[Opendnssec-user] XFR with YADIFA: UNPROCESSABLE_MESSAGE

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Apr 5 12:14:39 UTC 2016


On 03/30/2016 01:46 AM, Djordje Antic wrote:
> I have a DNS setup that looks like this:
> 
> Hidden master (BIND) [xfr]-> DNSSEC signer (OpenDNSSEC) [xfr]-> 4x
> Public slaves (NSD, BIND, YADIFA, KNOT).
> 
> NSD, BIND and KNOT machines are receiving and serving zones without
> problems, but YADIFA is not. This problem does not occur when set to
> update directly from hidden master, but it loses the DNSSEC
> 'bump-in-the-wire' and thus serving unsigned zones.
> 
> Versions:
> BIND: 9.10.3
> OpenDNSSEC 1.4.9
> YADIFA 2.1.6

We do not have direct experience with yadifa.  How I interpret the log
is that OpenDNSSEC has fully transferred the zone and gets the okay.
Yadifa has received the AXFR fully and stored it.  However when it
further starts to process the zone file there is a generic error.
This is not something easy to inspect without having to set-up an
environment with yadifa ourselves.  You might want to increase the
logging level of yadifa to get more information.

The yadifa log also indicates it wants to sign the zone itself too.
That is --in your set-up-- not something you want.  This at least
needs to be changed.  It may also be a hint towards your problem,
perhaps yadifa expects an unsigned zone or can only handle unsigned
data.  And it rejects the pre-signed zone.

This is something you can get help for from the yadifa mailing list.

With kind regards,
Berry van Halderen

> 
> YADIFA log:
> 
> 2016-03-29 15:22:39.127905 | server   | I | slave: example.com. AXFR
> query to the master
> 2016-03-29 15:22:39.127907 | server   | 6 | acquire:
> example.com. at 00007FB5017F3970 rc=3
> 2016-03-29 15:22:39.127927 | server   | 6 | release:
> example.com. at 00007FB5017F3970 rc=2
> 2016-03-29 15:22:39.127929 | server   | I | axfr: example.com.:
> transfer will be signed with key 'key2.'
> 2016-03-29 15:22:39.128492 | server   | 6 | acquire:
> example.com. at 00007FB5017F3970 rc=3
> 2016-03-29 15:22:39.128495 | server   | 6 | release:
> example.com. at 00007FB5017F3970 rc=2
> 2016-03-29 15:22:39.131463 | server   | D | axfr: example.com.: AXFR
> stream copy init failed: UNPROCESSABLE_MESSAGE
> 2016-03-29 15:22:39.131499 | server   | E | slave: query error for
> domain example.com. from master at 11.22.33.44#53:
> UNPROCESSABLE_MESSAGE
> 2016-03-29 15:22:39.131502 | server   | 6 |
> zone_lock(example.com. at 00007FB5017F3970, 86)
> 2016-03-29 15:22:39.131503 | server   | D | database_service: enqueue
> operation DATABASE_SERVICE_ZONE_DOWNLOADED_EVENT on example.com.:
> UNPROCESSABLE_MESSAGE
> 2016-03-29 15:22:39.131506 | server   | 6 |
> zone_unlock(example.com. at 00007FB5017F3970, 86)
> 2016-03-29 15:22:39.131507 | server   | 6 | release:
> example.com. at 00007FB5017F3970 rc=1
> 2016-03-29 15:22:39.131903 | server   | 6 | acquire:
> example.com. at 00007FB5017F3970 rc=2
> 2016-03-29 15:22:39.131905 | server   | E | database: failed to
> download the zone for example.com.: UNPROCESSABLE_MESSAGE
> 2016-03-29 15:22:39.131906 | server   | 6 |
> zone_lock(example.com. at 00007FB5017F3970, 89)
> 
> 
> OpenDNSSEC log:
> 
> Mar 29 15:22:39 ods ods-signerd: [socket] handle incoming tcp connection
> Mar 29 15:22:39 ods ods-signerd: [netio] handler added
> Mar 29 15:22:39 ods ods-signerd: [socket] incoming tcp message
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: reset query
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: bytes transmitted
> 2 (received 2)
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: bytes transmitted
> 108 (received 106)
> Mar 29 15:22:39 ods ods-signerd: [query] tsig OK
> Mar 29 15:22:39 ods ods-signerd: [query] incoming query qtype=AXFR for
> zone example.com
> Mar 29 15:22:39 ods ods-signerd: [acl] match 55.66.77.88
> Mar 29 15:22:39 ods ods-signerd: [query] incoming axfr request for
> zone example.com
> Mar 29 15:22:39 ods ods-signerd: [file] openfile example.com.axfr count 1
> Mar 29 15:22:39 ods ods-signerd: [axfr] set soa in axfr zone example.com
> Mar 29 15:22:39 ods ods-signerd: [axfr] axfr zone example.com is done
> Mar 29 15:22:39 ods ods-signerd: [axfr] return part axfr zone example.com
> Mar 29 15:22:39 ods ods-signerd: [socket] query processed qstate=2
> Mar 29 15:22:39 ods ods-signerd: [query] add tsig ok
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: new tcplen 4654
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: bytes transmitted
> 2 (sent 2)
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: bytes transmitted 4656
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: tcplen 4654
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: sizeof tcplen 2
> Mar 29 15:22:39 ods ods-signerd: [axfr] zone transfer example.com completed
> Mar 29 15:22:39 ods ods-signerd: [socket] incoming tcp message
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: reset query
> Mar 29 15:22:39 ods ods-signerd: [netio] handler removed
> 
> 
> Regards,
> Djordje
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
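The two logs above show the same transfer from both ends: the signer writes a 2-byte length prefix ("sizeof tcplen 2") followed by a 4654-byte AXFR message with a TSIG, and the slave then fails while copying that stream. The script below is an added example (not code from this thread, OpenDNSSEC or YADIFA) of the structural checks a practitioner can run on a captured transfer before blaming either side: it splits the TCP stream on the length prefix, decodes the messages, verifies that the answer section starts and ends with the zone SOA with an unchanged serial, and reports whether RRSIG records are present, i.e. whether the zone arrived pre-signed as Berry suggests. The sample transfer it builds for example.com. is constructed here; the names, serial, key tag, timestamps and all-zero signature are made up and carry no cryptographic meaning.

```python
import struct

TYPE_NS, TYPE_SOA, TYPE_RRSIG, TYPE_AXFR = 2, 6, 46, 252   # RR type numbers, RFC 1035 / RFC 4034
CLASS_IN = 1

def encode_name(name):
    """Encode a dotted name as uncompressed wire labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"

def decode_name(msg, off):
    """Decode the name at `off`, following compression pointers; return (name, offset past the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # 2-byte compression pointer (RFC 1035 4.1.4)
            end, hops = (off + 2 if end is None else end), hops + 1
            if hops > 64:                          # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def split_tcp_stream(stream):
    """Split a DNS-over-TCP stream into messages by the 2-byte length prefix ('tcplen' in the ods log)."""
    msgs, off = [], 0
    while off < len(stream):
        if off + 2 > len(stream):
            raise ValueError("truncated length prefix")
        tcplen = struct.unpack("!H", stream[off:off + 2])[0]
        off += 2
        if off + tcplen > len(stream):
            raise ValueError("truncated message: tcplen %d, %d bytes left" % (tcplen, len(stream) - off))
        msgs.append(stream[off:off + tcplen])
        off += tcplen
    return msgs

def parse_message(msg):
    """Parse one DNS message into (header, sections); rdata stays raw except the SOA serial."""
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    sections = {"answer": [], "authority": [], "additional": []}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            record = {"name": name, "type": rtype, "class": rclass, "ttl": ttl, "rdata": msg[off:off + rdlen]}
            if rtype == TYPE_SOA:
                # SERIAL follows MNAME and RNAME; decode against the whole message (either may be a pointer)
                p = decode_name(msg, decode_name(msg, off)[1])[1]
                record["serial"] = struct.unpack("!I", msg[p:p + 4])[0]
            sections[section].append(record)
            off += rdlen
    if off != len(msg):
        raise ValueError("%d trailing bytes after the last record" % (len(msg) - off))
    return {"id": ident, "qr": bool(flags & 0x8000), "rcode": flags & 0xF}, sections

def check_axfr(stream):
    """Checks a slave needs before loading an AXFR; returns record count, serial and whether RRSIGs are present."""
    answers = []
    for msg in split_tcp_stream(stream):
        header, sections = parse_message(msg)
        if not header["qr"] or header["rcode"] != 0:
            raise ValueError("not a successful response: rcode %d" % header["rcode"])
        answers.extend(sections["answer"])         # a TSIG in the additional section is not zone data
    if not answers or answers[0]["type"] != TYPE_SOA or answers[-1]["type"] != TYPE_SOA:
        raise ValueError("AXFR must begin and end with the zone SOA")
    if answers[0]["serial"] != answers[-1]["serial"]:
        raise ValueError("SOA serial changed during the transfer")
    return {"records": len(answers), "serial": answers[0]["serial"],
            "signed": any(r["type"] == TYPE_RRSIG for r in answers)}

def rr(name, rtype, rdata, ttl=3600, rclass=CLASS_IN):   # wire-encode one RR, no name compression
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_sample_stream(signed=True, serial=2016032901):
    """Constructed AXFR response for example.com. (made-up names/serial/key tag/signature), framed for TCP."""
    soa = (encode_name("ns1.example.com.") + encode_name("hostmaster.example.com.")
           + struct.pack("!IIIII", serial, 7200, 900, 1209600, 3600))
    answers = [rr("example.com.", TYPE_SOA, soa), rr("example.com.", TYPE_NS, encode_name("ns1.example.com."))]
    if signed:
        # RRSIG rdata: type covered, algorithm, labels, orig TTL, expiration, inception, key tag, signer, signature
        sig = (struct.pack("!HBBIIIH", TYPE_NS, 8, 2, 3600, 1460000000, 1459000000, 12345)
               + encode_name("example.com.") + b"\x00" * 16)
        answers.append(rr("example.com.", TYPE_RRSIG, sig))
    answers.append(rr("example.com.", TYPE_SOA, soa))
    question = encode_name("example.com.") + struct.pack("!HH", TYPE_AXFR, CLASS_IN)
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answers), 0, 0)   # QR|AA, one question
    msg = header + question + b"".join(answers)
    return struct.pack("!H", len(msg)) + msg       # 2-byte tcplen prefix, then the message
```

Feeding the TCP payload of a real capture between the signer and the slave to `check_axfr()` separates a framing or truncation problem (it raises with the offending length) from a transfer that is well-formed but simply contains RRSIG data the receiving side is not configured to accept; the `signed` flag in the result is the quick way to confirm which case you are in.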
