BTW,

I upped the log level to 5 (from my default of 3), and it seems
OpenDNSSEC isn't happy with the IXFR packets it receives from its
upstream hidden master, because it looks like that on many
attempts it logs:

Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from <hidden-master>

My hidden master runs BIND 9.9.8-P2.

Attached below is a fuller section from the log related to this
event.

It seems these messages:

Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> got update indicating current serial 2014121008 from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> try next master

come from xfrd_parse_packet(), and the

Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> xfr packet parsed (res 0)

status of "0" is "XFRD_PKT_BAD".  But as far as I can see, the
only reason it says so is that it gets the same serial# as what
it already has, via this:

        if (!xfrd->msg_do_retransfer &&
            xfrd->serial_disk_acquired && xfrd->serial_disk == serial) {
            ods_log_info("[%s] zone %s got update indicating current "
                "serial %u from %s", xfrd_str, zone->name, serial,
                 xfrd->master->address);
            xfrd->serial_disk_acquired = xfrd_time(xfrd);
            if (xfrd->serial_xfr == serial) {
...
                /* try next master */
                ods_log_debug("[%s] zone %s try next master", xfrd_str,
                    zone->name);
                lock_basic_unlock(&xfrd->serial_lock);
                return XFRD_PKT_BAD;

Doesn't OpenDNSSEC behave like a proper slave, and do an explicit
query for the SOA version and skip attempting a zone transfer
(incremental or otherwise) if the SOA version# is the same as
what it already has?

Instead of a simple message saying "OK, same serial#, skipping
zone transfer since we already have that one", we get this
complicated dance with an attempted incremental zone transfer, a
declaration that the ixfr packet is "bad", and the use of a
failure code to indicate "same serial#"?  Or isn't that what this
does?

Regards,

- Håvard

Dec 20 10:32:53 ods-host ods-signerd: [netio] no events before the minimum timeout expired
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> make request [udp round 0 master <hidden-master>:0]
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with key: hidden-master-ods-host.
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with algorithm: hmac-sha256.
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] tsig append rr to request id=27525
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> request udp/ixfr=2014121008 to <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> sets timer timeout now
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> read data from udp
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> got update indicating current serial 2014121008 from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> try next master
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> xfr packet parsed (res 0)
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> make request [udp round 1 master <hidden-master>:0]
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with key: hidden-master-ods-host.
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with algorithm: hmac-sha256.
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] tsig append rr to request id=16326
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> request udp/ixfr=2014121008 to <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> sets timer timeout now
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> read data from udp
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> got update indicating current serial 2014121008 from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> try next master
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> xfr packet parsed (res 0)
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> make request [udp round 2 master <hidden-master>:0]
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with key: hidden-master-ods-host.
Dec 20 10:32:53 ods-host ods-signerd: [domain] tsig sign query with algorithm: hmac-sha256.
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] tsig append rr to request id=33825
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> request udp/ixfr=2014121008 to <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> sets timer timeout now
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> read data from udp
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> got update indicating current serial 2014121008 from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> try next master
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> xfr packet parsed (res 0)
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from <hidden-master>
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> sets timer timeout retry 3600
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone <zone> make request wait retry
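The post raises two practical points: what a textbook secondary does with the SOA serial before deciding on a transfer, and how to tell a "bad ixfr packet" that only means "same serial" from one that means a genuinely malformed or unauthorised response. The following Python is an added example written for this page; it is not OpenDNSSEC code and does not call xfrd. It implements RFC 1982 serial comparison and the refresh decision (skip / IXFR / AXFR) a secondary makes from the master's SOA serial, then runs a small triage over constructed ods-signerd lines in the format quoted above (hostnames, zone name, IP addresses and timestamps are made up) so that a same-serial no-op is reported separately from an unexplained bad packet. The pairing of a "bad ixfr packet" line with a preceding "got update indicating current serial" line for the same master is an assumption taken from the log excerpt in the post.

```python
"""Secondary-side serial logic and ods-signerd log triage (added example)."""
import re

SERIAL_HALF = 1 << 31  # RFC 1982: serials are 32-bit with wraparound


def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True when serial a is newer than b."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def refresh_decision(local_serial, master_soa_serial, have_ixfr_history=True):
    """Decision a secondary takes after an explicit SOA query (RFC 1995/1996).

    local_serial is None when the zone has never been transferred.
    Returns one of "SKIP", "IXFR", "AXFR".
    """
    if local_serial is None:
        return "AXFR"                      # nothing on disk yet
    if master_soa_serial == local_serial:
        return "SKIP"                      # already current: no transfer at all
    if serial_gt(master_soa_serial, local_serial):
        return "IXFR" if have_ixfr_history else "AXFR"
    return "SKIP"                          # master is older: never regress


# Constructed sample, following the ods-signerd format quoted in the post.
# The last three lines are a hypothetical bad response with no serial report.
SAMPLE_LOG = """\
Dec 20 10:32:53 ods-host ods-signerd: [netio] no events before the minimum timeout expired
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone example.test make request [udp round 0 master 192.0.2.10:0]
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone example.test request udp/ixfr=2014121008 to 192.0.2.10
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone example.test got update indicating current serial 2014121008 from 192.0.2.10
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone example.test try next master
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone example.test xfr packet parsed (res 0)
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from 192.0.2.10
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone example.test make request [udp round 1 master 192.0.2.10:0]
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone example.test got update indicating current serial 2014121008 from 192.0.2.10
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] zone example.test try next master
Dec 20 10:32:53 ods-host ods-signerd: [xfrd] bad ixfr packet from 192.0.2.10
Dec 20 10:40:01 ods-host ods-signerd: [xfrd] zone example.test request udp/ixfr=2014121008 to 192.0.2.11
Dec 20 10:40:01 ods-host ods-signerd: [xfrd] zone example.test xfr packet parsed (res 0)
Dec 20 10:40:01 ods-host ods-signerd: [xfrd] bad ixfr packet from 192.0.2.11
"""

XFRD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ ods-signerd: \[xfrd\] (?P<msg>.*)$")
UPDATE_RE = re.compile(r"zone (?P<zone>\S+) got update indicating current serial (?P<serial>\d+) from (?P<master>\S+)")
BAD_RE = re.compile(r"bad ixfr packet from (?P<master>\S+)")


def triage(lines):
    """Classify each 'bad ixfr packet' line.

    Keyed on the master address, because the bad-packet line itself carries no
    zone name. Returns (timestamp, master, verdict, serial) tuples where verdict
    is "same-serial" if xfrd just reported the master's current serial for that
    master, else "unexplained" (worth a look: TSIG, truncation, wrong zone ...).
    """
    pending = {}   # master -> serial reported by the preceding update line
    events = []
    for line in lines:
        m = XFRD_RE.match(line)
        if not m:
            continue                       # other subsystems ([netio], [domain])
        msg = m.group("msg")
        u = UPDATE_RE.search(msg)
        if u:
            pending[u.group("master")] = int(u.group("serial"))
            continue
        b = BAD_RE.search(msg)
        if b:
            master = b.group("master")
            if master in pending:
                events.append((m.group("ts"), master, "same-serial", pending.pop(master)))
            else:
                events.append((m.group("ts"), master, "unexplained", None))
    return events


def summarize(events):
    """Count verdicts so a dashboard can alert on 'unexplained' only."""
    counts = {"same-serial": 0, "unexplained": 0}
    for _, _, verdict, _ in events:
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    print("decision:", refresh_decision(2014121008, 2014121008))
    for ev in triage(SAMPLE_LOG.splitlines()):
        print(ev)
    print(summarize(triage(SAMPLE_LOG.splitlines())))
```

Run as a script it prints `SKIP` for the same-serial case and lists two `same-serial` and one `unexplained` event; alerting on the `unexplained` bucket alone keeps the hourly retry noise described in the post out of the pager while still surfacing a response the signer could not parse for another reason.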
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user