On 07-01-11 15:31, Matthijs Mekking wrote:
vacation on Dec 24. Nobody touched the machine after that.
>
>> The first thing that grabs my attention (in the Dec 21 logs) is that the
>> zone gets scheduled for signing twice. Is this normal?
>
> No, a zone should always be scheduled at most once in the queue.
> However, I notice the logs do mention twice that a zone is scheduled
> when the zone is added.

Tnx for clarifying

>
> If it is not scheduled though, it may be that a worker is working on the
> zone. We set a flag, so that we know it may not be scheduled (for
> example, as a result of ods-signer update).
>
> How did you notice it was scheduled twice? Did you see it by issuing
> ods-signer queue? Or did you see it in the logs? If so, do you still
> have those logs, so I can investigate (offline, if you prefer)?

I saw it in the logs when I started looking for a reason for dnssec
failures on some domains. I do have the entire logfile but it's rather
big (20 megs in total, gzipped).

>> I think I can fix the problem so I'm more interested in what went wrong and
>> how to prevent it than a ready-made solution. Any ideas?
>
> The only times I had similar issues is when I (accidentally) started two
> signer daemons. The client (ods-signer start) checks if there is already
> a daemon running, however, ods-signerd will kick off without such a check.

There is this hanging signer process. I'm not sure if that really counts,
but I will kill it now.

<cut>

> Zone example.net added
>
> Hence, probably the two log references of the zone being scheduled.
> This can happen:
> - on startup
> - when receiving update [--all]
> - when receiving update <zone>, but <zone> was not found
>
> However, this line tells me that there was a signed example.net already:
>
>> Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone
>> 'example.net' in 4477 seconds
>
> Did some event occur at this time? Could you reason which of the three
> cases happened (so that we can narrow down the search scope)?
>

It's very likely the second case, ods-signer sign --all.
I run this command after every zone change which happens a few times each
day. I know it's possible to specify a specific zone to sign but that does
not (yet) fit in our environment.

Thanks for your help so far. I will now kill the old signer process and
restart the signer daemon; if anything interesting happens I will post it
here.

--
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
