Discussion:
[Opendnssec-user] XFR with YADIFA: UNPROCESSABLE_MESSAGE
Djordje Antic
2016-03-29 23:46:08 UTC
Hi,

I have a DNS setup that looks like this:

Hidden master (BIND) [xfr]-> DNSSEC signer (OpenDNSSEC) [xfr]-> 4x
Public slaves (NSD, BIND, YADIFA, KNOT).

NSD, BIND and KNOT machines are receiving and serving zones without
problems, but YADIFA is not. This problem does not occur when set to
update directly from the hidden master, but then it loses the DNSSEC
'bump-in-the-wire' and thus serves unsigned zones.

Versions:
BIND: 9.10.3
OpenDNSSEC 1.4.9
YADIFA 2.1.6


YADIFA log:

2016-03-29 15:22:39.127905 | server | I | slave: example.com. AXFR query to the master
2016-03-29 15:22:39.127907 | server | 6 | acquire: ***@00007FB5017F3970 rc=3
2016-03-29 15:22:39.127927 | server | 6 | release: ***@00007FB5017F3970 rc=2
2016-03-29 15:22:39.127929 | server | I | axfr: example.com.: transfer will be signed with key 'key2.'
2016-03-29 15:22:39.128492 | server | 6 | acquire: ***@00007FB5017F3970 rc=3
2016-03-29 15:22:39.128495 | server | 6 | release: ***@00007FB5017F3970 rc=2
2016-03-29 15:22:39.131463 | server | D | axfr: example.com.: AXFR stream copy init failed: UNPROCESSABLE_MESSAGE
2016-03-29 15:22:39.131499 | server | E | slave: query error for domain example.com. from master at 11.22.33.44#53: UNPROCESSABLE_MESSAGE
2016-03-29 15:22:39.131502 | server | 6 | zone_lock(***@00007FB5017F3970, 86)
2016-03-29 15:22:39.131503 | server | D | database_service: enqueue operation DATABASE_SERVICE_ZONE_DOWNLOADED_EVENT on example.com.: UNPROCESSABLE_MESSAGE
2016-03-29 15:22:39.131506 | server | 6 | zone_unlock(***@00007FB5017F3970, 86)
2016-03-29 15:22:39.131507 | server | 6 | release: ***@00007FB5017F3970 rc=1
2016-03-29 15:22:39.131903 | server | 6 | acquire: ***@00007FB5017F3970 rc=2
2016-03-29 15:22:39.131905 | server | E | database: failed to download the zone for example.com.: UNPROCESSABLE_MESSAGE
2016-03-29 15:22:39.131906 | server | 6 | zone_lock(***@00007FB5017F3970, 89)


OpenDNSSEC log:

Mar 29 15:22:39 ods ods-signerd: [socket] handle incoming tcp connection
Mar 29 15:22:39 ods ods-signerd: [netio] handler added
Mar 29 15:22:39 ods ods-signerd: [socket] incoming tcp message
Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: reset query
Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: bytes transmitted 2 (received 2)
Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: bytes transmitted 108 (received 106)
Mar 29 15:22:39 ods ods-signerd: [query] tsig OK
Mar 29 15:22:39 ods ods-signerd: [query] incoming query qtype=AXFR for zone example.com
Mar 29 15:22:39 ods ods-signerd: [acl] match 55.66.77.88
Mar 29 15:22:39 ods ods-signerd: [query] incoming axfr request for zone example.com
Mar 29 15:22:39 ods ods-signerd: [file] openfile example.com.axfr count 1
Mar 29 15:22:39 ods ods-signerd: [axfr] set soa in axfr zone example.com
Mar 29 15:22:39 ods ods-signerd: [axfr] axfr zone example.com is done
Mar 29 15:22:39 ods ods-signerd: [axfr] return part axfr zone example.com
Mar 29 15:22:39 ods ods-signerd: [socket] query processed qstate=2
Mar 29 15:22:39 ods ods-signerd: [query] add tsig ok
Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: new tcplen 4654
Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: bytes transmitted 2 (sent 2)
Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: bytes transmitted 4656
Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: tcplen 4654
Mar 29 15:22:39 ods ods-signerd: [socket] TCP_WRITE: sizeof tcplen 2
Mar 29 15:22:39 ods ods-signerd: [axfr] zone transfer example.com completed
Mar 29 15:22:39 ods ods-signerd: [socket] incoming tcp message
Mar 29 15:22:39 ods ods-signerd: [socket] TCP_READ: reset query
Mar 29 15:22:39 ods ods-signerd: [netio] handler removed


Regards,
Djordje
Maurice
2016-03-30 14:53:50 UTC
Hello,

I was wondering if there is a way to restore the KASP database from the
zonelist.xml and signconf files, including keys and states?

Regards,
--
Maurice Mahieu
System Engineer | ***@info.nl <mailto:***@info.nl> | +31 (0)20
53 09 111 <tel:+31205309111>
info.nl <http://www.info.nl> /making platforms work/
<http://www.info.nl/nl?utm_source=e-mail_sig&utm_medium=e-mail&utm_term=connecting_the_dots&utm_campaign=info_sig>

Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 91 00
<tel:+31205309100>
Facebook <https://www.facebook.com/infonl> | Twitter
<https://twitter.com/infonl> | LinkedIn
<https://www.linkedin.com/company/info.nl> | Google+
<https://plus.google.com/+infonl/>
Rick van Rein
2016-03-30 16:33:21 UTC
Hi Maurice,
Post by Maurice
I was wondering if there is a way to restore the KASP database from
the zonelist.xml and signconf files, including keys and states?
That would not work; you should use the backups instead. The database holds information on what should be rolled into which state when; the sources you mention are just a "here & now" reflection of the database's schedule.

Having said that, you might be able to pull off a hack where you filled in safe values for the database fields that you failed to restore; but on the whole this sounds like a one-time recovery hack and certainly not a generic tool that would be able to replace database backups.

-Rick
Maurice
2016-03-31 07:56:46 UTC
OK, thanks,

I won't try this at home :-)


Regards,

Maurice
Berry A.W. van Halderen
2016-04-05 12:14:39 UTC
Post by Djordje Antic
Hidden master (BIND) [xfr]-> DNSSEC signer (OpenDNSSEC) [xfr]-> 4x
Public slaves (NSD, BIND, YADIFA, KNOT).
NSD, BIND and KNOT machines are receiving and serving zones without
problems, but YADIFA is not. This problem does not occur when set to
update directly from the hidden master, but then it loses the DNSSEC
'bump-in-the-wire' and thus serves unsigned zones.
BIND: 9.10.3
OpenDNSSEC 1.4.9
YADIFA 2.1.6
We do not have direct experience with yadifa. How I interpret the log
is that OpenDNSSEC has fully transferred the zone and gets the okay.
Yadifa has received the AXFR fully and stored it. However, when it
further starts to process the zone file there is a generic error.
This is not something easy to inspect without having to set up an
environment with yadifa ourselves. You might want to increase the
logging level of yadifa to get more information.

The yadifa log also indicates it wants to sign the zone itself too.
That is --in your set-up-- not something you want. This at least
needs to be changed. It may also be a hint towards your problem:
perhaps yadifa expects an unsigned zone or can only handle unsigned
data, and it rejects the pre-signed zone.

This is something you can get help for from the yadifa mailing list.

With kind regards,
Berry van Halderen
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Djordje Antic
2016-04-28 13:31:51 UTC
Hi,

If anyone else encounters this, the solution is to rebuild Yadifa with
the "--enable-non-aa-axfr-support" ./configure flag. According to the
manual, it "Allows AXFR answer from master without AA bit set
(Microsoft DNS)". OpenDNSSEC streams are now accepted and Yadifa is
serving received zones with DNSSEC signatures.

Regards,
Djordje
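The resolution above comes down to one header bit: a default YADIFA build refuses an AXFR answer whose AA (authoritative answer) flag is clear, and the stream from ods-signerd tripped that check while NSD, BIND and Knot did not care. The block below is an added example, not code from this thread, from OpenDNSSEC or from YADIFA. It reads a TCP-framed AXFR stream (the 2-byte length prefix that the ods-signerd log reports as "tcplen"), decodes the header flags and the answer records, and accepts or rejects the transfer the way a strict slave does, with a require_aa switch that plays the role of the tolerant build. The zone example.com, the serial 2016032901, the name-server and hostmaster names, the A records and the rejection messages are all constructed for the example; require_aa and the wording of its verdicts are this example's own, not YADIFA's.

```python
"""Check a TCP-framed AXFR answer stream the way a strict slave does before loading it:
QR/AA bits, RCODE, SOA ... SOA bracketing. Added example; not OpenDNSSEC or YADIFA code."""
import struct

TYPE_A, TYPE_SOA, TYPE_AXFR, CLASS_IN = 1, 6, 252, 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400


def encode_name(name):
    """Wire-encode a dotted name without compression: length-prefixed labels + root."""
    labels = [lb for lb in name.rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def decode_name(msg, off):
    """Decode the name at msg[off], following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it sits in the message)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer elsewhere into msg
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def rr(owner, rtype, rdata, ttl=3600):
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata

def soa(zone, serial, mname="ns1.example.com.", rname="hostmaster.example.com."):
    """SOA RR; refresh/retry/expire/minimum are fixed sample values."""
    return rr(zone, TYPE_SOA, encode_name(mname) + encode_name(rname)
              + struct.pack("!IIIII", serial, 3600, 900, 604800, 300))

def build_axfr_response(zone, rrs, aa=True, msg_id=0x1234, rcode=0):
    """One AXFR answer message: header, the AXFR question, then the answer RRs."""
    flags = FLAG_QR | (FLAG_AA if aa else 0) | rcode
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(rrs), 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN) + b"".join(rrs)

def tcp_frame(*messages):
    """RFC 1035 4.2.2 framing: a 2-byte big-endian length before every message."""
    return b"".join(struct.pack("!H", len(m)) + m for m in messages)

def split_tcp_stream(stream):
    msgs, off = [], 0                             # inverse of tcp_frame()
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs

def parse_message(msg):
    """Header flags plus (owner, type, soa_serial_or_None) for every answer RR.
    Only the answer section is decoded; a TSIG RR in the additional section is left alone."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        serial = None
        if rtype == TYPE_SOA:                     # serial follows MNAME and RNAME
            p = decode_name(msg, decode_name(msg, off)[1])[1]
            serial = struct.unpack("!I", msg[p:p + 4])[0]
        answers.append((owner, rtype, serial))
        off += rdlen
    return {"qr": bool(flags & FLAG_QR), "aa": bool(flags & FLAG_AA),
            "rcode": flags & 0x0F, "answers": answers}

def check_axfr_stream(stream, require_aa=True):
    """Return (accepted, reason). require_aa=False is this example's analogue of
    a slave built to tolerate masters that answer AXFR without AA set."""
    msgs = [parse_message(m) for m in split_tcp_stream(stream)]
    rrs = []
    for i, m in enumerate(msgs):
        if not m["qr"] or m["rcode"] != 0 or (require_aa and not m["aa"]):
            return False, "message %d rejected: qr=%s rcode=%d aa=%s" % (i, m["qr"], m["rcode"], m["aa"])
        rrs.extend(m["answers"])
    if len(rrs) < 2 or rrs[0][1] != TYPE_SOA or rrs[-1][1] != TYPE_SOA:
        return False, "transfer is not bracketed by SOA records"
    if rrs[0][2] != rrs[-1][2]:
        return False, "opening serial %d != closing serial %d" % (rrs[0][2], rrs[-1][2])
    return True, "serial %d, %d RRs in %d messages" % (rrs[0][2], len(rrs), len(msgs))

def sample_stream(aa):
    """Constructed two-message AXFR of example.com (serial 2016032901); AA as given."""
    zone, serial = "example.com.", 2016032901
    first = [soa(zone, serial), rr("www.example.com.", TYPE_A, b"\xc0\x00\x02\x01")]
    second = [rr("mail.example.com.", TYPE_A, b"\xc0\x00\x02\x02"), soa(zone, serial)]
    return tcp_frame(build_axfr_response(zone, first, aa), build_axfr_response(zone, second, aa))
```

check_axfr_stream(sample_stream(False)) stops at the first message with "aa=False" in its verdict, which is the situation in the thread; the same bytes pass with require_aa=False, which is what the rebuilt YADIFA does. Against a real master, read the raw bytes off the TCP socket after sending an AXFR query and hand them to check_axfr_stream to see which property the slave objects to. The parser deliberately skips the additional section, so the TSIG record that the ods-signerd log shows being added is neither verified nor parsed here; TSIG verification is a separate check and would come before any of these.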