[Opendnssec-user] OpenDNSSEC AXFR question

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Jun 25 11:31:51 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Volker,

Some more things you can try out:
- - Is the zone fetcher actually running? (you can check with ps). If not,
it might be that it could not open the socket for listening (perhaps due
to privileges). The syslog should tell you why it failed.
- - Does the NotifyListen match the notify configuration settings from bind?


Best regards,

Matthijs

On 06/25/2010 11:11 AM, Volker Janzen wrote:
> Hi Matthijs,
> 
> thanks for your reply.
> 
>> If there is no .axfr file, it cannot be moved to be the designated
>> unsigned input file. Was the transfer successful?
> 
> This was the correct question. bind was sending notifies, but no sign of a
> client trying to AXFR. I did not notice that before because I was trying
> to force signing via command line too.
> 
> Investigating with netstat I found out that my NotifyListen directives in
> zonefetch.xml do not result in someone listening on the IP/port
> combination.
> 
> I'm using these zonefetch.xml settings:
> 
> <!-- where to listen for notifies -->
> <!-- DEFAULT: do not listen to notify on specific address -->
> <NotifyListen><IPv4>myFirstIP</IPv4><Port>1234</Port></NotifyListen><NotifyListen><IPv4>mySecondIP</IPv4><Port>53</Port></NotifyListen>
> 
> (Just the first NotifyListen does not make a difference)
> 
> Changing the port to a higher number (I let OpenDNSSEC drop root
> priviledges) does not have an effect either.
> 
> zonefetch.xml is also activated in conf.xml by
> 
> <ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>
> 
> Do you have any ideas what I need to check to find out what's wrong?
> 
> 
> Best regards,
>    Volker Janzen
> 
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJMJHeHAAoJEA8yVCPsQCW5pRsIANxPmLlTJuUwTkvSiU99nJcz
OuYXAs7VoHQo8ySve75+rBm8rhgSKLOMyhqLCKBxb7JFCas36BkWZSBe9uB59GOu
In2ilV9hVWYA1GrpxuVMjvs5YaM5tutLHlJiftQTtHBMR9s2Y5FqJAZZlUnAwy1T
SSalCjavU0wdSVGOL0fVo1qH2KP+0S5Oy8rQ8zKeV2FJ10oWpov0X5BpxJSz+FUM
bRS5k3Q9WB+yK9IkoP0rGkRAhHgtBdNXsSy2mBeCXtWzyO2VqaE3y4dXKrQ6fat+
tCJvi1CUBZWATn61UmM5Xs4FiLDeBk3G9Jka7khlRSDf7QCtwlOGqrD/E+1IyRo=
=Kq7W
-----END PGP SIGNATURE-----



More information about the Opendnssec-user mailing list