[Opendnssec-user] zonefetcher issues
B C
brettlists at gmail.com
Fri Nov 6 13:38:01 UTC 2009
Well the zone doesn't use TSIG so I removed that part of the config and that
has done the trick.
Thanks for pointing out my error :)
Brett
On Fri, Nov 6, 2009 at 1:19 PM, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:
>
> Hi,
>
> Is the TSIG name/algorithm/secret in the zonefetch.xml correct?
>
> Best regards,
>
> Matthijs
>
> B C wrote:
> > So I changed my config file to read:
> >
> > <NotifyListen><IPv4>213.248.208.95</IPv4><Port>53</Port></NotifyListen>
> >
> > Nov 6 13:06:20 test-signer1 ods-signerd: Run command: '/usr/libexec/opendnssec/zone_fetcher -c /etc/opendnssec/zonefetch.xml -z /etc/opendnssec/zonelist.xml -d -f local0'
> > Nov 6 13:06:21 OpenDNSSEC signer engine: zone fetcher started
> > Nov 6 13:06:21 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
> >
> > The zonefetcher is now running but is not fetching the zone
> >
> > I see the following when a notify arrives:
> >
> > Nov 6 13:09:20 OpenDNSSEC signer engine: zone fetcher received NOTIFY for zone uk
> > Nov 6 13:09:20 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
> >
> > Brett
> >
> > 2009/11/6 Antti Ristimäki <aristima at csc.fi>
> >
> > Hi,
> >
> > I had previously also some problems with zone fetcher. Now I have
> > explicitly configured the interface, on which the zone fetcher should
> > listen for notify messages. This can be done by adding the <IPv4>
> > statement between the <NotifyListen> statements. For example:
> >
> > <NotifyListen><IPv4>a.b.c.d</IPv4><Port>53</Port></NotifyListen>
> >
> > Could it be possible that you have a name server instance running on
> > port 53? That might be the reason why zone fetcher fails to bind the
> > interface.
> >
> > Regards,
> > Antti
> >
> > On Fri, 2009-11-06 at 14:38 +0200, B C wrote:
> > > Today is the first day that I've tried to use zonefetcher so it could be something I am doing wrong :)
> > >
> > > I have this in my config:
> > >
> > > <?xml version="1.0" encoding="UTF-8"?>
> > >
> > > <!-- $Id: zonefetch.xml.in 1920 2009-09-30 07:49:39Z matthijs $ -->
> > >
> > > <ZoneFetch>
> > >     <!-- where to listen for notifies -->
> > >     <!-- DEFAULT: do not listen to notify on specific address -->
> > >     <NotifyListen><Port>53</Port></NotifyListen>
> > >
> > >     <!-- default inbound AXFR settings
> > >          (per zone setting not yet implemented) -->
> > >     <Default>
> > >         <!-- TSIG secret for inbound AXFR -->
> > >         <!-- DEFAULT: don't use TSIG -->
> > >         <TSIG>
> > >             <Name>secret.example.com.</Name>
> > >
> > >             <!-- http://www.iana.org/assignments/tsig-algorithm-names -->
> > >             <Algorithm>hmac-sha256</Algorithm>
> > >
> > >             <!-- base64 encoded secret -->
> > >             <Secret>sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ=</Secret>
> > >         </TSIG>
> > >
> > >         <!-- address of host to request AXFR from -->
> > >         <!-- incoming NOTIFY has to match this address as well -->
> > >         <!-- DEFAULT: none -->
> > >         <RequestTransfer>
> > >             <IPv4>213.248.208.91</IPv4><Port>53</Port>
> > >         </RequestTransfer>
> > >     </Default>
> > > </ZoneFetch>
> > >
> > >
> > > There is nothing using port 53 on this box but when I run ods-start I see the following in the error log:
> > >
> > > Nov 6 12:34:30 test-signer1 ods-signerd: Run command: '/usr/libexec/opendnssec/zone_fetcher -c /etc/opendnssec/zonefetch.xml -z /etc/opendnssec/zonelist.xml -d -f local0'
> > > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher started
> > > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher AXFR for uk failed
> > > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher can't bind UDP socket: Address already in use
> > > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher failed to initialize sockets
> > > Nov 6 12:34:30 OpenDNSSEC signer engine: zone fetcher exiting...
> > >
> > > After this I do see:
> > >
> > > -rw-r--r-- 1 root root 0 Nov 6 12:34 uk.axfr.29621
> > >
> > > in
> > >
> > > /var/opendnssec/unsigned/
> > >
> > >
> > > If I do a dig @213.248.208.91 uk axfr all is fine
> > >
> > >
> > > Did I miss something or is there a bug here?
> > >
> > >
> > > Brett
> >
>
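
A small lint for the two misconfigurations this thread ran into (a `NotifyListen` with no address, and a TSIG block carrying an `example.com` key name for a zone that is not transferred with TSIG), as an added example that is not part of the original messages or of OpenDNSSEC. The function name `lint_zonefetch`, the finding codes and both sample documents are constructed here; only the element names come from the quoted config.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed samples: the thread's config reduced to its elements, before and
# after the two changes made in the thread. The Secret value is a placeholder.
AS_POSTED = """<ZoneFetch>
  <NotifyListen><Port>53</Port></NotifyListen>
  <Default>
    <TSIG><Name>secret.example.com.</Name><Algorithm>hmac-sha256</Algorithm>
      <Secret>cGxhY2Vob2xkZXI=</Secret></TSIG>
    <RequestTransfer><IPv4>213.248.208.91</IPv4><Port>53</Port></RequestTransfer>
  </Default>
</ZoneFetch>"""
AS_FIXED = """<ZoneFetch>
  <NotifyListen><IPv4>213.248.208.95</IPv4><Port>53</Port></NotifyListen>
  <Default>
    <RequestTransfer><IPv4>213.248.208.91</IPv4><Port>53</Port></RequestTransfer>
  </Default>
</ZoneFetch>"""


def lint_zonefetch(xml_text):
    """Return (code, message) findings for a zonefetch.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    listen = root.find("NotifyListen")
    # Any child other than <Port> is treated as an explicit listen address.
    if listen is not None and all(child.tag == "Port" for child in listen):
        findings.append(("listen-any",
                         "NotifyListen has a port but no explicit address"))
    tsig = root.find("Default/TSIG")
    if tsig is not None:
        name = (tsig.findtext("Name") or "").strip().rstrip(".").lower()
        if name == "example.com" or name.endswith(".example.com"):
            findings.append(("tsig-placeholder", "TSIG name is under example.com; "
                             "remove the block or use the primary's real key"))
        try:
            base64.b64decode((tsig.findtext("Secret") or "").strip(), validate=True)
        except binascii.Error:
            findings.append(("tsig-secret", "TSIG secret is not valid base64"))
    if root.find("Default/RequestTransfer/IPv4") is None:
        findings.append(("no-primary", "no RequestTransfer address to AXFR from"))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", AS_POSTED), ("as fixed", AS_FIXED)):
        print(label, [code for code, _ in lint_zonefetch(text)])
```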