[Opendnssec-user] ZSK expired

Casper Gielen c.gielen at uvt.nl
Fri Jan 7 15:09:23 UTC 2011

Op 07-01-11 15:31, Matthijs Mekking schreef:
vacation on Dec 24. Nobody touched the machine after that.
>> The first thing that grabs my attention (in the Dec 21 logs) is that the
>> zone
>> gets scheduled for signing twice. Is this normal?
> No, a zone should always be scheduled at most once in the queue.
> However, I notice the logs do mention twice that a zone is scheduled
> when the zone is added.

Tnx for clarifying

> If it is not scheduled though, it may be that a worker is working on the
> zone. We set a flag, so that we know it may not be scheduled (for
> example, as a result of ods-signer update).
> How did you notice it was scheduled twice? Did you see it by issuing
> ods-signer queue? Or did you see it in the logs? If so, do you still
> have that logs, so I can investigate (offline, if you prefer)?

I saw it in the logs when I started looking for a reason for dnssec
failures on some domains. I do have the entire logfile but it's rather
big (20 megs in total, gzipped).

>> I think I can fix the problem so I'm more interested in what went wrong and
>> how to prevent it than a ready-made solution. Any ideas?
> The only times I had similar issues is when I (accidentally) started two
> signer daemons. The client (ods-signer start) checks if there is already
> a daemon running, however, ods-signerd will kick of without such a check.

There is this hanging signer process. I'm not sure if that really
counts, but I will kill it now.

>  Zone example.net added
> Hence, probably the two log references of the zone being scheduled.
> This can happen:
> - on startup
> - when receiving update [--all]
> - when receiving update <zone>, but <zone> was not found
> However, this line tells me that there was a signed example.net already:
>> Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone
>> 'example.net' in 4477 seconds
> Did some event occur at this time? Could you reason which of the three
> cases happened (so that we can narrow down the search scope)?

It's very likely the second case, ods-signer sign --all.
I run this command after every zone change which happens a few times
each day. I know it's possible to specify a specific zone to sign but
that does not (yet) fit in our environment.

Thanks for your help so far.
I will know kill the old signer proces and restart the signer daemon,
if anything interesting happens I will post it here.

Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 262 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20110107/55f7fa3d/attachment.bin>

More information about the Opendnssec-user mailing list