Discussion:
[Opendnssec-user] Zone updates with 1.4.14
Roman Serbski
2017-07-05 14:20:54 UTC
Hello,

Hidden master (NSD 4.1.0), signer (OpenDNSSEC 1.4.6 using DNS
adapters), and public DNS (NSD 4.1.0), all under FreeBSD 10.0-STABLE.

I'm planning to update the whole setup to the latest NSD 4.1.16,
OpenDNSSEC 1.4.14, FreeBSD 11, therefore I cloned all servers and
performed an update in the lab.

Everything is working fine except that it seems that I lost automatic
zone updates performed by OpenDNSSEC. In 1.4.6, there was one update
per day, per zone. In 1.4.14 I don't see any updates for three days
already.

My kasp.conf remained unchanged:

<Zone>
<PropagationDelay>PT43200S</PropagationDelay>
<SOA>
<TTL>PT3600S</TTL>
<Minimum>PT3600S</Minimum>
<Serial>datecounter</Serial>
</SOA>
</Zone>

- if I manually bump the serial on the hidden master and reload the zone,
it's instantly reflected on the public DNS;
- automatic ZSK roll-over triggers an SOA increment as well;
- shutting down OpenDNSSEC, clearing /var/opendnssec/tmp/, and
starting OpenDNSSEC triggers updates too.

I see constant communication between the hidden master and the signer:

[2017-07-03 12:34:45.090] nsd[6547]: info: axfr for mydomain.org. from
192.168.60.203

Jul 3 12:34:45 SRV-SIGNER-CLONE ods-signerd: [xfrd] zone mydomain.org
request axfr to 192.168.60.202
Jul 3 12:34:45 SRV-SIGNER-CLONE ods-signerd: [xfrd] zone mydomain.org
got update indicating current serial 2017033002 from 192.168.60.202

But no updates between the signer and the public DNS.

Thank you in advance.
Yuri Schaeffer
2017-07-06 15:44:22 UTC
Hi Roman,

I'm not 100% sure what you mean. I think you are saying that you used to
see a daily resign of expired signatures but now you don't. Is that correct?
Did OpenDNSSEC do a full resign after you upgraded? This might
explain why no signatures are expiring /yet/. Can you share your
kasp.xml and conf.xml (beware! conf may contain passwords/pins). I could
take a look and assert your expectations.

//Yuri
Post by Roman Serbski
Hello,
Hidden master (NSD 4.1.0), signer (OpenDNSSEC 1.4.6 using DNS
adapters), and public DNS (NSD 4.1.0), all under FreeBSD 10.0-STABLE.
I'm planning to update the whole setup to the latest NSD 4.1.16,
OpenDNSSEC 1.4.14, FreeBSD 11, therefore I cloned all servers and
performed an update in the lab.
Everything is working fine except that it seems that I lost automatic
zone updates performed by OpenDNSSEC. In 1.4.6, there was one update
per day, per zone. In 1.4.14 I don't see any updates for three days
already.
<Zone>
<PropagationDelay>PT43200S</PropagationDelay>
<SOA>
<TTL>PT3600S</TTL>
<Minimum>PT3600S</Minimum>
<Serial>datecounter</Serial>
</SOA>
</Zone>
- if I manually bump the serial on the hidden master and reload the zone,
it's instantly reflected on the public DNS;
- automatic ZSK roll-over triggers an SOA increment as well;
- shutting down OpenDNSSEC, clearing /var/opendnssec/tmp/, and
starting OpenDNSSEC triggers updates too.
[2017-07-03 12:34:45.090] nsd[6547]: info: axfr for mydomain.org. from
192.168.60.203
Jul 3 12:34:45 SRV-SIGNER-CLONE ods-signerd: [xfrd] zone mydomain.org
request axfr to 192.168.60.202
Jul 3 12:34:45 SRV-SIGNER-CLONE ods-signerd: [xfrd] zone mydomain.org
got update indicating current serial 2017033002 from 192.168.60.202
But no updates between the signer and the public DNS.
Thank you in advance.
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Roman Serbski
2017-07-07 08:28:09 UTC
Post by Yuri Schaeffer
Hi Roman,
I'm not 100% sure what you mean. I think you are saying that you used to
see a daily resign of expired signatures but now you don't. Is that correct?
Did OpenDNSSEC do a full resign after you upgraded? This might
explain why no signatures are expiring /yet/. Can you share your
kasp.xml and conf.xml (beware! conf may contain passwords/pins). I could
take a look and assert your expectations.
Hi Yuri,

Thanks for your reply, and sorry for the confusion. Daily resigns are
exactly what I miss after the update.

On 2nd of July I stopped OpenDNSSEC and emptied
/usr/local/var/opendnssec/tmp/. Once started, all zones were resigned,
and I can see the SOA for all zones set to 2017070200 on the public
DNS. Since then there was nothing resigned, except for one zone with
ZSK renewed.

My kasp.xml and conf.xml are attached.

Thank you in advance.
Yuri Schaeffer
2017-07-07 09:33:19 UTC
Post by Roman Serbski
On 2nd of July I stopped OpenDNSSEC and emptied
/usr/local/var/opendnssec/tmp/. Once started, all zones were resigned,
and I can see the SOA for all zones set to 2017070200 on the public
DNS. Since then there was nothing resigned, except for one zone with
ZSK renewed.
Right. So on the 2nd of July everything was signed from scratch. You
configured a 14 day validity with a 12 hour jitter. If there are no
changes to the zone from now the first signature to expire should be
around the 15th or 16th of July. So this is perfectly expected behaviour.

After some time this jitter will accumulate and spread the expiry of
signatures into a more even distribution. External changes to the zone
will speed up this process.

//Yuri
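The scheduling Yuri describes, as an added example that is not code from the thread or from the OpenDNSSEC project: each signature gets the configured validity plus a random jitter, the signer re-signs a record set once its signature is inside the refresh window, and because every refresh draws fresh jitter on top of already spread-out refresh times, the re-signing of a zone spreads further with each generation. The 14 day validity, 12 hour jitter and the 2017-07-02 full sign come from the thread; the 00:00 UTC signing time is a constructed assumption, and the symmetric plus/minus jitter model, the 3 day refresh and the 2 hour signer interval are hypothetical values chosen for the example, not settings stated anywhere in the thread.

```python
"""Added example (not from the thread or the OpenDNSSEC project).

Models signature expiry with validity +/- jitter and a refresh window, to
show why a freshly re-signed zone shows no re-signing for ~11 days and why
the daily re-signing Roman was used to only reappears after a few
generations of refreshes.
"""
import random
import re
from datetime import datetime, timedelta, timezone

# Subset of ISO 8601 durations as written in kasp.xml (P14D, PT12H, PT43200S).
# Years, months and weeks are deliberately not handled by this toy parser.
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Convert a kasp.xml style duration into a timedelta."""
    m = _DURATION.match(text)
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(
        days=int(m.group("d") or 0),
        hours=int(m.group("h") or 0),
        minutes=int(m.group("m") or 0),
        seconds=int(m.group("s") or 0),
    )


def expiry_window(signed_at, validity, jitter):
    """Earliest and latest expiry of a signature made at signed_at.

    Assumes jitter is applied as a uniform offset in [-jitter, +jitter]
    around signed_at + validity (an assumption about the signer, not a
    fact taken from the thread)."""
    return signed_at + validity - jitter, signed_at + validity + jitter


def simulate_resign_waves(n_rrsets, validity, jitter, refresh, resign_interval,
                          signed_at, generations=3, seed=1):
    """Return {generation: span}, where span is how long the signer spent
    re-signing that generation of signatures (last re-sign minus first).

    Generation 1 is the first refresh after the initial full sign."""
    rng = random.Random(seed)
    jitter_s = jitter.total_seconds()

    def jittered_expiry(at):
        return at + validity + timedelta(seconds=rng.uniform(-jitter_s, jitter_s))

    expiry = [jittered_expiry(signed_at) for _ in range(n_rrsets)]
    generation = [0] * n_rrsets
    first, last = {}, {}
    now = signed_at
    horizon = signed_at + (generations + 1) * validity
    while now < horizon:
        now += resign_interval  # one periodic signer run
        for i in range(n_rrsets):
            # Refresh rule: re-sign once the signature expires within `refresh`.
            if expiry[i] - refresh <= now:
                expiry[i] = jittered_expiry(now)
                generation[i] += 1
                g = generation[i]
                first.setdefault(g, now)  # runs are monotonic, so first seen is earliest
                last[g] = now
    return {g: last[g] - first[g] for g in sorted(first) if g <= generations}


# Values from the thread (the time of day of the full sign is constructed).
VALIDITY = parse_duration("P14D")
JITTER = parse_duration("PT12H")
SIGNED_AT = datetime(2017, 7, 2, 0, 0, tzinfo=timezone.utc)
# Hypothetical scheduling parameters, not stated anywhere in the thread.
REFRESH = parse_duration("P3D")
RESIGN_INTERVAL = parse_duration("PT2H")


if __name__ == "__main__":
    lo, hi = expiry_window(SIGNED_AT, VALIDITY, JITTER)
    print(f"first signatures expire between {lo:%Y-%m-%d %H:%M} "
          f"and {hi:%Y-%m-%d %H:%M} UTC")
    waves = simulate_resign_waves(500, VALIDITY, JITTER, REFRESH,
                                  RESIGN_INTERVAL, SIGNED_AT)
    for g, span in waves.items():
        print(f"generation {g}: re-signing spread over "
              f"{span.total_seconds() / 3600:.0f} h")
```

With the thread's values the first expiries land between noon on 15 July and noon on 16 July, matching Yuri's estimate; the simulation's spans show the re-signing window of one zone widening from roughly a day to several days over successive generations, which is the "accumulating jitter" he refers to.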
Roman Serbski
2017-07-07 10:23:33 UTC
Post by Yuri Schaeffer
Right. So on the 2nd of July everything was signed from scratch. You
configured a 14 day validity with a 12 hour jitter. If there are no
changes to the zone from now the first signature to expire should be
around the 15th or 16th of July. So this is perfectly expected behaviour.
After some time this jitter will accumulate and spread the expiry of
signatures into a more even distribution. External changes to the zone
will speed up this process.
Many thanks Yuri.

I was confused by 1.4.6 behavior then, because it does sign all zones
every day (same config). Perhaps it was actually fixed somewhere after
1.4.6, and this is now expected.

On another subject: since we're planning to update the production
environment in any case, would you recommend switching to 2.1.1, or
is it still considered a development branch?

Thank you and have a nice weekend.
Yuri Schaeffer
2017-07-07 10:32:02 UTC
Post by Roman Serbski
I was confused by 1.4.6 behavior then, because it does sign all zones
every day (same config). Perhaps it was actually fixed somewhere after
1.4.6, and this is now expected.
The system behaves the same. You just supplied it with different input.
You'll see the daily resigning you are used to in a couple of weeks /
months.
Post by Roman Serbski
On another subject: since we're planning to update the production
environment in any case, would you recommend switching to 2.1.1, or
is it still considered a development branch?
2.1.1 is very much production ready and I recommend upgrading to it.

//Yuri