[Opendnssec-develop] Serial too large

Rick Zijlker rick.zijlker at sidn.nl
Wed Jun 2 13:27:13 UTC 2010


> I agree with Rickard's previous e-mail. Perhaps a different serial
> setting (unixtime or counter for example) is more fitting when you have
> a very static zone.

I understand

> This message should not appear in the case of regular resigning. But you
> mentioned a key rollover was in process. So now the message 'output
> serial too large' does appear.

I still don't understand how the output serial can be 'too large'? It was 1000 and still is 1000. 
 
Cheers,
Rick

-----Original Message-----
From: Matthijs Mekking [mailto:matthijs at NLnetLabs.nl] 
Sent: Wednesday, June 02, 2010 2:21 PM
To: Rick Zijlker
Cc: Opendnssec-develop at lists.opendnssec.org
Subject: Re: [Opendnssec-develop] Serial too large


Hi Rick,

Rick Zijlker wrote:
>> The output serial is too large if it is equal or larger than the input
>> serial.
> 
> This has never happened before when resigning with equal serial. Many tests exist of resigning the exact same zonefile. I expected the first message (serial not increased) but not the second message (serial too long). In between these 2 resigns nothing was changed in the zone or config. I would expect the first message (serial not increased) to continue showing every resign.

This message should not appear in the case of regular resigning. But you
mentioned a key rollover was in process. So now the message 'output
serial too large' does appear.

> 
> In my opinion at key rollover when serial set to 'keep', the zone should actually still sign the zone since the keys change, which means you need to resign the same zone. Even when it's the same zone serial. Some zones don't change for years but they do get rollovers.

I agree with Rickard's previous e-mail. Perhaps a different serial
setting (unixtime or counter for example) is more fitting when you have
a very static zone.


Best regards,

Matthijs



> 
> Cheers,
> Rick
> 
> 
> -----Original Message-----
> From: Matthijs Mekking [mailto:matthijs at NLnetLabs.nl] 
> Sent: Tuesday, June 01, 2010 2:33 PM
> To: Rick Zijlker
> Cc: Opendnssec-develop at lists.opendnssec.org
> Subject: Re: [Opendnssec-develop] Serial too large
> 
> Hi Rick,
> 
> I wrote my comments in between lines....
> 
> Rick Zijlker wrote:
>> Hey,
> 
>> When resigning a zone which has a serial of 1000 and policy for the
>> serial is keep, and the zone still has that same serial, I get the
>> following message:
> 
>> Jun  1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000,
>> output serial 1000 is too large. Aborting operation
> 
>> How can an output serial be too large? On a sidenote, the zone was about
>> to get a KSK rollover.
> 
> The output serial is too large if it is equal or larger than the input
> serial.
> 
> However, if you are in a key rollover it will also look at the input
> serial. Thus if you do not increase the serial value in the input file,
> the key rollover will not be picked up by the signer (in the case of
> serial keep). I am not sure if this is desired behavior.
> 
> Should we increase the serial when doing a rollover, even if the serial
> is set to keep?
> 
>> At earlier signing I got this message which is correct and expected:
> 
>> Jun  1 11:12:11 signer1 ods-signerd: Error: serial setting is set to
>> 'keep', but input serial has not increased. Aborting sign operation for ods
> 
> This message can appear when the actual signing is going on
> (adding/updating RRSIG records). If you for example re-sign every hour,
> but don't update the serial in the input file in the meantime, you'll
> see this error.
> 
> The other, previous message you'll see when you need to sort the zone,
> because of a change in the signer configuration or a change in the input
> file.
> 
> Best regards,
> 
> Matthijs
> 
>> Full log:
> 
>> Jun  1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at
>> 1275384134.71 with resign time 180
> 
>> Jun  1 11:22:14 signer1 ods-signerd: Scheduling task to sign zone ods at
>> 1275384134.71 with resign time 180
> 
>> Jun  1 11:22:14 signer1 ods-signerd: Zone ods added
> 
>> Jun  1 11:22:14 signer1 ods-signerd: opening socket:
>> /var/run/opendnssec/engine.sock
> 
>> Jun  1 11:22:14 signer1 ods-signerd: Engine running
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer starting...
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer Parent exiting...
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer forked OK...
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: opendnssec-enforcer started
>> (version 1.1.0rc3), pid 13521
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: HSM opened successfully.
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Reading config
>> "/etc/opendnssec/conf.xml"
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Reading config schema
>> "/usr/local/share/opendnssec/conf.rng"
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Communication Interval: 1800
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: No DS Submit command supplied
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: SQLite database set to:
>> /var/opendnssec/kasp.db
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Log User set to: local0
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Switched log facility to: local0
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Connecting to Database...
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Policy default found.
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Key sharing is Off.
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Policy gradual1 found.
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Key sharing is Off.
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: zonelist filename set to
>> /etc/opendnssec/zonelist.xml.
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Zone ods found.
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Policy for ods set to gradual1.
> 
>> Jun  1 11:22:14 signer1 ods-enforcerd: Config will be output to
>> /var/opendnssec/signconf/ods.xml.
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: INFO: New DS records needed for
>> the zone ods; details will follow
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: WARNING: KSK Retirement reached;
>> please submit the new DS for ods and use ods-ksmutil key ksk-roll to
>> roll the key.
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: No change to:
>> /var/opendnssec/signconf/ods.xml
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: DSChanged
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: DS Record set has changed, the
>> current set looks like:
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: ods.     3600    IN      DNSKEY 
>> 257 3 7
>> AwEAAdipHfA+phxY3scDd7Go/ncAJm1WDfarQAz2jjmCFgSlG9SHvDzxpXIlO/ThDMU+IXC/LRyW9tMhedDA/ZKJ9fHjd+0MCa66o7SMSS4/ATozbzLwy/ENaFjtb6jAho3w/R9MPwajiKZQ2XtXO8DwjdglFklDHJKSbXeleaMRfDLzPRpx4DZxnE1sMgTSh2j707MrCm8vjZcrZDbR53vQfHztu/VHD9vv29ji426NYg5wqC1toUUHMMBCR70jZ1KO15Ubkpwf/FXRySxCuiZuO5KUpUWYWxh342l4ZGUwsLQ+fWZ04rhwAplXrvxRrq5NEMif9csFdZJyxxibOOGWlCE=
>> ;{id = 45856 (ksk), size = 2048b}
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: ods.     3600    IN      DNSKEY 
>> 257 3 7
>> AwEAAcNcbkEd+NhwfWk0WgVuUWJyfgBWLMwSF5ZRHD+9Sru5kRkKNXDl7IMpdiSjp/wSCFWjr2IR5/KMZe0Cf4laV63I8sJy6OWRpCF/Kk8EuDaE1T0MOP6GQkif9Fn+JUzwz/SESAMv/knY5+xwwGm4cMNuS8egmlsmUuNqnw3PqChJbLKKpDbzzBI5P98KY51kbVIdfLqMkf8X8B3y/5rc8xmBc0xhTY4ZbpP2dgm65dFeK8lCOF1FSSWwItc2qRT2jdG/60226CufjXnEeS7oChFKF0cP46ZXFRql6/3qOkfACwdVxAizWoraMU4JHp2rVvla2WmMBvhXJyDEl+xP/Qc=
>> ;{id = 16581 (ksk), size = 2048b}
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: Once the new DS records are seen
>> in DNS please issue the ds-seen command for zone ods with the following
>> cka_ids, b48cfc3c80e11ed41eb21ab49d7666df, 12306205b8e5aa46abb276d57544680c
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: Disconnecting from Database...
> 
>> Jun  1 11:22:15 signer1 ods-enforcerd: Sleeping for 1800 seconds.
> 
>> Jun  1 11:22:15 signer1 ods-signerd: Zone action to perform: 3
> 
>> Jun  1 11:22:15 signer1 ods-signerd: Cannot keep input serial 1000,
>> output serial 1000 is too large. Aborting operation
> 
>> Jun  1 11:22:25 signer1 ods-enforcerd: Received SIGTERM, exiting...
> 
>> Jun  1 11:22:25 signer1 ods-enforcerd: all done! hsm_close result: 0
> 
>> Jun  1 11:22:25 signer1 ods-signerd: Received command: 'stop'
> 
>> Jun  1 11:22:25 signer1 ods-signerd: close syslog
> 
>> Jun  1 11:22:25 signer1 python: Connection closed by peer
> 
> 
> 
>> Cheers,
> 
>> Rick
> 
> 
> 
> 
> 


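The thread above turns on two things: how a signer decides that an output serial is "too large" (RFC 1982 serial arithmetic: the new input serial must be strictly greater than the serial of the last signed zone), and why the 'keep' policy cannot cope with a zone that never changes but still needs re-signing for key rollovers, whereas 'counter', 'unixtime' or 'datecounter' can. The following is an added example written for this page, not OpenDNSSEC code: it models the RFC 1982 comparison and the four serial policies named in the thread, then re-signs an unchanged zone with serial 1000 several times under each policy. The exact tie-breaking rules for 'counter', 'unixtime' and 'datecounter' (fall back to previous output serial plus one when the candidate would not move forward) are an assumption about how such a policy is commonly implemented, not a statement of OpenDNSSEC's behaviour; the error text for 'keep' is modelled on the log line Rick posted.

```python
"""Added example (not OpenDNSSEC code): RFC 1982 serial arithmetic and a
model of the 'keep' / 'counter' / 'unixtime' / 'datecounter' SOA serial
policies discussed in the thread."""
import datetime
import time

MOD = 1 << 32       # SOA serial is an unsigned 32-bit integer
HALF = 1 << 31      # RFC 1982: comparisons are defined within half the space


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'greater than': True if serial a is ahead of serial b.

    Handles wraparound (0 is greater than 0xFFFFFFFF). Two serials exactly
    HALF apart are undefined per RFC 1982 and compare as not-greater here.
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def serial_add(a: int, n: int) -> int:
    """RFC 1982 addition modulo 2^32."""
    return (a + n) % MOD


class SerialTooLarge(Exception):
    """Raised when policy 'keep' is asked to emit a serial that does not
    move forward relative to the previously signed zone."""


def next_serial(policy: str, input_serial: int, prev_output, now=None) -> int:
    """Choose the SOA serial for the next signed zone.

    policy        : 'keep', 'counter', 'unixtime' or 'datecounter'
    input_serial  : SOA serial found in the unsigned input zone
    prev_output   : SOA serial of the previously signed zone, or None
    now           : unix time used by the time-based policies (assumption:
                    injected for reproducibility; defaults to time.time())
    """
    now = int(time.time()) if now is None else int(now)

    if policy == "keep":
        # The check the thread is about: the input serial must be strictly
        # greater (RFC 1982) than what was last published. Equal counts as
        # "too large", which is why an unchanged static zone fails here.
        if prev_output is not None and not serial_gt(input_serial, prev_output):
            raise SerialTooLarge(
                f"Cannot keep input serial {input_serial}, "
                f"output serial {prev_output} is too large")
        return input_serial

    if policy == "counter":
        # Assumption: previous output + 1, unless the input serial jumped ahead.
        base = input_serial if prev_output is None else serial_add(prev_output, 1)
        return input_serial if serial_gt(input_serial, base) else base

    if policy == "unixtime":
        candidate = now
    elif policy == "datecounter":
        day = datetime.datetime.fromtimestamp(now, datetime.timezone.utc)
        candidate = int(day.strftime("%Y%m%d") + "00")   # YYYYMMDD00
    else:
        raise ValueError(f"unknown serial policy {policy!r}")

    # Assumption: time-based policies never move backwards or stand still
    # relative to the last published serial (e.g. several signs per second,
    # or several signs on the same day for datecounter).
    if prev_output is not None and not serial_gt(candidate, prev_output):
        candidate = serial_add(prev_output, 1)
    return candidate


def resign_static_zone(policy: str, rounds: int, input_serial: int = 1000,
                       start: int = 1275384134, interval: int = 3600):
    """Re-sign an unchanged zone `rounds` times, one `interval` apart.

    Returns (list_of_output_serials, error_message_or_None). The constructed
    defaults mirror the thread: input serial 1000, first sign at the unix
    time seen in Rick's log (2010-06-01 09:22:14 UTC).
    """
    prev = None
    outputs = []
    for i in range(rounds):
        try:
            prev = next_serial(policy, input_serial, prev, now=start + interval * i)
        except SerialTooLarge as exc:
            return outputs, str(exc)
        outputs.append(prev)
    return outputs, None


if __name__ == "__main__":
    for pol in ("keep", "counter", "unixtime", "datecounter"):
        print(pol, resign_static_zone(pol, 3))
```

With the defaults, 'keep' publishes 1000 once and refuses the second pass with the same message Rick saw, while the other three policies keep producing increasing serials from an unchanged input file, which is the trade-off Matthijs and Rickard point at for zones that only change through key rollovers.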