sign] for sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [worker[1]] finished working
>> Aug 28 16:22:45 one ods-signerd[901]: [worker[1]]: report for duty
>> Aug 28 16:22:45 one ods-signerd[901]: [socket] incoming udp message
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify retry 1 for zone sycosys.de sent to 127.0.0.1
>> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] handle notify for zone sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] read notify ok for zone sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de secondary 127.0.0.1 notify reply ok
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de no more secondaries, disable notify
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify for zone sycosys.de disabled
>> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
>> Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY but 2048:41
>> Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY but 14:2304
>> Aug 28 16:22:45 one ods-signerd[901]: [query] too many additional rrs
>> Aug 28 16:22:45 one ods-signerd[901]: [query] formerr
>> Aug 28 16:22:45 one ods-signerd[901]: [socket] query processed qstate=0
>> Aug 28 16:22:45 one ods-signerd[901]: [query] add edns opt ok
>> Aug 28 16:22:45 one ods-signerd[901]: [socket] sending 141 bytes over udp
>> Aug 28 16:22:45 one ods-signerd[901]: [dnshandler] netio dispatch
>>
>> Thanks & regards
>> Uli
>> _______________________________________________
>> Opendnssec-user mailing list
>> [email protected]
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
> HTH,
>
> Kareem.
>
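An added example, not part of the thread and not code from the OpenDNSSEC project: a small Python triage script that parses lines in the ods-signerd format quoted above and separates the routine signing and NOTIFY chatter from the handful of lines a defender actually wants surfaced. It reports the serial and RRSIG counts from the `[STATS]` line, the TSIG key and algorithm the signer used on its outbound NOTIFY, which secondary acknowledged it, and flags the `[tsig] parse: not TSIG`, `[query] too many additional rrs` and `[query] formerr` lines, which show the signer's DNS listener rejecting an inbound packet it could not parse. The line layout in `LINE_RE` is inferred from the quoted lines (an assumption, not taken from ODS documentation), the `SUSPICIOUS` markers are my own choice, and `SAMPLE_LOG` is a constructed subset of the quoted lines re-joined one per line.

```python
import re
from collections import Counter

# Syslog-style layout inferred from the quoted ods-signerd lines (assumption):
#   "<Mon> <day> <HH:MM:SS> <host> ods-signerd[<pid>]: [<component>] <message>"
# Components such as "worker[1]" carry a bracketed index, and some lines put a
# colon after the component ("[worker[1]]: report for duty"), so both are allowed.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"ods-signerd\[(?P<pid>\d+)\]: \[(?P<component>\w+(?:\[\d+\])?)\]:? (?P<msg>.*)$"
)
STATS_RE = re.compile(r"^(?P<zone>\S+) (?P<serial>\d+) .*RRSIG\[new=(?P<new>\d+) reused=(?P<reused>\d+)")
TSIG_KEY_RE = re.compile(r"tsig sign notify with key: (?P<key>[\w.-]+)")
TSIG_ALG_RE = re.compile(r"tsig sign notify with algorithm: (?P<alg>[\w-]+)")
NOTIFY_OK_RE = re.compile(r"zone (?P<zone>\S+) secondary (?P<addr>\S+) notify reply ok")

# Messages worth separating from the routine chatter (my choice): the signer answering
# an inbound packet with FORMERR, and the TSIG parser rejecting additional-section RRs.
SUSPICIOUS = ("formerr", "too many additional rrs", "parse: not TSIG")

# Constructed sample: a subset of the lines quoted in the thread, one log line each.
SAMPLE_LOG = [
    "Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver: /usr/sbin/rndc",
    "Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver ok",
    "Aug 28 16:22:45 one ods-signerd[901]: [STATS] sycosys.de 1567002165 RR[count=0 time=0(sec)] "
    "NSEC3[count=0 time=0(sec)] RRSIG[new=13 reused=0 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]",
    "Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with key: opendnssec-out.",
    "Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with algorithm: hmac-sha256.",
    "Aug 28 16:22:45 one ods-signerd[901]: [notify] send 190 bytes over udp to 127.0.0.1",
    "Aug 28 16:22:45 one ods-signerd[901]: [worker[1]] finished working",
    "Aug 28 16:22:45 one ods-signerd[901]: [worker[1]]: report for duty",
    "Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de secondary 127.0.0.1 notify reply ok",
    "Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY but 2048:41",
    "Aug 28 16:22:45 one ods-signerd[901]: [query] too many additional rrs",
    "Aug 28 16:22:45 one ods-signerd[901]: [query] formerr",
]


def parse_line(line):
    """Split one ods-signerd line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Summarise a batch of lines: per-component counts, serial and RRSIG counts per
    signed zone, the TSIG key/algorithm on outbound NOTIFYs, which secondaries
    acknowledged a NOTIFY, and every line matching a SUSPICIOUS marker."""
    summary = {"by_component": Counter(), "zones": {}, "tsig": {}, "notify_ok": [], "flags": []}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue  # not an ods-signerd line; ignore silently
        comp, msg = rec["component"], rec["msg"]
        summary["by_component"][comp] += 1
        if comp == "STATS":
            s = STATS_RE.match(msg)
            if s:
                summary["zones"][s["zone"]] = {
                    "serial": int(s["serial"]),
                    "new_rrsig": int(s["new"]),
                    "reused_rrsig": int(s["reused"]),
                }
        elif comp == "domain":
            k, a = TSIG_KEY_RE.search(msg), TSIG_ALG_RE.search(msg)
            if k:
                summary["tsig"]["key"] = k["key"]
            if a:
                summary["tsig"]["algorithm"] = a["alg"]
        elif comp == "notify":
            n = NOTIFY_OK_RE.search(msg)
            if n:
                summary["notify_ok"].append((n["zone"], n["addr"]))
        if any(marker in msg for marker in SUSPICIOUS):
            summary["flags"].append((comp, msg))
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for zone, info in result["zones"].items():
        print(f"{zone}: serial {info['serial']}, {info['new_rrsig']} new RRSIGs, "
              f"{info['reused_rrsig']} reused")
    print("TSIG on outbound NOTIFY:", result["tsig"])
    print("NOTIFY acknowledged by:", result["notify_ok"])
    for comp, msg in result["flags"]:
        print(f"FLAG [{comp}] {msg}")
```

Run against the full log rather than the sample (for example by feeding `triage()` the lines of a syslog file), the per-component counter also makes the effect of a lower `<Verbosity>` visible: the `[netio]`, `[xfrhandler]` and `[worker[...]]` lines are the bulk of the volume, while the flagged `[query]`/`[tsig]` lines are the ones to correlate with whatever on 127.0.0.1 sent that packet.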
