[Opendnssec-user] Running signer with zone fetcher

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Oct 12 07:40:18 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Antti Ristimäki wrote:
> Hi Matthijs,
> 
> Yes, the server is reachable on port 8054 and AXFR query with dig, for
> example, works. The zone fetcher will obviously use the <NotifyListen>
> address as a source address when querying for AXFR?

No. The NotifyListen is only for listening to NOTIFY messages. When
querying for AXFR, a new socket will be created that can have a different
address structure. I think you are requesting a feature to set the outgoing
interface for AXFR?

Best regards,

Matthijs

> 
> The problem still exists and the zone fetcher logs the same error
> message. However, I'll keep on investigating, whether the error is
> related to my system or configuration.
> 
> I'm using RHEL5.
> 
> Best regards,
> 
> Antti
> 
> On Fri, 9 Oct 2009, Matthijs Mekking wrote:
>> Hi Antti,
>>
>> It works for me...
>>
>> Are you sure that a.b.c.d. is reachable on port 8054?
>> The syslog errors indicate that LDNS could not send the wireformat SOA
>> query on the net (or the other end could not receive it).
>> The LDNS resolver, in its turn, marks the nameserver as rrt_inf (RRT
>> infinitive) and so the next time it tries, it reports there are no
>> nameservers defined.
>>
>> PS: What operating system do you use?
>>
>> Best regards,
>>
>> Matthijs
>>
>> Antti Ristimäki wrote:
>>> Hi Matthijs,
>>>
>>> Your fix seems to work. The zone fetcher is now able to bind to a
>>> specific address and port:
>>>
>>> tcp  0 0 a.b.c.160:5353  0.0.0.0:*    LISTEN    1248/zone_fetcher
>>> udp  0 0 a.b.c.160:5353  0.0.0.0:*              1248/zone_fetcher
>>>
>>> The remote server port for AXFRs doesn't seem to work, though. I see the
>>> following message in the log:
>>>
>>> OpenDNSSEC signer engine: zone fetcher failed to send SOA query: Could
>>> not send or receive, because of network error
>>> OpenDNSSEC signer engine: zone fetcher failed to send SOA query: No
>>> nameservers defined in the resolver
>>>
>>> In the zonefetch.xml I have the following configuration:
>>>
>>> <RequestTransfer>
>>>    <IPv4>a.b.c.d</IPv4><Port>8054</Port>
>>> </RequestTransfer>
>>>
>>> BR,
>>>
>>> Antti
>>>
>>> On Thu, 8 Oct 2009, Matthijs Mekking wrote:
>>>> Hi Antti,
>>>>
>>>> About the <Port>, that is right. The problem with that is that the ldns
>>>> resolver only allows to configure one remote port. It would be best to
>>>> make that nameserver dependent.
>>>>
>>>> However, for now I made a fix that it will fetch the first configured
>>>> <Port> and use that instead of the default 53 port.
>>>>
>>>> I also provided a fix for listening to notifies on one or more specific
>>>> interfaces. However, I don't see the same behavior as you do. It works
>>>> for me:
>>>>
>>>> # netstat -anp | grep 5678
>>>>
>>>> tcp 0 0 213.154.224.??:5678     0.0.0.0:* LISTEN     14268/zone_fetcher
>>>> udp 0 0 213.154.224.??:5678     0.0.0.0:*            14268/zone_fetcher
>>>>
>>>> And if I try to configure not-owned ip addresses, it will fail as
>>>> expected.
>>>>
>>>> Can you provide me more details about the zonefetch.xml and your system
>>>> if the problem persists?
>>>>
>>>> Best regards,
>>>>
>>>> Matthijs
>>>>
>>>>
>>>> Antti Ristimäki wrote:
>>>>> Hi Matthijs and others,
>>>>>
>>>>> One more thing about zone fetcher. It doesn't seem to understand the
>>>>> <Port> statement in the zonefetch.xml file. At least in our test bed
>>>>> it is always sending the AXFR request to the standard server port 53
>>>>> instead of the port given in zonefetch.xml.
>>>>>
>>>>> In addition, how can one make the zone fetcher listen to NOTIFY
>>>>> messages on a specific address? At least the <IPv4> statement inside
>>>>> the <NotifyListen> statement doesn't seem to do the trick. The <Port>
>>>>> statement works for the listener, but it binds on all possible
>>>>> addresses.
>>>>>
>>>>> Regards,
>>>>>
>>>>> Antti
>>>>>
>>>>>
>>>>>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQEcBAEBAgAGBQJK0t1fAAoJEA8yVCPsQCW5T9AH+gP5GeZEqZOABfq4rlRUpfuE
L6EBBpxLQ5X2rQyfDrd0Ne/kPwU55PpyiExOGDv2NzSZ4/1rDTAxVsXcFX9emUQR
R060ofknzUDAHoWuwpAu0GuIAEzG5AErPf5wTtY+d9fXB8k0pgzLivKtxzh1X0G/
Oaee1oiw0T4ED2syjGz572ZaGH24UlbZoZtRR9AtQqSwN8BREKmjZYW7tcLYyiqQ
5SX0dOtWb44O+qBmjypLqko9x2yTeO2ozWmZn1u1KJE5ObuGZz/auJacH5phGFHA
By6QXwpBYeHDKu/TzuhSsRg9nV1z+1Ea8tYdoeLXSh8l+enR7qfeL3TMlQW5xy4=
=42JB
-----END PGP SIGNATURE-----
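The thread turns on whether the master at a.b.c.d:8054 can actually be reached with the wire-format SOA query the zone fetcher sends, and from which source address that query leaves. The script below is an added diagnostic, not code from OpenDNSSEC, ldns or either poster: it builds the same kind of SOA/IN query, sends it over TCP to a non-default port from a chosen local address (the outgoing interface discussed above), and reads the serial back. The zone name example.com, the server a.b.c.d, port 8054 and source address a.b.c.160 are placeholders taken from the thread; the response used for the offline self-check is constructed by hand, not captured from a real server.

```python
import socket
import struct

QTYPE_SOA = 6
QCLASS_IN = 1


def build_soa_query(zone: str, qid: int = 0x1234) -> bytes:
    """Wire-format SOA/IN query for `zone`: RD set, one question, no RRs.
    This is the kind of message the zone fetcher sends before deciding on an AXFR."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in zone.rstrip(".").split(".")
        if label
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the domain name starting at `off`.
    A compression pointer (top two bits set) is two bytes and ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_soa_serial(msg: bytes, expected_qid: int) -> int:
    """Return the serial from the first answer RR of a SOA response.
    Raises ValueError on id mismatch, non-zero RCODE, or a non-SOA answer."""
    qid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    if qid != expected_qid:
        raise ValueError("response id %#x does not match query id %#x" % (qid, expected_qid))
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    if ancount == 0:
        raise ValueError("no answer section (zone not served here?)")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    off = skip_name(msg, off)                   # owner name of first answer
    rtype, _rclass, _ttl, _rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if rtype != QTYPE_SOA:
        raise ValueError("first answer RR is type %d, not SOA" % rtype)
    off = skip_name(msg, off)                   # MNAME
    off = skip_name(msg, off)                   # RNAME
    return struct.unpack("!I", msg[off:off + 4])[0]


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise; TCP DNS needs the full length-prefixed message."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def query_soa_tcp(zone: str, server: str, port: int = 53, source=None, timeout: float = 5.0) -> int:
    """Send the SOA query over TCP to server:port, binding the local end to
    `source` (the interface the master expects to see) when given, and return
    the serial. A connect or timeout failure here is the same condition ldns
    reports as 'Could not send or receive, because of network error'."""
    qid = 0x1234
    query = build_soa_query(zone, qid)
    src = (source, 0) if source else None
    with socket.create_connection((server, port), timeout=timeout, source_address=src) as s:
        s.sendall(struct.pack("!H", len(query)) + query)   # TCP DNS: 2-byte length prefix
        (rlen,) = struct.unpack("!H", recv_exact(s, 2))
        return parse_soa_serial(recv_exact(s, rlen), qid)


def constructed_soa_response(qid: int = 0x1234) -> bytes:
    """Hand-built response for example.com (constructed test data, not a capture):
    one SOA answer whose names use compression pointers back to offset 12."""
    question = b"\x07example\x03com\x00" + struct.pack("!HH", QTYPE_SOA, QCLASS_IN)
    mname = b"\x03ns1\xc0\x0c"                 # ns1.example.com
    rname = b"\x0ahostmaster\xc0\x0c"          # hostmaster.example.com
    soa_fields = struct.pack("!IIIII", 2009101201, 3600, 900, 1209600, 300)
    rdata = mname + rname + soa_fields
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_SOA, QCLASS_IN, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, RCODE 0
    return header + question + answer


if __name__ == "__main__":
    # Offline self-check of the parser against the constructed response.
    print(parse_soa_serial(constructed_soa_response(), 0x1234))
    # Live probe with the thread's placeholder values (hypothetical, network required):
    # print(query_soa_tcp("example.com", "a.b.c.d", 8054, source="a.b.c.160"))
```

The same reachability check from the command line is `dig @a.b.c.d -p 8054 -b a.b.c.160 example.com SOA`; dig's `-b` binds the source address, which is the closest stand-in for the per-AXFR outgoing interface the thread asks for. If dig from the fetcher's address succeeds but the fetcher still logs the network error, the difference is in the socket the fetcher opens (address family or source binding), not in the master's firewall.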


