[Opendnssec-user] time issues

Fredrik Pettai pettai at nordu.net
Mon Jan 9 11:54:40 UTC 2012


On Jan 9, 2012, at 11:25 , Rickard Bellgrim wrote:
>> This SOA drift started to occur again, then the auditor doesn't like the zone due to the ldns bug affected zone.
> 
> This is not the previous ldns bug and the Auditor does not give an
> error. This line is just an info message.
> 
> It is indeed a strange behavior of the SOA serial. Could you tell us
> more about your setup?

What conf do you need to see?

> Is the system only signing a single zone?

No

> Are you signing multiple zones, but only a single zone has the problem?

Yes, multiple, but only a few got bad by the ldns bug incident...

>> Jan  4 20:48:53 hidden-master ods-auditor[9934]: SOA differs : from 2012010402 to 2012010404
>> Jan  5 12:56:07 hidden-master ods-auditor[10443]: SOA differs : from 2012010402 to 2012010500
>> Jan  5 12:56:08 hidden-master ods-auditor[8937]: SOA differs : from 2012010402 to 2012010500
>> Jan  5 12:56:08 hidden-master ods-auditor[19982]: SOA differs : from 2012010402 to 2012010500
>> Jan  5 13:06:02 hidden-master ods-auditor[19565]: SOA differs : from 2012010402 to 2012010500
>> Jan  6 20:49:32 hidden-master ods-auditor[13302]: SOA differs : from 2011121300 to 2012010600
>> Jan  6 20:49:32 hidden-master ods-auditor[11034]: SOA differs : from 2011121302 to 2012010600
>> Jan  6 20:49:32 hidden-master ods-auditor[22569]: SOA differs : from 2011121300 to 2012010600
> 
> The inbound serial was decreased. How come?

First I removed audit so the zone was let through, just to check what would happen, and it got signed with that strange SOA datecounter.
Then I stopped OpenDNSSEC, removed all the tmpfiles + the signed zone and restarted OpenDNSSEC. After that the datecounter got back to normal datecounting again. And finally, I re-enabled the auditor again. 
(This zone was never published outside of OpenDNSSEC, so the SOA decrease doesn't really matter.)

> It is also strange that
> the outbound serial is the same in some cases. Aren't these log
> messages from multiple zones?

Sorry, a cut & paste error...

> The Auditor does not log an audit in a single line. Each audit
> produces multiple lines, which can be mixed up since they are not
> tagged with the zone name. Only the first message is tagged.

A feature request maybe: that lines get tagged with the zone name for easy grepping?

>> Jan  8 00:14:33 hidden-master ods-auditor[14179]: SOA differs : from 2012010402 to 2012011197
>> Jan  8 00:16:38 hidden-master ods-auditor[25128]: SOA differs : from 2012010402 to 2012011594
>> Jan  8 00:20:33 hidden-master ods-auditor[16118]: SOA differs : from 2012010402 to 2012011991
>> Jan  8 00:28:33 hidden-master ods-auditor[17482]: SOA differs : from 2012010402 to 2012012388
>> Jan  8 00:44:33 hidden-master ods-auditor[28203]: SOA differs : from 2012010402 to 2012012785
>> Jan  8 01:16:34 hidden-master ods-auditor[14082]: SOA differs : from 2012010402 to 2012013182
>> Jan  8 02:16:39 hidden-master ods-auditor[8155]: SOA differs : from 2012010402 to 2012013579
>> Jan  8 03:16:40 hidden-master ods-auditor[27955]: SOA differs : from 2012010402 to 2012013976
>> Jan  8 04:16:39 hidden-master ods-auditor[12804]: SOA differs : from 2012010402 to 2012014373
>> Jan  8 05:16:41 hidden-master ods-auditor[25100]: SOA differs : from 2012010402 to 2012014770
>> Jan  8 06:16:43 hidden-master ods-auditor[15671]: SOA differs : from 2012010402 to 2012015167
>> Jan  8 07:16:46 hidden-master ods-auditor[9411]: SOA differs : from 2012010402 to 2012015564
>> Jan  8 08:16:48 hidden-master ods-auditor[15142]: SOA differs : from 2012010402 to 2012015961
>> Jan  8 09:16:50 hidden-master ods-auditor[15927]: SOA differs : from 2012010402 to 2012016358
>> Jan  8 10:16:52 hidden-master ods-auditor[29363]: SOA differs : from 2012010402 to 2012016755
>> Jan  8 11:16:55 hidden-master ods-auditor[6845]: SOA differs : from 2012010402 to 2012017152
>> Jan  8 12:16:56 hidden-master ods-auditor[7580]: SOA differs : from 2012010402 to 2012017549
>> Jan  8 13:16:58 hidden-master ods-auditor[23128]: SOA differs : from 2012010402 to 2012017946
>> Jan  8 14:13:58 hidden-master ods-auditor[9620]: SOA differs : from 2012010402 to 2012018343
>> Jan  8 14:14:00 hidden-master ods-auditor[16325]: SOA differs : from 2012010402 to 2012010801
>> Jan  8 14:14:59 hidden-master ods-auditor[171]: SOA differs : from 2012010402 to 2012018740
>> Jan  8 14:17:02 hidden-master ods-auditor[1802]: SOA differs : from 2012010402 to 2012019137
>> Jan  8 14:21:03 hidden-master ods-auditor[16026]: SOA differs : from 2012010402 to 2012019534
>> Jan  8 14:29:03 hidden-master ods-auditor[18635]: SOA differs : from 2012010402 to 2012019931
>> Jan  8 14:45:04 hidden-master ods-auditor[27469]: SOA differs : from 2012010402 to 2012020328
>> Jan  8 15:17:05 hidden-master ods-auditor[12833]: SOA differs : from 2012010402 to 2012020725
>> Jan  8 16:17:05 hidden-master ods-auditor[28069]: SOA differs : from 2012010402 to 2012021122
>> Jan  8 17:17:03 hidden-master ods-auditor[15089]: SOA differs : from 2012010402 to 2012021519
>> Jan  8 18:17:06 hidden-master ods-auditor[9696]: SOA differs : from 2012010402 to 2012021916
>> Jan  8 19:17:08 hidden-master ods-auditor[24329]: SOA differs : from 2012010402 to 2012022313
>> Jan  8 20:17:08 hidden-master ods-auditor[10180]: SOA differs : from 2012010402 to 2012022710
> 
> These values are really strange.

Yep, I know...

/P
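
An added example, not part of the original message or of OpenDNSSEC: a check over the `SOA differs` lines quoted in this thread that flags outbound serials which cannot be sane datecounter values. It assumes the YYYYMMDDnn datecounter layout and that the caller supplies the log year (syslog omits it); the function names are hypothetical.

```python
import re
from datetime import date, datetime

# Matches the "SOA differs" lines as they appear in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+ods-auditor\[\d+\]:\s+"
    r"SOA differs : from (?P<old>\d+) to (?P<new>\d+)\s*$"
)

def serial_date(serial):
    """Date encoded in a YYYYMMDDnn serial, or None if it is not a calendar date."""
    digits = f"{serial:010d}"
    try:
        return date(int(digits[:4]), int(digits[4:6]), int(digits[6:8]))
    except ValueError:
        return None

def classify(line, year):
    """Return (outbound_serial, verdict) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Syslog timestamps carry no year, so the caller supplies it (assumption).
    stamp = " ".join(m["ts"].split())
    logged = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").date()
    outbound = int(m["new"])
    encoded = serial_date(outbound)
    if encoded is None:
        return outbound, "invalid-date"   # e.g. day 35 of January
    if encoded > logged:
        return outbound, "future-date"    # serial is ahead of the signer's clock
    return outbound, "ok"

# Lines copied from the thread above (quote markers removed).
SAMPLE = """\
Jan  5 12:56:07 hidden-master ods-auditor[10443]: SOA differs : from 2012010402 to 2012010500
Jan  8 00:14:33 hidden-master ods-auditor[14179]: SOA differs : from 2012010402 to 2012011197
Jan  8 02:16:39 hidden-master ods-auditor[8155]: SOA differs : from 2012010402 to 2012013579
Jan  8 14:14:00 hidden-master ods-auditor[16325]: SOA differs : from 2012010402 to 2012010801
Jan  8 14:45:04 hidden-master ods-auditor[27469]: SOA differs : from 2012010402 to 2012020328
"""

def audit(text, year):
    """Classify every matching line in a block of log text."""
    return [r for r in (classify(l, year) for l in text.splitlines()) if r]

if __name__ == "__main__":
    for serial, verdict in audit(SAMPLE, 2012):
        print(serial, verdict)
```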

