[Opendnssec-user] OpenDNSSEC in ISP environment (lots of small zones)?

Jan-Piet Mens jpmens at gmail.com
Fri Jan 28 15:16:40 UTC 2011


Hello Simon,

 > what we did to achieve this amount of zones is the following:

Thank you for your explanation. We originally avoided the MySQL route 
because its OpenDNSSEC support is explicitly marked as being 
*experimental*, but have now taken up on your suggestion and have wiped 
everything, and rebuilt with MySQL support. The whole system now does 
indeed feel a little snappier (how's that for an un-technical term :-)

Interestingly, what now fails, at least upon initially adding a zone, 
are incoming AXFR. We first thought this had to do with long pathnames 
and a limitation of the appropriate database columns, but that doesn't 
apply.


$ z=c1006.aa
$ ods-ksmutil zone add --zone $z --policy pol0 -s /tmp/o/signconf/$z -i /tmp/o/unsigned/$z -o /tmp/o/signed/$z
$ ods-ksmutil update all

# ods-control enforcer notify


Jan 28 16:09:59 sign1 ods-enforcerd: Zone c1006.aa found.
Jan 28 16:09:59 sign1 ods-enforcerd: Policy for c1006.aa set to pol0.
Jan 28 16:09:59 sign1 ods-enforcerd: Config will be output to /tmp/o/signconf/c1006.aa.
Jan 28 16:10:00 sign1 ods-enforcerd: INFO: Promoting ZSK from publish to active as this is the first pass for the zone
Jan 28 16:10:00 sign1 ods-enforcerd: WARNING: Making non-backed up ZSK active, PLEASE make sure that you know the potential problems of using keys which are not recoverable
Jan 28 16:10:00 sign1 ods-signerd: cmdhandler: updating signer configuration (c1006.aa)
Jan 28 16:10:00 sign1 ods-signerd: zone fetcher reloaded (pid=22101)
Jan 28 16:10:00 sign1 ods-signerd: zone fetcher AXFR for c1006.aa failed
Jan 28 16:10:00 sign1 ods-signerd: AXFR for new zone c1006.aa failed
Jan 28 16:10:00 sign1 ods-signerd: zone fetcher reloaded (pid=22101)
Jan 28 16:10:00 sign1 ods-signerd: unable to open file /tmp/o/unsigned/c1006.aa.axfr for reading: No such file or directory
Jan 28 16:10:00 sign1 ods-signerd: unable to copy axfr file /tmp/o/unsigned/c1006.aa.axfr to /tmp/o/unsigned/c1006.aa
Jan 28 16:10:00 sign1 ods-signerd: task [read zone c1006.aa] failed
Jan 28 16:10:00 sign1 ods-enforcerd: Disconnecting from Database...
Jan 28 16:10:00 sign1 ods-enforcerd: Sleeping for 3600 seconds.

The zone actually is transferred from its master server:

28-Jan-2011 16:10:02.497 transfer of 'c1006.aa/IN': AXFR started
28-Jan-2011 16:10:02.500 transfer of 'c1006.aa/IN': AXFR ended

However, it isn't stored anywhere:

$ find /tmp/o -ls
2140361    4 drwxrwxrwx   5 root     root         4096 Jan 28 15:35 /tmp/o
2140362    4 drwxrwxrwx   2 root     root         4096 Jan 28 16:02 /tmp/o/signed
2140365    4 drwxrwxrwx   2 root     root         4096 Jan 28 16:10 /tmp/o/signconf
2140363    4 -rw-r--r--   1 opendnssec opendnssec      950 Jan 28 16:10 /tmp/o/signconf/c1006.aa
2140364    4 drwxrwxrwx   2 root     root         4096 Jan 28 16:10 /tmp/o/unsigned

If I stop and start OpenDNSSEC, I see the following:

Jan 28 16:12:22 sign1 ods-enforcerd: Zone c1006.aa found.
Jan 28 16:12:22 sign1 ods-enforcerd: Policy for c1006.aa set to pol0.
Jan 28 16:12:22 sign1 ods-enforcerd: Config will be output to /tmp/o/signconf/c1006.aa.
Jan 28 16:12:22 sign1 ods-enforcerd: WARNING: key rollover not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
Jan 28 16:12:22 sign1 ods-enforcerd: No change to: /tmp/o/signconf/c1006.aa
Jan 28 16:12:22 sign1 ods-enforcerd: Disconnecting from Database...
Jan 28 16:12:22 sign1 ods-enforcerd: Sleeping for 3600 seconds.
----------- JP: signed c1006.aa in /tmp/o/signed/c1006.aa --------
Jan 28 16:12:23 sign1 ods-signerd: [STATS] c1006.aa RR[count=613 time=0(sec)] NSEC3[count=205 time=0(sec)] RRSIG[new=820 reused=0 time=1(sec) avg=820(sig/sec)] AUDIT[time=0(sec)] TOTAL[time=1(sec)]

The zone is (again?) transferred, stored and correctly signed; I see the 
c1006.aa.axfr file (belonging to root) and the resulting signed zone 
file in /signed, belonging to 'opendnssec'.

Any idea why incoming zone transfers are having a problem since 
switching to MySQL?

Thanks,

	-JP
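With thousands of small zones, a failure of the kind quoted in the mail above is something to detect from syslog rather than by eye: a zone whose AXFR or read task failed and was never followed by a [STATS] signing line will sit unsigned (or with ageing signatures) until someone notices. The script below is an added example, not code from the post or from the OpenDNSSEC project. It parses the ods-enforcerd/ods-signerd message shapes quoted in the e-mail, keeps the most recent outcome per zone, and lists zones whose last result is a failure. The embedded log lines are constructed, modelled on the excerpt above; treating a later [STATS] line as clearing an earlier failure (as happened for c1006.aa after the restart) is an assumption of this example, and the per-zone record layout is the example's own.

```python
import os
import re
from collections import OrderedDict

# Constructed sample syslog excerpt, modelled on the ods-enforcerd/ods-signerd
# lines quoted in the post (not a real capture). c1006.aa fails its first AXFR
# and is signed after a restart, c1007.aa never recovers, c1008.aa is clean.
SAMPLE_LOG = """\
Jan 28 16:09:59 sign1 ods-enforcerd: Zone c1006.aa found.
Jan 28 16:09:59 sign1 ods-enforcerd: Policy for c1006.aa set to pol0.
Jan 28 16:10:00 sign1 ods-signerd: zone fetcher AXFR for c1006.aa failed
Jan 28 16:10:00 sign1 ods-signerd: AXFR for new zone c1006.aa failed
Jan 28 16:10:00 sign1 ods-signerd: unable to open file /tmp/o/unsigned/c1006.aa.axfr for reading: No such file or directory
Jan 28 16:10:00 sign1 ods-signerd: task [read zone c1006.aa] failed
Jan 28 16:10:05 sign1 ods-enforcerd: Zone c1007.aa found.
Jan 28 16:10:06 sign1 ods-signerd: zone fetcher AXFR for c1007.aa failed
Jan 28 16:10:06 sign1 ods-signerd: unable to open file /tmp/o/unsigned/c1007.aa.axfr for reading: No such file or directory
Jan 28 16:10:06 sign1 ods-signerd: task [read zone c1007.aa] failed
Jan 28 16:12:22 sign1 ods-enforcerd: Zone c1006.aa found.
Jan 28 16:12:23 sign1 ods-signerd: [STATS] c1006.aa RR[count=613 time=0(sec)] NSEC3[count=205 time=0(sec)] RRSIG[new=820 reused=0 time=1(sec) avg=820(sig/sec)] AUDIT[time=0(sec)] TOTAL[time=1(sec)]
Jan 28 16:12:23 sign1 ods-enforcerd: Zone c1008.aa found.
Jan 28 16:12:24 sign1 ods-signerd: [STATS] c1008.aa RR[count=40 time=0(sec)] NSEC3[count=12 time=0(sec)] RRSIG[new=51 reused=0 time=0(sec) avg=51(sig/sec)] AUDIT[time=0(sec)] TOTAL[time=0(sec)]
"""

# Message shapes taken from the post's log excerpt; any other message is ignored.
RE_PREFIX = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>ods-\w+): (?P<msg>.*)$"
)
RE_FOUND = re.compile(r"^Zone (?P<zone>\S+) found\.$")
RE_AXFR_FAIL = re.compile(r"^(?:zone fetcher )?AXFR for (?:new zone )?(?P<zone>\S+) failed$")
RE_OPEN_FAIL = re.compile(r"^unable to open file (?P<path>\S+) for reading: (?P<err>.*)$")
RE_READ_FAIL = re.compile(r"^task \[read zone (?P<zone>\S+)\] failed$")
RE_STATS = re.compile(
    r"^\[STATS\] (?P<zone>\S+) RR\[count=(?P<rr>\d+).*?RRSIG\[new=(?P<new>\d+) reused=(?P<reused>\d+)"
)


def _entry(report, zone):
    """Return the per-zone record, creating it in 'pending' state on first sight."""
    return report.setdefault(zone, {
        "state": "pending",      # pending | failed | signed (last event wins)
        "failures": [],          # timestamped failure messages, in log order
        "missing_files": [],     # .axfr files the signer could not open
        "rr_count": None,
        "rrsig_new": None,
    })


def analyze(log_text):
    """Walk the log in order and build a per-zone status report."""
    report = OrderedDict()
    for line in log_text.splitlines():
        m = RE_PREFIX.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")

        f = RE_FOUND.match(msg)
        if f:
            _entry(report, f["zone"])
            continue

        f = RE_AXFR_FAIL.match(msg) or RE_READ_FAIL.match(msg)
        if f:
            e = _entry(report, f["zone"])
            e["state"] = "failed"
            e["failures"].append(f"{ts} {msg}")
            continue

        f = RE_OPEN_FAIL.match(msg)
        if f and f["path"].endswith(".axfr"):
            # The zone fetcher writes <unsigned>/<zone>.axfr; recover the zone from the path.
            zone = os.path.basename(f["path"])[: -len(".axfr")]
            e = _entry(report, zone)
            e["state"] = "failed"
            e["missing_files"].append(f["path"])
            continue

        f = RE_STATS.match(msg)
        if f:
            e = _entry(report, f["zone"])
            e["state"] = "signed"
            e["rr_count"] = int(f["rr"])
            e["rrsig_new"] = int(f["new"])
    return report


def zones_needing_attention(report):
    """Zones whose most recent outcome is not a successful signing run."""
    return [zone for zone, e in report.items() if e["state"] != "signed"]


if __name__ == "__main__":
    rep = analyze(SAMPLE_LOG)
    for zone in zones_needing_attention(rep):
        e = rep[zone]
        last = e["failures"][-1] if e["failures"] else "-"
        print(f"{zone}: {e['state']}; missing={e['missing_files']}; last failure: {last}")
```

Feed it the signer host's syslog (`analyze(open("/var/log/syslog").read())`) and alert on a non-empty `zones_needing_attention()` result; a zone that appears only as "found" and never reaches [STATS] is reported too, since "pending" is treated like "failed".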
