[Opendnssec-user] zonefetcher issues

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Nov 6 13:19:29 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Is the TSIG name/algorithm/secret in the zonefetch.xml correct?

Best regards,

Matthijs

B C wrote:
> So I changed my config file to read:
> 
> <NotifyListen><IPv4>213.248.208.95</IPv4><Port>53</Port></NotifyListen>
> 
> Nov  6 13:06:20 test-signer1 ods-signerd: Run command:
> '/usr/libexec/opendnssec/zone_fetcher -c /etc/opendnssec/zonefetch.xml
> -z /etc/opendnssec/zonelist.xml -d -f local0'
> Nov  6 13:06:21 OpenDNSSEC signer engine: zone fetcher started
> Nov  6 13:06:21 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
> 
> The zonefetcher is now running but is not fetching the zone
> 
> I see the following when a notify arrives:
> 
> Nov  6 13:09:20 OpenDNSSEC signer engine: zone fetcher received NOTIFY
> for zone uk
> Nov  6 13:09:20 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
> 
> Brett
> 
> 2009/11/6 Antti Ristimäki <aristima at csc.fi>
> 
>     Hi,
> 
>     I also previously had some problems with the zone fetcher. Now I have
>     explicitly configured the interface on which the zone fetcher should
>     listen for notify messages. This can be done by adding the <IPv4>
>     statement between the <NotifyListen> statements. For example:
> 
>     <NotifyListen><IPv4>a.b.c.d</IPv4><Port>53</Port></NotifyListen>
> 
>     Could it be possible that you have a name server instance running on
>     port 53? That might be the reason why zone fetcher fails to bind the
>     interface.
> 
>     Regards,
>     Antti
> 
>     On Fri, 2009-11-06 at 14:38 +0200, B C wrote:
>     > Today is the first day that I've tried to use zonefetcher so it
>     could be something I am doing wrong :)
>     >
>     > I have this in my config:
>     >
>     > <?xml version="1.0" encoding="UTF-8"?>
>     >
>     > <!-- $Id: zonefetch.xml.in 1920 2009-09-30 07:49:39Z matthijs $ -->
>     >
>     > <ZoneFetch>
>     >         <!-- where to listen for notifies -->
>     >         <!-- DEFAULT: do not listen to notify on specific address -->
>     >         <NotifyListen><Port>53</Port></NotifyListen>
>     >
>     >         <!-- default inbound AXFR settings
>     >              (per zone setting not yet implemented) -->
>     >         <Default>
>     >                 <!-- TSIG secret for inbound AXFR -->
>     >                 <!-- DEFAULT: don't use TSIG -->
>     >                 <TSIG>
>     >                         <Name>secret.example.com.</Name>
>     >
>     >                         <!--
>     http://www.iana.org/assignments/tsig-algorithm-names -->
>     >                         <Algorithm>hmac-sha256</Algorithm>
>     >
>     >                         <!-- base64 encoded secret -->
>     >                         <Secret>sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ=</Secret>
>     >                 </TSIG>
>     >
>     >                 <!-- address of host to request AXFR from -->
>     >                 <!-- incoming NOTIFY has to match this address as
>     well -->
>     >                 <!-- DEFAULT: none -->
>     >                 <RequestTransfer>
>     >                         <IPv4>213.248.208.91</IPv4><Port>53</Port>
>     >                 </RequestTransfer>
>     >         </Default>
>     > </ZoneFetch>
>     >
>     >
>     > There is nothing using port 53 on this box but when I run ods-start
>     I see the following in the error log:
>     >
>     > Nov  6 12:34:30 test-signer1 ods-signerd: Run command:
>     '/usr/libexec/opendnssec/zone_fetcher -c
>     /etc/opendnssec/zonefetch.xml -z /etc/opendnssec/zonelist.xml -d -f
>     local0'
>     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher started
>     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher AXFR for uk
>     failed
>     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher can't bind
>     UDP socket: Address already in use
>     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher failed to
>     initialize sockets
>     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher exiting...
>     >
>     > After this I do see:
>     >
>     > -rw-r--r-- 1 root root 0 Nov  6 12:34 uk.axfr.29621
>     >
>     > in
>     >
>     > /var/opendnssec/unsigned/
>     >
>     >
>     > If I do a dig @213.248.208.91 uk axfr all is fine
>     >
>     >
>     > Did I miss something or is there a bug here?
>     >
>     >
>     > Brett
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJK9CJgAAoJEA8yVCPsQCW5StoH/2xnduQiYchh3EY8Arovq6Du
glRTFktvjU3gwT6HPgmGGcLuWXLvovxpf+ENU+Km8LmOWpiACvLLAarin8Uyvpzg
1vavzmXusr6X46wQilFt9c24kyPHm06cTqgHN5VnpzEdgleLOAbHXYrNF/fv+has
eUZQJUqVy986s8MAjfpPvMFBVKJ+fqHBknUUfzY40xURC9pv3F1IVzq/NjVitoev
cWWAWn9wmaXinEAO44z9roKhRkFsgoUo27fSNHtQriUiVpYQ/RjwA1KkgW7vkqQo
CTdeFFuvIPDrWXy1Tyafx/V5oDqHGPGNfbbHpR3iuU5llAYocv95fErZAsM/ApM=
=0SHY
-----END PGP SIGNATURE-----
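The two checks raised in this thread, Matthijs's "is the TSIG name/algorithm/secret correct?" and Antti's point that a NotifyListen without an explicit <IPv4> binds the wildcard address on port 53 and collides with any name server on the host, written up as an added Python example. It is not part of this thread and not OpenDNSSEC's own code: it lints a zonefetch.xml offline and prints the dig -y invocation that exercises the same master and key out of band (the one thing a lint cannot verify is whether the key name and secret match what the master has). The sample config is constructed from the one quoted above, with the listen address from Brett's second attempt; the helper names and the zone name "uk" are mine.

```python
"""Lint a zonefetch.xml offline; added example, not OpenDNSSEC's own code."""
import base64
import binascii
import hashlib
import ipaddress
import xml.etree.ElementTree as ET

# IANA TSIG algorithm names mapped to the digest each one uses
# (http://www.iana.org/assignments/tsig-algorithm-names).
TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int": hashlib.md5,
    "hmac-sha1": hashlib.sha1,
    "hmac-sha224": hashlib.sha224,
    "hmac-sha256": hashlib.sha256,
    "hmac-sha384": hashlib.sha384,
    "hmac-sha512": hashlib.sha512,
}

# Constructed from the config quoted in the thread, with NotifyListen given an
# explicit address; the key is the sample one posted there.
SAMPLE_CONFIG = """<ZoneFetch>
  <NotifyListen><IPv4>213.248.208.95</IPv4><Port>53</Port></NotifyListen>
  <Default>
    <TSIG>
      <Name>secret.example.com.</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ=</Secret>
    </TSIG>
    <RequestTransfer><IPv4>213.248.208.91</IPv4><Port>53</Port></RequestTransfer>
  </Default>
</ZoneFetch>
"""
# The first config posted: the same, but NotifyListen without an <IPv4>.
ORIGINAL_CONFIG = SAMPLE_CONFIG.replace("<IPv4>213.248.208.95</IPv4>", "")


def _endpoint(node, label, problems):
    """Parse an <IPv4>/<Port> pair; return (ip or None, port), or None if absent."""
    if node is None:
        return None
    ip = None
    ip_text = node.findtext("IPv4")
    if ip_text is not None:
        try:
            ip = ipaddress.IPv4Address(ip_text.strip())
        except ValueError:
            problems.append("%s: %r is not an IPv4 address" % (label, ip_text))
    port_text = (node.findtext("Port") or "53").strip()
    if not port_text.isdigit() or not 0 < int(port_text) < 65536:
        problems.append("%s: bad port %r" % (label, port_text))
        return ip, None
    return ip, int(port_text)


def check_zonefetch(xml_text):
    """Return the list of problems found (an empty list means the config looks sane)."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "ZoneFetch":
        return ["root element is <%s>, expected <ZoneFetch>" % root.tag]

    listen = _endpoint(root.find("NotifyListen"), "NotifyListen", problems)
    if listen is not None and listen[0] is None:
        problems.append("NotifyListen: no <IPv4>, so the fetcher binds the wildcard "
                        "address on port %s and collides with any name server here" % listen[1])

    if _endpoint(root.find("Default/RequestTransfer"), "RequestTransfer", problems) is None:
        problems.append("RequestTransfer: no master address, nothing to AXFR from")

    tsig = root.find("Default/TSIG")
    if tsig is not None:
        # Whether the name matches the master's key name can only be checked
        # against the master (the dig command below); here we catch an empty one.
        if not (tsig.findtext("Name") or "").strip():
            problems.append("TSIG Name is empty")
        alg = (tsig.findtext("Algorithm") or "").strip().lower()
        if alg not in TSIG_ALGORITHMS:
            problems.append("TSIG Algorithm %r is not an IANA-registered name" % alg)
        try:
            key = base64.b64decode((tsig.findtext("Secret") or "").strip(), validate=True)
        except binascii.Error:
            problems.append("TSIG Secret is not valid base64")
        else:
            digest = TSIG_ALGORITHMS.get(alg)
            # RFC 2104 recommends an HMAC key at least as long as the digest output.
            if digest is not None and len(key) < digest().digest_size:
                problems.append("TSIG Secret is %d bytes, shorter than the %s digest"
                                % (len(key), alg))
    return problems


def dig_axfr_command(xml_text, zone):
    """Build 'dig @master -p port -y alg:name:secret zone axfr' for an out-of-band test."""
    root = ET.fromstring(xml_text)
    cmd = ["dig", "@" + root.findtext("Default/RequestTransfer/IPv4").strip(),
           "-p", (root.findtext("Default/RequestTransfer/Port") or "53").strip()]
    tsig = root.find("Default/TSIG")
    if tsig is not None:
        cmd += ["-y", ":".join(tsig.findtext(tag).strip()
                               for tag in ("Algorithm", "Name", "Secret"))]
    return " ".join(cmd + [zone, "axfr"])


if __name__ == "__main__":
    for problem in check_zonefetch(ORIGINAL_CONFIG) or ["no problems found"]:
        print("-", problem)
    print(dig_axfr_command(SAMPLE_CONFIG, "uk"))  # zone name "uk" as in the thread
```

Run against the first config from the thread it reports only the wildcard bind, which is the "Address already in use" line in Brett's log; with the <IPv4> added it reports nothing, so the remaining "AXFR for uk failed" has to be settled on the wire. That is what the printed dig line is for: a plain `dig @213.248.208.91 uk axfr` succeeding, as Brett observed, does not prove the key, because it sends no TSIG at all; the `-y` form fails with BADKEY or BADSIG if the name or secret does not match the master.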


