[Opendnssec-user] Problem replacing CNAME in 1.4.0a2.
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Jun 28 10:30:47 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Fred,
This is not a known issue (well until now that is). I am trying to hit
this, but when I replace a CNAME like that with an A record, the
signer seems happy:
Jun 28 12:26:33 zoidberg ods-signerd: [cmdhandler] received command
sign pletterpet.nl[18]
Jun 28 12:26:33 zoidberg ods-signerd: [cmdhandler] zone pletterpet.nl
scheduled for immediate re-sign
Jun 28 12:26:33 zoidberg ods-signerd: [worker[1]] read zone pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] read zone
pletterpet.nl from file input adapter
/opt/opendnssec/var/opendnssec/unsigned/pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] zone pletterpet.nl set
soa ttl to 360
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] zone pletterpet.nl set
soa minimum to 360
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] zone pletterpet.nl set
soa serial to 10
Jun 28 12:26:33 zoidberg ods-signerd: [worker[1]] sign zone pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [worker[1]] write zone pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] write zone
pletterpet.nl serial 10 to output file adapter
/opt/opendnssec/var/opendnssec/signed/pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [STATS] pletterpet.nl RR[count=1
time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=1 reused=21
time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Perhaps you can give me off list the zone contents before and after?
Best regards,
Matthijs
On 06/28/2012 11:42 AM, Fred Zwarts (KVI) wrote:
> We currently use OpenDNSSEC 1.4.0a2 in a Linux SLES11SP2 x86_64
> environment.
>
> In one of the zones we had a CNAME record :
>
> sms.kvi.nl. CNAME srv002.kvi.nl.
>
> For several reasons we changed the it in a new version of the zone
> file into:
>
> sms.kvi.nl. A 129.125.37.29
>
> Of course, also the SOA serial was updated.
>
> Now the signer refused to sign the new zone file. In the systemlog
> we saw the messages:
>
> Jun 28 11:15:40 kvivs13 ods-signerd: [rrset] CNAME and other data
> at the same name: <sms.kvi.nl,CNAME> Jun 28 11:15:40 kvivs13
> ods-signerd: [adapter] unable to read file: zonefile contains
> errors Jun 28 11:15:40 kvivs13 ods-signerd: [tools] unable to read
> zone KVI.nl: adapter failed (Conflict detected) Jun 28 11:15:40
> kvivs13 ods-signerd: [worker[1]] backoff task [read] for zone
> KVI.nl with 480 seconds
>
> We checked and double-checked, but there is no CNAME anymore for
> sms.kvi.nl in the unsigned zone. We could work around this problem,
> by first deleting all records for sms.kvi.nl, sign the zone,
> introduce the new records for sms.kvi.nl and sign the zone again
> (each time, of course, incrementing the SOA serial).
>
> I suspect that this is a bug in the code. I could not find it in
> the archives of this mailing list, nor in the KNOWN_ISSUES list, so
> I think it is worthwhile to mention it here.
>
> Fred.Zwarts.
>
> _______________________________________________ Opendnssec-user
> mailing list Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJP7DJXAAoJEA8yVCPsQCW5GIwIAIm4gUz9/KJJOm5zJBBGTfvN
ROZ7UuTUqv5qd1WPoZAiSvpxxFE0sCx5MAN/NN3Inadiyi+NR0LNzmwqlpWSivFq
nDS0SSPfx5ZQL6KZWbF49rTQe3wG8IukFXWxbXHR4sJXL0sFiDV8iP+uXG3ZXIAk
SLb02RgetZhbGyXQBEI0rF5SAATclDkCOHTQfWPTQU8Mv96izJLE8uQAyoV34Whk
zrZtErQ0coT0htjTvoCt3RHbeOU8QusbKVscksKBWcNNY3tZ7Rm0WY+3T3E+qAGe
LDjetaR1f0Gh8ISy5cSB0b5TL05lilbZan87rVIUhOpGFyf/tp0GCxRKIqHPBo8=
=IcdW
-----END PGP SIGNATURE-----
More information about the Opendnssec-user
mailing list