[Opendnssec-user] ods-signerd: robustness & resource demands?

Berry A.W. van Halderen berry at nlnetlabs.nl
Mon Nov 16 08:15:37 UTC 2015


On 10/15/2015 04:20 PM, Havard Eidnes wrote:
> today we observed another problem in our OpenDNSSEC installation.  As
> mentioned earlier, we run with an "axfr in, axfr out" configuration.
> 
> For our signed zones, we add a "_original-serial" TXT record, which
> contains the serial number from the SOA record from the hidden master,
> and we periodically run a check that what is published by our
> publishing master (the name server "after" OpenDNSSEC) is publishing
> the same _original-serial record which our hidden master is doing.
> This thus monitors that zone data is propagating properly through our
> OpenDNSSEC installation.

Thanks for this insight into your set-up.  It is a handy approach.

> Today this check fired for three of our zones.  Re-updating the zone
> on the hidden master (+ which automatically bumps the SOA serial and
> sends a notify to OpenDNSSEC) did apparently *not* cause the updated
> zone to be transferred to OpenDNSSEC, though the update was noted in
> the log file, the zone which came out at the other end still had the
> old _original-serial TXT record.
> 
> And then when I came to restart OpenDNSSEC the old problem with it
> being unable to restart, the signer falls down over an assertion:
> 
> Oct 15 15:35:43 hugin ods-signerd: [xfrd] zone fyrkat.no request tcp/ixfr=2015101306 to 158.38.130.4
> Oct 15 15:35:43 hugin ods-signerd: [xfrd] zone fyrkat.no transfer done [notify acquired 0, serial on disk 2015101500, notify serial 0]
> Oct 15 15:35:50 hugin ods-signerd: signer/ixfr.c:230: part_print: assertion part->soamin failed

Looking at the log, it indicates to me that the notify was picked up and the
zone got processed, but trying to send out the zone over axfr failed.

> and I ended up having to move away all the tmp/ files in OpenDNSSEC
> before it could again be successfully started.

It might be interesting to see how the processed zone ended up, which
should be part of one of the files in the tmp/ directory.  Is it
possible to share it with us?

> Am I alone in having problems restarting OpenDNSSEC when it's used in
> the "axfr in, axfr out" mode?

It is indeed specific to the axfr out mode.  We need to further look
into this.  It is a proper set-up you have.

With kind regards,
Berry van Halderen
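
The propagation check described in the quoted message, sketched as an added example (not part of the original thread and not OpenDNSSEC code). It assumes the two inputs are `dig +short` answers, one for the SOA on the hidden master and one for the `_original-serial` TXT record on the publishing master; the function names and all sample zones and serials are constructed for illustration.

```python
"""Compare the hidden master's SOA serial with the _original-serial TXT
record served by the publishing master. Inputs are `dig +short` answer
strings; every sample value below is constructed."""

def soa_serial(soa_answer):
    # dig +short SOA prints: mname rname serial refresh retry expire minimum
    fields = soa_answer.split()
    if len(fields) != 7 or not fields[2].isdigit():
        raise ValueError("unparseable SOA answer: %r" % soa_answer)
    return int(fields[2])

def original_serial(txt_answer):
    # dig +short TXT prints the value in double quotes; empty output = no record
    value = txt_answer.strip().strip('"')
    return int(value) if value.isdigit() else None

def serial_newer(a, b):
    # RFC 1982 serial arithmetic, so a wrapped serial still compares correctly
    return a != b and ((a - b) % 2**32) < 2**31

def propagation_status(hidden_soa_answer, published_txt_answer):
    hidden = soa_serial(hidden_soa_answer)
    published = original_serial(published_txt_answer)
    if published is None:
        return "missing"      # signed zone lost the marker record
    if published == hidden:
        return "in-sync"
    # "stale" is the case reported in this thread: the signer output lags behind
    return "stale" if serial_newer(hidden, published) else "ahead"

# Constructed samples: (SOA answer from hidden master, TXT answer from publisher)
SOA = "ns.example.org. hostmaster.example.org. %d 14400 3600 1209600 3600"
SAMPLES = {
    "ok.example.org": (SOA % 2015101500, '"2015101500"'),
    "stale.example.org": (SOA % 2015101500, '"2015101306"'),
    "missing.example.org": (SOA % 2015101500, ""),
    "wrapped.example.org": (SOA % 5, '"4294967290"'),
}

def report(samples=SAMPLES):
    return {zone: propagation_status(soa, txt) for zone, (soa, txt) in samples.items()}

if __name__ == "__main__":
    for zone, status in report().items():
        print(zone, status)
```
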



