[Opendnssec-user] ZSK expired
c.gielen at uvt.nl
Fri Jan 7 15:09:23 UTC 2011
On 07-01-11 15:31, Matthijs Mekking wrote:
vacation on Dec 24. Nobody touched the machine after that.
>> The first thing that grabs my attention (in the Dec 21 logs) is that the
>> gets scheduled for signing twice. Is this normal?
> No, a zone should always be scheduled at most once in the queue.
> However, I notice the logs do mention twice that a zone is scheduled
> when the zone is added.
Thanks for clarifying.
> If it is not scheduled though, it may be that a worker is working on the
> zone. We set a flag, so that we know it may not be scheduled (for
> example, as a result of ods-signer update).
> How did you notice it was scheduled twice? Did you see it by issuing
> ods-signer queue? Or did you see it in the logs? If so, do you still
> have that logs, so I can investigate (offline, if you prefer)?
I saw it in the logs when I started looking for a reason for dnssec
failures on some domains. I do have the entire logfile but it's rather
big (20 megs in total, gzipped).
>> I think I can fix the problem so I'm more interested in what went wrong and
>> how to prevent it than a ready-made solution. Any ideas?
> The only times I had similar issues is when I (accidentally) started two
> signer daemons. The client (ods-signer start) checks if there is already
> a daemon running, however, ods-signerd will kick off without such a check.
There is this hanging signer process. I'm not sure if that really
counts, but I will kill it now.
> Zone example.net added
> Hence, probably the two log references of the zone being scheduled.
> This can happen:
> - on startup
> - when receiving update [--all]
> - when receiving update <zone>, but <zone> was not found
> However, this line tells me that there was a signed example.net already:
>> Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone
>> 'example.net' in 4477 seconds
> Did some event occur at this time? Could you reason which of the three
> cases happened (so that we can narrow down the search scope)?
It's very likely the second case, ods-signer sign --all.
I run this command after every zone change which happens a few times
each day. I know it's possible to specify a specific zone to sign but
that does not (yet) fit in our environment.
Thanks for your help so far.
I will now kill the old signer process and restart the signer daemon;
if anything interesting happens I will post it here.
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
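A small log check for the symptom discussed in this thread, added here as an example; it is not code from the thread or from OpenDNSSEC. It walks ods-signerd syslog lines and flags every "scheduling resign" for a zone that arrives while an earlier schedule for the same zone is still pending, then marks the ones that follow a "Zone X added" line (the startup / update --all case Matthijs describes) as explained. The sample lines are constructed: the "scheduling resign" wording is taken from the quoted log, the "Zone ... added" wording, the hostname reuse and the extra zones are assumptions. Syslog carries no year, so the caller supplies one; a log that crosses New Year is not handled.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (not a real capture). Lines 2-3 reproduce the
# "scheduled twice right after being added" pattern from the thread; the
# example.org pair is an assumed case with no preceding 'added' line.
SAMPLE_LOG = """\
Dec 21 12:03:38 metagross ods-signerd: Zone example.net added
Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone 'example.net' in 4477 seconds
Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone 'example.net' in 4477 seconds
Dec 21 12:10:00 metagross ods-signerd: scheduling resign of zone 'example.org' in 7200 seconds
Dec 21 12:10:05 metagross ods-signerd: scheduling resign of zone 'example.org' in 7195 seconds
Dec 21 13:18:16 metagross ods-signerd: scheduling resign of zone 'example.net' in 4477 seconds
"""

# Syslog prefix: "Mon DD HH:MM:SS host ods-signerd: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ ods-signerd: (?P<msg>.*)$")
# Message wording as quoted in the thread.
SCHED_RE = re.compile(
    r"scheduling resign of zone '(?P<zone>[^']+)' in (?P<secs>\d+) seconds")
# Assumed wording of the 'zone added' message (only "Zone example.net added" is quoted).
ADDED_RE = re.compile(r"Zone (?P<zone>\S+) added")


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_double_schedules(log_text, year=2010, added_window=timedelta(seconds=5)):
    """Return [(zone, timestamp, explained), ...] for every 'scheduling resign'
    line that arrives before the previously scheduled resign of the same zone
    was due. explained is True when a 'Zone X added' line preceded it within
    added_window, i.e. the benign double-schedule-on-add case; False otherwise,
    which is the case worth correlating with a second signer daemon or a
    manual 'ods-signer sign'."""
    pending = {}     # zone -> datetime when its pending resign is due
    last_added = {}  # zone -> datetime of the most recent 'added' line
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = parse_ts(m["ts"], year)
        msg = m["msg"]
        a = ADDED_RE.search(msg)
        if a:
            last_added[a["zone"]] = ts
            continue
        s = SCHED_RE.search(msg)
        if not s:
            continue
        zone = s["zone"]
        due = ts + timedelta(seconds=int(s["secs"]))
        if zone in pending and ts < pending[zone]:
            added = last_added.get(zone)
            explained = added is not None and ts - added <= added_window
            findings.append((zone, ts, explained))
        pending[zone] = due  # the newest schedule is the one now in the queue
    return findings


if __name__ == "__main__":
    for zone, ts, explained in find_double_schedules(SAMPLE_LOG):
        tag = "after add (expected)" if explained else "UNEXPLAINED"
        print(f"{ts:%b %d %H:%M:%S} {zone}: rescheduled before due, {tag}")
```

Run it over the real log with `find_double_schedules(open(path).read(), year=2010)`. Every unexplained hit still needs a human look: a manual `ods-signer sign --all` after a zone change, as Casper runs several times a day, would also reschedule zones ahead of their due time, so compare the timestamps against when that command was issued before blaming a second ods-signerd.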