[Opendnssec-develop] Serial too large

Rick Zijlker rick.zijlker at sidn.nl
Tue Jun 1 09:57:33 UTC 2010 

Hey,

When resigning a zone which has a serial of 1000 and policy for the serial is "keep", and the zone still has that same serial, I get the following message:

Jun  1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000, output serial 1000 is too large. Aborting operation

How can an output serial be too large? On a sidenote, the zone was about to get a KSK rollover.

At earlier signing I got this message which is correct and expected:
Jun  1 11:12:11 signer1 ods-signerd: Error: serial setting is set to 'keep', but input serial has not increased. Aborting sign operation for ods

Full log:
Jun  1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at 1275384134.71 with resign time 180
Jun  1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at 1275384134.71 with resign time 180
Jun  1 11:22:14 signer1 ods-signerd: Zone ods added
Jun  1 11:22:14 signer1 ods-signerd: opening socket: /var/run/opendnssec/engine.sock
Jun  1 11:22:14 signer1 ods-signerd: Engine running
Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer starting...
Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer Parent exiting...
Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer forked OK...
Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer started (version 1.1.0rc3), pid 13521
Jun  1 11:22:14 signer1 ods-enforcerd: HSM opened successfully.
Jun  1 11:22:14 signer1 ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Jun  1 11:22:14 signer1 ods-enforcerd: Reading config schema "/usr/local/share/opendnssec/conf.rng"
Jun  1 11:22:14 signer1 ods-enforcerd: Communication Interval: 1800
Jun  1 11:22:14 signer1 ods-enforcerd: No DS Submit command supplied
Jun  1 11:22:14 signer1 ods-enforcerd: SQLite database set to: /var/opendnssec/kasp.db
Jun  1 11:22:14 signer1 ods-enforcerd: Log User set to: local0
Jun  1 11:22:14 signer1 ods-enforcerd: Switched log facility to: local0
Jun  1 11:22:14 signer1 ods-enforcerd: Connecting to Database...
Jun  1 11:22:14 signer1 ods-enforcerd: Policy default found.
Jun  1 11:22:14 signer1 ods-enforcerd: Key sharing is Off.
Jun  1 11:22:14 signer1 ods-enforcerd: Policy gradual1 found.
Jun  1 11:22:14 signer1 ods-enforcerd: Key sharing is Off.
Jun  1 11:22:14 signer1 ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Jun  1 11:22:14 signer1 ods-enforcerd: Zone ods found.
Jun  1 11:22:14 signer1 ods-enforcerd: Policy for ods set to gradual1.
Jun  1 11:22:14 signer1 ods-enforcerd: Config will be output to /var/opendnssec/signconf/ods.xml.
Jun  1 11:22:15 signer1 ods-enforcerd: INFO: New DS records needed for the zone ods; details will follow
Jun  1 11:22:15 signer1 ods-enforcerd: WARNING: KSK Retirement reached; please submit the new DS for ods and use ods-ksmutil key ksk-roll to roll the key.
Jun  1 11:22:15 signer1 ods-enforcerd: No change to: /var/opendnssec/signconf/ods.xml
Jun  1 11:22:15 signer1 ods-enforcerd: DSChanged
Jun  1 11:22:15 signer1 ods-enforcerd: DS Record set has changed, the current set looks like:
Jun  1 11:22:15 signer1 ods-enforcerd: ods.     3600    IN      DNSKEY  257 3 7 AwEAAdipHfA+phxY3scDd7Go/ncAJm1WDfarQAz2jjmCFgSlG9SHvDzxpXIlO/ThDMU+IXC/LRyW9tMhedDA/ZKJ9fHjd+0MCa66o7SMSS4/ATozbzLwy/ENaFjtb6jAho3w/R9MPwajiKZQ2XtXO8DwjdglFklDHJKSbXeleaMRfDLzPRpx4DZxnE1sMgTSh2j707MrCm8vjZcrZDbR53vQfHztu/VHD9vv29ji426NYg5wqC1toUUHMMBCR70jZ1KO15Ubkpwf/FXRySxCuiZuO5KUpUWYWxh342l4ZGUwsLQ+fWZ04rhwAplXrvxRrq5NEMif9csFdZJyxxibOOGWlCE= ;{id = 45856 (ksk), size = 2048b}
Jun  1 11:22:15 signer1 ods-enforcerd: ods.     3600    IN      DNSKEY  257 3 7 AwEAAcNcbkEd+NhwfWk0WgVuUWJyfgBWLMwSF5ZRHD+9Sru5kRkKNXDl7IMpdiSjp/wSCFWjr2IR5/KMZe0Cf4laV63I8sJy6OWRpCF/Kk8EuDaE1T0MOP6GQkif9Fn+JUzwz/SESAMv/knY5+xwwGm4cMNuS8egmlsmUuNqnw3PqChJbLKKpDbzzBI5P98KY51kbVIdfLqMkf8X8B3y/5rc8xmBc0xhTY4ZbpP2dgm65dFeK8lCOF1FSSWwItc2qRT2jdG/60226CufjXnEeS7oChFKF0cP46ZXFRql6/3qOkfACwdVxAizWoraMU4JHp2rVvla2WmMBvhXJyDEl+xP/Qc= ;{id = 16581 (ksk), size = 2048b}
Jun  1 11:22:15 signer1 ods-enforcerd: Once the new DS records are seen in DNS please issue the ds-seen command for zone ods with the following cka_ids, b48cfc3c80e11ed41eb21ab49d7666df, 12306205b8e5aa46abb276d57544680c
Jun  1 11:22:15 signer1 ods-enforcerd: Disconnecting from Database...
Jun  1 11:22:15 signer1 ods-enforcerd: Sleeping for 1800 seconds.
Jun  1 11:22:15 signer1 ods-signerd: Zone action to perform: 3
Jun  1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000, output serial 1000 is too large. Aborting operation
Jun  1 11:22:25 signer1 ods-enforcerd: Received SIGTERM, exiting...
Jun  1 11:22:25 signer1 ods-enforcerd: all done! hsm_close result: 0
Jun  1 11:22:25 signer1 ods-signerd: Received command: 'stop'
Jun  1 11:22:25 signer1 ods-signerd: close syslog
Jun  1 11:22:25 signer1 python: Connection closed by peer

Cheers,
Rick

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20100601/51306abe/attachment.htm>

More information about the Opendnssec-develop mailing list