[Opendnssec-user] Running signer with zone fetcher
Antti Ristimäki
aristima at csc.fi
Thu Oct 8 16:06:04 UTC 2009
Hi Matthijs,
Your fix seems to work. The zone fetcher is now able to bind to a specific
address and port:
tcp 0 0 a.b.c.160:5353 0.0.0.0:* LISTEN 1248/zone_fetcher
udp 0 0 a.b.c.160:5353 0.0.0.0:* 1248/zone_fetcher
The remote server port for AXFRs doesn't seem to work, though. I see the
following message in the log:
OpenDNSSEC signer engine: zone fetcher failed to send SOA query: Could not send or receive, because of network error
OpenDNSSEC signer engine: zone fetcher failed to send SOA query: No nameservers defined in the resolver
In the zonefetch.xml I have the following configuration:
<RequestTransfer>
<IPv4>a.b.c.d</IPv4><Port>8054</Port>
</RequestTransfer>
BR,
Antti
On Thu, 8 Oct 2009, Matthijs Mekking wrote:
> Hi Antti,
>
> About the <Port>, that is right. The problem with that is that the ldns
> resolver only allows one remote port to be configured. It would be best to
> make that nameserver dependent.
>
> However, for now I made a fix so that it will fetch the first configured
> <Port> and use that instead of the default port 53.
>
> I also provided a fix for listening to notifies on one or more specific
> interfaces. However, I don't see the same behavior as you do. It works
> for me:
>
> # netstat -anp | grep 5678
>
> tcp 0 0 213.154.224.??:5678 0.0.0.0:* LISTEN 14268/zone_fetcher
> udp 0 0 213.154.224.??:5678 0.0.0.0:* 14268/zone_fetcher
>
> And if I try to configure not-owned ip addresses, it will fail as expected.
>
> Can you provide me more details about the zonefetch.xml and your system
> if the problem persists?
>
> Best regards,
>
> Matthijs
>
>
> Antti Ristimäki wrote:
>> Hi Matthijs and others,
>>
>> One more thing about zone fetcher. It doesn't seem to understand the
>> <Port> statement in the zonefetch.xml file. At least in our test bed it
>> is always sending the AXFR request to the standard server port 53
>> instead of the port given in zonefetch.xml.
>>
>> In addition, how can one make the zone fetcher listen to NOTIFY messages
>> on a specific address? At least the <IPv4> statement inside the
>> <NotifyListen> statement doesn't seem to do the trick. The <Port>
>> statement works for the listener, but it binds on all possible addresses.
>>
>> Regards,
>>
>> Antti
>>
>> On Wed, 7 Oct 2009, Matthijs Mekking wrote:
>>
>>> Doh,
>>>
>>> it should have been config, not zone_config. Fixed in trunk.
>>>
>>> Matthijs
>>>
>>> Antti Ristimäki wrote:
>>>> Hello,
>>>>
>>>> I have a problem when running the signer with the zone fetcher. In the
>>>> conf.xml, I have the statement
>>>> <ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>.
>>>>
>>>> When trying to run the signer, it logs the following error message:
>>>> Error: Engine instance has no attribute 'zone_config'
>>>>
>>>> If I comment out the statement <ZoneFetchFile> from the conf.xml, the
>>>> signer starts normally.
>>>>
>>>> Any ideas about the reason?
>>>>
>>>> Cheers,
>>>> Antti
------
Antti Ristimäki
Network Specialist, Funet network
CSC - Tieteen tietotekniikan keskus Oy
P.O. Box 405, 02101 Espoo
(09) 457 2963, antti.ristimaki at csc.fi
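The fetcher's serial check is a plain SOA query sent to the master on the port from <RequestTransfer>, so a useful first diagnostic from the signer host is to send that same query yourself to the configured address and port and see whether anything answers. The following is an added example, not OpenDNSSEC or ldns code: a minimal SOA query builder and serial parser in Python that targets an explicit IP and port; the sample reply is constructed inline so the parser can be exercised offline, and the 192.0.2.1 address and zone name are placeholders.

```python
import socket
import struct

SOA, IN = 6, 1

def build_soa_query(zone, qid=0x1234):
    """Build a minimal DNS SOA query: one question, RD=0, QID chosen by caller."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = zone.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", SOA, IN)

def _skip_name(msg, off):
    """Return the offset just past a wire-format name (handles compression)."""
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:          # pointer: two bytes, terminates the name
            return off + 2
        if ln == 0:                    # root label terminates the name
            return off + 1
        off += 1 + ln

def parse_soa_serial(msg, qid):
    """Return the SOA serial from a reply, or None if it does not match/has no answer."""
    rid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    if rid != qid or flags & 0x000F != 0 or an == 0:   # wrong ID, RCODE != 0, empty
        return None
    off = 12
    for _ in range(qd):                # skip the echoed question section
        off = _skip_name(msg, off) + 4
    off = _skip_name(msg, off)         # answer owner name
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    if rtype != SOA:
        return None
    rd = _skip_name(msg, off + 10)     # MNAME
    rd = _skip_name(msg, rd)           # RNAME; serial is the first 32-bit field after it
    return struct.unpack("!I", msg[rd:rd + 4])[0]

def fetch_serial(zone, ip="192.0.2.1", port=8054, qid=0x1234, timeout=3.0):
    """Send the SOA query to the master on its own port (not 53) and parse the serial."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone, qid), (ip, port))
        data, _ = s.recvfrom(4096)
    return parse_soa_serial(data, qid)

def sample_response(zone, qid, serial):
    """Constructed reply in the shape a master would send (QR=1, AA=1, names compressed)."""
    q = build_soa_query(zone, qid)
    hdr = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    ptr = b"\xc0\x0c"                  # pointer back to the question name
    rdata = ptr + ptr + struct.pack("!IIIII", serial, 7200, 3600, 1209600, 3600)
    return hdr + q[12:] + ptr + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
```

A timeout from fetch_serial against the configured address and port points at the master or the network path rather than at the fetcher's port handling.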