[Opendnssec-user] serial "keep" failure blocks signing forever
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Sep 20 07:48:48 UTC 2012
On 09/20/2012 07:25 AM, Paul Wouters wrote:
>
> Hi,
>
> When using a serial policy of keep, opendnssec can get into a state from
> which it never recovers without human intervention.
>
> Say you use unsigned serials of YYYYMMDDHH. The second time you sign
> within the same hour, you will get:
>
> Sep 20 01:23:30 signer01 ods-signerd: [namedb] cannot keep SOA SERIAL
> from input zone (2012092001): previous output SOA SERIAL is 2012092001
> Sep 20 01:23:30 signer01 ods-signerd: [adapter] unable to add rr to zone
> XXX: failed to replace soa serial rdata (Conflict detected)
>
> I'd prefer that specifying "keep" means "yes I know the serial might not
> increase, just continue."
No. keep is meant to have human intervention. If you want the
serial to increase, use counter.
Do you perhaps propose a new serial policy
"keep-unless-resign-is-needed" (needs a better name I guess), that does
this behavior?
> But the real problem is that when you reach the next hour, and your
> unsigned serial moved to 2012092002, the current sign job for
> 2012092001 is still partially done within opendnssec, and it will not
> update the soa serial from the new unsigned zone, so again it aborts,
> hour after hour, until a human cleans up the files in signed/* and tmp/*
I assume you updated the serial and afterwards ran ods-signer sign zone?
Best regards,
Matthijs
>
> Paul
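The thread turns on what the different serial policies do when the unsigned zone is re-signed within the same hour. The following is an added toy model, not code from the thread or from OpenDNSSEC itself: it compares serials with RFC 1982 arithmetic, models "keep" as "take the unsigned serial, refuse to sign unless it is larger than the previous output serial" (the conflict in the quoted log), models "counter" as "previous output + 1, with the unsigned serial as a minimum", and adds a hypothetical "keep_or_bump" policy as one possible reading of the "keep-unless-resign-is-needed" idea. It models only the policy decision; the partially-written state in signed/* and tmp/* that Paul describes is not modeled, so in this model the "keep" case recovers at the next hour.

```python
# Added example (not from the thread or OpenDNSSEC): toy model of SOA serial
# policies under RFC 1982 serial arithmetic. Policy semantics are assumptions
# made for illustration; "keep_or_bump" is hypothetical.
from __future__ import annotations
from typing import Optional

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is 'greater than' b under RFC 1982 (32-bit wrap-around)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


class SerialConflict(Exception):
    """Raised when a policy cannot produce an acceptable output serial."""


def next_serial(policy: str, unsigned: int, previous: Optional[int]) -> int:
    """Compute the output SOA serial for one sign job.

    unsigned: serial found in the input (unsigned) zone
    previous: serial of the last signed output, or None for the first run
    """
    unsigned %= SERIAL_MOD
    if policy == "keep":
        # Assumed semantics: reuse the input serial, but never go backwards or
        # stay equal; that is the conflict reported in the quoted log lines.
        if previous is not None and not serial_gt(unsigned, previous):
            raise SerialConflict(
                f"cannot keep SOA SERIAL from input zone ({unsigned}): "
                f"previous output SOA SERIAL is {previous}")
        return unsigned
    if policy == "counter":
        # Assumed semantics: bump the previous output, using the input serial
        # as a floor so a jump in the unsigned zone is honoured.
        if previous is None:
            return unsigned
        bumped = (previous + 1) % SERIAL_MOD
        return unsigned if serial_gt(unsigned, bumped) else bumped
    if policy == "keep_or_bump":
        # Hypothetical: keep the input serial when it increased, otherwise
        # fall back to bumping so a resign can still proceed.
        if previous is None or serial_gt(unsigned, previous):
            return unsigned
        return (previous + 1) % SERIAL_MOD
    raise ValueError(f"unknown serial policy: {policy}")


def sign_sequence(policy: str, unsigned_serials: list[int]) -> list[tuple[Optional[int], str]]:
    """Run successive sign jobs. The previous output serial persists across
    jobs, including after a conflict (the last signed serial stays in place)."""
    previous: Optional[int] = None
    results: list[tuple[Optional[int], str]] = []
    for s in unsigned_serials:
        try:
            out = next_serial(policy, s, previous)
        except SerialConflict as exc:
            results.append((None, f"conflict: {exc}"))
            continue
        previous = out
        results.append((out, "signed"))
    return results


if __name__ == "__main__":
    # Constructed YYYYMMDDHH serials: two sign jobs in hour 01, one in hour 02.
    hourly = [2012092001, 2012092001, 2012092002]
    for policy in ("keep", "counter", "keep_or_bump"):
        print(policy, sign_sequence(policy, hourly))
```

Running it shows the three policies side by side: "keep" refuses the second job in the same hour exactly as the log does, "counter" keeps incrementing regardless of the unsigned serial, and the hypothetical "keep_or_bump" follows the unsigned serial when it moves and bumps when it does not.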