Re: Unable to slave root zones

2017-04-07 Thread Thomas Leuxner
* Mark Knight  2017.04.07 16:36:

> masters {
> 192.5.5.241;// F.ROOT-SERVERS.NET.
> };

Hi Mark,

I had the same issue basically. Tracing the zone transfers with dig it turned 
out they worked for IPv6, but no longer work for IPv4.
So I ended up with this:

masters { 2001:500:2f::f; }; // @f.root-servers.net

Regards
Thomas


signature.asc
Description: Digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: [SOLVED] dns_journal_write_transaction on managed-keys-zone

2013-02-15 Thread Thomas Leuxner
* Thomas Leuxner t...@leuxner.net 2013.02.11 21:13:

> * Evan Hunt e...@isc.org 2013.02.11 20:30:
>
> > I haven't seen this problem before.  Can you share the rest of
> > your configuration with me?  You can open a ticket by mailing
> > bind9-b...@isc.org.
>
> Config sent.
>
> Regards
> Thomas

Finally found the root of this issue. While the named has been stopped and 
started multiple times during investigation it appears a zombie 'named' process 
has been left running. The init script seems not to have noticed this process and 
started without errors all the time, hence I did not notice this state. 
Eventually this created the problem when two instances wanted to write to the 
same log file and produced the errors. Sorry for the noise, but I was under the 
impression that the start/stop scripts 'sanitize' the environment well enough.

I can confirm that both views and the RRLP work fine now.

Cross-Posted to actual Bug Report.

Regards
Thomas



dns_journal_write_transaction on managed-keys-zone

2013-02-11 Thread Thomas Leuxner
After introducing views in my BIND 9.9.2-rpz+rl.028.23-P1 configuration the log 
starts to report managed keys errors periodically. Deleting the files does not 
solve the issue.

view internal {
    // internal_hosts is an acl defined elsewhere in the configuration
    match-clients { internal_hosts; };
    recursion yes;
    include "/etc/bind/named.conf.default-zones";
};

view external {
    match-clients { any; };
    recursion no;
    // response rate limiting for the non-recursive view
    rate-limit {
        responses-per-second 5;
        window 5;
    };
    include "/etc/bind/named.conf.local";
};


Feb 11 09:06:28 spectre named[5212]: using built-in DLV key for view internal
Feb 11 09:06:28 spectre named[5212]: using built-in root key for view internal
Feb 11 09:06:28 spectre named[5212]: using built-in DLV key for view external
Feb 11 09:06:28 spectre named[5212]: using built-in root key for view external
[...]
Feb 11 10:00:25 spectre named[3978]: malformed transaction: 
3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys.jnl last 
serial 39 != transaction first serial 5
Feb 11 10:00:25 spectre named[3978]: managed-keys-zone/external: 
keyfetch_done:dns_journal_write_transaction - unexpected error
Feb 11 10:00:25 spectre named[3978]: malformed transaction: 
3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys.jnl last 
serial 39 != transaction first serial 5
Feb 11 10:00:25 spectre named[3978]: managed-keys-zone/external: 
keyfetch_done:dns_journal_write_transaction - unexpected error
Feb 11 10:00:25 spectre named[3978]: malformed transaction: 
3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys.jnl last 
serial 37 != transaction first serial 5
Feb 11 10:00:25 spectre named[3978]: managed-keys-zone/internal: 
keyfetch_done:dns_journal_write_transaction - unexpected error
Feb 11 10:00:25 spectre named[3978]: malformed transaction: 
3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys.jnl last 
serial 37 != transaction first serial 5
Feb 11 10:00:25 spectre named[3978]: managed-keys-zone/internal: 
keyfetch_done:dns_journal_write_transaction - unexpected error

Regards
Thomas
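
The [SOLVED] follow-up in this thread traces these journal errors to a second named process that was still running, and the excerpt above logs under two PIDs (5212 and 3978). The following is an added example, not part of the original posts: it flags that condition from syslog text by finding named PIDs on one host whose logging periods overlap. The sample lines are constructed in the shape of the excerpt, and the function names and the `year` default are assumptions.

```python
import re
from datetime import datetime
from itertools import combinations

# "Mon DD HH:MM:SS host named[PID]: message"; wrapped continuation lines do not match.
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) (\S+) named\[(\d+)\]: ")

def named_pid_spans(log_text, year=2013):
    """Map (host, pid) -> (first_seen, last_seen) for every named PID in the log."""
    spans = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        stamp, host, pid = m.groups()
        # syslog omits the year, so the caller supplies it (assumption: one year per file)
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        first, last = spans.get((host, int(pid)), (ts, ts))
        spans[(host, int(pid))] = (min(first, ts), max(last, ts))
    return spans

def concurrent_named(log_text, year=2013):
    """Return (host, pid_a, pid_b) for PIDs whose logging periods overlap."""
    hits = []
    for (a, sa), (b, sb) in combinations(sorted(named_pid_spans(log_text, year).items()), 2):
        same_host = a[0] == b[0]
        overlap = sa[0] <= sb[1] and sb[0] <= sa[1]
        if same_host and overlap:
            hits.append((a[0], a[1], b[1]))
    return hits

# Constructed sample: PID 3978 starts, PID 5212 starts later, 3978 keeps logging.
SAMPLE = """\
Feb 11 08:15:00 spectre named[3978]: using built-in root key for view internal
Feb 11 09:06:28 spectre named[5212]: using built-in root key for view internal
Feb 11 09:06:28 spectre named[5212]: using built-in root key for view external
Feb 11 10:00:25 spectre named[3978]: managed-keys-zone/external: keyfetch_done:dns_journal_write_transaction - unexpected error
Feb 11 10:00:25 spectre named[3978]: managed-keys-zone/internal: keyfetch_done:dns_journal_write_transaction - unexpected error
"""

if __name__ == "__main__":
    for host, pid_a, pid_b in concurrent_named(SAMPLE):
        print(f"{host}: named[{pid_a}] and named[{pid_b}] were both logging; check for a leftover process")
```

A clean restart produces no hit, because the old PID's last line precedes the new PID's first line.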



Re: Signed zone does not get updated 'receive_secure_serial: not exact'

2012-12-27 Thread Thomas Leuxner
On 26.12.2012 at 23:31, Mark Andrews ma...@isc.org wrote:

> * the record to be removed was not there
> * the record to be added was already there
>
> This means that the two versions of the zone have become unsynchronized.

I did some more tests with another zone. Not sure BIND works as intended there:

- zone 'trashheap' gets signed (has serial 7 unsigned and receives serial 8|10 
signed subsequently)

Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (unsigned): loaded 
serial 7
Dec 27 11:34:12 spectre named[27411]: any newly configured zones are now loaded
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): loaded 
serial 7
Dec 27 11:34:12 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update 
with no effect
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): 
receive_secure_serial: not exact
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): 
reconfiguring zone keys
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): next key 
event: 27-Dec-2012 11:34:12.333
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): sending 
notifies (serial 8)
Dec 27 11:34:12 spectre named[27411]: client 88.198.49.12#26609/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
started: TSIG ns1-acme.spoerlein.net
Dec 27 11:34:12 spectre named[27411]: client 88.198.49.12#26609/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
ended
Dec 27 11:34:17 spectre named[27411]: zone trashheap.net/IN (signed): sending 
notifies (serial 10)
Dec 27 11:34:17 spectre named[27411]: client 88.198.49.12#17597/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
started: TSIG ns1-acme.spoerlein.net
Dec 27 11:34:17 spectre named[27411]: client 88.198.49.12#17597/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
ended

- a TXT record is added to zone 'trashheap' via nsupdate
- same problem as before: 'receive_secure_serial: not exact'

Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key 
tlx.leuxner.net: signer tlx.leuxner.net approved
Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key 
tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at 
'2013._domainkey.trashheap.net' TXT
Dec 27 11:37:33 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update 
with no effect
Dec 27 11:37:33 spectre named[27411]: zone trashheap.net/IN (signed): 
receive_secure_serial: not exact

- to mitigate the problem, zone journal is dropped again 'rndc sync -clean 
trashheap.net'
- zone is frozen
- unsigned serial is increased (to 9)
- zone is unfrozen
- zone receives new signed serial (11)

Dec 27 11:44:10 spectre named[27411]: received control channel command 'sync 
-clean trashheap.net'
Dec 27 11:44:10 spectre named[27411]: sync: dumping zone 'trashheap.net/IN', 
removing journal file: success
Dec 27 11:45:40 spectre named[27411]: received control channel command 
'loadkeys trashheap.net'
Dec 27 11:45:40 spectre named[27411]: zone trashheap.net/IN (signed): 
reconfiguring zone keys
Dec 27 11:45:40 spectre named[27411]: zone trashheap.net/IN (signed): next key 
event: 27-Dec-2012 11:45:40.045
Dec 27 11:46:38 spectre named[27411]: received control channel command 'freeze 
trashheap.net'
Dec 27 11:46:38 spectre named[27411]: freezing zone 'trashheap.net/IN': success
Dec 27 11:47:02 spectre named[27411]: received control channel command 'thaw 
trashheap.net'
Dec 27 11:47:02 spectre named[27411]: thawing zone 'trashheap.net/IN': success
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (unsigned): loaded 
serial 9
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): serial 11 
(unsigned 9)
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): sending 
notifies (serial 11)
Dec 27 11:47:02 spectre named[27411]: client 88.198.49.12#54606/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
started: TSIG ns1-acme.spoerlein.net
Dec 27 11:47:02 spectre named[27411]: client 88.198.49.12#54606/key 
ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR 
ended

- another TXT record is added and propagation works going forward

Dec 27 12:03:21 spectre named[27411]: client 188.138.3.243#13188/key 
tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at 
'2014._domainkey.trashheap.net' TXT
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): serial 12 
(unsigned 10)
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): sending 
notifies (serial 12)

Regards
Thomas




Re: Signed zone does not get updated 'receive_secure_serial: not exact'

2012-12-26 Thread Thomas Leuxner
On 26.12.2012 at 23:31, Mark Andrews ma...@isc.org wrote:

> What it is complaining about is that when the change you just applied to the
> unsigned version of the zone is applied to the signed version it
> found one of:
>
> * the record to be removed was not there
> * the record to be added was already there
>
> This means that the two versions of the zone have become unsynchronized.

Thanks. Not sure how they became unsynchronized. Looking at other posts, 
removing the journal and increasing the serial makes the problem go away:

$ rndc sync -clean leuxner.net
$ rndc stop
increase serial on unsigned version

Dec 26 09:01:16 spectre named[23831]: sync: dumping zone 'leuxner.net/IN', 
removing journal file: success
Dec 26 09:03:16 spectre named[23831]: received control channel command 'stop'

Regards
Thomas
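
The two conditions Mark Andrews lists above, as a small model (an added example, not BIND's code and not from the thread): a diff applied exactly may only remove records that exist and only add records that are absent, and anything else means the signed copy has drifted from the unsigned one. `apply_exact`, `drift`, the rdata values and the `host.leuxner.net` record are constructed for illustration; only the `2012._domainkey.leuxner.net` owner name comes from the log.

```python
# Record types that exist only in, or differ by design in, the signed version
# (assumption for this model).
SIGNING_TYPES = {"SOA", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}

def apply_exact(zone, deletes, adds):
    """Apply a diff to a set of (owner, type, rdata) records and report every
    delete that removed nothing and every add that inserted nothing."""
    result, problems = set(zone), []
    for rr in deletes:
        if rr in result:
            result.discard(rr)
        else:
            problems.append(("delete-missing", rr))
    for rr in adds:
        if rr in result:
            problems.append(("add-present", rr))
        else:
            result.add(rr)
    return result, problems

def drift(unsigned, signed):
    """Records on which the two versions disagree, ignoring signing-only types."""
    plain = lambda zone: {rr for rr in zone if rr[1] not in SIGNING_TYPES}
    return plain(unsigned) ^ plain(signed)

# Constructed data: the update deletes the old TXT record and adds a new one.
OLD = ("2012._domainkey.leuxner.net", "TXT", "k=rsa; p=OLDKEY")
NEW = ("2012._domainkey.leuxner.net", "TXT", "k=rsa; p=NEWKEY")
HOST = ("host.leuxner.net", "A", "192.0.2.10")
SIG = ("host.leuxner.net", "RRSIG", "A (constructed)")

unsigned = {OLD, HOST}
in_sync = {OLD, HOST, SIG}   # signed copy that matches the unsigned one
stale = {NEW, HOST, SIG}     # signed copy that already holds NEW and lacks OLD

def demo():
    _, ok = apply_exact(in_sync, deletes=[OLD], adds=[NEW])
    _, bad = apply_exact(stale, deletes=[OLD], adds=[NEW])
    return ok, bad, drift(unsigned, stale)

if __name__ == "__main__":
    ok, bad, delta = demo()
    print("in sync:", ok)
    print("stale  :", bad)
    print("drift  :", sorted(delta))
```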


Signed zone does not get updated 'receive_secure_serial: not exact'

2012-12-25 Thread Thomas Leuxner
Hi,

I'm having the problem that after rolling a dynamic update on one of the zones 
- a newly signed zone - the signed zone does not get updated, but mocks about 
the serial being 'not exact'.

Dec 26 07:39:26 spectre named[23831]: client 188.138.3.243#16192/key 
tlx.leuxner.net: signer tlx.leuxner.net approved
Dec 26 07:39:26 spectre named[23831]: client 188.138.3.243#16192/key 
tlx.leuxner.net: updating zone 'leuxner.net/IN':deleting rrset at 
'2012._domainkey.leuxner.net' TXT
Dec 26 07:39:26 spectre named[23831]: client 188.138.3.243#16192/key 
tlx.leuxner.net: updating zone 'leuxner.net/IN': adding an RR at 
'2012._domainkey.leuxner.net' TXT
Dec 26 07:39:26 spectre named[23831]: zone leuxner.net/IN (signed): 
receive_secure_serial: not exact

What am I doing wrong (9.9.2-P1)?

Regards
Thomas

