[Opendnssec-user] The signer's expiry handling

Havard Eidnes he at uninett.no
Sun Dec 20 10:02:07 UTC 2015


BTW,

I upped the log level to 5 (from my default of 3), and it seems
OpenDNSSEC isn't happy with the IXFR packets it receives from its
upstream hidden master, because it looks like on many attempts it
logs:

Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from <hidden-master>

My hidden master runs BIND 9.9.8-P2.

Attached below is a fuller section from the log related to this
event.

It seems these messages:

Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> got update indicating current serial 2014121008 from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> try next master

come from xfrd_parse_packet(), and the

Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> xfr packet parsed (res 0)

status of "0" is "XFRD_PKT_BAD".  But as far as I can see, the
only reason it says so is that it gets the same serial# as what
it already has, via this:

        if (!xfrd->msg_do_retransfer &&
            xfrd->serial_disk_acquired && xfrd->serial_disk == serial) {
            ods_log_info("[%s] zone %s got update indicating current "
                "serial %u from %s", xfrd_str, zone->name, serial,
                 xfrd->master->address);
            xfrd->serial_disk_acquired = xfrd_time(xfrd);
            if (xfrd->serial_xfr == serial) {
...
                /* try next master */
                ods_log_debug("[%s] zone %s try next master", xfrd_str,
                    zone->name);
                lock_basic_unlock(&xfrd->serial_lock);
                return XFRD_PKT_BAD;

Doesn't OpenDNSSEC behave like a proper slave, and do an explicit
query for the SOA version and skip attempting a zone transfer
(incremental or otherwise) if the SOA version# is the same as
what it already has?

Instead of a simple message saying "OK, same serial#, skipping
zone transfer since we already have that one", we get this
complicated dance with an attempted incremental zone transfer, a
declaration that the ixfr packet is "bad", and the use of a
failure code to indicate "same serial#"?  Or isn't that what this
does?

Regards,

- Håvard
-------------- next part --------------
Dec 20 10:32:53 ods-host ods-signerd: [netio] no events before the minimum timeout expired
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> make request [udp round 0 master <hidden-master>:0]
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with key: hidden-master-ods-host.
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with algorithm: hmac-sha256.
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] tsig append rr to request id=27525
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> request udp/ixfr=2014121008 to <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> sets timer timeout now
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> read data from udp
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> got update indicating current serial 2014121008 from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> try next master
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> xfr packet parsed (res 0)
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> make request [udp round 1 master <hidden-master>:0]
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with key: hidden-master-ods-host.
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with algorithm: hmac-sha256.
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] tsig append rr to request id=16326
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> request udp/ixfr=2014121008 to <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> sets timer timeout now
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> read data from udp
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> got update indicating current serial 2014121008 from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> try next master
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> xfr packet parsed (res 0)
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> make request [udp round 2 master <hidden-master>:0]
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with key: hidden-master-ods-host.
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with algorithm: hmac-sha256.
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] tsig append rr to request id=33825
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> request udp/ixfr=2014121008 to <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> sets timer timeout now
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> read data from udp
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> got update indicating current serial 2014121008 from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> try next master
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> xfr packet parsed (res 0)
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> sets timer timeout retry 3600
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> make request wait retry
-------------- next part --------------
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
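For readers following the question above: the behaviour in the log is consistent with RFC 1995 section 2, which says a master that receives an IXFR query carrying a serial equal to or newer than its own answers with a single SOA RR holding its current serial. The following is an added example, not code from OpenDNSSEC or from the poster, of how a slave can classify such a reply so that "same serial" is reported as up to date rather than as a bad packet. It builds a single-SOA IXFR reply in DNS wire format from constructed sample data (the zone name example.org., the query id, the SOA timers and the nameserver/contact names are all assumptions), parses it back, and applies RFC 1982 serial arithmetic to decide between up to date, needs transfer, stale master and genuinely malformed.

```python
"""
Slave-side classification of an IXFR reply (added example, not OpenDNSSEC code).

Per RFC 1995 section 2, a master that receives an IXFR query carrying a serial
equal to or newer than its own answers with a single SOA RR holding its current
serial. This builds such a reply from constructed sample data, parses it, and
classifies it with RFC 1982 serial arithmetic.
"""
import struct

TYPE_SOA = 6
TYPE_IXFR = 251
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return out + b"\x00"


def decode_name(buf, off):
    """Decode an uncompressed name at buf[off]; returns (name, next_offset)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def build_same_serial_ixfr_reply(qid, zone, master_serial):
    """Master-side reply for an IXFR whose client serial is not older than ours:
    header (QR=1, AA=1), the echoed question, and one SOA carrying the current
    serial. Names and timers are constructed sample values."""
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", TYPE_IXFR, CLASS_IN)
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", master_serial, 3600, 900, 604800, 3600))
    answer = encode_name(zone) + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answer


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: is 32-bit serial a newer than b?"""
    if a == b:
        return False
    return (a < b and b - a > 2 ** 31) or (a > b and a - b < 2 ** 31)


def first_soa_serial(pkt):
    """Walk a response and return the serial of the first SOA in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(ancount):
        _, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_SOA:
            _, o = decode_name(rdata, 0)   # MNAME
            _, o = decode_name(rdata, o)   # RNAME
            return struct.unpack("!I", rdata[o:o + 4])[0]
    return None


def classify_ixfr_reply(our_serial, pkt):
    """What a slave should conclude from the first packet of an IXFR reply."""
    try:
        serial = first_soa_serial(pkt)
    except (struct.error, ValueError, IndexError):
        return "BAD"                 # truly malformed or truncated
    if serial is None:
        return "BAD"                 # no SOA at all
    if serial == our_serial:
        return "UP_TO_DATE"          # RFC 1995 single-SOA reply: nothing to fetch
    if serial_gt(serial, our_serial):
        return "NEEDS_TRANSFER"      # master is ahead; the rest of the IXFR follows
    return "STALE_MASTER"            # master is behind us: do not take its data


if __name__ == "__main__":
    pkt = build_same_serial_ixfr_reply(27525, "example.org.", 2014121008)
    print(classify_ixfr_reply(2014121008, pkt))
```

The split into four outcomes is the point: a serial equal to ours is a normal, expected answer and should reset the refresh timer without counting as a failed master, while only an unparseable packet or one with no SOA deserves the "bad" label and a fall-through to the next master.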