[Opendnssec-user] XFR with YADIFA: UNPROCESSABLE_MESSAGE

Djordje Antic djordje.antic at gmail.com
Thu Apr 28 13:31:51 UTC 2016


Hi,

If anyone else encounters this, the solution is to rebuild Yadifa with
the "--enable-non-aa-axfr-support" ./configure flag. According to the
manual, it "Allows AXFR answer from master without AA bit set
(Microsoft DNS)". OpenDNSSEC streams are now accepted and Yadifa is
serving received zones with DNSSEC signatures.

Regards,
Djordje

On Wed, Mar 30, 2016 at 1:46 AM, Djordje Antic <djordje.antic at gmail.com> wrote:
> Hi,
>
> I have a DNS setup that looks like this:
>
> Hidden master (BIND) [xfr]-> DNSSEC signer (OpenDNSSEC) [xfr]-> 4x
> Public slaves (NSD, BIND, YADIFA, KNOT).
>
> NSD, BIND and KNOT machines are receiving and serving zones without
> problems, but YADIFA is not. This problem does not occur when it is set
> to update directly from the hidden master, but then it loses the DNSSEC
> 'bump-in-the-wire' and thus serves unsigned zones.
>
> Versions:
> BIND: 9.10.3
> OpenDNSSEC 1.4.9
> YADIFA 2.1.6
>
>
> YADIFA log:
>
> 2016-03-29 15:22:39.127905 | server   | I | slave: example.com. AXFR
> query to the master
> 2016-03-29 15:22:39.127907 | server   | 6 | acquire:
> example.com.@00007FB5017F3970 rc=3
> 2016-03-29 15:22:39.127927 | server   | 6 | release:
> example.com.@00007FB5017F3970 rc=2
> 2016-03-29 15:22:39.127929 | server   | I | axfr: example.com.:
> transfer will be signed with key 'key2.'
> 2016-03-29 15:22:39.128492 | server   | 6 | acquire:
> example.com.@00007FB5017F3970 rc=3
> 2016-03-29 15:22:39.128495 | server   | 6 | release:
> example.com.@00007FB5017F3970 rc=2
> 2016-03-29 15:22:39.131463 | server   | D | axfr: example.com.: AXFR
> stream copy init failed: UNPROCESSABLE_MESSAGE
> 2016-03-29 15:22:39.131499 | server   | E | slave: query error for
> domain example.com. from master at 11.22.33.44#53:
> UNPROCESSABLE_MESSAGE
> 2016-03-29 15:22:39.131502 | server   | 6 |
> zone_lock(example.com.@00007FB5017F3970, 86)
> 2016-03-29 15:22:39.131503 | server   | D | database_service: enqueue
> operation DATABASE_SERVICE_ZONE_DOWNLOADED_EVENT on example.com.:
> UNPROCESSABLE_MESSAGE
> 2016-03-29 15:22:39.131506 | server   | 6 |
> zone_unlock(example.com.@00007FB5017F3970, 86)
> 2016-03-29 15:22:39.131507 | server   | 6 | release:
> example.com.@00007FB5017F3970 rc=1
> 2016-03-29 15:22:39.131903 | server   | 6 | acquire:
> example.com.@00007FB5017F3970 rc=2
> 2016-03-29 15:22:39.131905 | server   | E | database: failed to
> download the zone for example.com.: UNPROCESSABLE_MESSAGE
> 2016-03-29 15:22:39.131906 | server   | 6 |
> zone_lock(example.com.@00007FB5017F3970, 89)
>
>
> OpenDNSSEC log:
>
> Mar 29 15:22:39 ods ods-signerd: [socket] handle incoming tcp connection
> Mar 29 15:22:39 ods ods-signerd: [netio] handler added
> Mar 29 15:22:39 ods ods-signerd: [socket] incoming tcp message
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: reset query
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: bytes transmitted
> 2 (received 2)
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: bytes transmitted
> 108 (received 106)
> Mar 29 15:22:39 ods ods-signerd: [query] tsig OK
> Mar 29 15:22:39 ods ods-signerd: [query] incoming query qtype=AXFR for
> zone example.com
> Mar 29 15:22:39 ods ods-signerd: [acl] match 55.66.77.88
> Mar 29 15:22:39 ods ods-signerd: [query] incoming axfr request for
> zone example.com
> Mar 29 15:22:39 ods ods-signerd: [file] openfile example.com.axfr count 1
> Mar 29 15:22:39 ods ods-signerd: [axfr] set soa in axfr zone example.com
> Mar 29 15:22:39 ods ods-signerd: [axfr] axfr zone example.com is done
> Mar 29 15:22:39 ods ods-signerd: [axfr] return part axfr zone example.com
> Mar 29 15:22:39 ods ods-signerd: [socket] query processed qstate=2
> Mar 29 15:22:39 ods ods-signerd: [query] add tsig ok
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: new tcplen 4654
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: bytes transmitted
> 2 (sent 2)
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: bytes transmitted 4656
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: tcplen 4654
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: sizeof tcplen 2
> Mar 29 15:22:39 ods ods-signerd: [axfr] zone transfer example.com completed
> Mar 29 15:22:39 ods ods-signerd: [socket] incoming tcp message
> Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: reset query
> Mar 29 15:22:39 ods ods-signerd: [netio] handler removed
>
>
> Regards,
> Djordje