[Opendnssec-user] Same SOA#, different content?!?
Havard Eidnes
he at uninett.no
Thu Mar 22 17:02:10 UTC 2018
> On 03/22/2018 03:13 PM, Havard Eidnes wrote:
>> recently our ods-signerd crashed due to me removing a zone from
>> our setup -- the crash happened 5-10 minutes later, and has been
>> reported as a bug. (We're on OpenDNSSEC 1.4.13, with zone
>> transfers in and out.)
>>
>> Following this crash I had to remove our /var/opendnssec/tmp
>> directory to "start from a clean slate" (actually, I saved the
>> old dir after a false start, where I saw in the log e.g.
>
> The tmp directory contains some vital information regarding the
> current SOA serial. Unfortunate its naming is tmp still in 1.4,
> but it is actually a working directory.
> Because of the crash you might have had no other option to
> remove its content, but this might be the cause of a subsequent
> problems.
Mm, OK, I sort of guessed it; good to have it confirmed.
> A future major release will actually seperate out primary SOA
> serial information from the more volatile signature "tmp"
> storage.
OK, good. But that's not in 2.x yet, I presume?
Because ...
>> Mar 14 14:58:02 tilfeldigvis ods-signerd: [axfr] zone 60.39.128.in-addr.arpa expired at 1518409250, and it is now 1521035882: not serving soa (serial_xfr_acquired=1517804450, expire=604800)
This sort of log entry is what scared me to move away the tmp/
contents. Not serving the zone to downstream name servers
despite there not being any problems whatsoever is raising a big
red flag in my view. OpenDNSSEC is severely mis-calculating the
expiry of the zone file, but perhaps this is transient and is
considered "normal" during startup? (I would say it's nothing
but normal behaviour for a DNS name server under any circumstance.)
Regards,
- Håvard
More information about the Opendnssec-user
mailing list