[Opendnssec-user] auditor bug (again?)

Alex Dalitz AlexD at nominet.org.uk
Tue Feb 21 14:32:10 UTC 2012


Hi - 

Apologies for the delayed response...

On 12 Feb 2012, at 03:41, Paul Wouters wrote:

> I think this is what is happening to me now....
> 
> I test upgraded an nsd prerelease, and the package change
> made the /etc/nsd dir no longer world readable. As a result,
> ods-signer could no longer read the zone. It died while keeping
> some state in /var/opendnssec/
> 
> This was logged:
> 
> Feb 11 22:34:39 nohats ods-signerd: [adapter] unable to read file
> /etc/nsd/openswan.org: Unable to open file
> 
> After I fixed it, I got:
> 
> Feb 11 22:35:07 nohats ods-auditor[1667]: Auditor started
> Feb 11 22:35:07 nohats ods-auditor[1667]: Auditor starting on openswan.org
> Feb 11 22:35:07 nohats ods-auditor[1667]: SOA differs : from 2012021102 to 2012020607
> Feb 11 22:35:07 nohats ods-auditor[1667]: Auditing openswan.org zone : NSEC SIGNED
> Feb 11 22:35:07 nohats ods-auditor[1667]: SOA serial has decreased - used to be 2012020613 but is now 2012020607
> Feb 11 22:35:07 nohats ods-auditor[1667]: Finished auditing openswan.org zone
> Feb 11 22:35:07 nohats ods-signerd: [tools] audit failed for zone openswan.org
> Feb 11 22:35:07 nohats ods-signerd: [worker[1]] backoff task [read] for zone openswan.org with 60 seconds
> 
> I can guarantee you my serials do not decrease. My money is on
> the auditor comparing the old saved state in /var/opendnssec/
> with the newer serial, assuming it just made that state file,
> concluding a serial warp back in time, and aborting.

From what you have written, I find it difficult to see how this can be the case.

The auditor is only run by the signer _after_ the zone has been signed. The auditor only saves state in /var/opendnssec/tmp/ when it runs. If it doesn't run, then it can't save state.

Is there any chance that the auditor was run manually after the package change?

Are you able to send the contents and timestamps of the openswan.org files in /var/opendnssec/tmp/, please?

Thanks,


Alex.


> 
> If so, it should really clean out those state files and start from
> scratch, instead of bailing out.
> 
> Paul