[Opendnssec-user] Whats wrong in my ods 2.0o.1 setup.

Yuri Schaeffer yuri at nlnetlabs.nl
Mon Aug 15 08:56:55 UTC 2016

Hi Fred,

> This morning I am confused again. I see the following:

> It is now Mon Aug 15 09:06:33 2016 (1471244793 seconds since epoch)
> Next task scheduled Sat Aug 13 14:22:00 2016 (1471090920 seconds since
> epoch)
> The enforcer has scheduled a task in the past. How is that possible?

I'm not 100% sure. But I do a hunch. Somehow the scheduler missed the
event work needs to be done. The worker threads wait indefinitely to get
a signal but the signal was never actually delivered by the OS.

I'll set up a test system to see if I can recreate the issue and test my
proposed fix. In the mean time what should get you out of this situation
is a user interaction which causes the enforcer to reschedule things. An
'ods-enforcer enforce' will do that, without any adverse effects. Please
let me know if you see this issue regularly.

> 2016-08-10T11:56:24.269750+02:00 kvivs20 ods-signerd: [namedb] zone
> KVI.nl cannot keep SOA SERIAL from input zone  (2014042300): previous
> output SOA SERIAL is 201608100 3

> These messages started early in the morning, continued for about 4 hours
> (about 10 times for each domain with increasing intervals between 1
> minute and one hour) and then stopped, without any change in the
> configuration. Also the input zones were not changed. Is this something
> to worry about?
> Are we assumed to increment the serial of the unsigned zone during a
> rollover?

No. the signer will do the SOA serial management for you. *unless* you
specify so in the kasp. In that case you should do it yourself.


A better value would probably be 'datecounter'.

	use an increasing counter (but use the serial from the
	unsigned zone if possible)
	use increasing counter in YYYYMMDDxx format (xx is
	incremented within each day)
	the serial number is set to the "Unix time" (seconds
	since 00:00 on 1 January 1970 (UTC)) at which the signer is run.
	keep the serial from the unsigned zone (do not resign unless
	it has been incremented)

> At the moment everything looks normal. The unsigned zone is still
> unchanged and the signed zone is dated Aug 15 08:33  and shows a serial
> of 2016081504.

I'm unsure as why it got better if the policy did not change. By the way
this part (signer code) is almost unchanged from 1.4.10, so I do not
expect any new bugs here.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 163 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20160815/8b864c41/attachment.bin>

More information about the Opendnssec-user mailing list