[Opendnssec-user] Problem replacing CNAME in 1.4.0a2.

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jun 28 10:30:47 UTC 2012



Hi Fred,

This is not a known issue (well until now that is). I am trying to hit
this, but when I replace a CNAME like that with an A record, the
signer seems happy:

Jun 28 12:26:33 zoidberg ods-signerd: [cmdhandler] received command sign pletterpet.nl[18]
Jun 28 12:26:33 zoidberg ods-signerd: [cmdhandler] zone pletterpet.nl scheduled for immediate re-sign
Jun 28 12:26:33 zoidberg ods-signerd: [worker[1]] read zone pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] read zone pletterpet.nl from file input adapter /opt/opendnssec/var/opendnssec/unsigned/pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] zone pletterpet.nl set soa ttl to 360
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] zone pletterpet.nl set soa minimum to 360
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] zone pletterpet.nl set soa serial to 10
Jun 28 12:26:33 zoidberg ods-signerd: [worker[1]] sign zone pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [worker[1]] write zone pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [adapter] write zone pletterpet.nl serial 10 to output file adapter /opt/opendnssec/var/opendnssec/signed/pletterpet.nl
Jun 28 12:26:33 zoidberg ods-signerd: [STATS] pletterpet.nl RR[count=1 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=1 reused=21 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]

Perhaps you can give me off list the zone contents before and after?

Best regards,

Matthijs

On 06/28/2012 11:42 AM, Fred Zwarts (KVI) wrote:
> We currently use OpenDNSSEC 1.4.0a2 in a Linux SLES11SP2 x86_64 
> environment.
> 
> In one of the zones we had a CNAME record:
> 
> sms.kvi.nl.    CNAME  srv002.kvi.nl.
> 
> For several reasons we changed it in a new version of the zone
> file into:
> 
> sms.kvi.nl.          A       129.125.37.29
> 
> Of course, also the SOA serial was updated.
> 
> Now the signer refused to sign the new zone file. In the systemlog
> we saw the messages:
> 
> Jun 28 11:15:40 kvivs13 ods-signerd: [rrset] CNAME and other data at the same name: <sms.kvi.nl,CNAME>
> Jun 28 11:15:40 kvivs13 ods-signerd: [adapter] unable to read file: zonefile contains errors
> Jun 28 11:15:40 kvivs13 ods-signerd: [tools] unable to read zone KVI.nl: adapter failed (Conflict detected)
> Jun 28 11:15:40 kvivs13 ods-signerd: [worker[1]] backoff task [read] for zone KVI.nl with 480 seconds
> 
> We checked and double-checked, but there is no CNAME anymore for 
> sms.kvi.nl in the unsigned zone. We could work around this problem,
> by first deleting all records for sms.kvi.nl, sign the zone,
> introduce the new records for sms.kvi.nl and sign the zone again
> (each time, of course, incrementing the SOA serial).
> 
> I suspect that this is a bug in the code. I could not find it in
> the archives of this mailing list, nor in the KNOWN_ISSUES list, so
> I think it is worthwhile to mention it here.
> 
> Fred.Zwarts.

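Added example, not part of the original messages and not OpenDNSSEC code: a small Python check that an unsigned zone file holds no "CNAME and other data" conflict on its own, and that lists the owner names where a new zone version replaces a CNAME with other data, the change that preceded the error in this thread. It assumes one record per line with a fully qualified owner name and numeric TTLs; the SOA and srv002 records in the sample zones are constructed.

```python
from collections import defaultdict

# Types that may share an owner name with a CNAME in a signed zone (RFC 4034/4035).
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}
CLASSES = {"IN", "CH", "HS"}

# Constructed sample zones; only the sms.kvi.nl records come from the thread.
OLD_ZONE = """\
kvi.nl. 3600 IN SOA ns1.kvi.nl. hostmaster.kvi.nl. 9 3600 600 604800 360
srv002.kvi.nl. 3600 IN A 192.0.2.10
sms.kvi.nl.    CNAME  srv002.kvi.nl.
"""
NEW_ZONE = """\
kvi.nl. 3600 IN SOA ns1.kvi.nl. hostmaster.kvi.nl. 10 3600 600 604800 360
srv002.kvi.nl. 3600 IN A 192.0.2.10
sms.kvi.nl.          A       129.125.37.29
"""

def types_by_owner(zone_text):
    """Map each owner name (lower-cased) to the set of RR types it holds."""
    owners = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop comments
        if len(fields) < 3 or fields[0].startswith("$"):
            continue                              # blank line or $ORIGIN/$TTL
        rest = fields[1:]
        # Skip the optional TTL and class fields, in either order.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]
        if rest:
            owners[fields[0].lower()].add(rest[0].upper())
    return owners

def cname_conflicts(zone_text):
    """Owner names that hold a CNAME together with other data."""
    return sorted(name for name, types in types_by_owner(zone_text).items()
                  if "CNAME" in types and types - ALLOWED_WITH_CNAME)

def cname_transitions(old_text, new_text):
    """Owner names whose CNAME in the old zone is replaced by other data in the new one."""
    old, new = types_by_owner(old_text), types_by_owner(new_text)
    return sorted(name for name, types in new.items()
                  if "CNAME" in old.get(name, ()) and "CNAME" not in types
                  and types - ALLOWED_WITH_CNAME)

if __name__ == "__main__":
    print("conflicts in new zone:", cname_conflicts(NEW_ZONE))
    print("CNAME replaced by other data:", cname_transitions(OLD_ZONE, NEW_ZONE))
```

An empty conflict list for the new file together with a non-empty transition list matches the situation reported above: the input is clean, and the listed names are the ones the two-step workaround would apply to.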


