BIND - slaving the root zone and signature expired
Hello list,

Anyone else experienced this problem today ?

We slave the root zone and have received signature expired errors.

We slave the root zone like so:

    zone "." {
        type slave;
        file "/etc/namedb/slave/root.slave";
        masters {
            192.5.5.241; // F.ROOT-SERVERS.NET.
        };
        notify no;
    };

    zone "arpa" {
        type slave;
        file "/etc/namedb/slave/arpa.slave";
        masters {
            192.5.5.241; // F.ROOT-SERVERS.NET.
        };
        notify no;
    };

And got the following errors:

    messages.2:Oct 25 08:25:46 pf1 named[23251]: starting BIND 9.6.-ESV-R7 -t /var/named -u bind
    messages.2:Oct 25 08:25:46 pf1 named[23251]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifaddrs' '--disable-linux-caps' '--with-openssl=/usr' '--with-randomdev=/dev/random' '--without-idn' '--without-libxml2'
    messages.2:Oct 25 08:25:46 pf1 named[23251]:
    messages.2:Oct 25 08:25:46 pf1 named[23251]: BIND 9 is maintained by Internet Systems Consortium,
    messages.2:Oct 25 08:25:46 pf1 named[23251]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
    messages.2:Oct 25 08:25:46 pf1 named[23251]: corporation. Support and training for BIND 9 are
    messages.2:Oct 25 08:25:46 pf1 named[23251]: available at https://www.isc.org/support
    messages.2:Oct 25 08:25:46 pf1 named[23251]:
    messages.2:Oct 25 08:25:46 pf1 named[23251]: command channel listening on 127.0.0.1#953
    messages.2:Oct 25 08:25:46 pf1 named[23251]: command channel listening on ::1#953
    messages.2:Oct 25 08:25:46 pf1 named[23251]: /etc/namedb/slave/root.slave:10: signature has expired
    messages.2:Oct 25 08:25:46 pf1 named[23251]: /etc/namedb/slave/arpa.slave:10: signature has expired
    messages.2:Oct 25 08:25:46 pf1 named[23251]: running
    messages.2:Oct 25 08:25:46 pf1 named[23251]: zone ./IN: expired
    messages.2:Oct 25 08:25:46 pf1 named[23251]: zone arpa/IN: expired
    messages.2:Oct 25 08:27:16 pf1 named[23251]: transfer of 'arpa/IN' from 192.5.5.241#53: failed while receiving responses: connection reset
    messages.2:Oct 25 08:27:17 pf1 named[23251]: transfer of './IN' from 192.5.5.241#53: failed while receiving responses: connection reset
    messages.2:Oct 25 08:28:47 pf1 named[23251]: transfer of './IN' from 192.5.5.241#53: failed while receiving responses: connection reset
    messages.2:Oct 25 08:28:47 pf1 named[23251]: transfer of 'arpa/IN' from 192.5.5.241#53: failed while receiving responses: connection reset
    messages.2:Oct 25 08:30:37 pf1 named[23251]: transfer of 'arpa/IN' from 192.5.5.241#53: failed while receiving responses: connection reset
    messages.2:Oct 25 08:30:42 pf1 named[23251]: transfer of './IN' from 192.5.5.241#53: failed while receiving responses: connection reset
    messages.2:Oct 25 08:32:47 pf1 named[23251]: stopping command channel on 127.0.0.1#953
    messages.2:Oct 25 08:32:47 pf1 named[23251]: stopping command channel on ::1#953
    messages.2:Oct 25 08:32:47 pf1 named[23251]: exiting

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
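The two "signature has expired" lines in the log above are named's zone-file loader warning, at the quoted file and line number, that an RRSIG in the stored slave file is outside its validity window; the later "zone ./IN: expired" lines are the separate SOA expire timer running out after the transfers kept failing. A secondary that cannot refresh keeps serving the stale file until then, so a check that runs ahead of named is worth having. The script below is an added example for this thread, not code from the posts, from ISC or from FreeBSD: it parses RRSIG records out of a text-format slave file in the layout named writes (blank owner fields, parenthesised continuation lines, $ORIGIN and @), and classifies each one as expired, not yet valid, expiring within a warning window, or ok. The embedded SAMPLE_ZONE is constructed, with placeholder key tags and signature data, and NOW is the timestamp of the log above; nothing in it is a real root-zone record.

```python
"""Report expired and near-expiry RRSIGs in a BIND text-format slave zone file.

Added example for this thread, not code from the original posts, from ISC or
from FreeBSD.  SAMPLE_ZONE is constructed in the layout named writes for slave
files (blank owner fields, parenthesised records); key tags, timestamps and
signature data are placeholders, not real root-zone records.
"""
import sys
from collections import namedtuple
from datetime import datetime, timedelta, timezone

RRSig = namedtuple("RRSig", "owner covered expiration inception keytag signer")

def _logical_records(lines):
    """Yield (record_text, owner_inherited); ( ... ) continuation lines are joined."""
    buf, depth, inherited = [], 0, False
    for raw in lines:
        line = raw.split(";", 1)[0].rstrip()            # drop ';' comments
        if not line.strip():
            continue
        if not buf:
            inherited = line[0] in " \t"                 # blank owner field
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            yield " ".join(" ".join(buf).split()), inherited
            buf, depth = [], 0

def _parse_time(field):
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS or seconds since the epoch, both UTC."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def parse_rrsigs(zone_text, origin="."):
    """Return the RRSIG records in zone_text; honours $ORIGIN and '@'."""
    sigs, owner = [], origin
    for rec, inherited in _logical_records(zone_text.splitlines()):
        tok = rec.split()
        if tok[0] == "$ORIGIN":
            origin = tok[1]
            continue
        if tok[0].startswith("$"):                       # $TTL, $INCLUDE, ...
            continue
        if not inherited:
            owner = origin if tok[0] == "@" else tok[0]
            tok = tok[1:]
        if tok and tok[0].isdigit():                     # optional TTL
            tok = tok[1:]
        if tok and tok[0].upper() in ("IN", "CH", "HS"):  # optional class
            tok = tok[1:]
        # RRSIG covered alg labels origttl expiration inception keytag signer sig...
        if len(tok) < 10 or tok[0].upper() != "RRSIG":
            continue
        sigs.append(RRSig(owner, tok[1], _parse_time(tok[5]), _parse_time(tok[6]),
                          int(tok[7]), tok[8]))
    return sigs

def check_signatures(zone_text, now, warn_within=timedelta(days=2)):
    """Classify each RRSIG against `now` (aware UTC datetime) as
    'expired', 'not-yet-valid', 'expiring' (within warn_within) or 'ok'."""
    report = []
    for s in parse_rrsigs(zone_text):
        if now > s.expiration:
            status = "expired"
        elif now < s.inception:
            status = "not-yet-valid"
        elif s.expiration - now <= warn_within:
            status = "expiring"
        else:
            status = "ok"
        report.append((s.owner, s.covered, s.expiration, status))
    return report

# Constructed sample in named's slave-file layout; only the timestamps matter here.
SAMPLE_ZONE = """\
$ORIGIN .
$TTL 86400      ; 1 day
@           IN SOA  a.root-servers.net. nstld.verisign-grs.com. 2012102500 1800 900 604800 86400
            RRSIG   SOA 8 0 86400 (
                    20121101000000 20121025000000 11111 . AAAAplaceholder== )
            NS      a.root-servers.net.
            RRSIG   NS 8 0 518400 (
                    20121020000000 20121013000000 11111 . BBBBplaceholder== )
            DNSKEY  257 3 8 CCCCplaceholder==
            RRSIG   DNSKEY 8 0 172800 (
                    20121026120000 20121019000000 22222 . DDDDplaceholder== )
arpa.       NS      a.root-servers.net.
arpa.       RRSIG   NS 8 1 518400 (
                    20121110000000 20121026000000 33333 . EEEEplaceholder== )
"""
NOW = datetime(2012, 10, 25, 8, 25, 46, tzinfo=timezone.utc)  # time of the log above

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else NOW
    for owner, covered, exp, status in check_signatures(text, now):
        print(f"{status:14}{owner:8}{covered:8}expires {exp:%Y-%m-%d %H:%M:%S}Z")
```

Run with no arguments it reports on the constructed sample (the NS signature comes out expired, the DNSKEY one expiring, the arpa. one not yet valid); pointed at a real file, e.g. the /etc/namedb/slave/root.slave from the config above, it uses the current time. It expects text-format slave files, which is what BIND 9.6 writes by default; if a newer named stores the zone in raw format, convert it first with named-compilezone -f raw -F text -o - . root.slave and feed the output in. A non-empty "expired" or "expiring" set, well before the SOA expire timer fires, is the signal that transfers from the configured master have been failing.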
Re: BIND - slaving the root zone and signature expired
On Thu, 25 Oct 2012, Damien Fleuriot wrote:

> Anyone else experienced this problem today ?
>
> We slave the root zone and have received signature expired errors.

Found this:

https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html

which leads to this:

http://in-addr-transition.icann.org/
Re: BIND - slaving the root zone and signature expired
On 25 October 2012 18:33, Warren Block wbl...@wonkity.com wrote:

> On Thu, 25 Oct 2012, Damien Fleuriot wrote:
>
>> Anyone else experienced this problem today ?
>>
>> We slave the root zone and have received signature expired errors.
>
> Found this:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html
>
> which leads to this:
>
> http://in-addr-transition.icann.org/

Hi Warren and thanks for your reply,

I've dug around some more and identified the problem we've been having.

Apparently, from a given netblock, we can't AXFR the . and arpa zones anymore with F.ROOT-SERVERS.NET.
We can from some other boxes.

I suspect we might have been firewalled or something, although we don't query them very often, but that's beyond the point.

I've now transitioned all our PF boxes to slave from xfr.lax.dns.icann.org and xfr.cjr.dns.icann.org as per the documentation found in /etc/namedb/named.conf

What bothers me is that the commented lines from named.conf say to use the ICANN XFR servers, while the actual commented configuration uses F.ROOT-SERVERS.NET

See below a freshly SVNup'd copy on 10.0:

    % svn info named.conf
    Path: named.conf
    Name: named.conf
    Working Copy Root Path: /data/freebsd/src/head
    URL: svn://svn.freebsd.org/base/head/etc/namedb/named.conf
    Repository Root: svn://svn.freebsd.org/base
    Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
    Revision: 242082
    Node Kind: file
    Schedule: normal
    Last Changed Author: uqs
    Last Changed Rev: 229783
    Last Changed Date: 2012-01-07 16:10:32 + (Sat, 07 Jan 2012)
    Text Last Updated: 2012-09-01 11:43:31 + (Sat, 01 Sep 2012)
    Checksum: 598add209c192aac1dc4d973ce31922dff8b93c9

I SVNup'd it just today, and yet:

    ===
    As documented at http://dns.icann.org/services/axfr/
    these zones: . (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
    are available for AXFR from these servers on IPv4 and IPv6:
    xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
    */
    /*
    zone "." {
        type slave;
        file "/etc/namedb/slave/root.slave";
        masters {
            192.5.5.241; // F.ROOT-SERVERS.NET.
        };
        notify no;
    };
    ===

I'm going to file a PR with a small diff to use the ICANN's XFR servers instead of F.

Thanks for your feedback regardless :)
Re: BIND - slaving the root zone and signature expired
On 25 October 2012 18:55, Damien Fleuriot m...@my.gd wrote:

> On 25 October 2012 18:33, Warren Block wbl...@wonkity.com wrote:
>
>> On Thu, 25 Oct 2012, Damien Fleuriot wrote:
>>
>>> Anyone else experienced this problem today ?
>>>
>>> We slave the root zone and have received signature expired errors.
>>
>> Found this:
>>
>> https://lists.dns-oarc.net/pipermail/dns-operations/2011-March/007116.html
>>
>> which leads to this:
>>
>> http://in-addr-transition.icann.org/
>
> Hi Warren and thanks for your reply,
>
> I've dug around some more and identified the problem we've been having.
>
> Apparently, from a given netblock, we can't AXFR the . and arpa zones anymore with F.ROOT-SERVERS.NET.
> We can from some other boxes.
>
> I suspect we might have been firewalled or something, although we don't query them very often, but that's beyond the point.
>
> I've now transitioned all our PF boxes to slave from xfr.lax.dns.icann.org and xfr.cjr.dns.icann.org as per the documentation found in /etc/namedb/named.conf
>
> What bothers me is that the commented lines from named.conf say to use the ICANN XFR servers, while the actual commented configuration uses F.ROOT-SERVERS.NET
>
> See below a freshly SVNup'd copy on 10.0:
>
>     % svn info named.conf
>     Path: named.conf
>     Name: named.conf
>     Working Copy Root Path: /data/freebsd/src/head
>     URL: svn://svn.freebsd.org/base/head/etc/namedb/named.conf
>     Repository Root: svn://svn.freebsd.org/base
>     Repository UUID: ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
>     Revision: 242082
>     Node Kind: file
>     Schedule: normal
>     Last Changed Author: uqs
>     Last Changed Rev: 229783
>     Last Changed Date: 2012-01-07 16:10:32 + (Sat, 07 Jan 2012)
>     Text Last Updated: 2012-09-01 11:43:31 + (Sat, 01 Sep 2012)
>     Checksum: 598add209c192aac1dc4d973ce31922dff8b93c9
>
> I SVNup'd it just today, and yet:
>
>     ===
>     As documented at http://dns.icann.org/services/axfr/
>     these zones: . (the root), ARPA, IN-ADDR.ARPA, IP6.ARPA, and ROOT-SERVERS.NET
>     are available for AXFR from these servers on IPv4 and IPv6:
>     xfr.lax.dns.icann.org, xfr.cjr.dns.icann.org
>     */
>     /*
>     zone "." {
>         type slave;
>         file "/etc/namedb/slave/root.slave";
>         masters {
>             192.5.5.241; // F.ROOT-SERVERS.NET.
>         };
>         notify no;
>     };
>     ===
>
> I'm going to file a PR with a small diff to use the ICANN's XFR servers instead of F.
>
> Thanks for your feedback regardless :)

If anyone cares to take it, filed as conf/173077