[Opendnssec-user] addns.xml update deletes all domains

David Peall david at dnservices.co.za
Fri Sep 16 12:35:57 UTC 2016


Hi

Zone 1 has been running for a months in a test environment.

I added zones 2 and 3. I updated a TSIG key for domain 2 and then updated the enforcer, and it deleted all my domains?

opendnssec version 2.0.1


root@signer1:/etc/opendnssec# ods-enforcer update all
Policy default already up-to-date
Policy lab already up-to-date
Policy default already up-to-date
Policy lab already up-to-date
Deleted zone 1 successfully
Deleted zone 2 successfully
Deleted zone 3 successfully
update all completed in 1 seconds.

root@signer1:/etc/opendnssec# ods-enforcer key list --all --verbose
Keys:
Zone:                           Keytype: State:    Date of next transition: Size: Algorithm: CKA_ID:                          Repository: KeyTag:
key list completed in 0 seconds.

root@signer1:/etc/opendnssec# ods-enforcer zone list
Database set to: /var/opendnssec/kasp.db
No zones in database.
zone list completed in 0 seconds.


The log file:
Sep 16 14:02:41 signer1 ods-signerd: [xfrd] zone 1 request udp/ixfr=1160916056 to 192.168.x.x
Sep 16 14:02:41 signer1 ods-signerd: [xfrd] zone 1 received too short udp reply from 192.168.x.x, retry tcp
Sep 16 14:02:41 signer1 ods-signerd: [xfrd] zone 1 request tcp/ixfr=1160916056 to 192.168.x.x
Sep 16 14:02:58 signer1 ods-signerd: [xfrd] zone 1 transfer done [notify acquired 1474027361, serial on disk 1160916057, notify serial 1160916057]
Sep 16 14:03:48 signer1 ods-signerd: [STATS] 1 1160916057 RR[count=80 time=35(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=235 time=2(sec) avg=1(sig/sec)] TOTAL[time=50(sec)]
Sep 16 14:04:15 signer1 ods-signerd: [namedb] zone 3 cannot keep SOA SERIAL from input zone  (2016091648): previous output SOA SERIAL is 2016091648
…
Sep 16 14:15:41 signer1 ods-signerd: [worker[2]] continue task [read] for zone 1
Sep 16 14:15:41 signer1 ods-signerd: [worker[2]] continue task [sign] for zone 2
Sep 16 14:15:41 signer1 ods-signerd: [worker[1]] continue task [sign] for zone 3
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] zone 2 request axfr to 192.168.x.x
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] bad packet: zone 2 received error code NOTAUTH from 192.168.x.x
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] zone 2, from 192.168.x.x has tsig error (Bad Key)
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] unable to process tsig: xfr zone 2 from 192.168.x.x has bad tsig signature
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] bad packet: zone 2 received bad tsig from 192.168.x.x
Sep 16 14:15:41 signer1 ods-enforcerd: [zonelist_import] zone 2 deleted
Sep 16 14:15:41 signer1 ods-enforcerd: [zonelist_import] zone 3 deleted
Sep 16 14:15:41 signer1 ods-enforcerd: [zonelist_import] zone 1 deleted
…

Now in the log file after a stop/start:
Sep 16 14:22:12 signer1 ods-signerd: [signconf] zone 2 signconf: RESIGN[PT2H] REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[keep]
Sep 16 14:22:12 signer1 ods-signerd: [signconf] zone 3 signconf: RESIGN[PT2H] REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[keep]

Regards
—
David Peall
