[Opendnssec-user] The signer's expiry handling

Sat Dec 19 11:51:21 UTC 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> my signer managed to hit the dreaded "soamin not set" assertion 
> sometime yesterday.

My analysis so far points to that this assertion is not caused by by
the state in tmp on disk. (Although something seems not quite right in
the *.ixfr files you send me. I'm looking at that separately.)

I can image one scenario that would cause this assertion to hit,
though I'm not sure if it is at all possible.

- - The zone on the hidden master changes (e.g. a record is added) but
the SOA record's serial is not incremented.
- - The signer does a XFR from the hidden master anyway. (maybe it is
somehow forced by the user? This is the unknown part)
- - The signer figures out the differences with the zone on disk and
writes this to the ixfr structure. But this diff does not contain the
SOA since it had not been updated. Causing soamin not to be set.
- - Later when writing the .ixfr file the assertion fires.

Do you reckon a similar scenario would apply to your situation?

> Today I've applied this patch:
> 
> The part->soamin assertion seems to trigger. Be helpful and log the
> zone name before the assert.
> 
> --- signer/src/signer/ixfr.c.orig       2014-12-04
> 15:17:14.000000000 +0000 +++ signer/src/signer/ixfr.c @@ -227,7
> +227,10 @@ part_print(FILE* fd, ixfr_type* ixfr, si } 
> ods_log_assert(part->min); ods_log_assert(part->plus); -
> ods_log_assert(part->soamin); +    if (!part->soamin) { +
> ods_log_error("[%s] zone %s no part->soamin", ixfr_str,
> zone->name); +       ods_log_assert(part->soamin); +    } 
> ods_log_assert(part->soaplus); if (util_rr_print(fd, part->soamin)
> != ODS_STATUS_OK) { zone->adoutbound->error = 1;
> 
> Of course this didn't trip when I restarted the signer -- we'll see
> when that hits the next time.
> 
> 
> However, there is someting wrong with the expiry timer handling 
> after such a restart.  The zones were "OK" yesterday, and the 
> signer was operating normally.
> 
> However, today, when the signer is restarted while leaving the 
> files in /var/opendnssec/tmp/ intact, I see log messages of the 
> type:
> 
> Dec 19 09:20:22 hugin ods-signerd: [axfr] zone <zonename> expired
> at 1814400, and it is now 1450513222: not serving soa
> 
> For this particular zone, I see <zonename>.axfr and 
> <zonename>.backup2 files lying around, both of which appear to be 
> "outgoing" files, since they have DNSSEC markings.
> 
> So why does the signer think the zone has expired, when it was OK 
> yesterday?  1814400 is the "relative expire time" from the SOA 
> record, while here it's apparently used as an absolute value, which
> is just entirely Wrong.

That looks bad! We'll look in to it.

//Yuri

> And in traditional style of the apparently slightly uncooperative 
> threads of the signer, no attempt is made on the signer's 
> initiative to re-transfer the zone from the hidden master to mend 
> what the signer thinks is an expired zone.
> 
> I suspect I now again have to manually crank the hidden master to 
> send notifies for all the signed zones to ods-signerd, so that the
> zones are actually re-transferred.  What a crock!
> 
> Regards,
> 
> - Håvard _______________________________________________ 
> Opendnssec-user mailing list Opendnssec-user at lists.opendnssec.org 
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iEYEARECAAYFAlZ1RLkACgkQI3PTR4mhavhtvwCgjEBVfp1Hf7SJ7ywAl7W8x+nv
dD4AoISSzYexQlab9HGEWTxdMsEz256E
=ZwDj
-----END PGP SIGNATURE-----