Hi,

I would be interested to see the complete logfile, just to look if I see something odd. Perhaps we can arrange something off list.

> It's very likely the second case, ods-signer sign --all.

Notice that sign --all should not trigger reading the zonelist, but update --all (or start or update <zone>, the latter is often issued by the enforcer).

Best regards,

Matthijs

On 01/07/2011 04:09 PM, Casper Gielen wrote:
> On 07-01-11 15:31, Matthijs Mekking wrote:
> vacation on Dec 24. Nobody touched the machine after that.
>>
>>> The first thing that grabs my attention (in the Dec 21 logs) is that the zone
>>> gets scheduled for signing twice. Is this normal?
>>
>> No, a zone should always be scheduled at most once in the queue.
>> However, I notice the logs do mention twice that a zone is scheduled
>> when the zone is added.
>
> Tnx for clarifying
>
>>
>> If it is not scheduled though, it may be that a worker is working on the
>> zone. We set a flag, so that we know it may not be scheduled (for
>> example, as a result of ods-signer update).
>>
>> How did you notice it was scheduled twice? Did you see it by issuing
>> ods-signer queue? Or did you see it in the logs? If so, do you still
>> have those logs, so I can investigate (offline, if you prefer)?
>
> I saw it in the logs when I started looking for a reason for dnssec
> failures on some domains. I do have the entire logfile but it's rather
> big (20 megs in total, gzipped).
>
>>> I think I can fix the problem so I'm more interested in what went wrong and
>>> how to prevent it than a ready-made solution. Any ideas?
>>
>> The only times I had similar issues is when I (accidentally) started two
>> signer daemons. The client (ods-signer start) checks if there is already
>> a daemon running, however, ods-signerd will kick off without such a check.
>
> There is this hanging signer process. I'm not sure if that really
> counts, but I will kill it now.
>
> <cut>
>> Zone example.net added
>>
>> Hence, probably the two log references of the zone being scheduled.
>> This can happen:
>> - on startup
>> - when receiving update [--all]
>> - when receiving update <zone>, but <zone> was not found
>>
>> However, this line tells me that there was a signed example.net already:
>>
>>> Dec 21 12:03:39 metagross ods-signerd: scheduling resign of zone
>>> 'example.net' in 4477 seconds
>>
>> Did some event occur at this time? Could you reason which of the three
>> cases happened (so that we can narrow down the search scope)?
>>
>
> It's very likely the second case, ods-signer sign --all.
> I run this command after every zone change which happens a few times
> each day. I know it's possible to specify a specific zone to sign but
> that does not (yet) fit in our environment.
>
> Thanks for your help so far.
> I will now kill the old signer process and restart the signer daemon,
> if anything interesting happens I will post it here.
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
