Discussion:
[Opendnssec-user] addns.xml update deletes all domains
David Peall
2016-09-16 12:35:57 UTC
Hi

Zone 1 has been running for months in a test environment.

I added zones 2 and 3. I updated a TSIG key for domain 2 and then updated the enforcer and it deleted all my domains?

opendnssec version 2.0.1


***@signer1:/etc/opendnssec# ods-enforcer update all
Policy default already up-to-date
Policy lab already up-to-date
Policy default already up-to-date
Policy lab already up-to-date
Deleted zone 1 successfully
Deleted zone 2 successfully
Deleted zone 3 successfully
update all completed in 1 seconds.

***@signer1:/etc/opendnssec# ods-enforcer key list --all --verbose
Keys:
Zone: Keytype: State: Date of next transition: Size: Algorithm: CKA_ID: Repository: KeyTag:
key list completed in 0 seconds.

***@signer1:/etc/opendnssec# ods-enforcer zone list
Database set to: /var/opendnssec/kasp.db
No zones in database.
zone list completed in 0 seconds.


The log file:
Sep 16 14:02:41 signer1 ods-signerd: [xfrd] zone 1 request udp/ixfr=1160916056 to 192.168.x.x
Sep 16 14:02:41 signer1 ods-signerd: [xfrd] zone 1 received too short udp reply from 192.168.x.x, retry tcp
Sep 16 14:02:41 signer1 ods-signerd: [xfrd] zone 1 request tcp/ixfr=1160916056 to 192.168.x.x
Sep 16 14:02:58 signer1 ods-signerd: [xfrd] zone 1 transfer done [notify acquired 1474027361, serial on disk 1160916057, notify serial 1160916057]
Sep 16 14:03:48 signer1 ods-signerd: [STATS] 1 1160916057 RR[count=80 time=35(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=235 time=2(sec) avg=1(sig/sec)] TOTAL[time=50(sec)]
Sep 16 14:04:15 signer1 ods-signerd: [namedb] zone 3 cannot keep SOA SERIAL from input zone (2016091648): previous output SOA SERIAL is 2016091648


Sep 16 14:15:41 signer1 ods-signerd: [worker[2]] continue task [read] for zone 1
Sep 16 14:15:41 signer1 ods-signerd: [worker[2]] continue task [sign] for zone 2
Sep 16 14:15:41 signer1 ods-signerd: [worker[1]] continue task [sign] for zone 3
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] zone 2 request axfr to 192.168.x.x
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] bad packet: zone 2 received error code NOTAUTH from 192.168.x.x
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] zone 2, from 192.168.x.x has tsig error (Bad Key)
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] unable to process tsig: xfr zone 2 from 192.168.x.x has bad tsig signature
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] bad packet: zone 2 received bad tsig from 192.168.x.x
Sep 16 14:15:41 signer1 ods-enforcerd: [zonelist_import] zone 2 deleted
Sep 16 14:15:41 signer1 ods-enforcerd: [zonelist_import] zone 3 deleted
Sep 16 14:15:41 signer1 ods-enforcerd: [zonelist_import] zone 1 deleted



Now in the log file after a stop/start:
Sep 16 14:22:12 signer1 ods-signerd: [signconf] zone 2 signconf: RESIGN[PT2H] REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[keep]
Sep 16 14:22:12 signer1 ods-signerd: [signconf] zone 3 signconf: RESIGN[PT2H] REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[keep]

Regards
—
David Peall
Yuri Schaeffer
2016-09-16 13:10:00 UTC
David Peall
2016-09-16 13:35:17 UTC
Hi

So my understanding is that for the time being I’m going to have to run the following after adding or removing a zone.
ods-enforcer zonelist export

To avoid any foot-shootery?

Regards
—
David Peall
Post by Yuri Schaeffer
Hi David,
Thanks for your report!
I added zones 2 and 3. I updated a TSIG key for domain 2 and then
updated the enforcer and it deleted all my domains?
Well this is a bit embarrassing... Since 2.0 we declared the database
leading over the zonelist.xml for the configured zones. But to provide
backwards compatibility we still allow updating the zones via the
zonelist.xml like before.
zonelist import
[--remove-missing-zones] aka -r
[--file <absolute path>] aka -f
Import zones from zonelist.xml into enforcer database.
remove-missing-zones Remove any zones from database not existed in zonelist file
file File to import, instead of zonelist file configured in conf.xml
As you can see we made the default not to remove zones that are no
longer in the XML. However 'update all' never included the
please-shoot-me-in-the-foot option. And instead defaults to foot shooting.
update all
Perform policy import, update zonelist, and update repositorylist.
I understand this violates the least surprises rule and think we need to
improve this soon.
Regards,
Yuri
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
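A pre-flight check for the foot-gun described in the reply above, as an added example that is not part of the thread and not OpenDNSSEC's own code. Since 2.0 the database is leading, so the script exports it, compares the zone names with the zonelist.xml on disk, and refuses to run `update all` while any zone exists only in the database. Assumptions: `ods-enforcer zonelist export` prints the zonelist XML to stdout (redirect accordingly if your build writes a file), each `<Zone name="...">` start tag is on its own line as the enforcer writes it (the sed-based extractor is not a general XML parser), and the zone names in `demo` are constructed sample data standing in for the redacted "zone 1/2/3" of the report.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenDNSSEC project: guard
# `ods-enforcer update all`, which (as reported for 2.0.1) deletes every zone in
# the enforcer database that is not listed in zonelist.xml.
set -eu

# Print the zone names found in a zonelist.xml-style file, one per line, sorted.
# Assumption: one <Zone name="..."> start tag per line (the layout ods-enforcer
# writes); this is a line-oriented extractor, not an XML parser.
zonelist_names() {
    sed -n 's/.*<Zone name="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Print the zones present in the database export ($1) but absent from the
# on-disk zonelist ($2): exactly the set `update all` would delete.
zones_update_all_would_delete() {
    db_names=$(zonelist_names "$1")
    file_names=$(zonelist_names "$2")
    for z in $db_names; do
        printf '%s\n' "$file_names" | grep -Fxq -- "$z" || printf '%s\n' "$z"
    done
}

# Export the (leading) database, diff it against zonelist.xml and only run
# `update all` when nothing would be removed. Assumption: `zonelist export`
# writes the XML to stdout.
safe_update_all() {
    zonelist_file="${1:-/etc/opendnssec/zonelist.xml}"
    db_export=$(mktemp)
    ods-enforcer zonelist export > "$db_export"
    missing=$(zones_update_all_would_delete "$db_export" "$zonelist_file")
    rm -f "$db_export"
    if [ -n "$missing" ]; then
        printf 'refusing "update all": in database but not in %s:\n%s\n' \
            "$zonelist_file" "$missing" >&2
        return 1
    fi
    ods-enforcer update all
}

# Constructed sample reproducing the report: three zones in the database, while
# the zonelist.xml on disk only ever contained the first one. Prints the zones
# that `update all` would delete (zone2.test and zone3.test).
demo() {
    db=$(mktemp); disk=$(mktemp)
    cat > "$db" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="zone1.test">
    <Policy>lab</Policy>
  </Zone>
  <Zone name="zone2.test">
    <Policy>lab</Policy>
  </Zone>
  <Zone name="zone3.test">
    <Policy>lab</Policy>
  </Zone>
</ZoneList>
EOF
    cat > "$disk" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="zone1.test">
    <Policy>lab</Policy>
  </Zone>
</ZoneList>
EOF
    zones_update_all_would_delete "$db" "$disk"
    rm -f "$db" "$disk"
}

demo
```

Run `safe_update_all` in place of a bare `ods-enforcer update all`; when it refuses, either re-export the database over zonelist.xml (`ods-enforcer zonelist export > /etc/opendnssec/zonelist.xml`, under the stdout assumption above) or deliberately use `zonelist import` without `--remove-missing-zones`, which keeps the extra zones.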
Yuri Schaeffer
2016-09-16 14:00:42 UTC