[Opendnssec-user] zonefetcher issues
Antti Ristimäki
aristima at csc.fi
Fri Nov 6 13:23:24 UTC 2009
Have you checked your firewall rules on the signer and on the hidden
master? When the zone fetcher tries to make the AXFR, it first sends a
regular SOA query on top of UDP. In our environment, the AXFR failed
because the zone fetcher couldn't receive the response for the initial
SOA query.
I don't know if this helps but your problem sounds so similar to the one
I was struggling with...
Antti
On Fri, 2009-11-06 at 15:10 +0200, B C wrote:
> So I changed my config file to read:
>
> <NotifyListen><IPv4>213.248.208.95</IPv4><Port>53</Port></NotifyListen>
>
> Nov 6 13:06:20 test-signer1 ods-signerd: Run command: '/usr/libexec/opendnssec/zone_fetcher -c /etc/opendnssec/zonefetch.xml -z /etc/opendnssec/zonelist.xml -d -f local0'
> Nov 6 13:06:21 OpenDNSSEC signer engine: zone fetcher started
> Nov 6 13:06:21 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
>
> The zonefetcher is now running but is not fetching the zone
>
> I see the following when a notify arrives:
>
> Nov 6 13:09:20 OpenDNSSEC signer engine: zone fetcher received NOTIFY for zone uk
> Nov 6 13:09:20 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
>
> Brett
>
> 2009/11/6 Antti Ristimäki <aristima at csc.fi>
> Hi,
>
> I had previously also some problems with zone fetcher. Now I have
> explicitly configured the interface, on which the zone fetcher should
> listen for notify messages. This can be done by adding the <IPv4>
> statement between the <NotifyListen> statements. For example:
>
> <NotifyListen><IPv4>a.b.c.d</IPv4><Port>53</Port></NotifyListen>
>
> Could it be possible that you have a name server instance running on
> port 53? That might be the reason why zone fetcher fails to bind the
> interface.
>
> Regards,
> Antti
>
> On Fri, 2009-11-06 at 14:38 +0200, B C wrote:
> > Today is the first day that I've tried to use zonefetcher so it could be something I am doing wrong :)
> >
> > I have this in my config:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> >
> > <!-- $Id: zonefetch.xml.in 1920 2009-09-30 07:49:39Z matthijs $ -->
> >
> > <ZoneFetch>
> > <!-- where to listen for notifies -->
> > <!-- DEFAULT: do not listen to notify on specific address -->
> > <NotifyListen><Port>53</Port></NotifyListen>
> >
> > <!-- default inbound AXFR settings
> > (per zone setting not yet implemented) -->
> > <Default>
> > <!-- TSIG secret for inbound AXFR -->
> > <!-- DEFAULT: don't use TSIG -->
> > <TSIG>
> > <Name>secret.example.com.</Name>
> >
> > <!-- http://www.iana.org/assignments/tsig-algorithm-names -->
> > <Algorithm>hmac-sha256</Algorithm>
> >
> > <!-- base64 encoded secret -->
> > <Secret>sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ=</Secret>
> > </TSIG>
> >
> > <!-- address of host to request AXFR from -->
> > <!-- incoming NOTIFY has to match this address as well -->
> > <!-- DEFAULT: none -->
> > <RequestTransfer>
> > <IPv4>213.248.208.91</IPv4><Port>53</Port>
> > </RequestTransfer>
> > </Default>
> > </ZoneFetch>
> >
> >
> > There is nothing using port 53 on this box but when I run ods-start I see the following in the error log:
> >
> > Nov 6 12:34:30 test-signer1 ods-signerd: Run command: '/usr/libexec/opendnssec/zone_fetcher -c /etc/opendnssec/zonefetch.xml -z /etc/opendnssec/zonelist.xml -d -f local0'
> > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher started
> > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
> > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher can't bind UDP socket: Address already in use
> > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher failed to initialize sockets
> > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher exiting...
> >
> > After this I do see:
> >
> > -rw-r--r-- 1 root root 0 Nov 6 12:34 uk.axfr.29621
> >
> > in
> >
> > /var/opendnssec/unsigned/
> >
> >
> > If I do a dig @213.248.208.91 uk axfr all is fine
> >
> >
> > Did I miss something or is there a bug here?
> >
> >
> > Brett
>
>
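The two steps Antti describes at the top of this message (the zone fetcher first sends a plain SOA query over UDP, then asks for the AXFR over TCP) can be exercised one at a time from the signer host with the following script, added here as an example; it is not part of the thread or of OpenDNSSEC, uses only the Python standard library, and the master address, zone name and port are values you pass in. Whichever step reports FAILED is the one the firewall rules (or the master's transfer ACL) need to be checked for.

```python
import socket
import struct

def build_query(zone, qtype, msg_id):
    """Minimal DNS query: header (RD=0, like a transfer client), QNAME, QTYPE, class IN."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in zone.rstrip(".").split(".") if l) + b"\x00"
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_reply(data, msg_id):
    """Return (rcode, ancount) if data is a response to msg_id, else None."""
    if len(data) < 12:
        return None
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != msg_id or not flags & 0x8000:  # QR bit must be set on a reply
        return None
    return flags & 0x000F, an

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("master closed the connection early")
        buf += chunk
    return buf

def probe_master(master, zone, port=53, timeout=3.0):
    """Step 1: SOA over UDP (what the zone fetcher sends first). Step 2: AXFR over TCP."""
    result = {}
    try:  # a firewall that drops the UDP/53 reply shows up here as a timeout
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(zone, 6, 0x1234), (master, port))  # QTYPE 6 = SOA
            data, _ = s.recvfrom(4096)
        result["udp_soa"] = parse_reply(data, 0x1234) or "unrelated reply"
    except OSError as e:  # socket.timeout is an OSError subclass
        result["udp_soa"] = "FAILED: %s" % e
    try:  # TCP/53 must also be open, and the master must allow the transfer
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((master, port))
            q = build_query(zone, 252, 0x5678)  # QTYPE 252 = AXFR
            s.sendall(struct.pack("!H", len(q)) + q)  # TCP framing: 2-byte length prefix
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            data = _recv_exact(s, length)
        result["tcp_axfr"] = parse_reply(data, 0x5678) or "unrelated reply"  # rcode 5 = REFUSED
    except OSError as e:
        result["tcp_axfr"] = "FAILED: %s" % e
    return result
```

Run it as `probe_master("<hidden master IP>", "<zone>")`; a result such as `{"udp_soa": "FAILED: timed out", "tcp_axfr": (0, 1)}` means the transfer itself is permitted but the UDP SOA step, which the zone fetcher needs first, is being blocked.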