[Opendnssec-user] Notify debugging
Fred Zwarts, KVI, Groningen
F.Zwarts at KVI.nl
Fri May 16 19:56:07 UTC 2014
Now there is a similar, though slightly different problem with another zone
kvi-cart.rug.nl.
The signer responded with servfail when requested for the SOA record, or for
zone transfers for this zone.
In the systlog, there where a log of messages like:
May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265162: not serving soa
May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265162: not serving soa
May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265162: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265163: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265163: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at
1400245434, and it is now 1400265163: not serving soa
Apparently, also for this zone the transfers of the unsigned zone where not
processed correctly, but we did not notice it until the zone expired.
So, I used the same work-around and now the zone is served correctly.
I have the impression, that something is wrong with the processing of the
incoming zone transfers and I would like to know what I can do to further
diagnose this problem, before yet another zone will pop up with a similar
problem.
Fred.Zwarts.
-----Oorspronkelijk bericht-----
From: Rick van Rein
Sent: Thursday, May 15, 2014 10:43 PM
To: Fred.Zwarts
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Notify debugging
Hi Fred,
> The /var/opendnssec/tmp/rug.nl-xfrd-state file still shows the old soa
> serial 2014051506, where the unsigned system is already at 2014051520.
> To me it looks as if opendnssec receives the zone, but does not process
> it.
> Any other ideas to diagnose this problem?
Can you have a look at /var/opendnssec/unsigned/rug.nl* ?
If the zone changes arrive (I assume the mutliple arrivals are due to zone
updates, each resulting in a NOTIFY) then you should find it there, probably
as rug.nl.axfr.
That should help you distinguish if it is a transport problem or a
signer-trigger problem.
You can manually trigger resigning to see if it is a matter of the new
arrival not triggering the signer properly, with
ods-signer sign rug.nl
-Rick
More information about the Opendnssec-user
mailing list