[Opendnssec-user] ods-signer trying to sign long-removed zones

Philip Paeps philip at trouble.is
Tue Jun 15 08:43:48 UTC 2021


On 2021-06-15 14:19:09 (+0800), Stefan Ubbink wrote:

> On Tue, 15 Jun 2021 13:47:37 +0800
> Philip Paeps via Opendnssec-user 
> <opendnssec-user at lists.opendnssec.org>
> wrote:
>
>> On 2021-06-15 13:22:08 (+0800), Philip Paeps via Opendnssec-user
>> wrote:
>>> This is a zone we used to have a long time ago.  It was deleted
>>> from zonelist.xml a long time ago (years).  'ods-enforcer zone
>>> list' does not know about this zone.  So the database must have
>>> been updated. However .. 'ods-signer zones' does know about this
>>> zone.  And it's trying to sign it apparently.
>>>
>>> There are a couple of other zones in this state.
>>>
>>> I have tried 'ods-signer update all' and 'ods-signer clear
>>> 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa'.  Apparently to no avail.
>>>
>>> Is there a way to help ods-signer forget about these stale zones so
>>> our log files stop growing in vain?
>>
>> I deleted some files referencing these zones from
>> /usr/local/opendnssec/var/{signer,signconf}.  That seems to have
>> changed the problem.  I am not sure if this is a better or worse
>> problem to have.  The logs are now:
>>
>> Jun 15 05:40:47 ns-master ods-signerd[11051]: [file] unable to stat file /usr/local/var/opendnssec/signconf/1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa.xml: ods_fopen() failed
>> Jun 15 05:40:47 ns-master ods-signerd[11051]: WARNING: unable to sign zone 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa, signconf is not ready
>> Jun 15 05:40:47 ns-master ods-signerd[11051]: back-off task [configure] for zone 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa with 480 seconds
>>
>> I can restore those files from a ZFS snapshot if that makes the
>> problem easier to solve. :)
>>
>> ods-signer zones still sees them, ods-enforcer zone list does not.
>> ods-signer queue shows them, ods-enforcer queue does not.
>
> Did you restart OpenDNSSEC (ods-control stop; ods-control start)?
>
> Before restarting ODS, you might want to write the new files for the
> signer using the `ods-enforcer signconf` command.

Yeah.  I restarted the entire jail several times.

But it looks like the problem was that we were stuck in a kind of 
intermediate state.  I am guessing that ods-enforcer crashed while 
deleting the zones and that the zones.xml file was not correctly updated.

Looking through /usr/local/var/opendnssec, we seem to be carrying quite 
a lot of stale state around.  That's probably going to haunt us when we 
least expect it.

I wonder, is there an authoritative list of "intermediate" or "state" 
files OpenDNSSEC needs/wants/creates/tracks?  While I'm watching this 
jail closely, I should take the opportunity to tidy up.

Philip

-- 
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
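A check in the spirit of the last question above, added here and not part of the thread or of OpenDNSSEC itself: it lists signer-side state files whose zone is no longer declared in zonelist.xml, so stale state can be reviewed before anything is removed. It assumes the `<Zone name="...">` layout of zonelist.xml and the `signconf/<zone>.xml` naming seen in the quoted log; install paths are assumptions to adjust.

```sh
#!/bin/sh
# Added example, not from the thread or the OpenDNSSEC project: report signer
# state files whose zone is no longer declared in zonelist.xml (report only;
# deleting is the operator's call, ideally with a snapshot to fall back on).

# Zone names declared in zonelist.xml, one <Zone name="..."> element per zone.
zonelist_zones() {
    sed -n 's/.*<Zone name="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Zone names implied by files in state directory $1 ending in suffix $2,
# e.g. signconf/<zone>.xml (the file the quoted log says is missing).
state_zones() {
    dir="$1"; suffix="$2"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*"$suffix"; do
        [ -e "$f" ] || continue          # glob matched nothing
        basename "$f" "$suffix"
    done | sort -u
}

# Zones with state files in directory $2 but no <Zone> in zonelist $1.
stale_zones() {
    known=$(mktemp)
    zonelist_zones "$1" >"$known"
    state_zones "$2" "$3" | grep -vxF -f "$known" || true   # empty result is fine
    rm -f "$known"
}

# Self-contained demo on a constructed tree: one live zone, one stale signconf
# left behind for the ip6.arpa zone from the thread.
demo() {
    work=$(mktemp -d)
    mkdir "$work/signconf"
    cat >"$work/zonelist.xml" <<'EOF'
<ZoneList>
  <Zone name="example.net">
    <Policy>default</Policy>
    <SignerConfiguration>/usr/local/var/opendnssec/signconf/example.net.xml</SignerConfiguration>
  </Zone>
</ZoneList>
EOF
    : >"$work/signconf/example.net.xml"
    : >"$work/signconf/1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa.xml"
    stale_zones "$work/zonelist.xml" "$work/signconf" .xml
    rm -rf "$work"
}
# Live check (assumed paths): stale_zones /usr/local/etc/opendnssec/zonelist.xml /usr/local/var/opendnssec/signconf .xml
```

The same function works for other state directories by changing the directory and suffix arguments, as long as files there are named after the zone.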