[Opendnssec-user] serial "keep" failure blocks signing forever
Paul Wouters
paul at nohats.ca
Thu Sep 20 16:36:23 UTC 2012
On Thu, 20 Sep 2012, Matthijs Mekking wrote:
>> I'd prefer that specifying "keep" means "yes I know the serial might not
>> increase, just continue.
>
> No. keep is meant to be to have human intervention. If you want the
> serial to increase, use counter.
What I want mostly, is "best effort" :) If the human specifies "keep",
and it would mean the serial should increase but cannot, for it to sign
the new data and use the "kept" serial number. Precisely for cases like
here.
> Do you perhaps propose a new serial policy
> "keep-unless-resign-is-needed" (needs a better name I guess), that does
> this behavior?
In our case that is not needed normally, because we don't sign more then
once an hour and the serial icnreases every hour. It is only when we
manually run a second sign job within the same hour that the job gets
aborted over the "keep" serial issue, and subsequent jobs in the next
hours all fail until human intervention. I don't even mind so much that
the 2nd job within the same hour would fail - its the (stupid) sysadmin
policy. But it should not cause the system to remain broken until a human
cleans out some tmp files.
>> But the real problem is that when you reach the next hour, and your
>> unsigned serial moved to 2012092002, the current sign job for
>> 2012092001 is still partially done within opendnssec, and it will not
>> update the soa serial from the new unsigned zone, so again it aborts,
>> hour after hour, until a human cleans up the files in signed/* and tmp/*
>
> I assume you updated the serial and afterwards ran ods-signer sign zone?
Yes. And I think it is first trying to complete/recover from the previous sign job
Paul
More information about the Opendnssec-user
mailing list