[Opendnssec-user] The signer's expiry handling

Havard Eidnes he at uninett.no
Sat Dec 19 08:37:44 UTC 2015


Hi,

my signer managed to hit the dreaded "soamin not set" assertion
sometime yesterday.

Today I've applied this patch:

The part->soamin assertion seems to trigger.
Be helpful and log the zone name before the assert.

--- signer/src/signer/ixfr.c.orig       2014-12-04 15:17:14.000000000 +0000
+++ signer/src/signer/ixfr.c
@@ -227,7 +227,10 @@ part_print(FILE* fd, ixfr_type* ixfr, si
     }
     ods_log_assert(part->min);
     ods_log_assert(part->plus);
-    ods_log_assert(part->soamin);
+    if (!part->soamin) {
+       ods_log_error("[%s] zone %s no part->soamin", ixfr_str, zone->name);
+       ods_log_assert(part->soamin);
+    }
     ods_log_assert(part->soaplus);
     if (util_rr_print(fd, part->soamin) != ODS_STATUS_OK) {
         zone->adoutbound->error = 1;
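
Review bot: Inside the new `if (!part->soamin)` block the error is logged and then the same `ods_log_assert(part->soamin)` still fires, so the signer still aborts on this condition and the patch only adds a diagnostic. The statement right after the hunk already reports an output failure through `zone->adoutbound->error = 1`; if this function's callers can tolerate it, setting that flag and returning early here would keep the signer running for the other zones. The neighbouring asserts on `part->min`, `part->plus` and `part->soaplus` get no zone name, so one log line ahead of the whole group, naming the zone and which pointer is NULL, would cover all four. The two lines nested in the new `if` are indented seven columns, while the surrounding code steps by four.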

Of course this didn't trip when I restarted the signer -- we'll
see when that hits the next time.


However, there is something wrong with the expiry timer handling
after such a restart.  The zones were "OK" yesterday, and the
signer was operating normally.

However, today, when the signer is restarted while leaving the
files in /var/opendnssec/tmp/ intact, I see log messages of the
type:

Dec 19 09:20:22 hugin ods-signerd: [axfr] zone <zonename> expired at 1814400, and it is now 1450513222: not serving soa

For this particular zone, I see <zonename>.axfr and
<zonename>.backup2 files lying around, both of which appear to be
"outgoing" files, since they have DNSSEC markings.

So why does the signer think the zone has expired, when it was OK
yesterday?  1814400 is the "relative expire time" from the SOA
record, while here it's apparently used as an absolute value,
which is just entirely Wrong.

And in traditional style of the apparently slightly uncooperative
threads of the signer, no attempt is made on the signer's
initiative to re-transfer the zone from the hidden master to mend
what the signer thinks is an expired zone.

I suspect I now again have to manually crank the hidden master to
send notifies for all the signed zones to ods-signerd, so that
the zones are actually re-transferred.  What a crock!

Regards,

- Håvard
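
Added example (not part of the original post and not OpenDNSSEC code): a small log scan that picks out zones whose "expired at" value looks like a relative SOA expire interval rather than an epoch timestamp, which gives the list of zones that need a fresh NOTIFY from the hidden master. The message format is taken from the log line quoted above; the function names, the ten-year threshold and the sample lines are assumptions made for illustration.

```python
import re

# Message format copied from the ods-signerd log line quoted in the post.
EXPIRY_RE = re.compile(
    r"ods-signerd: \[axfr\] zone (?P<zone>\S+) expired at (?P<expired>\d+), "
    r"and it is now (?P<now>\d+): not serving soa"
)

# Assumption: an "expired at" value below ten years' worth of seconds cannot
# be a real epoch timestamp and is more likely a relative SOA expire interval.
RELATIVE_CEILING = 10 * 365 * 86400


def classify(line):
    """Return (zone, kind, expired, now) for an expiry message, else None."""
    m = EXPIRY_RE.search(line)
    if m is None:
        return None
    expired, now = int(m["expired"]), int(m["now"])
    kind = "relative-as-absolute" if expired < RELATIVE_CEILING else "genuine"
    return m["zone"], kind, expired, now


def suspect_zones(lines):
    """Zones whose expiry message carries an interval, not a timestamp."""
    zones = set()
    for line in lines:
        hit = classify(line)
        if hit and hit[1] == "relative-as-absolute":
            zones.add(hit[0])
    return sorted(zones)


# Constructed sample lines (zone names are placeholders, not from the post).
SAMPLE_LOG = [
    "Dec 19 09:20:22 hugin ods-signerd: [axfr] zone example.org expired at 1814400, and it is now 1450513222: not serving soa",
    "Dec 19 09:20:23 hugin ods-signerd: [axfr] zone example.net expired at 1450400000, and it is now 1450513223: not serving soa",
    "Dec 19 09:20:24 hugin ods-signerd: [axfr] zone example.org expired at 1814400, and it is now 1450513224: not serving soa",
    "Dec 19 09:20:25 hugin ods-signerd: [signer] unrelated message",
]

if __name__ == "__main__":
    for zone in suspect_zones(SAMPLE_LOG):
        print(zone)
```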


