Hi

Zone 1 has been running for a months in a test environment.

I added zones 2 and 3. I updated a TSIG key for domain 2 and then updated the 
enforcer and it deleted all my domains?

opendnssec version 2.0.1


root@signer1:/etc/opendnssec# ods-enforcer update all
Policy default already up-to-date
Policy lab already up-to-date
Policy default already up-to-date
Policy lab already up-to-date
Deleted zone 1 successfully
Deleted zone 2 successfully
Deleted zone 3 successfully
update all completed in 1 seconds.

root@signer1:/etc/opendnssec# ods-enforcer key list --all --verbose
Keys:
Zone:                           Keytype: State:    Date of next transition: 
Size: Algorithm: CKA_ID:                          Repository: KeyTag:
key list completed in 0 seconds.

root@signer1:/etc/opendnssec# ods-enforcer zone list        
Database set to: /var/opendnssec/kasp.db
No zones in database.
zone list completed in 0 seconds.


The log file:
Sep 16 14:02:41 signer1 ods-signerd: [xfrd] zone 1 request udp/ixfr=1160916056 
to 192.168.x.x
Sep 16 14:02:41 signer1 ods-signerd: [xfrd] zone 1 received too short udp reply 
from 192.168.x.x, retry tcp
Sep 16 14:02:41 signer1 ods-signerd: [xfrd] zone 1 request tcp/ixfr=1160916056 
to 192.168.x.x
Sep 16 14:02:58 signer1 ods-signerd: [xfrd] zone 1 transfer done [notify 
acquired 1474027361, serial on disk 1160916057, notify serial 1160916057]
Sep 16 14:03:48 signer1 ods-signerd: [STATS] 1 1160916057 RR[count=80 
time=35(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=2 reused=235 time=2(sec) 
avg=1(sig/sec)] TOTAL[time=50(sec)]
Sep 16 14:04:15 signer1 ods-signerd: [namedb] zone 3 cannot keep SOA SERIAL 
from input zone  (2016091648): previous output SOA SERIAL is 2016091648
…
Sep 16 14:15:41 signer1 ods-signerd: [worker[2]] continue task [read] for zone 1
Sep 16 14:15:41 signer1 ods-signerd: [worker[2]] continue task [sign] for zone 2
Sep 16 14:15:41 signer1 ods-signerd: [worker[1]] continue task [sign] for zone 3
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] zone 2 request axfr to 192.168.x.x
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] bad packet: zone 2 received error 
code NOTAUTH from 192.168.x.x
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] zone 2, from 192.168.x.x has tsig 
error (Bad Key)
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] unable to process tsig: xfr zone 2 
from 192.168.x.x has bad tsig signature
Sep 16 14:15:41 signer1 ods-signerd: [xfrd] bad packet: zone 2 received bad 
tsig from 192.168.x.x
Sep 16 14:15:41 signer1 ods-enforcerd: [zonelist_import] zone 2 deleted
Sep 16 14:15:41 signer1 ods-enforcerd: [zonelist_import] zone 3 deleted
Sep 16 14:15:41 signer1 ods-enforcerd: [zonelist_import] zone 1 deleted
…

Now in the log file after a stop/start:
Sep 16 14:22:12 signer1 ods-signerd: [signconf] zone 2 signconf: RESIGN[PT2H] 
REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] 
OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[keep]
Sep 16 14:22:12 signer1 ods-signerd: [signconf] zone 3 signconf: RESIGN[PT2H] 
REFRESH[P3D] VALIDITY[P14D] DENIAL[P14D] KEYSET[PT0S] JITTER[PT12H] 
OFFSET[PT1H] NSEC[50] DNSKEYTTL[PT1H] SOATTL[PT1H] MINIMUM[PT1H] SERIAL[keep]

Regards
—
David Peall


_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
