[Opendnssec-user] Running signer with zone fetcher
aristima at csc.fi
Thu Oct 8 16:06:04 UTC 2009
Your fix seems to work. The zone fetcher is now able to bind to a specific
address and port:
tcp 0 0 a.b.c.160:5353 0.0.0.0:* LISTEN 1248/zone_fetcher
udp 0 0 a.b.c.160:5353 0.0.0.0:* 1248/zone_fetcher
The remote server port for AXFRs doesn't seem to work, though. I see the
following message in the log:
OpenDNSSEC signer engine: zone fetcher failed to send SOA query: Could not send or receive, because of network error
OpenDNSSEC signer engine: zone fetcher failed to send SOA query: No nameservers defined in the resolver
In the zonefetch.xml I have the following configuration:
On Thu, 8 Oct 2009, Matthijs Mekking wrote:
> Hi Antti,
> About the <Port>, that is right. The problem with that is that the ldns
> resolver only allows to configure one remote port. It would be best to
> make that nameserver dependent.
> However, for now I made a fix so that it will fetch the first configured
> <Port> and use that instead of the default port 53.
> I also provided a fix for listening to notifies on one or more specific
> interfaces. However, I don't see the same behavior as you do. It works
> for me:
> # netstat -anp | grep 5678
> tcp 0 0 213.154.224.??:5678 0.0.0.0:* LISTEN 14268/zone_fetcher
> udp 0 0 213.154.224.??:5678 0.0.0.0:* 14268/zone_fetcher
> And if I try to configure not-owned ip addresses, it will fail as expected.
> Can you provide me more details about the zonefetch.xml and your system
> if the problem persists?
> Best regards,
> Antti Ristimäki wrote:
>> Hi Matthijs and others,
>> One more thing about zone fetcher. It doesn't seem to understand the
>> <Port> statement in the zonefetch.xml file. At least in our test bed it
>> is always sending the AXFR request to the standard server port 53
>> instead of the port given in zonefetch.xml.
>> In addition, how can one make the zone fetcher listen to NOTIFY messages
>> on a specific address? At least the <IPv4> statement inside the
>> <NotifyListen> statement doesn't seem to do the trick. The <Port>
>> statement works for the listener, but it binds on all possible addresses.
>> On Wed, 7 Oct 2009, Matthijs Mekking wrote:
>>> it should have been config, not zone_config. Fixed in trunk.
>>> Antti Ristimäki wrote:
>>>> I have a problem when running the signer with the zone fetcher. In the
>>>> conf.xml, I have the statement
>>>> When trying to run the signer, it logs the following error message:
>>>> Error: Engine instance has no attribute 'zone_config'
>>>> If I comment out the statement <ZoneFetchFile> from the conf.xml, the
>>>> signer starts normally.
>>>> Any ideas about the reason?
CSC - Tieteen tietotekniikan keskus Oy
PL 405, 02101 Espoo
(09) 457 2963, antti.ristimaki at csc.fi
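For readers arriving at this thread with the same two questions (remote AXFR port and a NOTIFY listener bound to one interface), the following zonefetch.xml is an added illustration and not a file from the thread or from the OpenDNSSEC project. It uses the <NotifyListen>, <IPv4> and <Port> elements named above; the <Default> and <Address> wrapper for the remote master is an assumption based on the 1.0 zonefetch.xml template, so compare it with the template shipped with your build. All addresses and ports are constructed placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. Referenced from conf.xml via
     <ZoneFetchFile>, as in the first message of this thread. -->
<ZoneFetch>
  <!-- Remote master that the zone fetcher sends SOA queries and AXFRs to.
       Address and port here are constructed placeholders (assumed layout). -->
  <Default>
    <Address>192.0.2.10</Address>
    <!-- With the fix described above, the first <Port> found is used for
         every remote instead of the default 53, so all masters must share it. -->
    <Port>5353</Port>
  </Default>

  <!-- Where the zone fetcher itself listens for NOTIFY messages.
       <IPv4> binds one interface instead of all addresses (0.0.0.0). -->
  <NotifyListen>
    <IPv4>198.51.100.160</IPv4>
    <Port>5353</Port>
  </NotifyListen>
</ZoneFetch>
```

After restarting the signer, the listener check is the same netstat call shown above: the tcp and udp lines for the chosen port should carry the <IPv4> address rather than 0.0.0.0. On the outbound side, the ldns status "No nameservers defined in the resolver" means the resolver was built without any remote address at all, so confirm the remote address is present and parsed before suspecting the port setting.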