[Opendnssec-user] Re: Zone stuck, not updating

Roman Serbski mefystofel at gmail.com
Mon Nov 3 12:32:02 UTC 2014

On Tue, Oct 28, 2014 at 11:07 AM, Fred Zwarts (KVI) <F.Zwarts at kvi.nl> wrote:
> "Havard Eidnes"  wrote in message
> news:20141028.085444.257704704.he at uninett.no...
>>> We have 12 zones and we see this situation a few times per week. We
>>> have developed a cron script which compares the serial of the unsigned
>>> DNS server with the serial in the /var/opendns/tmp/<zone>.xfrd-state
>>> file. If a mismatch is detected, the work-around is to stop
>>> OpenDNSSEC, delete this file and restart OpenDNSSEC again.
>> Hm.  This, I think, is more frequent than what I'm seeing, but it
>> may be a lack of monitoring on our part...
>>> A similar problem occurs sometimes if the unsigned zone is not
>>> changed for some weeks. OpenDNSSEC then does not update its
>>> state anymore. Then, after some days the zone expires and no
>>> outgoing zone transfers are possible anymore. This case is more
>>> difficult to detect before the expiration of the zone. The
>>> work-around is similar.
>> This sounds strange, and I don't think we've seen this so far.
>> For this to happen, the signer would have to stop answering SOA
>> queries from the "slave" it uses for outgoing zone transfers, I
>> would beleive; well, perhaps also in addition it'd have to stop
>> outgoing zone transfers from happening.  Is that what you've been
>> seeing?
>> Which version of OpenDNSSEC are you running?
> 1.4.6, but it happened also in earlier versions.

Hello Fred,

Same issue here.  We host ~10 zones in a "hidden master > signer >
public slave" setup (OpenDNSSEC 1.4.6 using DNS adapters and running
on FreeBSD 10).  The unsigned zone that hasn't been changed for some
weeks expires hence outgoing zone transfers are no longer working.

Here is the only relevant entry in the logs of the signer:

Nov  3 10:52:20 ns-signer ods-signerd: [axfr] zone domain1.org
expired, not transferring zone

And on the public slave:

[2014-11-03 10:52:55.422] nsd[19847]: error: xfrd: zone domain1.org
received error code SERV FAIL from

Although in my case, I didn't have to clear /var/opendns/tmp/<zone>
and restart OpenDNSSEC -- increasing the serial and reloading the zone
on the hidden master usually does the trick for me.

Do you mind sharing the script that you use to compare the serials?


More information about the Opendnssec-user mailing list