[Opendnssec-user] ZSK expired

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Jan 7 15:31:14 UTC 2011



Hi,

I would be interested to see the complete logfile, just to check whether I
see something odd. Perhaps we can arrange something off list.

> It's very likely the second case, ods-signer sign --all.

Note that sign --all should not trigger reading the zonelist, but
update --all does (as do start and update <zone>; the latter is often
issued by the enforcer).

Best regards,

Matthijs

On 01/07/2011 04:09 PM, Casper Gielen wrote:
> On 07-01-11 15:31, Matthijs Mekking wrote:
> vacation on Dec 24. Nobody touched the machine after that.
>>
>>> The first thing that grabs my attention (in the Dec 21 logs) is that the
>>> zone
>>> gets scheduled for signing twice. Is this normal?
>>
>> No, a zone should always be scheduled at most once in the queue.
>> However, I notice the logs do mention twice that a zone is scheduled
>> when the zone is added.
> 
> Thanks for clarifying.
> 
>>
>> If it is not scheduled though, it may be that a worker is working on the
>> zone. We set a flag, so that we know it may not be scheduled (for
>> example, as a result of ods-signer update).
>>
>> How did you notice it was scheduled twice? Did you see it by issuing
>> ods-signer queue? Or did you see it in the logs? If so, do you still
>> have those logs, so I can investigate (offline, if you prefer)?
> 
> I saw it in the logs when I started looking for a reason for dnssec
> failures on some domains. I do have the entire logfile but it's rather
> big (20 megs in total, gzipped).
> 
>>> I think I can fix the problem so I'm more interested in what went wrong and
>>> how to prevent it than a ready-made solution. Any ideas?
>>
>> The only times I had similar issues is when I (accidentally) started two
>> signer daemons. The client (ods-signer start) checks if there is already
>> a daemon running; however, ods-signerd will kick off without such a check.
> 
> There is this hanging signer process. I'm not sure if that really
> counts, but I will kill it now.
> 
> <cut>
>>  Zone example.net added
>>
>> Hence, probably the two log references of the zone being scheduled.
>> This can happen:
>> - on startup
>> - when receiving update [--all]
>> - when receiving update <zone>, but <zone> was not found
>>
>> However, this line tells me that there was a signed example.net already:
>>
>>> Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone
>>> 'example.net' in 4477 seconds
>>
>> Did some event occur at this time? Could you reason which of the three
>> cases happened (so that we can narrow down the search scope)?
>>
> 
> It's very likely the second case, ods-signer sign --all.
> I run this command after every zone change which happens a few times
> each day. I know it's possible to specify a specific zone to sign but
> that does not (yet) fit in our environment.
> 
> Thanks for your help so far.
> I will now kill the old signer process and restart the signer daemon;
> if anything interesting happens I will post it here.
> 
> 
> 
> 
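The thread narrows the problem down to a zone that appears to be scheduled twice in the signer queue, which the maintainer attributes to either a zone being re-added (startup, update --all, update <zone> when the zone was not found) or, more worryingly, a second ods-signerd instance. The log check below is an added example written for this thread; it is not part of OpenDNSSEC and not code posted by either participant. It assumes only the two message shapes quoted in the thread ("scheduling resign of zone '<zone>' in <n> seconds" and "Zone <zone> added"), with the standard syslog prefix; the tolerance of two scheduling lines directly after an "added" line follows the maintainer's remark that this is normal, and the sample log lines other than the one quoted in the thread are constructed.

```python
import re
import sys
from datetime import datetime, timedelta

# Syslog prefix as in the quoted line: "Dec 21 12:03:39 metagross ods-signerd: ..."
# An optional "[pid]" after the program name is tolerated (assumption, not shown on the thread).
_PREFIX = r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ods-signerd(?:\[\d+\])?: "
SCHEDULE_RE = re.compile(_PREFIX + r"scheduling resign of zone '(?P<zone>[^']+)' in (?P<secs>\d+) seconds$")
ADDED_RE = re.compile(_PREFIX + r"Zone (?P<zone>\S+) added$")

# Per the thread, a freshly added zone is legitimately logged as scheduled twice.
SCHEDULE_LINES_TOLERATED_AFTER_ADD = 2


def _parse_ts(ts):
    # Syslog timestamps carry no year; a fixed (1900) year is fine for
    # differences inside one log file.
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def find_double_scheduling(lines):
    """Return (zone, first_ts, second_ts) for every 'scheduling resign' line that
    arrives while an earlier schedule for the same zone is still pending (its
    deadline has not elapsed) and the zone was not re-added in between.
    A zone that is scheduled twice without having been added points at a second
    scheduler (for instance a stray ods-signerd), which is the case the thread
    is trying to rule out."""
    pending = {}      # zone -> (timestamp string, datetime, deadline datetime)
    slack = {}        # zone -> scheduling lines still tolerated after an 'added' line
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = ADDED_RE.match(line)
        if m:
            # Re-adding a zone (startup, update --all, update <zone>) reschedules it legitimately.
            pending.pop(m.group("zone"), None)
            slack[m.group("zone")] = SCHEDULE_LINES_TOLERATED_AFTER_ADD
            continue
        m = SCHEDULE_RE.match(line)
        if not m:
            continue
        zone = m.group("zone")
        when = _parse_ts(m.group("ts"))
        deadline = when + timedelta(seconds=int(m.group("secs")))
        if slack.get(zone, 0) > 0:
            slack[zone] -= 1
        else:
            prev = pending.get(zone)
            if prev is not None and when < prev[2]:
                findings.append((zone, prev[0], m.group("ts")))
        pending[zone] = (m.group("ts"), when, deadline)
    return findings


# Constructed sample log: the first line is the one quoted in the thread, the rest
# are made up to exercise the three situations the check distinguishes.
SAMPLE_LOG = [
    "Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone 'example.net' in 4477 seconds",
    "Dec 21 12:03:41 metagross ods-signerd: scheduling resign of zone 'example.net' in 4475 seconds",
    "Dec 21 12:05:00 metagross ods-signerd: Zone example.org added",
    "Dec 21 12:05:00 metagross ods-signerd: scheduling resign of zone 'example.org' in 3600 seconds",
    "Dec 21 12:05:01 metagross ods-signerd: scheduling resign of zone 'example.org' in 3599 seconds",
    "Dec 21 13:00:00 metagross ods-signerd: scheduling resign of zone 'example.com' in 60 seconds",
    "Dec 21 13:01:30 metagross ods-signerd: scheduling resign of zone 'example.com' in 3600 seconds",
]


if __name__ == "__main__":
    # Usage: python check_signer_log.py /var/log/syslog   (defaults to the constructed sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for zone, first, second in find_double_scheduling(source):
        print("zone %s scheduled again at %s while the schedule from %s was still pending" % (zone, second, first))
```

In the sample, example.net is flagged (scheduled twice two seconds apart, no add line), example.org is not (two lines directly after "Zone example.org added", which the thread describes as normal), and example.com is not (the second schedule arrives after the first 60-second deadline has passed). Running it over the real 20 MB log from the thread would show whether the duplicates cluster around "added" lines, i.e. around ods-signer update --all, or appear on their own, which is what would point at the hanging second signer process.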


