[Opendnssec-user] Running signer with zone fetcher

Antti Ristimäki aristima at csc.fi
Fri Oct 9 14:21:45 UTC 2009


Hi Matthijs,

Yes, the server is reachable on port 8054 and AXFR query with dig, for 
example, works. The zone fetcher will obviously use the <NotifyListen> 
address as a source address when querying for AXFR?

The problem still exists and the zone fetcher logs the same error message. 
However, I'll keep on investigating whether the error is related to my 
system or configuration.

I'm using RHEL5.

Best regards,

Antti

On Fri, 9 Oct 2009, Matthijs Mekking wrote:
> Hi Antti,
>
> It works for me...
>
> Are you sure that a.b.c.d. is reachable on port 8054?
> The syslog errors indicate that LDNS could not send the wireformat SOA
> query on the net (or the other end could not receive it).
> The LDNS resolver, in its turn, marks the nameserver as rrt_inf (RRT
> infinitive) and so the next time it tries, it reports that there are no
> nameservers defined.
>
> PS: What operating system do you use?
>
> Best regards,
>
> Matthijs
>
> Antti Ristimäki wrote:
>> Hi Matthijs,
>>
>> Your fix seems to work. The zone fetcher is now able to bind to a
>> specific address and port:
>>
>> tcp  0 0 a.b.c.160:5353  0.0.0.0:*    LISTEN    1248/zone_fetcher
>> udp  0 0 a.b.c.160:5353  0.0.0.0:*              1248/zone_fetcher
>>
>> The remote server port for AXFRs doesn't seem to work, though. I see the
>> following message in the log:
>>
>> OpenDNSSEC signer engine: zone fetcher failed to send SOA query: Could
>> not send or receive, because of network error
>> OpenDNSSEC signer engine: zone fetcher failed to send SOA query: No
>> nameservers defined in the resolver
>>
>> In the zonefetch.xml I have the following configuration:
>>
>> <RequestTransfer>
>>    <IPv4>a.b.c.d</IPv4><Port>8054</Port>
>> </RequestTransfer>
>>
>> BR,
>>
>> Antti
>>
>> On Thu, 8 Oct 2009, Matthijs Mekking wrote:
>>> Hi Antti,
>>>
>>> About the <Port>, that is right. The problem with that is that the ldns
>>> resolver only allows configuring one remote port. It would be best to
>>> make that nameserver-dependent.
>>>
>>> However, for now I made a fix so that it will fetch the first configured
>>> <Port> and use that instead of the default port 53.
>>>
>>> I also provided a fix for listening to notifies on one or more specific
>>> interfaces. However, I don't see the same behavior as you do. It works
>>> for me:
>>>
>>> # netstat -anp | grep 5678
>>>
>>> tcp 0 0 213.154.224.??:5678     0.0.0.0:* LISTEN     14268/zone_fetcher
>>> udp 0 0 213.154.224.??:5678     0.0.0.0:*            14268/zone_fetcher
>>>
>>> And if I try to configure not-owned ip addresses, it will fail as
>>> expected.
>>>
>>> Can you provide me more details about the zonefetch.xml and your system
>>> if the problem persists?
>>>
>>> Best regards,
>>>
>>> Matthijs
>>>
>>>
>>> Antti Ristimäki wrote:
>>>> Hi Matthijs and others,
>>>>
>>>> One more thing about zone fetcher. It doesn't seem to understand the
>>>> <Port> statement in the zonefetch.xml file. At least in our test bed it
>>>> is always sending the AXFR request to the standard server port 53
>>>> instead of the port given in zonefetch.xml.
>>>>
>>>> In addition, how can one make the zone fetcher listen to NOTIFY messages
>>>> on a specific address? At least the <IPv4> statement inside the
>>>> <NotifyListen> statement doesn't seem to do the trick. The <Port>
>>>> statement works for the listener, but it binds on all possible
>>>> addresses.
>>>>
>>>> Regards,
>>>>
>>>> Antti
>>>>
>>>>
>>>>
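The two log lines in the thread ("Could not send or receive, because of network error", then "No nameservers defined in the resolver") are what Matthijs traces back to a single failed wire-format SOA query to the configured master. A quick way to separate a configuration problem from a network one is to send that same SOA query yourself, from the signer host, to the exact <IPv4> and <Port> that zonefetch.xml names. The script below is an added example written for this thread; it is not code from OpenDNSSEC or from either poster. It assumes the <RequestTransfer> layout quoted above, uses the documentation address 192.0.2.10 in a constructed sample in place of a.b.c.d, sends the SOA query over TCP (the transport an AXFR needs anyway, so a TCP failure here also explains a failing transfer), and does not bind a specific source address, so it says nothing about whether the fetcher itself sources from the <NotifyListen> address.

```python
"""Check that a zone fetcher's configured AXFR master answers a SOA query.

Added example for the Opendnssec-user thread; not OpenDNSSEC's own code.
Assumptions: zonefetch.xml holds a <RequestTransfer> with <IPv4>/<Port> as
quoted in the thread; 192.0.2.10 is a documentation address standing in for
a.b.c.d; the SOA query goes over TCP with no explicit source address.
"""
import socket
import struct
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the <RequestTransfer> block in the thread.
SAMPLE_ZONEFETCH_XML = """<ZoneFetch>
  <RequestTransfer>
    <IPv4>192.0.2.10</IPv4><Port>8054</Port>
  </RequestTransfer>
</ZoneFetch>"""

QTYPE_SOA, QCLASS_IN = 6, 1
QUERY_ID = 0x1234  # fixed so the reply can be matched; fine for a diagnostic


def parse_request_transfer(xml_text):
    """Return (address, port) from the first <RequestTransfer> element.

    Falls back to port 53 when <Port> is absent, matching the behaviour the
    thread describes for the fixed fetcher (first configured <Port>, else 53).
    """
    root = ET.fromstring(xml_text)
    rt = root.find(".//RequestTransfer")
    if rt is None:
        raise ValueError("no <RequestTransfer> element in zonefetch.xml")
    addr = rt.findtext("IPv4") or rt.findtext("IPv6")
    if not addr:
        raise ValueError("<RequestTransfer> carries no <IPv4> or <IPv6> address")
    port_text = rt.findtext("Port")
    return addr.strip(), int(port_text) if port_text else 53


def build_soa_query(zone, qid=QUERY_ID):
    """Encode a minimal RFC 1035 SOA query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)  # flags 0: plain query, RD=0
    labels = [label for label in zone.rstrip(".").split(".") if label]
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def parse_reply_header(wire):
    """Return (id, rcode, ancount) from a DNS response header; reject non-responses."""
    if len(wire) < 12:
        raise ValueError("reply shorter than a DNS header (%d bytes)" % len(wire))
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", wire[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: packet is a query, not a response")
    return qid, flags & 0x000F, an


def _recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket or raise if the peer hangs up."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def check_soa_over_tcp(addr, port, zone, timeout=3.0):
    """Send the SOA query over TCP and return a one-line diagnosis.

    Network failures are reported as text rather than raised: they are the
    class of error behind "Could not send or receive" in the thread's log.
    """
    query = build_soa_query(zone)
    try:
        with socket.create_connection((addr, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # RFC 1035 length prefix
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            reply = _recv_exact(s, length)
    except OSError as e:
        return "network error to %s:%d: %s" % (addr, port, e)
    try:
        qid, rcode, ancount = parse_reply_header(reply)
    except ValueError as e:
        return "malformed reply from %s:%d: %s" % (addr, port, e)
    if qid != QUERY_ID:
        return "reply id mismatch from %s:%d" % (addr, port)
    if rcode != 0:
        return "server %s:%d answered RCODE %d for SOA %s" % (addr, port, rcode, zone)
    return "server %s:%d answered SOA %s with %d answer RR(s)" % (addr, port, zone, ancount)


if __name__ == "__main__":
    master, master_port = parse_request_transfer(SAMPLE_ZONEFETCH_XML)
    print(check_soa_over_tcp(master, master_port, "example.com."))
```

Run it on the signer host itself (not from a workstation), so that any firewall or routing difference between the two hosts shows up in the "network error" line. If the script gets a clean SOA answer from a.b.c.d:8054 while the fetcher still logs the error, the remaining suspects are on the fetcher's side, such as the source address it binds before sending.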
