[Opendnssec-user] OpenDNSSEC in ISP environment (lots of small zones)?
Jan-Piet Mens
jpmens at gmail.com
Mon Jan 31 12:52:46 UTC 2011
Tim,
> Set signer verbosity as high as possible and might see the reason the
> zone transfer is failing in syslog.
Well, that was certainly helpful. In a way: :)
$ ods-signer verbosity 9999
$ z=c1008.aa
$ ods-ksmutil zone add --zone $z --policy pol0 -s /tmp/o/signconf/$z -i /tmp/o/unsigned/$z -o /tmp/o/signed/$z
$ ods-control enforcer notify
No changes to any configs since last reported, but increase of verbosity
causes the system to AXFR the zone ???
Jan 31 13:40:19 sign1 ods-signerd: received command update c1008.aa[15]
Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: updating signer configuration (c1008.aa)
Jan 31 13:40:19 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
Jan 31 13:40:19 sign1 ods-signerd: read zone list file /usr/local/stow/opendnssec-1.2.0/etc/opendnssec/zonelist.xml
Jan 31 13:40:19 sign1 ods-signerd: zone fetcher transferred zone c1008.aa serial 1 successfully
Jan 31 13:40:19 sign1 ods-signerd: received command sign c1008.aa[13]
Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: not working on zone c1008.aa, updating zone list
Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: updating signer configuration (c1008.aa)
Jan 31 13:40:19 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
Jan 31 13:40:19 sign1 ods-signerd: read zone list file /usr/local/stow/opendnssec-1.2.0/etc/opendnssec/zonelist.xml
Jan 31 13:40:19 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
Jan 31 13:40:19 sign1 ods-signerd: fetch zone c1008.aa
Jan 31 13:40:19 sign1 ods-signerd: read zone c1008.aa from input file adapter /tmp/o/unsigned/c1008.aa
Jan 31 13:40:19 sign1 ods-signerd: zone c1008.aa set SOA TTL to 600
Jan 31 13:40:19 sign1 ods-signerd: zone c1008.aa set SOA MINIMUM to 600
Jan 31 13:40:20 sign1 ods-signerd: publish dnskeys to zone c1008.aa
Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa set DNSKEY TTL to 3600
Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa set DNSKEY TTL to 3600
Jan 31 13:40:20 sign1 ods-signerd: update zone c1008.aa
Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa updated to serial 2011013100
Jan 31 13:40:20 sign1 ods-signerd: nsecify zone c1008.aa
Jan 31 13:40:21 sign1 ods-signerd: sign zone c1008.aa
----------- JP: signed c1008.aa in /tmp/o/signed/c1008.aa --------
Jan 31 13:40:26 sign1 ods-signerd: zone c1008.aa signed, new serial 2011013100
Jan 31 13:40:26 sign1 ods-signerd: write zone c1008.aa serial 2011013100
I then set verbosity to 0, and the initial AXFR for a new zone fails.
Verbosity 0 through 4 fails.
Verbosity 5 transfers the zone. That would appear to be a bug.
-JP