[Opendnssec-user] Me and my opendnssec...

Abdulkareem H. Ali kareem.ali at centralnic.com
Wed Aug 28 16:56:33 UTC 2019


Hi Uli,

On 28/08/2019 15:40, Ulrich-Lorenz Schlüter wrote:
> Hi list,
>
> 1. When the DNS adapter is used, will there ever be files in
> /var/opendnssec/unsigned & /var/opendnssec/signed?

OpenDNSSec (ods) will only write into the signed dir.


By default, ods will look for the unsigned zone file in the
`/var/opendnssec/unsigned` directory and will only read from it, and
writes the signed file into the `/var/opendnssec/signed` dir.


> 2. I can not interpret this log. Would someone be so kind?
>
> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver:
> /usr/sbin/rndc
> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver process
> forked
> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver ok
> Aug 28 16:22:45 one ods-signerd[901]: [tools] log stats for zone
> sycosys.de serial 1567002165
> Aug 28 16:22:45 one ods-signerd[901]: [STATS] sycosys.de 1567002165
> RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=13 reused=0
> time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]


The lines above show what looks like a normal signing operation of
`sycosys.de`, and these are the last lines in the log of that process.
The `notify` is perhaps in your conf.xml config with the `Notify`
directive in xml brackets. I'm guessing that you have a local bind
instance running so you're using `rndc` to reload the zone. Btw, this
`notify` isn't an actual DNS notify type query, it's just a directive
for ODS to hit a script or a program after it finishes signing a zone.
In this case, it's running rndc to perhaps reload the signed zone file
into bind.

I think you have your logging level turned up, so you might want to
consider a lower logging number if you don't want to see that much
detail. It's also a directive in `conf.xml`, the <Verbosity> directive.


The lines below look more in line with actual DNS notify packets
to transfer the sycosys.de zone, and then ods will authenticate XFRs with
the tsig key `opendnssec-out`. We don't really use ods itself to do
those, so someone else can give a better in-depth explanation about it.


> Aug 28 16:22:45 one ods-signerd[901]: [tools] forward a notify
> Aug 28 16:22:45 one ods-signerd[901]: [dnshandler] forwarded notify: 6
> bytes sent
> Aug 28 16:22:45 one ods-signerd[901]: [file] open file
> file=sycosys.de.backup2.tmp mode=writing
> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] read forwarded dns
> packet: 6 bytes received
> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
> Aug 28 16:22:45 one ods-signerd[901]: [netio] dispatch timeout event
> without checking for other events
> Aug 28 16:22:45 one ods-signerd[901]: [notify] handle notify for zone
> sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify timeout for zone
> sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with
> key: opendnssec-out.
> Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with
> algorithm: hmac-sha256.
> Aug 28 16:22:45 one ods-signerd[901]: [notify] tsig append rr to notify
> id=19564
> Aug 28 16:22:45 one ods-signerd[901]: [file] openfile
> sycosys.de.backup2.tmp count 1
> Aug 28 16:22:45 one ods-signerd[901]: [notify] send 190 bytes over udp
> to 127.0.0.1
> Aug 28 16:22:45 one ods-signerd[901]: [scheduler] schedule task [sign]
> for sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [worker[1]] finished working
> Aug 28 16:22:45 one ods-signerd[901]: [worker[1]]: report for duty
> Aug 28 16:22:45 one ods-signerd[901]: [socket] incoming udp message
> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify retry 1 for zone
> sycosys.de sent to 127.0.0.1
> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
> Aug 28 16:22:45 one ods-signerd[901]: [notify] handle notify for zone
> sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [notify] read notify ok for zone
> sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de secondary
> 127.0.0.1 notify reply ok
> Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de no more
> secondaries, disable notify
> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify for zone
> sycosys.de disabled
> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
> Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY
> but 2048:41
> Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY
> but 14:2304
> Aug 28 16:22:45 one ods-signerd[901]: [query] too many additional rrs
> Aug 28 16:22:45 one ods-signerd[901]: [query] formerr
> Aug 28 16:22:45 one ods-signerd[901]: [socket] query processed qstate=0
> Aug 28 16:22:45 one ods-signerd[901]: [query] add edns opt ok
> Aug 28 16:22:45 one ods-signerd[901]: [socket] sending 141 bytes over udp
> Aug 28 16:22:45 one ods-signerd[901]: [dnshandler] netio dispatch
>
> Thanks & regards
> Uli


HTH,

Kareem.


-- 
Abdulkareem H. Ali
Operations Team Leader
CentralNic Group PLC
London Stock Exchange Symbol: CNIC

+44 20 3388 0600
www.CentralNic.com

CentralNic Group PLC is a company registered in England and Wales with
company number 8576358. Registered Offices:  CentralNic, 4th Floor, Saddlers House, 44 Gutter Lane, London, EC2V 6BR.
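The reply above reads the `[STATS]` line, the post-signing `rndc` hook and the TSIG-signed notify out of a verbose `ods-signerd` log by eye. The following script is an added example (not code from the thread or from the OpenDNSSEC project) that does the same triage mechanically: it parses the syslog-style lines, pulls the per-zone RRSIG counters and serial from `[STATS]`, records which command the `Notify` hook ran, which TSIG key and algorithm signed the outgoing notify and which secondaries acknowledged it, and lists the `[tsig] parse` / `[query] formerr` lines that Uli asked about so they are not buried in the scheduler chatter. The sample input is the quoted log re-joined where the mail client wrapped it; the regular expressions are assumptions matched against those quoted lines only, not a documented log grammar.

```python
import re

# Constructed sample input: the ods-signerd lines quoted in the thread,
# re-joined where the mail client wrapped them.
SAMPLE_LOG = """\
Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver: /usr/sbin/rndc
Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver ok
Aug 28 16:22:45 one ods-signerd[901]: [STATS] sycosys.de 1567002165 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=13 reused=0 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with key: opendnssec-out.
Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with algorithm: hmac-sha256.
Aug 28 16:22:45 one ods-signerd[901]: [notify] send 190 bytes over udp to 127.0.0.1
Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de secondary 127.0.0.1 notify reply ok
Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY but 2048:41
Aug 28 16:22:45 one ods-signerd[901]: [query] too many additional rrs
Aug 28 16:22:45 one ods-signerd[901]: [query] formerr
"""

# Assumed line shape: "<syslog ts> <host> ods-signerd[<pid>]: [<module>] <msg>".
# The module may carry an index, e.g. "[worker[1]]".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"ods-signerd\[(?P<pid>\d+)\]: \[(?P<module>\w+(?:\[\d+\])?)\]:? (?P<msg>.*)$"
)
# Assumed shape of the [STATS] message, taken from the quoted line.
STATS_RE = re.compile(
    r"^(?P<zone>\S+) (?P<serial>\d+) "
    r"RR\[count=(?P<rr>\d+) time=\d+\(sec\)\] "
    r"NSEC3\[count=(?P<nsec3>\d+) time=\d+\(sec\)\] "
    r"RRSIG\[new=(?P<new>\d+) reused=(?P<reused>\d+) time=\d+\(sec\) avg=\d+\(sig/sec\)\] "
    r"TOTAL\[time=(?P<total>\d+)\(sec\)\]$"
)
CMD_RE = re.compile(r"^notify nameserver: (?P<cmd>.+)$")
TSIG_KEY_RE = re.compile(r"^tsig sign notify with key: (?P<key>\S+?)\.?$")
TSIG_ALG_RE = re.compile(r"^tsig sign notify with algorithm: (?P<alg>\S+?)\.?$")
ACK_RE = re.compile(r"^zone (?P<zone>\S+) secondary (?P<addr>\S+) notify reply ok$")

# Message fragments that indicate a malformed or unexpected packet on the
# signer's DNS socket; these are the lines worth surfacing from a verbose log.
ANOMALY_MARKERS = ("formerr", "too many additional rrs", "not TSIG")


def parse_lines(text):
    """Return one dict per recognised ods-signerd line; unrecognised lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def signing_stats(records):
    """Map zone -> serial and RRSIG counters from [STATS] lines."""
    stats = {}
    for r in records:
        if r["module"] != "STATS":
            continue
        m = STATS_RE.match(r["msg"])
        if m:
            stats[m["zone"]] = {
                "serial": int(m["serial"]),
                "rrsig_new": int(m["new"]),
                "rrsig_reused": int(m["reused"]),
                "total_sec": int(m["total"]),
            }
    return stats


def notify_summary(records):
    """Collect the post-signing hook, the TSIG parameters and the acknowledged secondaries."""
    summary = {"post_sign_command": None, "tsig_key": None,
               "tsig_algorithm": None, "acked_secondaries": []}
    for r in records:
        msg = r["msg"]
        m = CMD_RE.match(msg)
        if m:
            summary["post_sign_command"] = m["cmd"]
        m = TSIG_KEY_RE.match(msg)
        if m:
            summary["tsig_key"] = m["key"]
        m = TSIG_ALG_RE.match(msg)
        if m:
            summary["tsig_algorithm"] = m["alg"]
        m = ACK_RE.match(msg)
        if m and m["addr"] not in summary["acked_secondaries"]:
            summary["acked_secondaries"].append(m["addr"])
    return summary


def anomalies(records):
    """Lines about malformed or unexpected packets, prefixed with their module tag."""
    return [f"[{r['module']}] {r['msg']}" for r in records
            if any(marker in r["msg"] for marker in ANOMALY_MARKERS)]


def triage(text):
    """Full summary of one signer run: stats, notify details and flagged lines."""
    recs = parse_lines(text)
    return {"stats": signing_stats(recs), "notify": notify_summary(recs),
            "anomalies": anomalies(recs)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run against a real journal with `journalctl -u ods-signerd | python3 triage.py` style piping once `SAMPLE_LOG` is replaced by `sys.stdin.read()`; the `anomalies` list is the part to alert on, since a steady stream of `formerr` from one source address is something an operator wants to see even at a lower `<Verbosity>`.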
