[Opendnssec-user] zonefetcher issues

B C brettlists at gmail.com
Fri Nov 6 13:38:01 UTC 2009


Well the zone doesn't use TSIG so I removed that part of the config and that
has done the trick.

Thanks for pointing out my error :)

Brett



On Fri, Nov 6, 2009 at 1:19 PM, Matthijs Mekking <matthijs at nlnetlabs.nl>wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> Is the TSIG name/algorithm/secret in the zonefetch.xml correct?
>
> Best regards,
>
> Matthijs
>
> B C wrote:
> > So I changed my config file to read:
> >
> > <NotifyListen><IPv4>213.248.208.95</IPv4><Port>53</Port></NotifyListen>
> >
> > Nov  6 13:06:20 test-signer1 ods-signerd: Run command:
> > '/usr/libexec/opendnssec/zone_fetcher -c /etc/opendnssec/zonefetch.xml
> > -z /etc/opendnssec/zonelist.xml -d -f local0'
> > Nov  6 13:06:21 OpenDNSSEC signer engine: zone fetcher started
> > Nov  6 13:06:21 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
> >
> > The zonefetcher is now running but is not fetching the zone
> >
> > I see the following when a notify arrives:
> >
> > Nov  6 13:09:20 OpenDNSSEC signer engine: zone fetcher received NOTIFY
> > for zone uk
> > Nov  6 13:09:20 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
> >
> > Brett
> >
> > 2009/11/6 Antti Ristimäki <aristima at csc.fi <mailto:aristima at csc.fi>>
> >
> >     Hi,
> >
> >     I had previously also some problems with zone fetcher. Now I have
> >     explicitly configured the interface, on which the zone fetcher should
> >     listen for notify messages. This can be done by adding the <IPv4>
> >     statement between the <NotifyListen> statements. For example:
> >
> >     <NotifyListen><IPv4>a.b.c.d</IPv4><Port>53</Port></NotifyListen>
> >
> >     Could it be possible that you have a name server instance running on
> >     port 53? That might be the reason why zone fetcher fails to bind the
> >     interface.
> >
> >     Regards,
> >     Antti
> >
> >     On Fri, 2009-11-06 at 14:38 +0200, B C wrote:
> >     > Today is the first day that I've tried to use zonefetcher so it
> >     could be something I am doing wrong :)
> >     >
> >     > I have this in my config:
> >     >
> >     > <?xml version="1.0" encoding="UTF-8"?>
> >     >
> >     > <!-- $Id: zonefetch.xml.in
> >     <http://zonefetch.xml.in><http://zonefetch.xml.in> 1920 2009-09-30
> >     07:49:39Z matthijs $ -->
> >     >
> >     > <ZoneFetch>
> >     >         <!-- where to listen for notifies -->
> >     >         <!-- DEFAULT: do not listen to notify on specific address
> -->
> >     >         <NotifyListen><Port>53</Port></NotifyListen>
> >     >
> >     >         <!-- default inbound AXFR settings
> >     >              (per zone setting not yet implemented) -->
> >     >         <Default>
> >     >                 <!-- TSIG secret for inbound AXFR -->
> >     >                 <!-- DEFAULT: don't use TSIG -->
> >     >                 <TSIG>
> >     >                         <Name>secret.example.com
> >     <http://secret.example.com><http://secret.example.com>.</Name>
> >     >
> >     >                         <!--
> >     http://www.iana.org/assignments/tsig-algorithm-names -->
> >     >                         <Algorithm>hmac-sha256</Algorithm>
> >     >
> >     >                         <!-- base64 encoded secret -->
> >     >
> >     <Secret>sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ=</Secret>
> >     >                 </TSIG>
> >     >
> >     >                 <!-- address of host to request AXFR from -->
> >     >                 <!-- incoming NOTIFY has to match this address as
> >     well -->
> >     >                 <!-- DEFAULT: none -->
> >     >                 <RequestTransfer>
> >     >                         <IPv4>213.248.208.91</IPv4><Port>53</Port>
> >     >                 </RequestTransfer>
> >     >         </Default>
> >     > </ZoneFetch>
> >     >
> >     >
> >     > There is nothing using port53 on this box but when I run ods-start
> >     I see the following in the error log:
> >     >
> >     > Nov  6 12:34:30 test-signer1 ods-signerd: Run command:
> >     '/usr/libexec/opendnssec/zone_fetcher -c
> >     /etc/opendnssec/zonefetch.xml -z /etc/opendnssec/zonelist.xml -d -f
> >     local0'
> >     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher started
> >     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher AXFR for uk
> >     failed
> >     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher can't bind
> >     UDP socket: Address already in use
> >     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher failed to
> >     initialize sockets
> >     > Nov  6 12:34:30 OpenDNSSEC signer engine: zone fetcher exiting...
> >     >
> >     > After this I do see:
> >     >
> >     > -rw-r--r-- 1 root root 0 Nov  6 12:34 uk.axfr.29621
> >     >
> >     > in
> >     >
> >     > /var/opendnssec/unsigned/
> >     >
> >     >
> >     > If I do a dig @213.248.208.91
> >     <http://213.248.208.91><http://213.248.208.91> uk axfr all is fine
> >     >
> >     >
> >     > Did i miss something or is there a bug here?
> >     >
> >     >
> >     > Brett
> >
> >
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Opendnssec-user mailing list
> > Opendnssec-user at lists.opendnssec.org
> > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iQEcBAEBAgAGBQJK9CJgAAoJEA8yVCPsQCW5StoH/2xnduQiYchh3EY8Arovq6Du
> glRTFktvjU3gwT6HPgmGGcLuWXLvovxpf+ENU+Km8LmOWpiACvLLAarin8Uyvpzg
> 1vavzmXusr6X46wQilFt9c24kyPHm06cTqgHN5VnpzEdgleLOAbHXYrNF/fv+has
> eUZQJUqVy986s8MAjfpPvMFBVKJ+fqHBknUUfzY40xURC9pv3F1IVzq/NjVitoev
> cWWAWn9wmaXinEAO44z9roKhRkFsgoUo27fSNHtQriUiVpYQ/RjwA1KkgW7vkqQo
> CTdeFFuvIPDrWXy1Tyafx/V5oDqHGPGNfbbHpR3iuU5llAYocv95fErZAsM/ApM=
> =0SHY
> -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20091106/f4c2b742/attachment.htm>


More information about the Opendnssec-user mailing list