[Opendnssec-user] Running signer with zone fetcher

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Oct 12 07:40:18 UTC 2009


Antti Ristimäki wrote:
> Hi Matthijs,
> Yes, the server is reachable on port 8054 and AXFR query with dig, for
> example, works. The zone fetcher will obviously use the <NotifyListen>
> address as a source address when querying for AXFR?

No. The NotifyListen is only for listening to NOTIFY messages. When
querying for AXFR, a new socket will be created that can have a different
address structure. I think you are requesting a feature to set the outgoing
interface for AXFR?

Best regards,


> The problem still exists and the zone fetcher logs the same error
> message. However, I'll keep on investigating, whether the error is
> related to my system or configuration.
> I'm using RHEL5.
> Best regards,
> Antti
> On Fri, 9 Oct 2009, Matthijs Mekking wrote:
>> Hi Antti,
>> It works for me...
>> Are you sure that a.b.c.d. is reachable on port 8054?
>> The syslog errors indicate that LDNS could not send the wireformat SOA
>> query on the net (or the other end could not receive it).
>> The LDNS resolver, in turn, marks the nameserver as rrt_inf (RRT
>> infinite) and so the next time it tries, it reports there are no
>> nameservers defined.
>> PS: What operating system do you use?
>> Best regards,
>> Matthijs
>> Antti Ristimäki wrote:
>>> Hi Matthijs,
>>> Your fix seems to work. The zone fetcher is now able to bind to a
>>> specific address and port:
>>> tcp  0 0 a.b.c.160:5353*    LISTEN    1248/zone_fetcher
>>> udp  0 0 a.b.c.160:5353*              1248/zone_fetcher
>>> The remote server port for AXFRs doesn't seem to work, though. I see the
>>> following message in the log:
>>> OpenDNSSEC signer engine: zone fetcher failed to send SOA query: Could
>>> not send or receive, because of network error
>>> OpenDNSSEC signer engine: zone fetcher failed to send SOA query: No
>>> nameservers defined in the resolver
>>> In the zonefetch.xml I have the following configuration:
>>> <RequestTransfer>
>>>    <IPv4>a.b.c.d</IPv4><Port>8054</Port>
>>> </RequestTransfer>
>>> BR,
>>> Antti
>>> On Thu, 8 Oct 2009, Matthijs Mekking wrote:
>>>> Hi Antti,
>>>> About the <Port>, that is right. The problem with that is that the ldns
>>>> resolver only allows to configure one remote port. It would be best to
>>>> make that nameserver dependent.
>>>> However, for now I made a fix that it will fetch the first configured
>>>> <Port> and use that instead of the default 53 port.
>>>> I also provided a fix for listening to notifies on one or more specific
>>>> interfaces. However, I don't see the same behavior as you do. It works
>>>> for me:
>>>> # netstat -anp | grep 5678
>>>> tcp 0 0 213.154.224.??:5678* LISTEN     14268/zone_fetcher
>>>> udp 0 0 213.154.224.??:5678*            14268/zone_fetcher
>>>> And if I try to configure not-owned ip addresses, it will fail as
>>>> expected.
>>>> Can you provide me more details about the zonefetch.xml and your system
>>>> if the problem persists?
>>>> Best regards,
>>>> Matthijs
>>>> Antti Ristimäki wrote:
>>>>> Hi Matthijs and others,
>>>>> One more thing about zone fetcher. It doesn't seem to understand the
>>>>> <Port> statement in the zonefetch.xml file. At least in our test
>>>>> bed it
>>>>> is always sending the AXFR request to the standard server port 53
>>>>> instead of the port given in zonefetch.xml.
>>>>> In addition, how can one make the zone fetcher listen to NOTIFY
>>>>> messages
>>>>> on a specific address? At least the <IPv4> statement inside the
>>>>> <NotifyListen> statement doesn't seem to do the trick. The <Port>
>>>>> statement works for the listener, but it binds on all possible
>>>>> addresses.
>>>>> Regards,
>>>>> Antti
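The diagnosis above comes down to one question: does a wire-format SOA query, sent from the signer host to the configured <RequestTransfer> address and port, actually get answered? The following is an added example (not code from OpenDNSSEC, ldns or the thread participants) that reproduces that probe with only the Python standard library, so the configured primary can be checked independently of the zone fetcher. It builds the SOA query, optionally binds a chosen source address (the outgoing-interface behaviour the reply says NotifyListen does not control), and validates the answer: transaction id, QR bit, RCODE, echoed question, and an SOA RR whose serial is extracted. The zone name, server address, serial value and the sample response are constructed for illustration; the hostname/port/source values are assumptions.

```python
import socket
import struct

SOA = 6   # QTYPE for SOA
IN = 1    # QCLASS for IN


def encode_name(name):
    """Encode a dotted domain name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone, txid=0x1234):
    """Wire-format SOA query: header (QR=0, RD=0, QDCOUNT=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, IN)


def skip_name(wire, off):
    """Return the offset just past the name at `off` (handles compression pointers)."""
    while True:
        ln = wire[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:      # 2-byte pointer ends the name
            return off + 2
        off += 1 + ln


def parse_soa_response(query, response):
    """Validate a response to `query` and return the SOA fields; raise ValueError on any mismatch."""
    if len(response) < 12:
        raise ValueError("short response")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0xF
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    if qd != 1 or response[12:len(query)] != query[12:]:
        raise ValueError("question section not echoed")
    if an < 1:
        raise ValueError("no answer RRs")
    off = skip_name(response, len(query))              # owner name of first answer RR
    rtype, _rclass, ttl, _rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    if rtype != SOA:
        raise ValueError("first answer RR is type %d, not SOA" % rtype)
    p = skip_name(response, off)                       # MNAME
    p = skip_name(response, p)                         # RNAME
    serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", response[p:p + 20])
    return {"serial": serial, "refresh": refresh, "retry": retry, "expire": expire,
            "minimum": minimum, "ttl": ttl, "aa": bool(flags & 0x0400)}


def response_is_valid(query, response):
    """Boolean wrapper around parse_soa_response for quick checks."""
    try:
        parse_soa_response(query, response)
        return True
    except ValueError:
        return False


def probe_soa(zone, server, port=53, source=None, timeout=3.0):
    """Send the SOA query over UDP (binding `source` if given) and return the parsed SOA.

    A socket.timeout here corresponds to the 'Could not send or receive' failure
    in the thread: nothing came back from server:port on this path.
    """
    query = build_soa_query(zone)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        if source:
            sock.bind((source, 0))                     # choose the outgoing interface explicitly
        sock.sendto(query, (server, port))
        data, _peer = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_soa_response(query, data)


def constructed_soa_response(query, serial=2009101201):
    """Constructed sample answer (not a capture): AA response with one SOA RR for `query`."""
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, 1, 0, 0)
    rdata = (b"\x03ns1\xc0\x0c" + b"\x0ahostmaster\xc0\x0c"
             + struct.pack("!IIIII", serial, 7200, 900, 1209600, 3600))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return header + query[12:] + rr


if __name__ == "__main__":
    # Assumed values; replace with the <RequestTransfer> address/port and the local source address.
    print(probe_soa("example.com.", "192.0.2.1", port=8054, source=None))
```

Run it with the address and port from <RequestTransfer> and, if the primary only accepts queries from a particular source address, pass that address as `source`; a timeout with `source=None` but success with the expected address pinned is exactly the outgoing-interface problem discussed in the reply, while an RCODE 5 (REFUSED) shows the packet arrived but the primary's allow-transfer or allow-query policy rejected the signer host.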


