[Opendnssec-user] Re: Notify debugging

Fred.Zwarts F.Zwarts at KVI.nl
Thu May 15 15:26:49 UTC 2014


Further research shows the following:
The zone has been updated a few times on the system with the unsigned zones.
The log of the source system of the unsigned zone shows that today the zone 
has been transferred to the opendnssec system (more than once):

dns-xfr-out.log:14-May-2014 16:25:13.018 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#48614: transfer of 'rug.nl/IN': AXFR-style IXFR 
started
dns-xfr-out.log:14-May-2014 16:25:13.021 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#48614: transfer of 'rug.nl/IN': AXFR-style IXFR 
ended
dns-xfr-out.log:15-May-2014 13:19:05.931 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#60612: transfer of 'rug.nl/IN': AXFR started
dns-xfr-out.log:15-May-2014 13:19:05.933 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#60612: transfer of 'rug.nl/IN': AXFR ended
dns-xfr-out.log:15-May-2014 13:34:08.815 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#50744: transfer of 'rug.nl/IN': AXFR started
dns-xfr-out.log:15-May-2014 13:34:08.817 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#50744: transfer of 'rug.nl/IN': AXFR ended
dns-xfr-out.log:15-May-2014 15:09:05.020 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#49736: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 15:09:35.028 xfer-out: info: client 
129.125.4.4#58485: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 15:10:05.066 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#49738: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 15:10:35.070 xfer-out: info: client 
129.125.4.4#58487: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 15:11:05.073 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#49740: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 15:11:35.076 xfer-out: info: client 
129.125.4.4#58489: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 16:06:59.019 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#49800: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 16:07:29.023 xfer-out: info: client 
129.125.4.4#58549: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 16:07:59.026 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#49802: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 16:08:29.029 xfer-out: info: client 
129.125.4.4#58551: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 16:08:59.032 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#49804: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 16:09:29.036 xfer-out: info: client 
129.125.4.4#58557: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 16:26:48.438 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#40189: transfer of 'rug.nl/IN': AXFR started
dns-xfr-out.log:15-May-2014 16:26:48.440 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#40189: transfer of 'rug.nl/IN': AXFR ended
dns-xfr-out.log:15-May-2014 16:44:24.493 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#55538: transfer of 'rug.nl/IN': AXFR started
dns-xfr-out.log:15-May-2014 16:44:24.495 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#55538: transfer of 'rug.nl/IN': AXFR ended
dns-xfr-out.log:15-May-2014 16:45:11.785 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#55411: transfer of 'rug.nl/IN': AXFR started
dns-xfr-out.log:15-May-2014 16:45:11.788 xfer-out: info: client 
2001:610:1a08:14:129:125:4:4#55411: transfer of 'rug.nl/IN': AXFR ended

The /var/opendnssec/tmp/rug.nl-xfrd-state file still shows the old soa 
serial 2014051506, where the unsigned system is already at 2014051520.

;OpenDNSSEC-backup-v3
;;Zone: name rug.nl ttl 2152792320 mname ns.RUG.NL. rname 
hostmaster.nic.RUG.NL. serial 3002862456 refresh 14400 retry 3600 expire 
1209600 minimum 600
;;Master: num 0 next -1 round -1 timeout 1400166392
;;Serial: xfr 2014051506 1400145700 notify 0 0 disk 2014051506 1400145700
;OpenDNSSEC-backup-v3

To me it looks as if opendnssec receives the zone, but does not process it.
Any other ideas to diagnose this problem?



"Fred.Zwarts" wrote in message news:ll28lt$bch$1 at ger.gmane.org...
>
>We use adapters in addns.xml  to receive the unsigned zones via zone 
>transfers. This worked well. An update of the zone on the source server was 
>received and processed by opendnssec in a few seconds.
>Recently I installed ods 1.4.5. I now have the impression that a notify 
>from the source system is not received by opendnssec any more. In the logs 
>of the source system, I see that a notify is sent, but opendnssec does not 
>read the new zone with a zone transfer. I have two questions:
>
>1) In the log files notify messages are not mentioned at all. The logging 
>verbosity in config.xml is set to 3. Is there a verbosity that will show 
>logging of incoming notify messages for further diagnostics?
>
>2) Is there a way to force opendnssec to read the new zone with a zone 
>transfer?
>
>
>BTW, in the log files I see for many zones messages like :
>May 15 09:58:09 dns ods-signerd: [axfr] axfr fallback zone erdg.usor.nl
>May 15 09:58:09 dns ods-signerd: [axfr] zone erdg.usor.nl journal not found 
>for serial 2014051501
>May 15 09:58:09 dns ods-signerd: [axfr] axfr fallback zone erdg.usor.nl
>In an attempt to force a zone transfer, I restarted both the enforcer and 
>the signer daemons. For some zones I see in the log file messages like:
>May 15 12:11:48 dns ods-signerd: [backup] bad ixfr journal: trailing RRs 
>after final SOA
>May 15 12:11:51 dns ods-signerd: [zone] corrupted journal file zone 
>erdg.usor.nl, skipping (General error)
>
>Is this normal? If not, should I do something to fix it, or is it fixed 
>automatically?
>(Note, this is not the zone that has a problem with the notify, but I 
>mention it, because it could indicate a more general problem.)
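
An added example, not part of the original post and not OpenDNSSEC code: it automates the comparison made in the message above, checking the serial recorded in the xfrd-state file against the master's serial and against the transfers the master logged as completed. It assumes each pair on the `;;Serial:` line is (serial, acquired-at epoch seconds); the function names are hypothetical, and the sample inputs are lines from the post with the archive's line wrapping rejoined.

```python
import re

SERIAL_RE = re.compile(
    r"^;;Serial: xfr (\d+) (\d+) notify (\d+) (\d+) disk (\d+) (\d+)", re.M)
XFER_RE = re.compile(
    r"client ([^#\s]+)#\d+: transfer of '([^'/]+)/IN': "
    r"(?:AXFR-style IXFR|AXFR|IXFR) ended")

def serial_gt(a, b):
    """RFC 1982 comparison: True if 32-bit SOA serial a is newer than b."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def parse_xfrd_state(text):
    """Extract the serials from the ';;Serial:' line of an xfrd-state file.
    Assumption: each pair is (serial, acquired-at epoch seconds)."""
    m = SERIAL_RE.search(text)
    if m is None:
        raise ValueError("no ;;Serial: line found")
    v = [int(x) for x in m.groups()]
    return {"xfr": v[0], "xfr_acquired": v[1], "notify": v[2],
            "notify_acquired": v[3], "disk": v[4], "disk_acquired": v[5]}

def completed_transfers(log_text, zone):
    """Count outbound transfers of `zone` that the master logged as ended."""
    counts = {}
    for client, name in XFER_RE.findall(log_text):
        if name == zone:
            counts[client] = counts.get(client, 0) + 1
    return counts

def diagnose(state_text, master_serial, log_text, zone):
    """Flag a zone the master has served but the signer has not applied."""
    state = parse_xfrd_state(state_text)
    sent = completed_transfers(log_text, zone)
    stale = serial_gt(master_serial, state["disk"])
    return {"stale": stale, "notify_serial": state["notify"],
            "transfers_sent": sum(sent.values()),
            "sent_but_not_applied": stale and bool(sent)}

# Sample input: lines from the post above, wrapped lines rejoined.
STATE = """;OpenDNSSEC-backup-v3
;;Serial: xfr 2014051506 1400145700 notify 0 0 disk 2014051506 1400145700
;OpenDNSSEC-backup-v3
"""
LOG = """dns-xfr-out.log:15-May-2014 16:09:29.036 xfer-out: info: client 129.125.4.4#58557: transfer of 'rug.nl/IN': IXFR ended
dns-xfr-out.log:15-May-2014 16:45:11.785 xfer-out: info: client 2001:610:1a08:14:129:125:4:4#55411: transfer of 'rug.nl/IN': AXFR started
dns-xfr-out.log:15-May-2014 16:45:11.788 xfer-out: info: client 2001:610:1a08:14:129:125:4:4#55411: transfer of 'rug.nl/IN': AXFR ended
"""

if __name__ == "__main__":
    print(diagnose(STATE, 2014051520, LOG, "rug.nl"))
```
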




