[Opendnssec-user] Re: Zone stuck, not updating

Havard Eidnes he at uninett.no
Tue Oct 28 07:54:44 UTC 2014

> We have 12 zones and we see this situation a few times per week. We
> have developed a cron script which compares the serial of the unsigned
> DNS server with the serial in the /var/opendns/tmp/<zone>.xfrd-state
> file. If a mismatch is detected, the work-around is to stop
> OpenDNSSEC, delete this file and restart OpenDNSSEC again.

Hm.  This, I think, is more frequent than what I'm seeing, but it
may be a lack of monitoring on our part...

> A similar problem occurs sometimes if the unsigned zone is not
> changed for some weeks. OpenDNSSEC then does not update its
> state anymore. Then, after some days the zone expires and no
> outgoing zone transfers are possible anymore. This case is more
> difficult to detect before the expiration of the zone. The
> work-around is similar.

This sounds strange, and I don't think we've seen this so far.
For this to happen, the signer would have to stop answering SOA
queries from the "slave" it uses for outgoing zone transfers, I
would beleive; well, perhaps also in addition it'd have to stop
outgoing zone transfers from happening.  Is that what you've been

Which version of OpenDNSSEC are you running?


- Håvard

More information about the Opendnssec-user mailing list