Recently we upgraded to ods 2.01. from 1.4.10. During key roll-overs we
never needed to update our input zones as long as we used version 1.
This night ods was still in the process of retiring the backup keys, used in
version 1.4.10, when it started a ZSK key roll-over. After that the signer
refused to sign zones.
The log file shows messages from the signer each hour, see the attachment.
The fix was easy, we incremented the serial of the input zone.
The log message "If this is the result of a key rollover ..." suggests (at
least to me) that it is normal that a manual intervention is needed during a
roll-over, but we are not used to it.
Is this a bug, or is it the intended behavior?
Are there new options to be included in the configuration?
2016-09-16T05:03:06.542733+02:00 kvir07 ods-signerd: [namedb] zone KVI.nl
cannot keep SOA SERIAL from input zone (2016090700): previous output SOA
SERIAL is 2016091511
2016-09-16T05:03:06.543058+02:00 kvir07 ods-signerd: [adapter] unable to add
soa to zone KVI.nl: failed to replace soa serial rdata (Conflict detected)
2016-09-16T05:03:06.543216+02:00 kvir07 ods-signerd: [adapter] If this is
the result of a key rollover, please increment the serial in the unsigned
2016-09-16T05:03:06.543368+02:00 kvir07 ods-signerd: [adapter] unable to add
rr: failed to process soa record
2016-09-16T05:03:06.543514+02:00 kvir07 ods-signerd: [adapter] error adding
RR at line 672: KVI.nl. IN SOA DNS1.KVI.nl.
HOSTMASTER.KVI.nl. 2016090700 12h
1h 4d 3h
2016-09-16T05:03:06.543662+02:00 kvir07 ods-signerd: [tools] unable to read
zone KVI.nl: adapter failed (Conflict detected)
2016-09-16T05:03:06.543807+02:00 kvir07 ods-signerd: [worker] CRITICAL:
failed to sign zone KVI.nl: Conflict detected
2016-09-16T05:03:06.543953+02:00 kvir07 ods-signerd: [worker] backoff
task [read] for zone KVI.nl with 3600 seconds
Opendnssec-user mailing list