[Opendnssec-user] Problem with signer in 1.4.0a2

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Jun 27 12:06:15 UTC 2012

Hash: SHA1

Hi Fred,

On 06/27/2012 11:32 AM, Fred Zwarts (KVI) wrote:
> Yesterday I upgraded our test system from 1.3.8 via 1.4.0a1 to
> 1.4.0a2 (on a Linux SLES11SP2 x86_64 system). Everything seems to
> run nice. I the log file I see every now and then a [STATS] message
> that says that some new signatures were generated for the different
> zones in this configuration. There are, however, a few things that
> worry me.
> The command "ods-control signer queue" tells for all zones "I will 
> [configure] zone". It used to say "I will [sign] zone". In the
> system log I see messages like "ods-signerd: [worker[4]] backoff
> task [configure] for zone". What does that mean?

"I will [configure] zone" means the signer will load the signer
configuration file at the given time. The backoff messages indicate
that it fails to do so, and retries (with a backoff timer).

> If I use "ods-control signer sign --all", then the messages in the 
> system log change. I still see at regular intervals messages
> telling that new signatures are generated, but know the backoff
> message show [read] instead of [configure]. Also "ods-control
> signer queue" now tells for all zones "I will [read] zone". What
> does that mean?

So apparently, it is able to read the signer configuration files, but
not able to read the unsigned zones. What is in your zonelist.xml? Is
it correct with the unsigned zone locations? Are the permissions ok?
The logs should also be able to tell you why the configure/read task
has failed. Perhaps with higher verbosity.

> Finally, if I attempt to clear a zone with e.g. "ods-control
> signer clear KVI.nl", then the signer exits prematurely. In the
> system log I see the following messages (I did it three times):

I have created a ticket for this:


I believe this issue is fixed in the just committed r6461 in trunk.

Best regards,

> Jun 27 11:00:16 KVIVS13 kernel: [1967938.619844]
> do_general_protection: 21 callbacks suppressed Jun 27 11:00:16
> KVIVS13 kernel: [1967938.619849] ods-signerd[20578] general
> protection ip:415d98 sp:7f32027fb610 error:0 in 
> ods-signerd[400000+53000] Jun 27 11:01:51 KVIVS13 kernel:
> [1968033.673677] ods-signerd[20679] general protection ip:415d98
> sp:7f80d9443610 error:0 in ods-signerd[400000+53000] Jun 27
> 11:22:23 KVIVS13 kernel: [1969265.342103] ods-signerd[20999] 
> general protection ip:415d98 sp:7f95b4e4f610 error:0 in 
> ods-signerd[400000+53000]
> After restarting the ods-signerd, the queue shows again the "I
> will [configure] zone" messages.
> I wonder how serious these messages are. Is this a problem with
> the software or a corruption of my configuration? It looks as if
> the signing process is still running OK, as long as I do not touch
> it.
> _______________________________________________ Opendnssec-user
> mailing list Opendnssec-user at lists.opendnssec.org 
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Opendnssec-user mailing list