[Opendnssec-user] Notify debugging

Fred Zwarts, KVI, Groningen F.Zwarts at KVI.nl
Fri May 16 19:56:07 UTC 2014 

Now there is a similar, though slightly different problem with another zone 
kvi-cart.rug.nl.
The signer responded with servfail when requested for the SOA record, or for 
zone transfers for this zone.
In the systlog, there where a log of messages like:

May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
1400245434, and it is now 1400265162: not serving soa
May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
1400245434, and it is now 1400265162: not serving soa
May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
1400245434, and it is now 1400265162: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
1400245434, and it is now 1400265163: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
1400245434, and it is now 1400265163: not serving soa
May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
1400245434, and it is now 1400265163: not serving soa

Apparently, also for this zone the transfers of the unsigned zone where not 
processed correctly, but we did not notice it until the zone expired.
So, I used the same work-around and now the zone is served correctly.

I have the impression, that something is wrong with the processing of the 
incoming zone transfers and I would like to know what I can do to further 
diagnose this problem, before yet another zone will pop up with a similar 
problem.

Fred.Zwarts.

-----Oorspronkelijk bericht----- 
From: Rick van Rein
Sent: Thursday, May 15, 2014 10:43 PM
To: Fred.Zwarts
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Notify debugging

Hi Fred,

> The /var/opendnssec/tmp/rug.nl-xfrd-state file still shows the old soa 
> serial 2014051506, where the unsigned system is already at 2014051520.
> To me it looks as if opendnssec receives the zone, but does not process 
> it.
> Any other ideas to diagnose this problem?

Can you have a look at /var/opendnssec/unsigned/rug.nl* ?

If the zone changes arrive (I assume the mutliple arrivals are due to zone 
updates, each resulting in a NOTIFY) then you should find it there, probably 
as rug.nl.axfr.

That should help you distinguish if it is a transport problem or a 
signer-trigger problem.

You can manually trigger resigning to see if it is a matter of the new 
arrival not triggering the signer properly, with
ods-signer sign rug.nl

-Rick

More information about the Opendnssec-user mailing list