Recently we upgraded to ods 2.01 from 1.4.10. During key roll-overs we never needed to update our input zones as long as we used version 1. This night ods was still in the process of retiring the backup keys, used in version 1.4.10, when it started a ZSK key roll-over. After that the signer refused to sign zones.
The log file shows messages from the signer each hour, see the attachment.
The fix was easy, we incremented the serial of the input zone.

The log message "If this is the result of a key rollover ..." suggests (at least to me) that it is normal that a manual intervention is needed during a roll-over, but we are not used to it.
Is this a bug, or is it the intended behavior?
Are there new options to be included in the configuration?
2016-09-16T05:03:06.542733+02:00 kvir07 ods-signerd: [namedb] zone cannot keep SOA SERIAL from input zone  (2016090700): previous output SOA SERIAL is 2016091511
2016-09-16T05:03:06.543058+02:00 kvir07 ods-signerd: [adapter] unable to add soa to zone failed to replace soa serial rdata (Conflict detected)
2016-09-16T05:03:06.543216+02:00 kvir07 ods-signerd: [adapter] If this is the result of a key rollover, please increment the serial in the unsigned
2016-09-16T05:03:06.543368+02:00 kvir07 ods-signerd: [adapter] unable to add rr: failed to process soa record
2016-09-16T05:03:06.543514+02:00 kvir07 ods-signerd: [adapter] error adding RR at line 672:             IN        SOA                                           2016090700 12h 1h 4d                                                  3h
2016-09-16T05:03:06.543662+02:00 kvir07 ods-signerd: [tools] unable to read zone adapter failed (Conflict detected)
2016-09-16T05:03:06.543807+02:00 kvir07 ods-signerd: [worker[2]] CRITICAL: failed to sign zone Conflict detected
2016-09-16T05:03:06.543953+02:00 kvir07 ods-signerd: [worker[2]] backoff task [read] for zone with 3600 seconds
Opendnssec-user mailing list
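The rule the signer log enforces is simple but easy to trip over: when the signer is configured to keep the serial from the input zone, that serial must be ahead of the serial it last wrote to the signed zone (RFC 1982 serial arithmetic), otherwise the SOA cannot be replaced and signing stops with "Conflict detected". The following pre-sign check is an added example, not code from the post or from OpenDNSSEC: it extracts the SOA serial from the unsigned zone and from the last signed output, compares them the way the signer would, and suggests a serial to bump to. The zone names (example.test), the RRSIG placeholder and the sample zone texts are constructed; the serials mirror the ones in the log above.

```python
"""Pre-sign SOA serial check: unsigned input zone versus last signed output.

Added example, not part of the mailing-list post or of OpenDNSSEC. It models the
rule behind the log messages above: with the serial kept from the input zone, the
input serial must be greater (RFC 1982) than the previously signed serial.
"""
from datetime import date

SERIAL_MOD = 1 << 32   # SOA serials are unsigned 32-bit integers
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a > b when the forward distance from b to a is in (0, 2^31)."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    return a != b and ((a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF))


def soa_serial(zone_text: str):
    """Return the SOA serial found in zone-file text, or None if there is no SOA.

    Comments are stripped and parentheses dropped so multi-line SOA records parse.
    The serial is the first all-digit token after the SOA keyword; MNAME and RNAME
    are domain names and never match, which also copes with the anonymised record
    in the log above where both names are blank.
    """
    tokens = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]
        tokens.extend(line.replace("(", " ").replace(")", " ").split())
    for i, tok in enumerate(tokens):
        if tok.upper() == "SOA":
            for t in tokens[i + 1:]:
                if t.isdigit():
                    return int(t) % SERIAL_MOD
    return None


def next_serial(previous: int, today: date) -> int:
    """Suggest a new serial: today's YYYYMMDD00 if that is still ahead of the
    previous serial (date-counter style), otherwise previous + 1."""
    dated = int(today.strftime("%Y%m%d")) * 100
    return dated if serial_gt(dated, previous) else (previous + 1) % SERIAL_MOD


def check_serial(unsigned_text: str, signed_text: str, today: date):
    """Return (ok, message); ok is False when the signer would reject the input."""
    new, old = soa_serial(unsigned_text), soa_serial(signed_text)
    if new is None or old is None:
        return False, "could not find an SOA record in one of the zones"
    if serial_gt(new, old):
        return True, f"input serial {new} is ahead of previous output serial {old}"
    return False, (f"input serial {new} is not ahead of previous output serial {old}; "
                   f"bump the unsigned zone serial to {next_serial(old, today)} or higher")


# Constructed sample zones; the serials mirror the ones in the log above.
UNSIGNED_ZONE = """\
$ORIGIN example.test.
@ 3600 IN SOA ns1.example.test. hostmaster.example.test. (
        2016090700 ; serial, unchanged since the last sign run
        12h 1h 4d 3h )
@ 3600 IN NS ns1.example.test.
"""

SIGNED_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2016091511 43200 3600 345600 10800
example.test. 3600 IN RRSIG SOA 8 2 3600 20160930000000 20160916000000 12345 example.test. AAAA...placeholder
"""

if __name__ == "__main__":
    ok, msg = check_serial(UNSIGNED_ZONE, SIGNED_ZONE, date(2016, 9, 16))
    print("OK" if ok else "CONFLICT", "-", msg)
```

Run against the unsigned zone file and the signer's last output before telling the signer to re-read the zone; a CONFLICT result means the same "cannot keep SOA SERIAL" error the log shows, and the suggested serial is the smallest date-counter value that clears the previously signed one.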