[Opendnssec-user] Running signer with zone fetcher

Antti Ristimäki aristima at csc.fi
Thu Oct 8 16:06:04 UTC 2009

Hi Matthijs,

Your fix seems to work. The zone fetcher is now able to bind to a specific 
address and port:

tcp  0 0 a.b.c.160:5353*    LISTEN    1248/zone_fetcher
udp  0 0 a.b.c.160:5353*              1248/zone_fetcher

The remote server port for AXFRs doesn't seem to work, though. I see the 
following message in the log:

OpenDNSSEC signer engine: zone fetcher failed to send SOA query: Could not send or receive, because of network error
OpenDNSSEC signer engine: zone fetcher failed to send SOA query: No nameservers defined in the resolver

In the zonefetch.xml I have the following configuration:




On Thu, 8 Oct 2009, Matthijs Mekking wrote:
> Hi Antti,
> About the <Port>, that is right. The problem with that is that the ldns
> resolver only allows to configure one remote port. It would be best to
> make that nameserver dependent.
> However, for now I made a fix that it will fetch the first configured
> <Port> and use that instead of the default 53 port.
> I also provided a fix for listening to notifies on one or more specific
> interfaces. However, I don't see the same behavior as you do. It works
> for me:
> # netstat -anp | grep 5678
> tcp 0 0 213.154.224.??:5678* LISTEN     14268/zone_fetcher
> udp 0 0 213.154.224.??:5678*            14268/zone_fetcher
> And if I try to configure not-owned ip addresses, it will fail as expected.
> Can you provide me more details about the zonefetch.xml and your system
> if the problem persists?
> Best regards,
> Matthijs
> Antti Ristimäki wrote:
>> Hi Matthijs and others,
>> One more thing about zone fetcher. It doesn't seem to understand the
>> <Port> statement in the zonefetch.xml file. At least in our test bed it
>> is always sending the AXFR request to the standard server port 53
>> instead of the port given in zonefetch.xml.
>> In addition, how can one make the zone fetcher listen to NOTIFY messages
>> on a specific address? At least the <IPv4> statement inside the
>> <NotifyListen> statement doesn't seem to do the trick. The <Port>
>> statement works for the listener, but it binds on all possible addresses.
>> Regards,
>> Antti
>> On Wed, 7 Oct 2009, Matthijs Mekking wrote:
>>> Doh,
>>> it should have been config, not zone_config. Fixed in trunk.
>>> Matthijs
>>> Antti Ristimäki wrote:
>>>> Hello,
>>>> I have a problem when running the signer with the zone fetcher. In the
>>>> conf.xml, I have the statement
>>>> <ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>.
>>>> When trying to run the signer, it logs the following error message:
>>>> Error: Engine instance has no attribute 'zone_config'
>>>> If I comment out the statement <ZoneFetchFile> from the conf.xml, the
>>>> signer starts normally.
>>>> Any ideas about the reason?
>>>> Cheers,
>>>> Antti

Antti Ristimäki
Telecommunications specialist, Funet network
CSC - Tieteen tietotekniikan keskus Oy
P.O. Box 405, 02101 Espoo
(09) 457 2963, antti.ristimaki at csc.fi
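An added diagnostic, not part of this thread or of OpenDNSSEC: before attributing a "failed to send SOA query" error to the zone fetcher, confirm that the master actually answers an SOA query on the non-standard port configured in zonefetch.xml. The script below builds a raw DNS SOA query, sends it over UDP and parses the serial out of the reply; the master address 192.0.2.1, port 5353 and zone example.com. are assumed placeholder values.

```python
import random
import socket
import struct


def build_soa_query(zone, txid):
    """Minimal DNS query: 12-byte header (RD set, one question), QNAME, QTYPE=SOA (6), QCLASS=IN (1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in zone.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)


def _skip_name(msg, off):
    """Offset just past a domain name; a 2-byte compression pointer ends it."""
    while msg[off] & 0xC0 != 0xC0 and msg[off] != 0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)


def parse_soa_serial(msg, txid):
    """Return the SOA serial from a matching, error-free answer, else None."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if rid != txid or not flags & 0x8000 or flags & 0x000F or an == 0:
            return None  # wrong id, not a response, RCODE != NOERROR, or no answer
        off = 12
        for _ in range(qd):  # skip the echoed question section
            off = _skip_name(msg, off) + 4
        for _ in range(an):
            off = _skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 6:  # SOA RDATA: MNAME, RNAME, then the 32-bit serial
                p = _skip_name(msg, _skip_name(msg, off))
                return struct.unpack("!I", msg[p:p + 4])[0]
            off += rdlen
    except (IndexError, struct.error):
        pass  # truncated or malformed message
    return None


def check_master(addr, port, zone, timeout=3.0):
    """Send one SOA query over UDP to addr:port; return the serial, or None on failure."""
    txid = random.randrange(1, 0x10000)  # fresh id so a stale or stray reply is rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_soa_query(zone, txid), (addr, port))
            data, _ = s.recvfrom(4096)
        except OSError:
            return None  # unreachable, refused, or timed out
    return parse_soa_serial(data, txid)


if __name__ == "__main__":  # assumed placeholder master, port and zone
    print(check_master("192.0.2.1", 5353, "example.com."))
```

A None result with the master known to be up points at the port or a filter on the path; a serial back means the transport works and the problem lies in how the zone fetcher is configured.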
