[Opendnssec-user] Zone stuck, not updating

Havard Eidnes he at uninett.no
Wed Oct 29 15:18:50 UTC 2014


>> I'm using DNS zone transfers in and out of OpenDNSSEC with OpenDNSSEC
>> version 1.4.6.  It looks like one of the zones has become wedged, and
>> OpenDNSSEC refuses to transfer a new copy, despite a new SOA being
>> announced via DNS notify.  ods-signerd logs:
>>
>> <timestamp+host> ods-signerd: [query] ignore notify from a.b.c.d: zone
>> xxx.yyy.no transfer in progress
>
> This may be a somewhat misleading log message: The query code checks
> whether there is already a notify acquired. If so, there is a check to
> see if the incoming notify has a serial newer than OpenDNSSEC knows
> of. If not, it will log this message.
>
> "Look, I got a notify already and need to transfer anyway" was perhaps
> a better log message. Or perhaps "updated notify serial to
> <new_serial>".

Hmm...  That doesn't match with the observed behaviour.  What I saw
was that I did an update of the zone on the hidden master, but the new
zone with the updated SOA version number (for the SOA versioning
regime between the hidden master and OpenDNSSEC) was not being
transferred to the OpenDNSSEC host.  This state persisted for at least
a day, until the user who requested the additions complained that they
were still not visible in the public DNS, and an investigation
confirmed this -- the distribution master which is at the exit portion
of OpenDNSSEC didn't have the newly added records.

Hm, I may have read the code in query_process_notify() wrong, and my
initial explanation of the bug was possibly wrong.  But at least I'm
pretty certain of my observed behaviour: changes from the hidden
master did not make it through OpenDNSSEC and out to the publication
master, and stopping OpenDNSSEC, removing the xfrd.state file and
restarting OpenDNSSEC fixed the logjam.

> Perhaps the bug is that there is a corner case that the
> notify_acquired was not reset properly?

Maybe.

Sigh, I need to investigate more.  Luckily, I left the few other zones
which have gotten stuck this way alone, so I have something to observe
right away.

Regards,

- Håvard


