[Opendnssec-user] auditor bug (again?)

Paul Wouters paul at nohats.ca
Sun Feb 12 03:41:35 UTC 2012


I think this is what is happening to me now....

I test upgraded an nsd prerelease, and the package change
made the /etc/nsd dir no longer world readable. As a result,
ods-signer could no longer read the zone. It died while keeping
some state in /var/opendnssec/

This was logged:

Feb 11 22:34:39 nohats ods-signerd: [adapter] unable to read file /etc/nsd/openswan.org: Unable to open file

After I fixed it, I got:

Feb 11 22:35:07 nohats ods-auditor[1667]: Auditor started
Feb 11 22:35:07 nohats ods-auditor[1667]: Auditor starting on openswan.org
Feb 11 22:35:07 nohats ods-auditor[1667]: SOA differs : from 2012021102 to 2012020607
Feb 11 22:35:07 nohats ods-auditor[1667]: Auditing openswan.org zone : NSEC SIGNED
Feb 11 22:35:07 nohats ods-auditor[1667]: SOA serial has decreased - used to be 2012020613 but is now 2012020607
Feb 11 22:35:07 nohats ods-auditor[1667]: Finished auditing openswan.org zone
Feb 11 22:35:07 nohats ods-signerd: [tools] audit failed for zone openswan.org
Feb 11 22:35:07 nohats ods-signerd: [worker[1]] backoff task [read] for zone openswan.org with 60 seconds

I can guarantee you my serials do not decrease. My money is on
the auditor comparing the old saved state in /var/opendnssec/
with the newer serial, assuming it just made that state file,
concluding a serial warp back in time, and aborting.

If so, it should really clean out those state files and start from
scratch, instead of bailing out.

Paul
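
Added example, not part of the original message and not OpenDNSSEC code: a log-triage helper that pulls the serials out of ods-auditor lines in the format quoted above and reports each "serial has decreased" event together with any earlier signer read failure for the same zone. The function names (serial_lt, triage) are hypothetical, the regexes assume the exact message wording shown in the log above, and the RFC 1982 serial comparison is an assumption of this example, not something the message says the auditor uses.

```python
import re

# Log lines copied from the message above (syslog timestamp/host trimmed).
SAMPLE_LOG = """\
ods-signerd: [adapter] unable to read file /etc/nsd/openswan.org: Unable to open file
ods-auditor[1667]: Auditor starting on openswan.org
ods-auditor[1667]: SOA differs : from 2012021102 to 2012020607
ods-auditor[1667]: SOA serial has decreased - used to be 2012020613 but is now 2012020607
ods-signerd: [tools] audit failed for zone openswan.org
"""

START = re.compile(r"Auditor starting on (\S+)")
DIFFERS = re.compile(r"SOA differs : from (\d+) to (\d+)")
DECREASED = re.compile(r"SOA serial has decreased - used to be (\d+) but is now (\d+)")
READ_FAIL = re.compile(r"ods-signerd: \[adapter\] unable to read file (\S+):")


def serial_lt(a, b):
    """RFC 1982 comparison for 32-bit serials: True if a is older than b."""
    return a != b and ((b - a) % 2**32) < 2**31


def triage(log_text):
    """Return one finding per 'serial has decreased' line, with context."""
    findings, zone, differs, read_failures = [], None, None, []
    for line in log_text.splitlines():
        if m := READ_FAIL.search(line):
            read_failures.append(m.group(1))
        elif m := START.search(line):
            zone, differs = m.group(1), None   # new audit run, reset context
        elif m := DIFFERS.search(line):
            differs = (int(m.group(1)), int(m.group(2)))
        elif m := DECREASED.search(line):
            was, now = int(m.group(1)), int(m.group(2))
            findings.append({
                "zone": zone,
                "was": was,
                "now": now,
                "regressed": serial_lt(now, was),  # wrap-aware check
                "differs": differs,                # pair from 'SOA differs'
                "prior_read_failure": any(
                    zone and p.endswith("/" + zone) for p in read_failures),
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A finding with prior_read_failure set marks an audit failure that followed an input read error for that zone, which is the sequence described in the message.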


