[Opendnssec-user] Signing a largish zone...

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Mar 10 14:03:01 UTC 2014


Hi Mark,

We have fixed some zone transfer related bugs in the upcoming 1.4.4 
which I believe will resolve these problems. Keep an eye on our announce 
list.

Best regards,
   Matthijs

On 05-03-14 18:57, Mark Elkins wrote:
> I'm running opendnssec (version 1.4.1) on three virtual Gentoo machines.
> OpenDNSSEC is meant to be a bump on the wire...
>
> I'm trying to sign three zones,
> One small - 19 NS delegations, not much else
> One medium - 630 lines in the zone - all sorts of stuff.
> One Large - just under a million NS Delegations, of which about 20 have
> DS records..
>
>
> The large zone is logging in syslog:
>
> ods-signerd: [worker[1]] sign zone co.za failed: processed 53355 of
> 54355 RRsets
> ods-signerd: [worker[1]] CRITICAL: failed to sign zone co.za: General
> error
> ods-signerd: [worker[1]] backoff task [sign] for zone co.za with 60
> seconds
> ods-signerd: [engine] signer shutdown
>
>
> That doesn't look good to me. Where can I find out more?
>
> My setup is...
>
> Box1, running BIND 9.9.4 - Master for all three domains
>
> Box2, OpenDNSSEC, set up for NSEC3, OptOut...
>
> Box3, running BIND 9.9.4, Slave for the three domains.
>
> I also have the feeling that Notifies get lost from Box1 to Box2...
> (unless I stop/start)
> Can't "dig" Box2 (OpenDNSSEC) anymore either...
> yet...
>
> addns.xml: contains...
>
>     <ProvideTransfer>
>          <Peer><Prefix>::1</Prefix></Peer>
>          <Peer><Prefix>160.124.48.43</Prefix></Peer>
>          <Peer><Prefix>2001:42a0:1000:48::43</Prefix></Peer>
>     </ProvideTransfer>
>
> (Can one use "0.0.0.0" as a wildcard???)
>
> Then I stop and start and then I can "dig" again...
>



