Re: [knot-dns-users] Zone sign at knotd reload

Fri, 22 Dec 2017 04:45:02 -0800 

Hi Aleš,
thanks for the kjournalprint output! It led strightforwardly to finding the bug in Knot. The bug is always re-creating and re-signing NSEC3PARAM record. We have fixed it. 


Would you be able and willing to check the bugfix for us before we 
release a package? You could either build Knot from current sources 
(branch 2.6), or we could send you a newly-built binaries for your 
architecture (actually, the fix is probably in libknot shared library).


BR,

Libor


Dne 19.12.2017 v 20:38 Aleš Rygl napsal(a):

Hi Libor,

On Friday 15 of December 2017 10:26:09 libor.pel...@nic.cz wrote:

Hi all,

first, we must distinguish two things:

1) on every reload, every zone is attempted to be re-signed. This takes
some CPU time, as the NSEC(3) chain is re-constructed and RRSIGs
validated. Anyway, if we perform reload "often", it "usually" ends up
with the messages "DNSSEC, zone is up-to-date". This is a design feature
of Knot. Is it a problem for you?

This is perfectly clear to me and it is not an issue for me. I like that 
up-to-date status is logged during the startup.


2) when anything in the zone changes, or the zone would re-sign itself
anyway in the meantime, the re-signing ends up with "DNSSEC,
successfully signed". This happens e.g. if zone contents changed, NSEC3
salt updated, some RRSIG nearing its end of validity... If this happens
on "clear" zone, it's a bug. We have de-bugged this behavior in the past
and we also have got a test case covering this. But still it may happen
that there is a bug. The best point to start at is journal contents. In
the changesets it should be visible what changed. You can explore the
journal with "kjournalprint" utility.

This is also clear to me. I am just trying to find the reason for re-sign when 
the zone content was not (externally) updated. I am rather wonder why this is 
happening than complaining.
Thanks for reminding me of kjournalprint. When checking the journal I can see 
(last three changes):

;; Changes between zone versions: 1513694442 -> 1513707970
;;Removed
rozjezdy.cz.            3600    SOA     idunn.t-mobile.cz. 
dss-system.t-mobile.cz. 1513694442 7200 600 1209600 3600
rozjezdy.cz.            3600    RRSIG   SOA 13 2 3600 20180102144042 
20171219131042 53957 rozjezdy.cz. 
Vnzp8R5bJk3sOybu9WoJzf/1ABNuIz3d0WHhbyQ3VDiIzmZwJ13OOUjsqYuD18OqsFO9eFMNJrPccKjMHsDBLw==
rozjezdy.cz.            0       RRSIG   NSEC3PARAM 13 2 0 20180102144042 
20171219131042 53957 rozjezdy.cz. 
9lv+D3biq8FHB2PyTXa98J/31Lf7rdv6KNJNILlm7jsimi0ylSslK6uisLdt5h13jXFRLePs3yWqWMfdBLG8FA==
;;Added
rozjezdy.cz.            3600    SOA     idunn.t-mobile.cz. 
dss-system.t-mobile.cz. 1513707970 7200 600 1209600 3600
rozjezdy.cz.            3600    RRSIG   SOA 13 2 3600 20180102182610 
20171219165610 53957 rozjezdy.cz. 
zG1o9Rc5zeiO2+JDntbkjrs3Cv+LbKgxvyCYB4tnkT8U/5874YPZlX8OGfDhXAo+QjYk8+RMEf3DReIN/gcbOA==
rozjezdy.cz.            0       RRSIG   NSEC3PARAM 13 2 0 20180102182610 
20171219165610 53957 rozjezdy.cz. 
xLDqFtMLVWF8Rwjaq84qj5GATN8ozFKEn1sGUNm4rPvPomChkhpz3z6jAC+jTTawTsCbzfMYkAINIeQpMkLJeA==
;; Changes between zone versions: 1513707970 -> 1513708136
;;Removed
rozjezdy.cz.            3600    SOA     idunn.t-mobile.cz. 
dss-system.t-mobile.cz. 1513707970 7200 600 1209600 3600
rozjezdy.cz.            3600    RRSIG   SOA 13 2 3600 20180102182610 
20171219165610 53957 rozjezdy.cz. 
zG1o9Rc5zeiO2+JDntbkjrs3Cv+LbKgxvyCYB4tnkT8U/5874YPZlX8OGfDhXAo+QjYk8+RMEf3DReIN/gcbOA==
rozjezdy.cz.            0       RRSIG   NSEC3PARAM 13 2 0 20180102182610 
20171219165610 53957 rozjezdy.cz. 
xLDqFtMLVWF8Rwjaq84qj5GATN8ozFKEn1sGUNm4rPvPomChkhpz3z6jAC+jTTawTsCbzfMYkAINIeQpMkLJeA==
;;Added
rozjezdy.cz.            3600    SOA     idunn.t-mobile.cz. 
dss-system.t-mobile.cz. 1513708136 7200 600 1209600 3600
rozjezdy.cz.            3600    RRSIG   SOA 13 2 3600 20180102182856 
20171219165856 53957 rozjezdy.cz. 
GId9nFX7W6zDuhDkXSEoYHL7P2A3tQpr0mlAlJCpGrW2VnxBXlnmMqfVm376PbfN9jijSt3wKHagzz3eS+22DA==
rozjezdy.cz.            0       RRSIG   NSEC3PARAM 13 2 0 20180102182856 
20171219165856 53957 rozjezdy.cz. 
nYEne/00rSqUQtS5p3Lvi7KbeKQvrlPrdiz31WlQoBwMj+Pg5wZdTu1rbacF4vQCjGfdCYgvuU4M1noAlCfZdg==
;; Changes between zone versions: 1513708136 -> 1513708291
;;Removed
rozjezdy.cz.            3600    SOA     idunn.t-mobile.cz. 
dss-system.t-mobile.cz. 1513708136 7200 600 1209600 3600
rozjezdy.cz.            3600    RRSIG   SOA 13 2 3600 20180102182856 
20171219165856 53957 rozjezdy.cz. 
GId9nFX7W6zDuhDkXSEoYHL7P2A3tQpr0mlAlJCpGrW2VnxBXlnmMqfVm376PbfN9jijSt3wKHagzz3eS+22DA==
rozjezdy.cz.            0       RRSIG   NSEC3PARAM 13 2 0 20180102182856 
20171219165856 53957 rozjezdy.cz. 
nYEne/00rSqUQtS5p3Lvi7KbeKQvrlPrdiz31WlQoBwMj+Pg5wZdTu1rbacF4vQCjGfdCYgvuU4M1noAlCfZdg==
;;Added
rozjezdy.cz.            3600    SOA     idunn.t-mobile.cz. 
dss-system.t-mobile.cz. 1513708291 7200 600 1209600 3600
rozjezdy.cz.            3600    RRSIG   SOA 13 2 3600 20180102183131 
20171219170131 53957 rozjezdy.cz. 
KklZfsp8Ztzih04/Weedt1aP5Qa9oxsnj72KuGeeqI1szSvL/l6uGC6Rf6ZZJjrN/A/TQMcJzbkgwIMe6YetYA==
rozjezdy.cz.            0       RRSIG   NSEC3PARAM 13 2 0 20180102183131 
20171219170131 53957 rozjezdy.cz. 
FfE9FhQgr8NWCfKf9d1aA0I8h4cd7CCSRbp0Nkq+BXmLOpRMs862lRSWCNHPxRPqufQvjo34AlroRrTYpevwEg==

I do not understand it: are the changes listed above the cause or the 
consequenceof re-sign?

Regards
Ales


--
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users






















					Reply via email to