[Opendnssec-user] Zone updates with 1.4.14

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Jul 6 15:44:22 UTC 2017


Hi Roman,

I'm not 100% sure what you mean. I think you are saying that you used to
see a daily resign of expired signatures but now you don't. Is that correct?
Did OpenDNSSEC do a full resign after you upgraded? - This might
explain why no signatures are expiring /yet/. Can you share your
kasp.xml and conf.xml (beware! conf may contain passwords/pins). I could
take a look and assert your expectations.

//Yuri

On 05-07-17 16:20, Roman Serbski wrote:
> Hello,
> 
> Hidden master (NSD 4.1.0), signer (OpenDNSSEC 1.4.6 using DNS
> adapters), and public DNS (NSD 4.1.0), all under FreeBSD 10.0-STABLE.
> 
> I'm planning to update the whole setup to the latest NSD 4.1.16,
> OpenDNSSEC 1.4.14, FreeBSD 11, therefore I cloned all servers and
> performed an update in the lab.
> 
> Everything is working fine except that it seems that I lost automatic
> zone updates performed by OpenDNSSEC. In 1.4.6, there was one update
> per day, per zone. In 1.4.14 I don't see any updates for three days
> already.
> 
> My kasp.conf remained unchanged:
> 
> <Zone>
>  <PropagationDelay>PT43200S</PropagationDelay>
>   <SOA>
>    <TTL>PT3600S</TTL>
>    <Minimum>PT3600S</Minimum>
>    <Serial>datecounter</Serial>
>   </SOA>
> </Zone>
> 
> - if I manually bump the serial on hidden master, and reload the zone,
> it's instantly reflected on the public DNS;
> - automatic ZSK roll-over triggers SOA increment as well;
> - shutting down OpenDNSSEC, clearing of /var/opendnssec/tmp/, and
> starting OpenDNSSEC triggers updates too.
> 
> I see constant communication between the hidden master and the signer:
> 
> [2017-07-03 12:34:45.090] nsd[6547]: info: axfr for mydomain.org. from
> 192.168.60.203
> 
> Jul  3 12:34:45 SRV-SIGNER-CLONE ods-signerd: [xfrd] zone mydomain.org
> request axfr to 192.168.60.202
> Jul  3 12:34:45 SRV-SIGNER-CLONE ods-signerd: [xfrd] zone mydomain.org
> got update indicating current serial 2017033002 from 192.168.60.202
> 
> But no updates between the signer and the public DNS.
> 
> Thank you in advance.
> 
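
Yuri's question above turns on whether a full re-sign reset every signature's lifetime, so that none has reached the refresh window yet. The following is an added example, not part of the original thread and not OpenDNSSEC code, that reads RRSIG records from a zone transfer and reports which signatures are due for refresh and when the first one will be. The sample records, the key tag and the three-day Refresh value are constructed assumptions; the real value is in `<Signatures><Refresh>` in kasp.xml.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIG records as printed by `dig axfr` (not from the thread).
SAMPLE_RRSIGS = """\
mydomain.org. 3600 IN RRSIG SOA 8 2 3600 20170717103000 20170703113445 12345 mydomain.org. c2FtcGxl
mydomain.org. 3600 IN RRSIG NS 8 2 3600 20170717180000 20170703113445 12345 mydomain.org. c2FtcGxl
www.mydomain.org. 3600 IN RRSIG A 8 3 3600 20170716221500 20170703113445 12345 mydomain.org. c2FtcGxl
"""

def _ts(field):
    """RRSIG timestamps are YYYYMMDDHHMMSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return (owner, covered_type, expiration, inception) per RRSIG line."""
    records = []
    for line in text.splitlines():
        f = line.split()
        # owner TTL class RRSIG covered alg labels origttl expiration inception tag signer sig
        if len(f) >= 13 and f[3] == "RRSIG":
            records.append((f[0], f[4], _ts(f[8]), _ts(f[9])))
    return records

def refresh_report(text, now, refresh):
    """Signatures inside the refresh window, and when the first one enters it."""
    records = parse_rrsigs(text)
    if not records:
        raise ValueError("no RRSIG records found")
    inceptions = [r[3] for r in records]
    return {
        # Due when the remaining lifetime has dropped to the Refresh period or less.
        "due": [(o, t) for o, t, exp, _ in records if exp - now <= refresh],
        "next_refresh": min(r[2] for r in records) - refresh,
        # A spread near zero means everything was signed in one pass (a full re-sign).
        "inception_spread": max(inceptions) - min(inceptions),
    }

if __name__ == "__main__":
    refresh = timedelta(days=3)  # assumed kasp.xml <Signatures><Refresh> value
    now = datetime(2017, 7, 6, 15, 44, 22, tzinfo=timezone.utc)
    report = refresh_report(SAMPLE_RRSIGS, now, refresh)
    print("due now:", report["due"])
    print("first refresh expected:", report["next_refresh"].isoformat())
    print("inception spread:", report["inception_spread"])
```

An empty "due" list together with a near-zero inception spread matches the full re-sign explanation: no signature is old enough to be refreshed, so the signer has no reason to produce a new zone version until the reported date.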
