[Opendnssec-user] Immediate sign & locking issue (1.4.0a2)

Sander Smeenk ssmeenk at freshdot.net
Fri Jun 29 20:19:00 UTC 2012


When I add a zone to ODS I want it signed on disk immediately.
This is why I currently add zones with this command sequence:
  ods-ksmutil zone add $zone
  ods-ksmutil update zonelist
  ods-signer sign $zone

I started developing with ODS1.3.2 and it would sometimes bail on the
ods-signer command if I did not run the 'update zonelist' immediately
after adding a zone. I recall 'zone not found' errors.
It was reproducible and the zonelist update fixed it back then.

With 5 zones this is all nice but with plenty more zones
the 'update zonelist' command takes quite some time to complete.
Or is it the enforcer?

The enforcer seems to be triggered through the 'update zonelist'
command to process *all* the zones, not just the recently added one.
This seems to introduce a deadlock situation if the enforcer finds KSKs
to be published, executes <DelegatedSignerSubmitCommand> and the
<DSSubCmd> itself wants to use ods-ksmutil to look up stuff.
This situation seems to lock up tight on my setup on kasp.db.lock.

Oddly, if the normal scheduled enforcer run publishes DS through the
exact same <DSSubCmd> this seems to work just fine...

Is ODS not designed to do immediate sign after add or am I messing
things up here? Should I run something else to satisfy conditions for
the sign call? My config is in sqlite3 and stored on an NFS mount, as
are all the (un)signed zones. Would switching to MySQL improve this
situation at all?

Thanks for reading, :)
| If a chemist dies, you barium.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
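
The lock re-entry suspected in the message above, modelled as an added example (not OpenDNSSEC code and not part of the original post): a process takes an exclusive lock and then runs an external hook that needs the same lock. The use of `flock`, the function names and the temporary lock path are assumptions; the hook uses a non-blocking acquire so the conflict is reported instead of hanging.

```python
import fcntl
import os
import subprocess
import sys
import tempfile

# Hypothetical hook: stands in for a DS submit script that calls a tool
# needing the same lock. Exits 0 if it got the lock, 1 if it would block.
HOOK = (
    "import fcntl, sys\n"
    "with open(sys.argv[1], 'a') as f:\n"
    "    try:\n"
    "        fcntl.flock(f, fcntl.LOCK_EX | fcntl.LOCK_NB)\n"
    "    except BlockingIOError:\n"
    "        sys.exit(1)\n"
)

def run_hook(lock_path):
    """Run the hook as a child process; True if it acquired the lock."""
    cmd = [sys.executable, "-c", HOOK, lock_path]
    return subprocess.run(cmd, timeout=30).returncode == 0

def enforcer_run(lock_path, release_before_hook):
    """Model of a daemon that takes the lock, then calls an external hook."""
    with open(lock_path, "a") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            if not release_before_hook:
                # Hook runs while the parent still holds the lock. With a
                # blocking acquire the hook would wait on the parent while
                # the parent waits on the hook: neither ever returns.
                return run_hook(lock_path)
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)
    # Lock released first: the hook can take it without contention.
    return run_hook(lock_path)

def demo():
    with tempfile.TemporaryDirectory() as d:
        # Constructed path; only the file name is taken from the post.
        path = os.path.join(d, "kasp.db.lock")
        return enforcer_run(path, False), enforcer_run(path, True)

if __name__ == "__main__":
    held, released = demo()
    print("hook got lock while parent held it:", held)
    print("hook got lock after parent released:", released)
```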