[Opendnssec-user] ods-signer trying to sign long-removed zones

Philip Paeps philip at trouble.is
Tue Jun 15 05:47:37 UTC 2021


On 2021-06-15 13:22:08 (+0800), Philip Paeps via Opendnssec-user wrote:
> This is a zone we used to have a long time ago.  It was deleted from 
> zonelist.xml a long time ago (years).  'ods-enforcer zone list' does 
> not know about this zone.  So the database must have been updated.  
> However .. 'ods-signer zones' does know about this zone.  And it's 
> trying to sign it apparently.
>
> There are a couple of other zones in this state.
>
> I have tried 'ods-signer update all' and 'ods-signer clear 
> 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa'.  Apparently to no avail.
>
> Is there a way to help ods-signer forget about these stale zones so 
> our log files stop growing in vain?

I deleted some files referencing these zones from 
/usr/local/opendnssec/var/{signer,signconf}.  That seems to have changed 
the problem.  I am not sure if this is a better or worse problem to 
have.  The logs are now:

Jun 15 05:40:47 ns-master ods-signerd[11051]: [file] unable to stat file /usr/local/var/opendnssec/signconf/1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa.xml: ods_fopen() failed
Jun 15 05:40:47 ns-master ods-signerd[11051]: WARNING: unable to sign zone 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa, signconf is not ready
Jun 15 05:40:47 ns-master ods-signerd[11051]: back-off task [configure] for zone 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa with 480 seconds

I can restore those files from a ZFS snapshot if that makes the problem 
easier to solve. :)

ods-signer zones still sees them, ods-enforcer zone list does not.  
ods-signer queue shows them, ods-enforcer queue does not.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
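
Added example, not part of the original message and not OpenDNSSEC code: a small Python parser for the three ods-signerd log messages quoted above, which reports zones the signer keeps retrying but the enforcer no longer lists. The `enforcer_zones` argument is an assumption: a list of zone names the operator has copied from 'ods-enforcer zone list'. The `example.net` entries in the sample are constructed.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Patterns for the three ods-signerd messages quoted in the post.
STAT_RE = re.compile(r"\[file\] unable to stat file (\S+): ods_fopen\(\) failed")
SIGN_RE = re.compile(r"unable to sign zone (\S+), signconf is not ready")
BACKOFF_RE = re.compile(r"back-off task \[(\w+)\] for zone (\S+) with (\d+) seconds")

def summarize(lines):
    """Collect per-zone failure evidence from ods-signerd syslog lines."""
    zones = defaultdict(lambda: {"missing_signconf": None, "not_ready": 0, "backoff": None})
    for line in lines:
        if "ods-signerd[" not in line:
            continue  # ignore other daemons sharing the same log file
        if m := STAT_RE.search(line):
            path = PurePosixPath(m.group(1))
            if path.suffix == ".xml":  # signconf files are named <zone>.xml
                zones[path.stem]["missing_signconf"] = str(path)
        elif m := SIGN_RE.search(line):
            zones[m.group(1)]["not_ready"] += 1
        elif m := BACKOFF_RE.search(line):
            zones[m.group(2)]["backoff"] = (m.group(1), int(m.group(3)))
    return dict(zones)

def stale_candidates(lines, enforcer_zones):
    """Zones the signer keeps retrying that the enforcer no longer lists."""
    known = {z.rstrip(".").lower() for z in enforcer_zones}
    return sorted(z for z, ev in summarize(lines).items()
                  if ev["not_ready"] and z.rstrip(".").lower() not in known)

def sample_lines():
    """Constructed sample: the quoted entries, plus the same for example.net."""
    prefix = "Jun 15 05:40:47 ns-master ods-signerd[11051]: "
    out = []
    for zone in ("1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa", "example.net"):
        out += [
            f"{prefix}[file] unable to stat file "
            f"/usr/local/var/opendnssec/signconf/{zone}.xml: ods_fopen() failed",
            f"{prefix}WARNING: unable to sign zone {zone}, signconf is not ready",
            f"{prefix}back-off task [configure] for zone {zone} with 480 seconds",
        ]
    return out

if __name__ == "__main__":
    # example.net is still managed by the enforcer, so only the ip6.arpa zone is reported.
    for zone in stale_candidates(sample_lines(), ["example.net"]):
        print(zone, summarize(sample_lines())[zone])
```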

