[Opendnssec-user] Re: Zone stuck, not updating

Fred Zwarts (KVI) F.Zwarts at KVI.nl
Tue Oct 28 10:07:13 UTC 2014

"Havard Eidnes"  wrote in message 
news:20141028.085444.257704704.he at uninett.no...
>> We have 12 zones and we see this situation a few times per week. We
>> have developed a cron script which compares the serial of the unsigned
>> DNS server with the serial in the /var/opendns/tmp/<zone>.xfrd-state
>> file. If a mismatch is detected, the work-around is to stop
>> OpenDNSSEC, delete this file and restart OpenDNSSEC again.
>Hm.  This, I think, is more frequent than what I'm seeing, but it
>may be a lack of monitoring on our part...
>> A similar problem occurs sometimes if the unsigned zone is not
>> changed for some weeks. OpenDNSSEC then does not update its
>> state anymore. Then, after some days the zone expires and no
>> outgoing zone transfers are possible anymore. This case is more
>> difficult to detect before the expiration of the zone. The
>> work-around is similar.
>This sounds strange, and I don't think we've seen this so far.
>For this to happen, the signer would have to stop answering SOA
>queries from the "slave" it uses for outgoing zone transfers, I
>would believe; well, perhaps also in addition it'd have to stop
>outgoing zone transfers from happening.  Is that what you've been
>Which version of OpenDNSSEC are you running?

1.4.6, but it happened also in earlier versions. 
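
The serial comparison that the quoted cron work-around relies on, as an added example that is not part of the original message or of OpenDNSSEC. It assumes the xfrd-state file has a `;;Zone:` line containing `serial <n>` and that the unsigned server's SOA serial has already been fetched; the zone names, serials and state text are constructed. It compares serials with RFC 1982 arithmetic, so a wrapped serial is still recognised as newer.

```python
import re

MOD = 2 ** 32   # SOA serials are 32-bit and wrap around (RFC 1982)
HALF = 2 ** 31

def serial_newer(a, b):
    """RFC 1982 comparison: True if SOA serial a is newer than serial b."""
    return a != b and (a - b) % MOD < HALF

def state_serial(state_text):
    """Extract the SOA serial from xfrd-state text (layout is an assumption)."""
    m = re.search(r"^;;Zone:.*\bserial (\d+)\b", state_text, re.M)
    return int(m.group(1)) if m else None

def check_zone(upstream_serial, state_text):
    """Classify one zone: OK, STUCK (signer lags upstream) or UNKNOWN."""
    local = state_serial(state_text)
    if local is None:
        return "UNKNOWN"  # state file missing or unparsable
    return "STUCK" if serial_newer(upstream_serial, local) else "OK"

def zones_needing_attention(upstream, states):
    """Map zone -> status for every zone that is not OK."""
    report = {}
    for zone, serial in sorted(upstream.items()):
        status = check_zone(serial, states.get(zone, ""))
        if status != "OK":
            report[zone] = status
    return report

# Constructed sample data: serials as seen on the unsigned server ...
SAMPLE_UPSTREAM = {"a.example": 2014102802, "b.example": 2014102801,
                   "c.example": 5, "d.example": 7}
# ... and constructed xfrd-state contents per zone (assumed layout).
SAMPLE_STATES = {
    "a.example": ";;Zone: name a.example ttl 3600 serial 2014102801 refresh 3600\n",
    "b.example": ";;Zone: name b.example ttl 3600 serial 2014102801 refresh 3600\n",
    "c.example": ";;Zone: name c.example ttl 3600 serial 4294967290 refresh 3600\n",
}

if __name__ == "__main__":
    for zone, status in zones_needing_attention(SAMPLE_UPSTREAM, SAMPLE_STATES).items():
        print(zone, status)
```

A single mismatch can also be a transfer still in progress, so a cron job built on this would normally alert only when the same zone is reported on consecutive runs.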
