Hi Aleš,

Could you please set "zone.zonefile-load: difference"
(https://www.knot-dns.cz/docs/2.6/singlehtml/index.html#zonefile-load)?
As the server configuration was extended, some new operational situations
have emerged and we have to consider how to handle them...

Thanks,
Daniel

On 12/13/2017 08:46 AM, Aleš Rygl wrote:
> Hi Daniel,
>
>> I don't understand the following re-sign. Was it triggered by a zone
>> change?
> Neither do I. There was no change to the zone and I have flushed it before
> reload (is it ok?):
>
> Dec 12 17:03:34 idunn knotd[4604]: info: [rozjezdy.cz.] control, received
> command 'zone-status'
> Dec 12 17:06:42 idunn knotd[4604]: info: [rozjezdy.cz.] control, received
> command 'zone-flush'
>
> I have taken this zone as an example. I can see re-sign for many other zones.
> In order to simulate it again I did it again. The last change to the zone
> (caused by signing) is from yesterday:
>
> -rw-rw---- 1 knot knot 3.6K Dec 12 17:07 db.rozjezdy.cz
>
> Zone status now:
>
> root@idunn:/var/lib/knot/signed# knotc zone-status rozjezdy.cz
> [rozjezdy.cz.] role: master | serial: 1513094831 | transaction: none |
> freeze: no | refresh: not scheduled | update: not scheduled | expiration: not
> scheduled | journal flush: not scheduled | notify: not scheduled | DNSSEC
> re-sign: +6D2h26m36s | NSEC3 resalt: +22D7h31m8s | parent DS query: not
> scheduled
>
> After knotc reload:
>
> root@idunn:~# journalctl -u knot -S "2017-12-13" | grep rozjezdy.cz.
> Dec 13 08:07:43 idunn knotd[4604]: info: [rozjezdy.cz.] control, received
> command 'zone-status'
> Dec 13 08:08:16 idunn knotd[4604]: info: [rozjezdy.cz.] control, received
> command 'zone-status'
> Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
> Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag
> 52375, algorithm ECDSAP256SHA256, KSK, public, active
> Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag
> 53957, algorithm ECDSAP256SHA256, public, active
> Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing
> started
> Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully
> signed
> Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing
> at 2017-12-19T10:34:52
> Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated,
> serial 1513094831 -> 1513148928
>
> I would expect that zone is up-to-date and no re-sign is necessary. From all
> the configured zones following were considered as up-to-date:
>
> root@idunn:~# journalctl -u knot -S "2017-12-13" | grep up-to-date
> Dec 13 08:08:46 idunn knotd[4604]: info: [test.net.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:46 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:46 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:47 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:47 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:47 idunn knotd[4604]: info: [tcrowd.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:48 idunn knotd[4604]: info: [charger.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:48 idunn knotd[4604]: info: [tsearch.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:48 idunn knotd[4604]: info: [bigtelka.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:48 idunn knotd[4604]: info: [t-sound.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:48 idunn knotd[4604]: info: [mmsnasim.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:48 idunn knotd[4604]: info: [t-motion.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:48 idunn knotd[4604]: info: [t-search.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:48 idunn knotd[4604]: info: [twistneomezene.cz.] DNSSEC, zone is
> up-to-date
> Dec 13 08:08:48 idunn knotd[4604]: info: [magentovakariera.cz.] DNSSEC, zone
> is up-to-date
>
> ... and following were re-signed. There were no changes to the zone files at
> all!
>
> root@idunn:~# journalctl -u knot -S "2017-12-13" | grep signed
> Dec 13 08:08:46 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, successfully
> signed
> Dec 13 08:08:47 idunn knotd[4604]: info: [tmusic.cz.] DNSSEC, successfully
> signed
> Dec 13 08:08:48 idunn knotd[4604]: info: [t-crowd.cz.] DNSSEC, successfully
> signed
> Dec 13 08:08:48 idunn knotd[4604]: info: [t-music.cz.] DNSSEC, successfully
> signed
> Dec 13 08:08:48 idunn knotd[4604]: info: [t-press.cz.] DNSSEC, successfully
> signed
> Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully
> signed
> Dec 13 08:08:48 idunn knotd[4604]: info: [abctarify.cz.] DNSSEC, successfully
> signed
> Dec 13 08:08:48 idunn knotd[4604]: info: [internet-4g.cz.] DNSSEC,
> successfully signed
>
> And what is interesting - after a subsequent reload rozjezdy.cz is resigned
> again :-)
>
> root@idunn:~# journalctl -u knot -S "2017-12-13 8:15" | grep
> "rozjezdy.cz.\|reload"
> Dec 13 08:38:04 idunn knotd[4604]: info: [rozjezdy.cz.] control, received
> command 'zone-status'
> Dec 13 08:38:11 idunn knotd[4604]: info: control, received command 'reload'
> Dec 13 08:38:11 idunn knotd[4604]: info: reloading configuration file
> '/etc/knot/knot.conf'
> Dec 13 08:38:26 idunn knotd[4604]: info: configuration reloaded
> Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
> Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag
> 52375, algorithm ECDSAP256SHA256, KSK, public, active
> Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag
> 53957, algorithm ECDSAP256SHA256, public, active
> Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing
> started
> Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully
> signed
> Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing
> at 2017-12-19T10:34:52
> Dec 13 08:38:32 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated,
> serial 1513148928 -> 1513150711
>
>
>> Of course, in the case of many zones the full reload takes some time.
>> How many zones do you have configured?
> I have 23 forward and DNSSEC enabled zones. All of them are really small, up
> to 4kB (signed). The server running knotd is rather weak, it has just 2 cores.
>
>> You should increase the control timeout on the server side:
>> https://www.knot-dns.cz/docs/2.6/singlehtml/index.html#timeout
>> and also on the client side:
>> https://www.knot-dns.cz/docs/2.6/singlehtml/index.html#document-man_knotc
> Thanks
>
> Let me know if you need more details, logs or debugging output. I am ready to
> help you to clarify this behavior.
>
> Regards
> Ales

--
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
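For reviewing this kind of reload across a larger log, here is an added example (my own, not from the thread or from Knot DNS): a small Python parser for knotd journal lines in the format quoted above that reports, per zone, whether the server re-signed it or found it up-to-date, collects the serial changes it wrote to the zone file, and checks that those serial updates chain without gaps. The sample log lines are constructed in the same format; the zone names and serials are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample in the knotd journal format quoted in the thread; the zone
# names and serials are illustrative, not a copy of the poster's full log.
SAMPLE_LOG = """\
Dec 13 08:08:46 idunn knotd[4604]: info: [test.net.] DNSSEC, zone is up-to-date
Dec 13 08:08:46 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513094831 -> 1513148928
Dec 13 08:38:11 idunn knotd[4604]: info: control, received command 'reload'
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 13 08:38:32 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513148928 -> 1513150711
"""

# Matches 'Dec 13 08:08:48 idunn knotd[4604]: info: [zone.] message'
LINE_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ knotd\[\d+\]: \w+: \[(?P<zone>[^\]]+)\] (?P<msg>.*)$")
SERIAL_RE = re.compile(r"^zone file updated, serial (\d+) -> (\d+)$")


def summarize(log_text):
    """Per zone: re-sign count, up-to-date count and (old, new) serial pairs."""
    zones = defaultdict(lambda: {"signed": 0, "up_to_date": 0, "serials": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # global messages such as 'received command reload'
        zone, msg = m.group("zone"), m.group("msg")
        if msg == "DNSSEC, successfully signed":
            zones[zone]["signed"] += 1
        elif msg == "DNSSEC, zone is up-to-date":
            zones[zone]["up_to_date"] += 1
        elif (s := SERIAL_RE.match(msg)):
            zones[zone]["serials"].append((int(s.group(1)), int(s.group(2))))
    return dict(zones)


def resigned_zones(summary):
    """Zones re-signed at least once: the ones to compare against what really changed."""
    return sorted(z for z, v in summary.items() if v["signed"] > 0)


def serial_chain_ok(pairs):
    """True if every update raised the serial and each new serial is the old
    serial of the next update, i.e. no zone-file update was skipped or reordered."""
    return all(old < new for old, new in pairs) and all(
        pairs[i][1] == pairs[i + 1][0] for i in range(len(pairs) - 1))
```

Feed it `journalctl -u knot -S <date>` output for the reload window to get the signed/up-to-date split that was grepped by hand above, plus a chained serial check per zone.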