[Opendnssec-user] OpenDNSSEC in ISP environment (lots of small zones)?

Jan-Piet Mens jpmens at gmail.com
Mon Jan 31 12:52:46 UTC 2011


Tim,

> Set signer verbosity as high as possible and might see the reason the
> zone transfer is failing in syslog.

Well, that was certainly helpful. In a way: :)

$ ods-signer verbosity 9999
$ z=c1008.aa
$ ods-ksmutil zone add --zone $z --policy pol0 -s /tmp/o/signconf/$z -i /tmp/o/unsigned/$z -o /tmp/o/signed/$z
$ ods-control enforcer notify

No changes to any configs since last reported, but increasing the verbosity causes the system to AXFR the zone ???


Jan 31 13:40:19 sign1 ods-signerd: received command update c1008.aa[15]
Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: updating signer configuration (c1008.aa)
Jan 31 13:40:19 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
Jan 31 13:40:19 sign1 ods-signerd: read zone list file /usr/local/stow/opendnssec-1.2.0/etc/opendnssec/zonelist.xml
Jan 31 13:40:19 sign1 ods-signerd: zone fetcher transferred zone c1008.aa serial 1 successfully
Jan 31 13:40:19 sign1 ods-signerd: received command sign c1008.aa[13]
Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: not working on zone c1008.aa, updating zone list
Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: updating signer configuration (c1008.aa)
Jan 31 13:40:19 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
Jan 31 13:40:19 sign1 ods-signerd: read zone list file /usr/local/stow/opendnssec-1.2.0/etc/opendnssec/zonelist.xml
Jan 31 13:40:19 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
Jan 31 13:40:19 sign1 ods-signerd: fetch zone c1008.aa
Jan 31 13:40:19 sign1 ods-signerd: read zone c1008.aa from input file adapter /tmp/o/unsigned/c1008.aa
Jan 31 13:40:19 sign1 ods-signerd: zone c1008.aa set SOA TTL to 600
Jan 31 13:40:19 sign1 ods-signerd: zone c1008.aa set SOA MINIMUM to 600
Jan 31 13:40:20 sign1 ods-signerd: publish dnskeys to zone c1008.aa
Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa set DNSKEY TTL to 3600
Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa set DNSKEY TTL to 3600
Jan 31 13:40:20 sign1 ods-signerd: update zone c1008.aa
Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa updated to serial 2011013100
Jan 31 13:40:20 sign1 ods-signerd: nsecify zone c1008.aa
Jan 31 13:40:21 sign1 ods-signerd: sign zone c1008.aa
----------- JP: signed c1008.aa in /tmp/o/signed/c1008.aa --------
Jan 31 13:40:26 sign1 ods-signerd: zone c1008.aa signed, new serial 2011013100
Jan 31 13:40:26 sign1 ods-signerd: write zone c1008.aa serial 2011013100

I then set verbosity to 0, and the initial AXFR for a new zone fails.

Verbosity 0 through 4 fails.
Verbosity 5 transfers the zone. That would appear to be a bug.

	-JP
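As an added example that is not part of Jan-Piet's post or of OpenDNSSEC itself: when a signer is carrying many small zones, reading syslog by eye for each one does not scale, so the script below groups ods-signerd messages of the shape quoted above per zone and flags zones that received an update or sign command but never logged a successful zone-fetcher transfer, which is the symptom the post describes. The message patterns are derived only from the log lines in this post and are assumptions, not taken from the OpenDNSSEC source; the embedded sample log is constructed from those lines plus a made-up second zone, c1009.aa, that has no transfer line. The script also assumes the signer is running at a verbosity at which the "zone fetcher transferred zone" line is actually emitted.

```python
import re
import sys
from collections import defaultdict

# Constructed sample in the ods-signerd syslog format shown in the post.
# c1008.aa reproduces the successful sequence; c1009.aa is a made-up zone
# that receives the update command but never logs a transfer.
SAMPLE_LOG = """\
Jan 31 13:40:19 sign1 ods-signerd: received command update c1008.aa[15]
Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: updating signer configuration (c1008.aa)
Jan 31 13:40:19 sign1 ods-signerd: zone fetcher transferred zone c1008.aa serial 1 successfully
Jan 31 13:40:19 sign1 ods-signerd: received command sign c1008.aa[13]
Jan 31 13:40:19 sign1 ods-signerd: fetch zone c1008.aa
Jan 31 13:40:19 sign1 ods-signerd: read zone c1008.aa from input file adapter /tmp/o/unsigned/c1008.aa
Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa updated to serial 2011013100
Jan 31 13:40:21 sign1 ods-signerd: sign zone c1008.aa
Jan 31 13:40:26 sign1 ods-signerd: zone c1008.aa signed, new serial 2011013100
Jan 31 13:40:26 sign1 ods-signerd: write zone c1008.aa serial 2011013100
Jan 31 13:41:02 sign1 ods-signerd: received command update c1009.aa[15]
Jan 31 13:41:02 sign1 ods-signerd: cmdhandler: updating signer configuration (c1009.aa)
Jan 31 13:41:02 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
"""

# Syslog envelope: "Mon DD HH:MM:SS host ods-signerd: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ods-signerd: (?P<msg>.*)$"
)

# Message patterns are assumptions inferred from the post's log, not from the
# OpenDNSSEC source; adjust them if your signer version words things differently.
PATTERNS = {
    "update":   re.compile(r"^received command update (?P<zone>\S+?)\[\d+\]$"),
    "sign_cmd": re.compile(r"^received command sign (?P<zone>\S+?)\[\d+\]$"),
    "transfer": re.compile(r"^zone fetcher transferred zone (?P<zone>\S+) serial (?P<serial>\d+) successfully$"),
    "read":     re.compile(r"^read zone (?P<zone>\S+) from input file adapter (?P<path>\S+)$"),
    "signed":   re.compile(r"^zone (?P<zone>\S+) signed, new serial (?P<serial>\d+)$"),
    "written":  re.compile(r"^write zone (?P<zone>\S+) serial (?P<serial>\d+)$"),
}


def parse_signer_log(text):
    """Group recognised ods-signerd messages by zone.

    Returns {zone: {"events": [...], "transfer_serial": int|None,
                    "signed_serial": int|None, "last_ts": str|None}}.
    Lines that match no pattern (fetcher reloads, TTL tweaks, ...) are skipped.
    """
    zones = defaultdict(lambda: {"events": [], "transfer_serial": None,
                                 "signed_serial": None, "last_ts": None})
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        for name, pat in PATTERNS.items():
            e = pat.match(m.group("msg"))
            if not e:
                continue
            z = zones[e.group("zone")]
            z["events"].append(name)
            z["last_ts"] = m.group("ts")
            if name == "transfer":
                z["transfer_serial"] = int(e.group("serial"))
            elif name == "signed":
                z["signed_serial"] = int(e.group("serial"))
            break
    return dict(zones)


def triage(zones):
    """Give each zone a verdict: 'no-transfer', 'no-sign', 'not-written' or 'ok'.

    'no-transfer' is the case from the post: the signer was told about the zone
    but the zone fetcher never reported a successful AXFR.
    """
    verdicts = {}
    for name, z in zones.items():
        ev = set(z["events"])
        if ("update" in ev or "sign_cmd" in ev) and "transfer" not in ev:
            verdicts[name] = "no-transfer"
        elif "transfer" in ev and "signed" not in ev:
            verdicts[name] = "no-sign"
        elif "signed" in ev and "written" not in ev:
            verdicts[name] = "not-written"
        else:
            verdicts[name] = "ok"
    return verdicts


def report(text):
    """Return one line per zone, non-'ok' zones first, for a quick scan."""
    zones = parse_signer_log(text)
    verdicts = triage(zones)
    rows = sorted(verdicts.items(), key=lambda kv: (kv[1] == "ok", kv[0]))
    return [f"{zone:20s} {verdict:12s} transfer={zones[zone]['transfer_serial']} "
            f"signed={zones[zone]['signed_serial']} last={zones[zone]['last_ts']}"
            for zone, verdict in rows]


if __name__ == "__main__":
    # Usage: python ods_triage.py /var/log/syslog   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print("\n".join(report(text)))
```

Run it against the syslog of a signer at high verbosity after a batch of `ods-ksmutil zone add` calls and the zones stuck at `no-transfer` are the ones whose AXFR needs looking at; because it keys only on the lines this post shows, a signer that never emits the "transferred zone" line (for instance at the low verbosity the post reports as failing) will classify every zone as `no-transfer`, so check the verbosity first.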


