[Opendnssec-user] serial "keep" failure blocks signing forever

Paul Wouters paul at nohats.ca
Thu Sep 20 05:25:07 UTC 2012


Hi,

When using a serial policy of keep, opendnssec can get into a state from
which it never recovers without human intervention.

Say you use unsigned serials of YYYYMMDDHH. The second time you sign
within the same hour, you will get:

Sep 20 01:23:30 signer01 ods-signerd: [namedb] cannot keep SOA SERIAL from input zone  (2012092001): previous output SOA SERIAL is 2012092001
Sep 20 01:23:30 signer01 ods-signerd: [adapter] unable to add rr to zone XXX: failed to replace soa serial rdata (Conflict detected)

I'd prefer that specifying "keep" means "yes I know the serial might not
increase, just continue."

But the real problem is that when you reach the next hour, and your
unsigned serial moved to 2012092002, the current sign job for
2012092001 is still partially done within opendnssec, and it will not
update the soa serial from the new unsigned zone, so again it aborts,
hour after hour, until a human cleans up the files in signed/* and tmp/*.

Paul
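
A way to catch the stuck state described in the message above from syslog, as an added example that is not part of the original post or of OpenDNSSEC: it flags a signer that keeps logging the "cannot keep SOA SERIAL" error against the same previous output serial in more than one distinct hour. The function name, the threshold and every sample line marked "constructed" are assumptions; in particular it assumes the error in later hours has the same format as the line quoted in the post.

```python
import re
from collections import defaultdict

# Matches the [namedb] message quoted in the post; the zone name may be absent.
KEEP_FAIL = re.compile(
    r"^(?P<hour>\w{3}\s+\d+\s+\d{2}):\d{2}:\d{2}\s+(?P<host>\S+)\s+ods-signerd:\s+"
    r"\[namedb\] cannot keep SOA SERIAL from input zone\s+(?:(?P<zone>\S+)\s+)?"
    r"\((?P<inp>\d+)\): previous output SOA SERIAL is (?P<prev>\d+)"
)

def find_stuck_zones(lines, min_hours=2):
    """Return {(host, zone, prev_serial): [hours]} for "keep" failures that
    repeat against the same previous output serial in >= min_hours distinct
    hours, i.e. the signer did not recover when the next hour arrived."""
    seen = defaultdict(set)
    for line in lines:
        m = KEEP_FAIL.match(line)
        if not m:
            continue
        key = (m["host"], m["zone"] or "<unnamed>", int(m["prev"]))
        # Bucket by "Mon DD HH" (syslog timestamps carry no year).
        seen[key].add(" ".join(m["hour"].split()))
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_hours}

SAMPLE_LOG = [
    # First two lines are quoted from the post.
    "Sep 20 01:23:30 signer01 ods-signerd: [namedb] cannot keep SOA SERIAL from input zone  (2012092001): previous output SOA SERIAL is 2012092001",
    "Sep 20 01:23:30 signer01 ods-signerd: [adapter] unable to add rr to zone XXX: failed to replace soa serial rdata (Conflict detected)",
    # Constructed: the same error repeating in the following hours.
    "Sep 20 02:23:30 signer01 ods-signerd: [namedb] cannot keep SOA SERIAL from input zone  (2012092001): previous output SOA SERIAL is 2012092001",
    "Sep 20 03:23:30 signer01 ods-signerd: [namedb] cannot keep SOA SERIAL from input zone  (2012092001): previous output SOA SERIAL is 2012092001",
    # Constructed: a single same-hour collision on another host (not flagged).
    "Sep 20 03:10:00 signer02 ods-signerd: [namedb] cannot keep SOA SERIAL from input zone example.org (2012092003): previous output SOA SERIAL is 2012092003",
]

if __name__ == "__main__":
    for (host, zone, prev), hours in find_stuck_zones(SAMPLE_LOG).items():
        print(f"{host} zone {zone}: stuck at serial {prev} during {', '.join(hours)}")
```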


