[Opendnssec-user] The signer's expiry handling

Havard Eidnes he at uninett.no
Sat Dec 19 12:49:12 UTC 2015 

>> my signer managed to hit the dreaded "soamin not set" assertion 
>> sometime yesterday.
>
> My analysis so far points to that this assertion is not caused by by
> the state in tmp on disk. (Although something seems not quite right in
> the *.ixfr files you send me. I'm looking at that separately.)

That's strange, because the assertion goes away when I wipe the
contents of /var/opendnssec/tmp/ and start "from scratch".

> I can image one scenario that would cause this assertion to hit,
> though I'm not sure if it is at all possible.
>
> - The zone on the hidden master changes (e.g. a record is added) but
>   the SOA record's serial is not incremented.

That's unlikely to happen.  We have a setup which automates the
maintenance of the SOA version numbers before the name server is
signalled to reload the zone.

So if this is a precondition to your theory, I suspect it doesn't
apply in our case.

> - The signer does a XFR from the hidden master anyway. (maybe it is
>   somehow forced by the user? This is the unknown part)

1) I don't know how to signal to ods-signerd that it should do a
   zone transfer by interacting with the signer.  I only know to
   do it via "rndc notify <zonename>" on the hidden master.

2) OpenDNSSEC should behave like any slave name server: if the SOA
   version number hasn't changed, it should NEVER initiate a zone
   transfer, and at least not an incremental zone transfer.  That is,
   if it has a copy of the zone.  It should not be possible for
   OpenDNSSEC to know the old SOA version number and *not* have a copy
   of the zone(?)

> - The signer figures out the differences with the zone on disk and
>   writes this to the ixfr structure. But this diff does not contain the
>   SOA since it had not been updated. Causing soamin not to be set.
> - Later when writing the .ixfr file the assertion fires.

Also known as "lack of robustness", possibly caused by bad choices
performed earlier (initiating a zone transfer even though the SOA was
not updated).

> Do you reckon a similar scenario would apply to your situation?

I don't understand how it can.

>> So why does the signer think the zone has expired, when it was OK 
>> yesterday?  1814400 is the "relative expire time" from the SOA 
>> record, while here it's apparently used as an absolute value, which
>> is just entirely Wrong.
>
> That looks bad! We'll look in to it.

Thanks!  I suspect this has something to do with one of the files it
uses to offset the expire value is missing.  In steady-state I see
three files per zone: .axfr, .backup2, and .ixfr.  None of these
appear to be a copy of the incoming zone, all of them already contain
DNSSEC data added by OpenDNSSEC.


I think the entire "takeaway" from this set of experiences is that the
problems I'm experiencing more or less all have to do with the mode I
chose to run OpenDNSSEC in: "zone transfer in, zone transfer out",
that it's newish functionality in OpenDNSSEC (new in 1.4?), and that
it's ... not quite fully baked yet -- it appears to need a lot more
testing, bugfixing, integration, stabilization and attention.


Regards,

- Håvard

More information about the Opendnssec-user mailing list