Re: Signed zone does not get updated 'receive_secure_serial: not exact'

Thomas Leuxner Thu, 27 Dec 2012 03:09:32 -0800

Am 26.12.2012 um 23:31 schrieb Mark Andrews <ma...@isc.org>:

> * the record to be removed was not there
> * the record to be aded was already there
> 
> This means that the two versions of the zone have become unsyncronized.


I did some more tests with another zone. Not sure BIND works as intended there:

- zone 'trashheap' gets signed (has serial 7 unsigned and receives serial 8|10 
signed subsequently)

Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (unsigned): loaded 
serial 7
Dec 27 11:34:12 spectre named[27411]: any newly configured zones are now loaded
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): loaded 
serial 7
Dec 27 11:34:12 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update 
with no effect
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): 
receive_secure_serial: not exact
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): 
reconfiguring zone keys
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): next key 
event: 27-Dec-2012 11:34:12.333
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): sending 
notifies (serial 8)
Dec 27 11:34:12 spectre named[27411]: client 88.198.49.12#26609/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
started: TSIG ns1-acme.spoerlein.net
Dec 27 11:34:12 spectre named[27411]: client 88.198.49.12#26609/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
ended
Dec 27 11:34:17 spectre named[27411]: zone trashheap.net/IN (signed): sending 
notifies (serial 10)
Dec 27 11:34:17 spectre named[27411]: client 88.198.49.12#17597/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
started: TSIG ns1-acme.spoerlein.net
Dec 27 11:34:17 spectre named[27411]: client 88.198.49.12#17597/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
ended

- a TXT record is added to zone 'trashheap' via nsupdate
- same problem as before: 'receive_secure_serial: not exact'

Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key 
tlx.leuxner.net: signer "tlx.leuxner.net" approved
Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key 
tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at 
'2013._domainkey.trashheap.net' TXT
Dec 27 11:37:33 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update 
with no effect
Dec 27 11:37:33 spectre named[27411]: zone trashheap.net/IN (signed): 
receive_secure_serial: not exact

- to mitigate the problem, zone journal is dropped again 'rndc sync -clean 
trashheap.net'
- zone is frozen
- unsigned serial is increased (to 9)
- zone is unfrozen
- zone receives new signed serial (11)

Dec 27 11:44:10 spectre named[27411]: received control channel command 'sync 
-clean trashheap.net'
Dec 27 11:44:10 spectre named[27411]: sync: dumping zone 'trashheap.net/IN', 
removing journal file: success
Dec 27 11:45:40 spectre named[27411]: received control channel command 
'loadkeys trashheap.net'
Dec 27 11:45:40 spectre named[27411]: zone trashheap.net/IN (signed): 
reconfiguring zone keys
Dec 27 11:45:40 spectre named[27411]: zone trashheap.net/IN (signed): next key 
event: 27-Dec-2012 11:45:40.045
Dec 27 11:46:38 spectre named[27411]: received control channel command 'freeze 
trashheap.net'
Dec 27 11:46:38 spectre named[27411]: freezing zone 'trashheap.net/IN': success
Dec 27 11:47:02 spectre named[27411]: received control channel command 'thaw 
trashheap.net'
Dec 27 11:47:02 spectre named[27411]: thawing zone 'trashheap.net/IN': success
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (unsigned): loaded 
serial 9
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): serial 11 
(unsigned 9)
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): sending 
notifies (serial 11)
Dec 27 11:47:02 spectre named[27411]: client 88.198.49.12#54606/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
started: TSIG ns1-acme.spoerlein.net
Dec 27 11:47:02 spectre named[27411]: client 88.198.49.12#54606/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
ended

- another TXT record is added and propagation works going forward

Dec 27 12:03:21 spectre named[27411]: client 188.138.3.243#13188/key 
tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at 
'2014._domainkey.trashheap.net' TXT
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): serial 12 
(unsigned 10)
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): sending 
notifies (serial 12)

Regards
Thomas

smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Signed zone does not get updated 'receive_secure_serial: not exact'

Reply via email to