On 2021-06-15 14:19:09 (+0800), Stefan Ubbink wrote:
On Tue, 15 Jun 2021 13:47:37 +0800 Philip Paeps via Opendnssec-user <opendnssec-user@lists.opendnssec.org> wrote:
On 2021-06-15 13:22:08 (+0800), Philip Paeps via Opendnssec-user wrote:
This is a zone we used to have a long time ago. It was deleted
from zonelist.xml a long time ago (years). 'ods-enforcer zone
list' does not know about this zone. So the database must have
been updated. However, 'ods-signer zones' does know about this
zone. And it's trying to sign it apparently.
There are a couple of other zones in this state.
I have tried 'ods-signer update all' and 'ods-signer clear
1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa'. Apparently to no avail.
Is there a way to help ods-signer forget about these stale zones so
our log files stop growing in vain?
I deleted some files referencing these zones from
/usr/local/opendnssec/var/{signer,signconf}. That seems to have
changed the problem. I am not sure if this is a better or worse
problem to have. The logs are now:
Jun 15 05:40:47 ns-master ods-signerd[11051]: [file] unable to stat file /usr/local/var/opendnssec/signconf/1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa.xml: ods_fopen() failed
Jun 15 05:40:47 ns-master ods-signerd[11051]: WARNING: unable to sign zone 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa, signconf is not ready
Jun 15 05:40:47 ns-master ods-signerd[11051]: back-off task [configure] for zone 1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa with 480 seconds
I can restore those files from a ZFS snapshot if that makes the
problem easier to solve. :)
ods-signer zones still sees them, ods-enforcer zone list does not.
ods-signer queue shows them, ods-enforcer queue does not.
Did you restart OpenDNSSEC (ods-control stop; ods-control start)?
Before restarting ODS, you might want to write the new files for the
signer using the `ods-enforcer signconf` command.
Yeah. I restarted the entire jail several times.
But it looks like the problem was that we were stuck in a kind of
intermediate state. I am guessing that ods-enforcer crashed while
deleting the zones and that zones.xml file was not correctly updated.
Looking through /usr/local/var/opendnssec, we seem to be carrying quite
a lot of stale state around. That's probably going to haunt us when we
least expect it.
I wonder, is there an authoritative list of "intermediate" or "state"
files OpenDNSSEC needs/wants/creates/tracks? While I'm watching this
jail closely, I should take the opportunity to tidy up.
Philip
--
Philip Paeps
Senior Reality Engineer
Alternative Enterprises
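Philip asks how to find the stale state OpenDNSSEC leaves behind. As an added example (not from this thread or from the OpenDNSSEC project), the script below lists signconf files whose zone no longer appears in zonelist.xml, assuming the `<zone>.xml` signconf naming visible in the log line above and the standard `<Zone name="...">` layout of zonelist.xml; the directory layout and the sample zonelist are constructed fixtures, and the ip6.arpa zone name is reused from the thread only as sample data.

```python
"""Report signconf files with no matching <Zone> in zonelist.xml (assumed layout)."""
import os
import tempfile
import xml.etree.ElementTree as ET


def zones_in_zonelist(zonelist_path):
    """Return the set of zone names declared in an OpenDNSSEC zonelist.xml."""
    root = ET.parse(zonelist_path).getroot()
    return {z.get("name") for z in root.iter("Zone") if z.get("name")}


def find_stale_signconf(zonelist_path, signconf_dir):
    """List signconf/<zone>.xml files whose zone is absent from zonelist.xml.

    Assumes the signconf naming seen in the thread's log line: <zone>.xml.
    """
    known = zones_in_zonelist(zonelist_path)
    stale = []
    for name in os.listdir(signconf_dir):
        if not name.endswith(".xml"):
            continue
        if name[:-4] not in known:  # strip ".xml" to recover the zone name
            stale.append(name)
    return sorted(stale)


# Constructed fixture: a zonelist with one live zone, and a signconf directory
# that still carries a file for a zone that was deleted from the zonelist.
ZONELIST_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="example.org">
    <Policy>default</Policy>
    <SignerConfiguration>/usr/local/var/opendnssec/signconf/example.org.xml</SignerConfiguration>
  </Zone>
</ZoneList>
"""


def demo():
    """Build the fixture in a temp dir and return the stale signconf files."""
    with tempfile.TemporaryDirectory() as tmp:
        zl = os.path.join(tmp, "zonelist.xml")
        sc = os.path.join(tmp, "signconf")
        os.mkdir(sc)
        with open(zl, "w") as f:
            f.write(ZONELIST_XML)
        for zone in ("example.org", "1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa"):
            open(os.path.join(sc, zone + ".xml"), "w").close()
        return find_stale_signconf(zl, sc)


if __name__ == "__main__":
    print(demo())  # prints ['1.0.1.0.0.0.0.2.0.5.c.f.7.0.6.2.ip6.arpa.xml']
```

Run it against the real zonelist.xml and signconf directory (and, with the same idea, the signer directory) before deleting anything, so that the list of candidates is reviewed rather than acted on blindly.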
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user