Re: Update returns FORMERR: ran out of space
On Thu, Feb 25, 2010 at 10:02:45AM +1100, Mark Andrews ma...@isc.org wrote a message of 68 lines which said:

> Try this patch. It resets the scratch space 'data' used by dns_dnssec_sign().

It works fine. Many thanks.

Sending update to ::1#8053
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 20340
;; flags: ; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; ZONE SECTION:
;toto.fr. IN SOA

;; UPDATE SECTION:
toto.fr. 3600 IN DNSKEY 256 3 8 AwEAAbQuvEyzE/+5giH+QBjynhogDchi4AaB0YPZR79BRLlXLB34pjzw ArvI1dwuqaXW1jwvT5nQ1TDMZHH/qZgBU0X5532zxPi+MOj+Ec3EUp0k clsEz5kHwATTG5paqueAd/0N/1iW8SVqNARsIRlcrTU+DENv1z8hhTQq FVoiefGf

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 20340
;; flags: qr ; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0

25-Feb-2010 09:54:17.287 update: debug 8: client ::1#50327: updating zone 'toto.fr/IN': prerequisites are OK
25-Feb-2010 09:54:17.287 update: debug 8: client ::1#50327: updating zone 'toto.fr/IN': update section prescan OK
25-Feb-2010 09:54:17.287 update: info: client ::1#50327: updating zone 'toto.fr/IN': adding an RR at 'toto.fr' DNSKEY
25-Feb-2010 09:54:17.287 update: debug 8: client ::1#50327: updating zone 'toto.fr/IN': redundant request

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Update returns FORMERR: ran out of space
On Wed, Feb 24, 2010 at 10:18:31AM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 39 lines which said:

> With 'severity debug 30', all I get is:

And, for a successful dynamic update (it works with A records):

24-Feb-2010 14:31:44.803 update: debug 8: client ::1#13202: updating zone 'toto.fr/IN': prerequisites are OK
24-Feb-2010 14:31:44.803 update: debug 8: client ::1#13202: updating zone 'toto.fr/IN': update section prescan OK
24-Feb-2010 14:31:44.803 update: info: client ::1#13202: updating zone 'toto.fr/IN': adding an RR at 'created-dyn-1267018304-26805.toto.fr' A
24-Feb-2010 14:31:44.803 update: debug 3: client ::1#13202: updating zone 'toto.fr/IN': checking for NSEC3PARAM changes
24-Feb-2010 14:31:44.806 update: debug 3: client ::1#13202: updating zone 'toto.fr/IN': updated data signatures
24-Feb-2010 14:31:44.806 update: debug 3: client ::1#13202: updating zone 'toto.fr/IN': removed any orphaned NSEC records
24-Feb-2010 14:31:44.806 update: debug 3: client ::1#13202: updating zone 'toto.fr/IN': rebuilding NSEC3 chains
24-Feb-2010 14:31:44.806 update: debug 3: client ::1#13202: updating zone 'toto.fr/IN': signing rebuilt NSEC3 chain
24-Feb-2010 14:31:44.808 update: debug 8: client ::1#13202: updating zone 'toto.fr/IN': writing journal toto.fr.db.signed.jnl
24-Feb-2010 14:31:44.819 update: debug 8: client ::1#13202: updating zone 'toto.fr/IN': committing update transaction

Re: Update returns FORMERR: ran out of space
On Wed, Feb 24, 2010 at 10:18:31AM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 39 lines which said:

> 24-Feb-2010 10:17:01.057 update: error: client ::1#45986: updating zone 'toto.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space

Adding a fair amount of debugging traces, I can get the line number:

24-Feb-2010 15:04:26.343 update: info: client ::1#60371: updating zone 'toto.fr/IN': error: ran out of space at line 1945

which, in my case, is:

    /* Calculate the signature, creating a RRSIG RDATA. */
    CHECKV(dns_dnssec_sign(name, rdataset, keys[i],
                           inception, expire,
                           mctx, buffer, sig_rdata));

So, the problem lies somewhere in dns_dnssec_sign but my knowledge stops there.

Re: Update returns FORMERR: ran out of space
In message 20100224091831.ga3...@nic.fr, Stephane Bortzmeyer writes:

> On Wed, Feb 24, 2010 at 11:32:35AM +1100, Mark Andrews ma...@isc.org wrote a message of 35 lines which said:
>
> > Turn the debugging up to 3.
>
> With 'severity debug 30', all I get is:
>
> 24-Feb-2010 10:17:01.047 update: debug 8: client ::1#45986: updating zone 'toto.fr/IN': prerequisites are OK
> 24-Feb-2010 10:17:01.047 update: debug 8: client ::1#45986: updating zone 'toto.fr/IN': update section prescan OK
> 24-Feb-2010 10:17:01.047 update: info: client ::1#45986: updating zone 'toto.fr/IN': adding an RR at 'toto.fr' DNSKEY
> 24-Feb-2010 10:17:01.048 update: debug 3: client ::1#45986: updating zone 'toto.fr/IN': checking for NSEC3PARAM changes
> 24-Feb-2010 10:17:01.057 update: error: client ::1#45986: updating zone 'toto.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space
> 24-Feb-2010 10:17:01.057 update: debug 8: client ::1#45986: updating zone 'toto.fr/IN': rolling back
>
> I log 'dnssec' events:
>
> logging {
>     channel debugging {
>         file /tmp/bind-dnssec.log versions 2 size 5m;
>         severity debug 30;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     category update { debugging; };
>     category dnssec { debugging; };
> };
>
> But I do not see them in the log.

You won't see DNSSEC events as DNSSEC basically covers validation.

Try this patch. It resets the scratch space 'data' used by dns_dnssec_sign().

Index: bin/named/update.c === RCS file: /proj/cvs/prod/bind9/bin/named/update.c,v retrieving revision 1.176.4.3 diff -u -r1.176.4.3 update.c --- bin/named/update.c 30 Dec 2009 03:55:03 - 1.176.4.3 +++ bin/named/update.c 24 Feb 2010 22:58:21 - 
@@ -1941,6 +1941,7 @@ CHECK(update_one_rr(db, ver, diff, DNS_DIFFOP_ADDRESIGN, name, rdataset.ttl, sig_rdata)); dns_rdata_reset(sig_rdata); + isc_buffer_init(buffer, data, sizeof(data)); added_sig = ISC_TRUE; } if (!added_sig) { -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
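Review bot: the added isc_buffer_init(buffer, data, sizeof(data)); line, placed after dns_rdata_reset(sig_rdata), has no comment saying why the scratch buffer has to be re-initialised at this point, and it sits apart from the dns_dnssec_sign() call that consumes the buffer. Consider moving the reset to immediately before that call, or adding a one-line comment here, so that a later edit to this block does not drop or reorder it and bring back the 'ran out of space' failure.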
Re: Update returns FORMERR: ran out of space
On Tue, Feb 23, 2010 at 02:56:15PM +0100, Stephane Bortzmeyer bortzme...@nic.fr wrote a message of 17 lines which said:

> Trying to add/delete DNSSEC keys with dynamic update (first time I try that), the nsupdate client gets a FORMERR and BIND logs:

Some details:

* I use NSEC3 with opt-out
* I checked with a completely new zone, with an empty history (same problem)
* I checked the ARM which says that dynupdating DNSKEY is supported

Re: Update returns FORMERR: ran out of space
In message 20100223135615.ga30...@nic.fr, Stephane Bortzmeyer writes:

> Trying to add/delete DNSSEC keys with dynamic update (first time I try that), the nsupdate client gets a FORMERR and BIND logs:
>
> Feb 23 14:53:24 jezabel named[10174]: client ::1#29411: updating zone 'bortzmeyer.fr/IN': RRSIG/NSEC/NSEC3 update failed: ran out of space
>
> I checked the disk space (plenty) but I suspect that the problem is more complicated.

Turn the debugging up to 3. The log message is a result of update_signatures() detecting an error. "ran out of space" usually means a fixed sized buffer is not big enough or the change exceeded an architectural limit of the protocol.

Mark

> I can add A records just fine:
>
> Feb 23 14:55:46 jezabel named[10174]: client ::1#51231: updating zone 'bortzmeyer.fr/IN': adding an RR at 'created-dyn-1266933346-8636.bortzmeyer.fr' A
>
> BIND 9.7.0 built with '--without-idnlib' '--without-dlz' '--without-idn' '--with-libxml2=yes' '--enable-openssl'

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
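
The failure mode diagnosed in this thread (a fixed-size scratch buffer that fills up because it is not reset between signatures), as an added example that is not part of the original messages and is not BIND code. `scratch_t`, `toy_sign` and `sign_all` are hypothetical stand-ins, the 200-byte buffer and 128-byte signature are constructed sizes, and that more than one key signs the same RRset is an assumption of the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not the ISC isc_buffer_t / dns_dnssec_sign() API. */
typedef struct { unsigned char *base; size_t length, used; } scratch_t;
enum { R_SUCCESS = 0, R_NOSPACE = 1 };
#define SIG_LEN 128 /* constructed size of one signature */

static void scratch_init(scratch_t *b, void *base, size_t length) {
    b->base = base;
    b->length = length;
    b->used = 0; /* discard whatever an earlier signature left behind */
}

/* Append one fake signature; refuse rather than write past the end. */
static int toy_sign(scratch_t *b, unsigned char fill) {
    if (b->length - b->used < SIG_LEN)
        return R_NOSPACE; /* the "ran out of space" condition */
    memset(b->base + b->used, fill, SIG_LEN);
    b->used += SIG_LEN;
    return R_SUCCESS;
}

/* Sign one RRset with nkeys keys; return how many signatures succeeded. */
int sign_all(int nkeys, int reset_after_each) {
    unsigned char data[200]; /* constructed: room for one signature, not two */
    scratch_t buffer;
    int done = 0;

    scratch_init(&buffer, data, sizeof(data));
    for (int i = 0; i < nkeys; i++) {
        if (toy_sign(&buffer, (unsigned char)i) != R_SUCCESS)
            break; /* a caller would roll the update back here */
        done++; /* real code would copy the signature out at this point */
        if (reset_after_each)
            scratch_init(&buffer, data, sizeof(data));
    }
    return done;
}

int main(void) {
    printf("one key, no reset:  %d of 1 signed\n", sign_all(1, 0));
    printf("two keys, no reset: %d of 2 signed\n", sign_all(2, 0));
    printf("two keys, reset:    %d of 2 signed\n", sign_all(2, 1));
    return 0;
}
```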