[Opendnssec-user] OpenDNSSEC in ISP environment (lots of small zones)?

Tim Dykes ttdykes at gmail.com
Mon Jan 31 12:56:09 UTC 2011


Not the result I was expecting! But I'll take the credit nonetheless!


Tim Dykes

H: 02 8006 2033
M: 041 962 0603
E: ttdykes at gmail.com


On Mon, Jan 31, 2011 at 11:52 PM, Jan-Piet Mens <jpmens at gmail.com> wrote:

> Tim,
>
>
>> Set signer verbosity as high as possible and might see the reason the
>> zone transfer is failing in syslog.
>>
>
> Well, that was certainly helpful. In a way: :)
>
> $ ods-signer verbosity 9999
> $ z=c1008.aa
>
> $ ods-ksmutil zone add --zone $z --policy pol0 -s /tmp/o/signconf/$z -i /tmp/o/unsigned/$z -o /tmp/o/signed/$z
> $ ods-control enforcer notify
>
> No changes to any configs since last reported, but increase of verbosity
> causes the system to AXFR the zone ???
>
>
> Jan 31 13:40:19 sign1 ods-signerd: received command update c1008.aa[15]
> Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: updating signer configuration (c1008.aa)
> Jan 31 13:40:19 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
> Jan 31 13:40:19 sign1 ods-signerd: read zone list file /usr/local/stow/opendnssec-1.2.0/etc/opendnssec/zonelist.xml
> Jan 31 13:40:19 sign1 ods-signerd: zone fetcher transferred zone c1008.aa serial 1 successfully
> Jan 31 13:40:19 sign1 ods-signerd: received command sign c1008.aa[13]
> Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: not working on zone c1008.aa, updating zone list
> Jan 31 13:40:19 sign1 ods-signerd: cmdhandler: updating signer configuration (c1008.aa)
> Jan 31 13:40:19 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
> Jan 31 13:40:19 sign1 ods-signerd: read zone list file /usr/local/stow/opendnssec-1.2.0/etc/opendnssec/zonelist.xml
> Jan 31 13:40:19 sign1 ods-signerd: zone fetcher reloaded (pid=9650)
> Jan 31 13:40:19 sign1 ods-signerd: fetch zone c1008.aa
> Jan 31 13:40:19 sign1 ods-signerd: read zone c1008.aa from input file adapter /tmp/o/unsigned/c1008.aa
> Jan 31 13:40:19 sign1 ods-signerd: zone c1008.aa set SOA TTL to 600
> Jan 31 13:40:19 sign1 ods-signerd: zone c1008.aa set SOA MINIMUM to 600
> Jan 31 13:40:20 sign1 ods-signerd: publish dnskeys to zone c1008.aa
> Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa set DNSKEY TTL to 3600
> Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa set DNSKEY TTL to 3600
> Jan 31 13:40:20 sign1 ods-signerd: update zone c1008.aa
> Jan 31 13:40:20 sign1 ods-signerd: zone c1008.aa updated to serial 2011013100
> Jan 31 13:40:20 sign1 ods-signerd: nsecify zone c1008.aa
> Jan 31 13:40:21 sign1 ods-signerd: sign zone c1008.aa
> ----------- JP: signed c1008.aa in /tmp/o/signed/c1008.aa --------
> Jan 31 13:40:26 sign1 ods-signerd: zone c1008.aa signed, new serial 2011013100
> Jan 31 13:40:26 sign1 ods-signerd: write zone c1008.aa serial 2011013100
>
> I then set verbosity to 0, and the initial AXFR for a new zone fails.
>
> Verbosity 0 through 4 fails
> Verbosity 5 transfers the zone. That would appear to be a bug.
>
>        -JP
>