Mark Elkins
2016-09-08 15:01:13 UTC
I'm having a problem with ODS 2.0.1 and I'm using the DNS Adapter.
Setup is:
vhost1 (160.124.48.41) - runs BIND 9.10.4-P2 - has an unsigned zone
which I keep updating.
vhost2 (160.124.48.42) - runs ODS-2.0.1, it accepts inbound XFR from
vhost1. This had been working just fine.
vhost3 (160.124.48.43) - runs BIND 9.10.4-P2 - pretends to be a
Distribution master. This always gets the latest zones that ODS offers.
I have a test zone "edu.za" that gets updated whenever necessary. It's
actually an AXFR from a live master. Real changes are infrequent,
probably twice a week, but the SOA is updated every night. Of course
today there have been 4 changes in one day.
Thus "vhost1" gets a new zone once an hour and sends an "rndc reload"
whenever the EDU.ZA zone changes. EDU.ZA is actually signed with BIND -
hence I strip those records.
Cron Entry:
18 * * * * dig @160.124.xxx.xxx edu.za axfr | egrep -v 'RRSIG|NSEC|NSEC3|NSEC3PARAM|DNSKEY|^;' > /etc/ns.d/pri/edu.za/db.edu.za && rndc reload
----------------
I have a script that runs on vhost3 that does an AXFR from both vhost1
(unsigned) and vhost3 (signed). This script does various sanity checks.
I've attached it. It's run from cron at the same frequency that the
signer is configured to run - in this test case - every 10 minutes.
One check is that the signed zone should contain all the records of the
signed zone. It's seeing differences of stuff added to the unsigned zone
that never appear in the signed zone. The SOA Serial is now higher in
the unsigned zone (2016090804) than the signed zone (2016084331) - and I
am not seeing an ?XFR from vhost1 (Unsigned) to vhost2 (ODS).
On vhost1 (Unsigned, BIND), I've tried "rndc notify edu.za" - the
named.conf snippet includes:
zone "web.za" {
    type master;
    file "pri/edu.za/db.web.za";
    notify explicit;
    also-notify { 160.124.48.42; };
};
The intention is to *only* send notifies to 160.124.48.42 and not to any
listed Nameservers, i.e. be explicit like NSD.
Thus - I presume that vhost2 (on 160.124.48.42) would be correctly
notified.
The "rndc notify" gave me:
08-Sep-2016 13:03:04.022 received control channel command 'reload'
08-Sep-2016 13:03:04.023 zone edu.za/IN: loaded serial 2016090805
08-Sep-2016 13:03:04.023 zone edu.za/IN: sending notifies (serial 2016090805)
-oOo-
1 - Where can I see logs that would show such an action taking place (an
explicit NOTIFY) on the ODS machine?
2 - Can I get ODS to do an explicit query for a changed SOA?
(equivalent of: ods-signer sign edu.za - but for DNS {IA}XFR )
-oOo-
Incidentally - just a few minutes ago (after multiple hours of chasing
my tail) - there was an IXFR request from vhost2 (ODS) to the vhost1
(BIND) machine - so now everything is OK (The script no longer
complains) - but the delay is still unexplained.
08-Sep-2016 14:32:37.980 client 160.124.48.42#50396 (edu.za): transfer of 'edu.za/IN': AXFR-style IXFR started (serial 2016090805)
08-Sep-2016 14:32:37.981 client 160.124.48.42#50396 (edu.za): transfer of 'edu.za/IN': AXFR-style IXFR ended
PS - very pleased to see IXFR working! (as opposed to just AXFR)
--
Mark James ELKINS - Posix Systems - (South) Africa
***@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
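The sanity check the post describes (compare an unsigned zone with its signed copy, ignore the DNSSEC records the signer adds, and flag anything present in the source that never reached the signed zone), as an added stand-alone example. This is not the poster's attached script and not part of OpenDNSSEC or BIND; it parses plain `dig ... axfr` output with the standard library only. The two zone texts, the `example.test` zone name, the 192.0.2.x addresses and the serials are constructed sample data; the serial-lag flag assumes the signer is configured to keep the source serial, which is also an assumption.

```python
"""Check a signed zone against its unsigned source (example code).

Both inputs are the text printed by `dig @server zone axfr`. DNSSEC
records are stripped from both copies, every remaining unsigned record
must appear in the signed copy, and the two SOA serials are reported.
The sample zone texts below are constructed, not real transfers."""

# Same record types the poster's cron entry filters out with egrep.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}

# Constructed unsigned zone: serial 2016090804, with one freshly added TXT.
UNSIGNED_AXFR = """\
; <<>> DiG 9.10.4-P2 <<>> @192.0.2.41 example.test axfr
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2016090804 3600 900 604800 300
example.test.\t3600\tIN\tNS\tns1.example.test.
ns1.example.test.\t3600\tIN\tA\t192.0.2.41
www.example.test.\t300\tIN\tA\t192.0.2.80
new.example.test.\t300\tIN\tTXT\t"added this morning"
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2016090804 3600 900 604800 300
;; Query time: 1 msec
"""

# Constructed signed zone: older serial, DNSSEC records present, TXT missing.
SIGNED_AXFR = """\
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2016084331 3600 900 604800 300
example.test.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20160922000000 20160908000000 12345 example.test. c2FtcGxlc2ln
example.test.\t3600\tIN\tNS\tns1.example.test.
example.test.\t3600\tIN\tDNSKEY\t257 3 8 AwEAAcONSTRUCTEDKEYDATA
example.test.\t300\tIN\tNSEC\tns1.example.test. NS SOA RRSIG NSEC DNSKEY
ns1.example.test.\t3600\tIN\tA\t192.0.2.41
www.example.test.\t300\tIN\tA\t192.0.2.80
example.test.\t3600\tIN\tSOA\tns1.example.test. hostmaster.example.test. 2016084331 3600 900 604800 300
"""


def parse_axfr(text):
    """Return (soa_serial, set of (owner, type, rdata)) from dig axfr output.

    Comment lines (';') are skipped. The TTL is dropped from the key so a
    TTL change alone is not reported as a missing record, and owner names
    are lowercased because DNS names compare case-insensitively."""
    records = set()
    serial = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split(None, 4)  # owner ttl class type rdata
        if len(fields) < 5:
            continue
        owner, _ttl, _cls, rtype, rdata = fields
        rdata = " ".join(rdata.split())
        if rtype == "SOA":
            # SOA rdata: mname rname serial refresh retry expire minimum
            serial = int(rdata.split()[2])
        records.add((owner.lower(), rtype, rdata))
    return serial, records


def data_records(records):
    """Drop DNSSEC records and the SOA (its serial is compared separately)."""
    return {r for r in records if r[1] not in DNSSEC_TYPES and r[1] != "SOA"}


def check_zones(unsigned_text, signed_text):
    """Compare the two transfers and return a small report dict."""
    u_serial, u_recs = parse_axfr(unsigned_text)
    s_serial, s_recs = parse_axfr(signed_text)
    missing = sorted(data_records(u_recs) - data_records(s_recs))
    # Only meaningful if the signer keeps the source serial (assumption).
    serial_lag = u_serial is not None and s_serial is not None and s_serial < u_serial
    return {
        "unsigned_serial": u_serial,
        "signed_serial": s_serial,
        "missing_in_signed": missing,
        "serial_lag": serial_lag,
        "ok": not missing,
    }


if __name__ == "__main__":
    report = check_zones(UNSIGNED_AXFR, SIGNED_AXFR)
    print("unsigned serial:", report["unsigned_serial"])
    print("signed serial:  ", report["signed_serial"])
    for owner, rtype, rdata in report["missing_in_signed"]:
        print("MISSING in signed zone:", owner, rtype, rdata)
    if report["serial_lag"]:
        print("signed zone serial is behind the unsigned zone")
    print("OK" if report["ok"] else "MISMATCH")
```

To run it against live hosts instead of the constructed text, feed `parse_axfr` the output of `dig @<unsigned-host> <zone> axfr` and `dig @<signed-host> <zone> axfr`; scheduling it from cron at the signer's interval, as the post does, turns a silent transfer stall into a visible report.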