[Opendnssec-user] Signing a largish zone...

Mark Elkins mje at posix.co.za
Wed Mar 5 17:57:01 UTC 2014


I'm running opendnssec (version 1.4.1) on three virtual Gentoo machines.
OpenDNSSEC is meant to be a bump on the wire...

I'm trying to sign three zones,
One small - 19 NS delegations, not much else
One medium - 630 lines in the zone - all sorts of stuff.
One Large - just under a million NS Delegations, of which about 20 have
DS records..


The large zone is logging in syslog:

ods-signerd: [worker[1]] sign zone co.za failed: processed 53355 of 54355 RRsets
ods-signerd: [worker[1]] CRITICAL: failed to sign zone co.za: General error
ods-signerd: [worker[1]] backoff task [sign] for zone co.za with 60 seconds
ods-signerd: [engine] signer shutdown


That doesn't look good to me. Where can I find out more?

My setup is...

Box1, running BIND 9.9.4 - Master for all three domains

Box2, OpenDNSSEC, set up for NSEC3, OptOut...

Box3, running BIND 9.9.4, Slave for the three domains.

I also have the feeling that Notifies get lost from Box1 to Box2...
(unless I stop/start)
Can't "dig" Box2 (OpenDNSSEC) anymore either...
yet...

addns.xml: contains...

   <ProvideTransfer>
        <Peer><Prefix>::1</Prefix></Peer>
        <Peer><Prefix>160.124.48.43</Prefix></Peer>
        <Peer><Prefix>2001:42a0:1000:48::43</Prefix></Peer>
   </ProvideTransfer>

(Can one use "0.0.0.0" as a wildcard???)

Then I stop and start and then I can "dig" again... 
-- 
  .  .     ___. .__      Posix Systems - Sth Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496




