[Opendnssec-user] Me and my opendnssec...

Ulrich-Lorenz Schlüter audiomobster at gmail.com
Thu Aug 29 08:51:31 UTC 2019 

Hi Abdulkareem and list,
Am 28.08.19 um 18:56 schrieb Abdulkareem H. Ali:
> Hi Uli,
> 
> On 28/08/2019 15:40, Ulrich-Lorenz Schlüter wrote:
>> Hi list,
>>
>> 1. When the DNS adapter is used, will there ever be files in
>> /var/opendnssec/unsigned & /var/opendnssec/signed?
> 
> OpenDNSSec (ods) will only write into the signed dir.
> 
> 
> By default, ods will look for the unsigned zone file in
> `/var/opendnssec/unsigned` directory and will only do reads from it, and
> writes the signed file into `/var/opendnssec/signed` dir.
This is the corresponding folder structure:
ls /var/opendnssec/*
/var/opendnssec/kasp.db  /var/opendnssec/kasp.db.backup
/var/opendnssec/kasp.db.our_lock
/var/opendnssec/enforcer:
zones.xml
/var/opendnssec/signconf:
sycosys.de.xml
/var/opendnssec/signed:
/var/opendnssec/signer:
sycosys.de.axfr  sycosys.de.backup2  sycosys.de.ixfr
/var/opendnssec/tmp:
/var/opendnssec/unsigned:

The files in '/var/opendnssec/signer' are all signed.
I was assuming this is due to using the DNS adaptor instead of the FILE
adaptor when triggering a:
'ods-enforcer zone add -z sycosys.de -j DNS -q DNS'
Is this explained anywhere in the documentation?
>> 2. I can not interpret this log. Would someone be so kind?
>>
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver:
>> /usr/sbin/rndc
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver process
>> forked
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver ok
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] log stats for zone
>> sycosys.de serial 1567002165
>> Aug 28 16:22:45 one ods-signerd[901]: [STATS] sycosys.de 1567002165
>> RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=13 reused=0
>> time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> 
> 
> The lines above show what looks like a normal signing operation of
> `sycosys.de`, and these are the last lines in the log of that process.
> The `notify` is perhaps in your conf.xml config with the `Notify`
> directive in xml brackets. I'm guessing that you have a local bind
> instance running so you're using `rndc` to reload the zone. Btw, this
> `notify` isn't an actual DNS notify type query, it's just a directive
> for ODS to hit a script or a program after it finishes signing a zone.
> In this case, it's running rndc to perhaps reload the signed zone file
> into bind.
> 
> I think you have your logging level turned up, so you might want to
> consider lower logging number if you don't want to see that much of a
> detail. Also a directive in `conf.xml` with <Verbosity> directive.
> 
> 
> The lines below looks like more in line with actual DNS notifies packets
> to transfer the sycosys.de zone and then ods will authenticate XFRs with
> the tsig key of `opendnssec-out`. We don't really use ods it self to do
> those, so someone else can give a better indepth explanation about it.
> 
> 
>> Aug 28 16:22:45 one ods-signerd[901]: [tools] forward a notify
>> Aug 28 16:22:45 one ods-signerd[901]: [dnshandler] forwarded notify: 6
>> bytes sent
>> Aug 28 16:22:45 one ods-signerd[901]: [file] open file
>> file=sycosys.de.backup2.tmp mode=writing
>> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] read forwarded dns
>> packet: 6 bytes received
>> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
>> Aug 28 16:22:45 one ods-signerd[901]: [netio] dispatch timeout event
>> without checking for other events
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] handle notify for zone
>> sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify timeout for zone
>> sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with
>> key: opendnssec-out.
>> Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with
>> algorithm: hmac-sha256.
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] tsig append rr to notify
>> id=19564
>> Aug 28 16:22:45 one ods-signerd[901]: [file] openfile
>> sycosys.de.backup2.tmp count 1
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] send 190 bytes over udp
>> to 127.0.0.1
>> Aug 28 16:22:45 one ods-signerd[901]: [scheduler] schedule task [sign]
>> for sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [worker[1]] finished working
>> Aug 28 16:22:45 one ods-signerd[901]: [worker[1]]: report for duty
>> Aug 28 16:22:45 one ods-signerd[901]: [socket] incoming udp message
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify retry 1 for zone
>> sycosys.de sent to 127.0.0.1
>> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] handle notify for zone
>> sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] read notify ok for zone
>> sycosys.de
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de secondary
>> 127.0.0.1 notify reply ok
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de no more
>> secondaries, disable notify
>> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify for zone
>> sycosys.de disabled
>> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
>> Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY
>> but 2048:41
>> Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY
>> but 14:2304
>> Aug 28 16:22:45 one ods-signerd[901]: [query] too many additional rrs
>> Aug 28 16:22:45 one ods-signerd[901]: [query] formerr
>> Aug 28 16:22:45 one ods-signerd[901]: [socket] query processed qstate=0
>> Aug 28 16:22:45 one ods-signerd[901]: [query] add edns opt ok
>> Aug 28 16:22:45 one ods-signerd[901]: [socket] sending 141 bytes over udp
>> Aug 28 16:22:45 one ods-signerd[901]: [dnshandler] netio dispatch
>>
>> Thanks & regards
>> Uli
>> _______________________________________________
>> Opendnssec-user mailing list
>> Opendnssec-user at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
> 
> HTH,
> 
> Kareem.
> 
>

More information about the Opendnssec-user mailing list