[Opendnssec-user] Running signer with zone fetcher

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Oct 9 07:39:49 UTC 2009



Hi Antti,

It works for me...

Are you sure that a.b.c.d. is reachable on port 8054?
The syslog errors indicate that LDNS could not send the wireformat SOA
query on the net (or the other end could not receive it).
The LDNS resolver, in its turn, marks the nameserver as rrt_inf (RRT
infinite) and so the next time it tries, reports there are no
nameservers defined.

PS: What operating system do you use?

Best regards,

Matthijs

Antti Ristimäki wrote:
> Hi Matthijs,
> 
> Your fix seems to work. The zone fetcher is now able to bind to a
> specific address and port:
> 
> tcp  0 0 a.b.c.160:5353  0.0.0.0:*    LISTEN    1248/zone_fetcher
> udp  0 0 a.b.c.160:5353  0.0.0.0:*              1248/zone_fetcher
> 
> The remote server port for AXFRs doesn't seem to work, though. I see the
> following message in the log:
> 
> OpenDNSSEC signer engine: zone fetcher failed to send SOA query: Could
> not send or receive, because of network error
> OpenDNSSEC signer engine: zone fetcher failed to send SOA query: No
> nameservers defined in the resolver
> 
> In the zonefetch.xml I have the following configuration:
> 
> <RequestTransfer>
>    <IPv4>a.b.c.d</IPv4><Port>8054</Port>
> </RequestTransfer>
> 
> BR,
> 
> Antti
> 
> On Thu, 8 Oct 2009, Matthijs Mekking wrote:
>> Hi Antti,
>>
>> About the <Port>, that is right. The problem with that is that the ldns
>> resolver only allows to configure one remote port. It would be best to
>> make that nameserver dependent.
>>
>> However, for now I made a fix that it will fetch the first configured
>> <Port> and use that instead of the default 53 port.
>>
>> I also provided a fix for listening to notifies on one or more specific
>> interfaces. However, I don't see the same behavior as you do. It works
>> for me:
>>
>> # netstat -anp | grep 5678
>>
>> tcp 0 0 213.154.224.??:5678     0.0.0.0:* LISTEN     14268/zone_fetcher
>> udp 0 0 213.154.224.??:5678     0.0.0.0:*            14268/zone_fetcher
>>
>> And if I try to configure not-owned ip addresses, it will fail as
>> expected.
>>
>> Can you provide me more details about the zonefetch.xml and your system
>> if the problem persists?
>>
>> Best regards,
>>
>> Matthijs
>>
>>
>> Antti Ristimäki wrote:
>>> Hi Matthijs and others,
>>>
>>> One more thing about zone fetcher. It doesn't seem to understand the
>>> <Port> statement in the zonefetch.xml file. At least in our test bed it
>>> is always sending the AXFR request to the standard server port 53
>>> instead of the port given in zonefetch.xml.
>>>
>>> In addition, how can one make the zone fetcher listen to NOTIFY messages
>>> on a specific address? At least the <IPv4> statement inside the
>>> <NotifyListen> statement doesn't seem to do the trick. The <Port>
>>> statement works for the listener, but it binds on all possible
>>> addresses.
>>>
>>> Regards,
>>>
>>> Antti
>>>
>>>
>>>
>>>
>>>
>>> On Wed, 7 Oct 2009, Matthijs Mekking wrote:
>>>
>>>> Doh,
>>>>
>>>> it should have been config, not zone_config. Fixed in trunk.
>>>>
>>>> Matthijs
>>>>
>>>> Antti Ristimäki wrote:
>>>>> Hello,
>>>>>
>>>>> I have a problem when running the signer with the zone fetcher. In the
>>>>> conf.xml, I have the statement
>>>>> <ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>.
>>>>>
>>>>> When trying to run the signer, it logs the following error message:
>>>>> Error: Engine instance has no attribute 'zone_config'
>>>>>
>>>>> If I comment out the statement <ZoneFetchFile> from the conf.xml, the
>>>>> signer starts normally.
>>>>>
>>>>> Any ideas about the reason?
>>>>>
>>>>> Cheers,
>>>>> Antti
>>
>>
> 
> ------
> Antti Ristimäki
> Telecommunications Specialist, Funet network
> CSC - IT Center for Science Ltd
> P.O. Box 405, FI-02101 Espoo
> (09) 457 2963, antti.ristimaki at csc.fi

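The check Matthijs asks for (is the configured nameserver actually answering a wire-format SOA query on the non-standard port?) can be made independently of the zone fetcher. The following is an added Python example, not OpenDNSSEC or ldns code: it hand-builds the SOA query that an AXFR client sends first, sends it over UDP to a given address and port, and parses the serial out of the answer. The zone name, the serial and the loopback responder are constructed for the demo; point query_soa() at the real <IPv4>/<Port> from zonefetch.xml to reproduce a "could not send or receive" condition as a plain socket timeout.

```python
import socket
import struct
import threading

# Constructed example values (assumptions, not from the thread).
ZONE = "example.com."
DEMO_SERIAL = 2009100901


def encode_name(name):
    """Encode a dotted name in DNS wire format (RFC 1035 3.1)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_soa_query(zone, qid=0x1234):
    """12-byte header (RD set, one question) + QNAME + QTYPE=SOA(6) + QCLASS=IN(1)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", 6, 1)


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            if not jumped:
                end = off + 2
            jumped, off = True, struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_soa_serial(msg, qid):
    """Return the SOA serial from a response; raise if the answer is unusable."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):            # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 6:             # SOA rdata: MNAME, RNAME, then SERIAL
            _, p = decode_name(msg, off)
            _, p = decode_name(msg, p)
            return struct.unpack(">I", msg[p:p + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in answer")


def query_soa(zone, server, port, timeout=2.0):
    """Send one UDP SOA query to server:port and return the serial.
    A socket.timeout here is the 'could not send or receive' case."""
    qid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_soa_query(zone, qid), (server, port))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_soa_serial(data, qid)


def build_soa_response(query, serial):
    """Constructed minimal authoritative SOA answer (demo responder only)."""
    qid = struct.unpack(">H", query[:2])[0]
    qname, off = decode_name(query, 12)
    header = struct.pack(">HHHHHH", qid, 0x8400, 1, 1, 0, 0)  # QR + AA set
    rdata = (encode_name("ns1." + qname) + encode_name("hostmaster." + qname)
             + struct.pack(">IIIII", serial, 3600, 900, 604800, 86400))
    rr = b"\xC0\x0C" + struct.pack(">HHIH", 6, 1, 3600, len(rdata)) + rdata
    return header + query[12:off + 4] + rr


def run_demo():
    """Loopback responder on an ephemeral port, then one query against it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        q, peer = srv.recvfrom(512)
        srv.sendto(build_soa_response(q, DEMO_SERIAL), peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return query_soa(ZONE, "127.0.0.1", port)


if __name__ == "__main__":
    print("SOA serial:", run_demo())
```

If query_soa() times out against the real a.b.c.d:8054 while the same call succeeds against port 53, the problem is reachability (firewall, the master not listening on that port, or the wrong address), not the zone fetcher configuration.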



More information about the Opendnssec-user mailing list