[Opendnssec-user] ods-signer trying to sign long-removed zones
Stefan Ubbink
Stefan.Ubbink at sidn.nl
Tue Jun 15 06:19:09 UTC 2021
On Tue, 15 Jun 2021 13:47:37 +0800
Philip Paeps via Opendnssec-user <opendnssec-user at lists.opendnssec.org>
wrote:
> On 2021-06-15 13:22:08 (+0800), Philip Paeps via Opendnssec-user
> wrote:
> > This is a zone we used to have a long time ago. It was deleted
> > from zonelist.xml a long time ago (years). 'ods-enforcer zone
> > list' does not know about this zone. So the database must have
> > been updated. However .. 'ods-signer zones' does know about this
> > zone. And it's trying to sign it apparently.
> >
> > There are a couple of other zones in this state.
> >
> > I have tried 'ods-signer update all' and 'ods-signer clear
> > 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa'. Apparently to no avail.
> >
> > Is there a way to help ods-signer forget about these stale zones so
> > our log files stop growing in vain?
>
> I deleted some files referencing these zones from
> /usr/local/opendnssec/var/{signer,signconf}. That seems to have
> changed the problem. I am not sure if this is a better or worse
> problem to have. The logs are now:
>
> Jun 15 05:40:47 ns-master ods-signerd[11051]: [file] unable to stat file /usr/local/var/opendnssec/signconf/1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa.xml: ods_fopen() failed
> Jun 15 05:40:47 ns-master ods-signerd[11051]: WARNING: unable to sign zone 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa, signconf is not ready
> Jun 15 05:40:47 ns-master ods-signerd[11051]: back-off task [configure] for zone 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa with 480 seconds
>
> I can restore those files from a ZFS snapshot if that makes the
> problem easier to solve. :)
>
> ods-signer zones still sees them, ods-enforcer zone list does not.
> ods-signer queue shows them, ods-enforcer queue does not.

Did you restart OpenDNSSEC (ods-control stop; ods-control start)?
Before restarting ODS, you might want to write the new files for the
signer using the `ods-enforcer signconf` command.
--
Stefan Ubbink
DNS & Systems Engineer
Present: Mon, Tue, Wed, Fri
SIDN | Meander 501 | 6825 MD | ARNHEM | The Netherlands
T +31 (0)26 352 55 00
https://www.sidn.nl