[Opendnssec-user] Notify debugging

Matthijs Mekking matthijs at nlnetlabs.nl
Mon May 19 09:57:55 UTC 2014

Hi Fred,

On 05/15/2014 01:33 PM, Fred.Zwarts wrote:
> We use adapters in addns.xml  to receive the unsigned zones via zone
> transfers. This worked well. An update of the zone on the source server
> was received and processed by opendnssec in a few seconds.
> Recently I installed ods 1.4.5. I now have the impression that a notify
> from the source system is not received by opendnssec any more. In the
> logs of the source system, I see that a notify is sent, but opendnssec
> does not read the new zone with a zone transfer. I have two questions:
> 1) In the log files notify messages are not mentioned at all. The
> logging verbosity in config.xml is set to 3. Is there a verbosity that
> will show logging of incoming notify messages for further diagnostics?

Unfortunately not right now. I have added this and this will be included
in version 1.4.6. It is at LOG_ERR level, so no need to increase the
verbosity for this.

> 2) Is there a way to force opendnssec to read the new zone with a zone
> transfer?

No. You can remove the /tmp working directory and restart the signer. I
know this is not ideal, I think it would be useful if we add a
"ods-signer notify zone" command.

> BTW, in the log files I see for many zones messages like :
> May 15 09:58:09 dns ods-signerd: [axfr] axfr fallback zone erdg.usor.nl
> May 15 09:58:09 dns ods-signerd: [axfr] zone erdg.usor.nl journal not
> found for serial 2014051501
> May 15 09:58:09 dns ods-signerd: [axfr] axfr fallback zone erdg.usor.nl

This means that there is no way for the signer to construct an
incremental zone transfer for the serial 2014051501. Either there is no
<zone>.ixfr file, or it no longer contains that part. The signer
maintains three parts, effectively allowing incremental zone transfers
for 3 versions back. This is nothing critical: in any other case a full
zone transfer is given back.

> In an attempt to force a zone transfer, I restarted both the enforcer
> and the signer daemons. For some zones I see in the log file messages like:
> May 15 12:11:48 dns ods-signerd: [backup] bad ixfr journal: trailing RRs
> after final SOA
> May 15 12:11:51 dns ods-signerd: [zone] corrupted journal file zone
> erdg.usor.nl, skipping (General error)

This means that the journal contains more records (additions/deletions)
than we know of.

> Is this normal? If not, should I do something to fix it, or is it fixed
> automatically?
> (Note, this i not the zone that has a problem with the notify, but I
> mention it, because it could indicate a more general problem.)

It should not happen too often. But the journal file could have been
written before the backup file and than this may occur. If it happens
too often, we should tighten the two actions more together.

Best regards,

> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list