Hi Uli,

On 28/08/2019 15:40, Ulrich-Lorenz Schlüter wrote:
> Hi list,
>
> 1. When the DNS adapter is used, will there ever be files in
> /var/opendnssec/unsigned & /var/opendnssec/signed?
OpenDNSSEC (ods) will only write into the signed dir. By default, ods will look for the unsigned zone file in the `/var/opendnssec/unsigned` directory and will only do reads from it, and writes the signed file into the `/var/opendnssec/signed` dir.

> 2. I can not interpret this log. Would someone be so kind?
>
> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver: /usr/sbin/rndc
> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver process forked
> Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver ok
> Aug 28 16:22:45 one ods-signerd[901]: [tools] log stats for zone sycosys.de serial 1567002165
> Aug 28 16:22:45 one ods-signerd[901]: [STATS] sycosys.de 1567002165 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=13 reused=0 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]

The lines above show what looks like a normal signing operation of `sycosys.de`, and these are the last lines in the log of that process. The `notify` is perhaps in your conf.xml config with the `Notify` directive in xml brackets. I'm guessing that you have a local bind instance running, so you're using `rndc` to reload the zone. Btw, this `notify` isn't an actual DNS notify type query; it's just a directive for ODS to hit a script or a program after it finishes signing a zone. In this case, it's running rndc to perhaps reload the signed zone file into bind.

I think you have your logging level turned up, so you might want to consider a lower logging number if you don't want to see that much detail. It is also a directive in `conf.xml`, the <Verbosity> directive.

The lines below look more in line with actual DNS notify packets to transfer the sycosys.de zone, and then ods will authenticate XFRs with the tsig key `opendnssec-out`. We don't really use ods itself to do those, so someone else can give a better in-depth explanation about it.
> Aug 28 16:22:45 one ods-signerd[901]: [tools] forward a notify
> Aug 28 16:22:45 one ods-signerd[901]: [dnshandler] forwarded notify: 6 bytes sent
> Aug 28 16:22:45 one ods-signerd[901]: [file] open file file=sycosys.de.backup2.tmp mode=writing
> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] read forwarded dns packet: 6 bytes received
> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
> Aug 28 16:22:45 one ods-signerd[901]: [netio] dispatch timeout event without checking for other events
> Aug 28 16:22:45 one ods-signerd[901]: [notify] handle notify for zone sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify timeout for zone sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with key: opendnssec-out.
> Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with algorithm: hmac-sha256.
> Aug 28 16:22:45 one ods-signerd[901]: [notify] tsig append rr to notify id=19564
> Aug 28 16:22:45 one ods-signerd[901]: [file] openfile sycosys.de.backup2.tmp count 1
> Aug 28 16:22:45 one ods-signerd[901]: [notify] send 190 bytes over udp to 127.0.0.1
> Aug 28 16:22:45 one ods-signerd[901]: [scheduler] schedule task [sign] for sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [worker[1]] finished working
> Aug 28 16:22:45 one ods-signerd[901]: [worker[1]]: report for duty
> Aug 28 16:22:45 one ods-signerd[901]: [socket] incoming udp message
> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify retry 1 for zone sycosys.de sent to 127.0.0.1
> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
> Aug 28 16:22:45 one ods-signerd[901]: [notify] handle notify for zone sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [notify] read notify ok for zone sycosys.de
> Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de secondary 127.0.0.1 notify reply ok
> Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de no more secondaries, disable notify
> Aug 28 16:22:45 one ods-signerd[901]: [notify] notify for zone sycosys.de disabled
> Aug 28 16:22:45 one ods-signerd[901]: [xfrhandler] netio dispatch
> Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY but 2048:41
> Aug 28 16:22:45 one ods-signerd[901]: [tsig] parse: not TSIG or not ANY but 14:2304
> Aug 28 16:22:45 one ods-signerd[901]: [query] too many additional rrs
> Aug 28 16:22:45 one ods-signerd[901]: [query] formerr
> Aug 28 16:22:45 one ods-signerd[901]: [socket] query processed qstate=0
> Aug 28 16:22:45 one ods-signerd[901]: [query] add edns opt ok
> Aug 28 16:22:45 one ods-signerd[901]: [socket] sending 141 bytes over udp
> Aug 28 16:22:45 one ods-signerd[901]: [dnshandler] netio dispatch
>
> Thanks & regards
> Uli
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

HTH,
Kareem.

--
Abdulkareem H. Ali
Operations Team Leader
CentralNic Group PLC
London Stock Exchange Symbol: CNIC
+44 20 3388 0600
www.CentralNic.com

CentralNic Group PLC is a company registered in England and Wales with company number 8576358. Registered Offices: CentralNic, 4th Floor, Saddlers House, 44 Gutter Lane, London, EC2V 6BR.
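As an added example (not from this thread or the OpenDNSSEC project), the reading Kareem gives of the log can be turned into a small Python summarizer: it pulls the per-zone `[STATS]` figures, whether the `[tools] notify nameserver` command reported ok, which TSIG key signed the outgoing NOTIFY, which secondaries acknowledged it, and how many incoming packets the signer rejected with `[query] formerr`. The tag names come from the quoted log; `SAMPLE_LOG` is a constructed sample with the wrapped lines joined, and `summarize`/`issues` are names chosen here.

```python
import re
# Constructed sample shaped like the ods-signerd lines quoted in the thread (wrapped lines joined); not a real capture.
SAMPLE_LOG = """\
Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver: /usr/sbin/rndc
Aug 28 16:22:45 one ods-signerd[901]: [tools] notify nameserver ok
Aug 28 16:22:45 one ods-signerd[901]: [STATS] sycosys.de 1567002165 RR[count=0 time=0(sec)] NSEC3[count=0 time=0(sec)] RRSIG[new=13 reused=0 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Aug 28 16:22:45 one ods-signerd[901]: [domain] tsig sign notify with key: opendnssec-out.
Aug 28 16:22:45 one ods-signerd[901]: [notify] zone sycosys.de secondary 127.0.0.1 notify reply ok
Aug 28 16:22:45 one ods-signerd[901]: [query] too many additional rrs
Aug 28 16:22:45 one ods-signerd[901]: [query] formerr
"""

# "[tag] message" after the process name; nested tags such as [worker[1]] do not match and are skipped.
LINE_RE = re.compile(r"ods-signerd\[\d+\]: \[(?P<tag>[^\[\]]+)\] (?P<msg>.*)$")
STATS_RE = re.compile(r"^(?P<zone>\S+) (?P<serial>\d+) .*RRSIG\[new=(?P<new>\d+) reused=(?P<reused>\d+)")
REPLY_RE = re.compile(r"^zone (?P<zone>\S+) secondary (?P<peer>\S+) notify reply ok$")

def summarize(log_text):
    """Reduce signer log lines to the facts an operator checks after a signing run."""
    s = {"signed": {}, "notify_cmd_ok": False, "tsig_keys": set(), "notify_acked": {}, "formerr": 0}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tag, msg = m.group("tag"), m.group("msg")
        if tag == "STATS":                                  # per-zone signing statistics
            st = STATS_RE.match(msg)
            if st:
                s["signed"][st["zone"]] = {"serial": int(st["serial"]), "rrsig_new": int(st["new"]),
                                           "rrsig_reused": int(st["reused"])}
        elif tag == "tools" and msg == "notify nameserver ok":   # post-signing command (rndc here) exited ok
            s["notify_cmd_ok"] = True
        elif tag == "domain" and msg.startswith("tsig sign notify with key: "):
            s["tsig_keys"].add(msg.split(": ", 1)[1].rstrip("."))
        elif tag == "notify":                               # real DNS NOTIFY acknowledged by a secondary
            r = REPLY_RE.match(msg)
            if r:
                s["notify_acked"].setdefault(r["zone"], []).append(r["peer"])
        elif tag == "query" and msg == "formerr":           # signer rejected a malformed incoming packet
            s["formerr"] += 1
    return s

def issues(s):
    out = []
    if not s["signed"]:
        out.append("no [STATS] line: nothing was signed in this run")
    if not s["notify_cmd_ok"]:
        out.append("notify command did not report ok")
    if s["formerr"]:
        out.append("%d malformed query(s) answered with FORMERR" % s["formerr"])
    return out
```

Feeding it the signer's syslog output lets a monitoring job alert on a missing `[STATS]` line or a failed notify command instead of someone reading the raw stream.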
