[Opendnssec-user] Re: XFR debugging (was: Notify debugging)

Fred.Zwarts F.Zwarts at KVI.nl
Thu Sep 25 07:37:20 UTC 2014


"Fred Zwarts, KVI, Groningen" wrote in message 
news:42037E788A9B4313B3545379EA96110F at Lenovo...
>
>Now there is a similar, though slightly different problem with another zone 
>kvi-cart.rug.nl.
>The signer responded with servfail when requested for the SOA record, or 
>for zone transfers for this zone.
>In the syslog, there were a lot of messages like:
>
>May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
>1400245434, and it is now 1400265162: not serving soa
>May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
>1400245434, and it is now 1400265162: not serving soa
>May 16 20:32:42 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
>1400245434, and it is now 1400265162: not serving soa
>May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
>1400245434, and it is now 1400265163: not serving soa
>May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
>1400245434, and it is now 1400265163: not serving soa
>May 16 20:32:43 dns ods-signerd: [axfr] zone kvi-cart.rug.nl expired at 
>1400245434, and it is now 1400265163: not serving soa
>
>Apparently, also for this zone the transfers of the unsigned zone were not 
>processed correctly, but we did not notice it until the zone expired.
>So, I used the same work-around and now the zone is served correctly.
>
>I have the impression that something is wrong with the processing of the 
>incoming zone transfers and I would like to know what I can do to further 
>diagnose this problem, before yet another zone pops up with a similar 
>problem.
>
>Fred.Zwarts.
>
>-----Original message----- 
>From: Rick van Rein
>Sent: Thursday, May 15, 2014 10:43 PM
>To: Fred.Zwarts
>Cc: opendnssec-user at lists.opendnssec.org
>Subject: Re: [Opendnssec-user] Notify debugging
>
>Hi Fred,
>
>> The /var/opendnssec/tmp/rug.nl-xfrd-state file still shows the old soa 
>> serial 2014051506, where the unsigned system is already at 2014051520.
>> To me it looks as if opendnssec receives the zone, but does not process 
>> it.
>> Any other ideas to diagnose this problem?
>
>Can you have a look at /var/opendnssec/unsigned/rug.nl* ?
>
>If the zone changes arrive (I assume the multiple arrivals are due to zone 
>updates, each resulting in a NOTIFY) then you should find it there, 
>probably as rug.nl.axfr.
>
>That should help you distinguish if it is a transport problem or a 
>signer-trigger problem.
>
>You can manually trigger resigning to see if it is a matter of the new 
>arrival not triggering the signer properly, with
>ods-signer sign rug.nl
>
>-Rick

In the meantime we upgraded to opendnssec-1.4.6.
The last few days I had again problems with zone transfers for several 
zones.
The first symptom is that the signer gives a SERVFAIL error when requested 
for the SOA record of the (signed) zone.
In the log files I see messages like:

Sep 24 09:40:53 dns ods-signerd: [axfr] zone erdg.usor.nl expired at 
1411534059, and it is now 1411544453: not serving soa
Sep 24 09:41:03 dns ods-signerd: [axfr] zone erdg.usor.nl expired at 
1411534059, and it is now 1411544463: not serving soa
Sep 24 09:41:03 dns ods-signerd: [axfr] zone erdg.usor.nl expired, not 
transferring zone
Sep 24 09:41:13 dns ods-signerd: [axfr] zone erdg.usor.nl expired, not 
transferring zone
Sep 24 09:41:13 dns ods-signerd: [axfr] zone erdg.usor.nl expired at 
1411534059, and it is now 1411544473: not serving soa

The signer, in turn, gets these zones (unsigned) from another system. When I 
log in on the opendnssec system, there is no problem getting these zones from 
this other system with, e.g., dig. The unsigned zone has not been changed 
for several weeks.

In other cases, where the unsigned zones are updated more frequently, we 
sometimes notice that updates are not processed by opendnssec. It looks as 
if for some reason opendnssec stops refreshing the zones.

As I learned in May, the work-around is to stop opendnssec, delete the files 
associated with the zone in /var/opendnssec/tmp and start opendnssec. I have 
automated this work-around in a cron job, but I would, of course, prefer to 
have a real solution for this problem. My question is whether version 1.4.6 
has more logging options to diagnose why it stops doing zone transfers to 
refresh the zones.
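As an added example that is not part of this thread or of OpenDNSSEC itself: a small Python script that picks the "[axfr] zone ... expired at ..., and it is now ...: not serving soa" messages out of syslog and, separately, flags a zone whose unsigned source has a newer SOA serial than the signer's xfrd state, so the condition can be alerted on early instead of relying on the blind cron restart. The log lines are constructed from the ones quoted above; the two serial values are assumed to be obtained elsewhere (e.g. with dig against both systems), since the xfrd-state file format is not described here.

```python
import re

# Matches the ods-signerd expiry message quoted in the thread (joined onto one line).
EXPIRED_RE = re.compile(
    r"ods-signerd: \[axfr\] zone (?P<zone>\S+) expired at (?P<expired>\d+), "
    r"and it is now (?P<now>\d+): not serving soa"
)


def parse_expiry_events(log_text):
    """Return {zone: (expired_at, seconds_expired)}, keeping the latest 'now' per zone."""
    events = {}
    for line in log_text.splitlines():
        m = EXPIRED_RE.search(line)
        if not m:
            continue  # e.g. the "expired, not transferring zone" variant carries no timestamps
        zone = m.group("zone")
        expired, now = int(m.group("expired")), int(m.group("now"))
        prev = events.get(zone)
        if prev is None or now - expired > prev[1]:
            events[zone] = (expired, now - expired)
    return events


def serial_gt(a, b):
    """RFC 1982 serial-number comparison: True if a is newer than b (32-bit wraparound)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)


def signer_is_stale(upstream_serial, signer_serial):
    """True when the unsigned source's SOA serial is newer than the one the signer holds."""
    return serial_gt(upstream_serial, signer_serial)


# Constructed sample, assembled from the syslog lines quoted earlier in this message.
SAMPLE_LOG = """\
Sep 24 09:40:53 dns ods-signerd: [axfr] zone erdg.usor.nl expired at 1411534059, and it is now 1411544453: not serving soa
Sep 24 09:41:03 dns ods-signerd: [axfr] zone erdg.usor.nl expired, not transferring zone
Sep 24 09:41:13 dns ods-signerd: [axfr] zone erdg.usor.nl expired at 1411534059, and it is now 1411544473: not serving soa
"""

if __name__ == "__main__":
    for zone, (expired_at, age) in parse_expiry_events(SAMPLE_LOG).items():
        print(f"ALERT {zone}: expired at {expired_at}, {age}s ago; signer returns SERVFAIL")
    # Serials from the rug.nl case in the quoted mail: unsigned source vs signer xfrd state.
    print("rug.nl stale:", signer_is_stale(2014051520, 2014051506))
```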