Re: Signed zone does not get updated 'receive_secure_serial: not exact'
On 26.12.2012 at 23:31, Mark Andrews ma...@isc.org wrote:

> * the record to be removed was not there
> * the record to be added was already there
>
> This means that the two versions of the zone have become unsynchronized.

I did some more tests with another zone. Not sure BIND works as intended there:

- zone 'trashheap' gets signed (has serial 7 unsigned and receives serial 8|10 signed subsequently)

Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (unsigned): loaded serial 7
Dec 27 11:34:12 spectre named[27411]: any newly configured zones are now loaded
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): loaded serial 7
Dec 27 11:34:12 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update with no effect
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): receive_secure_serial: not exact
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): reconfiguring zone keys
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): next key event: 27-Dec-2012 11:34:12.333
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): sending notifies (serial 8)
Dec 27 11:34:12 spectre named[27411]: client 88.198.49.12#26609/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR started: TSIG ns1-acme.spoerlein.net
Dec 27 11:34:12 spectre named[27411]: client 88.198.49.12#26609/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR ended
Dec 27 11:34:17 spectre named[27411]: zone trashheap.net/IN (signed): sending notifies (serial 10)
Dec 27 11:34:17 spectre named[27411]: client 88.198.49.12#17597/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR started: TSIG ns1-acme.spoerlein.net
Dec 27 11:34:17 spectre named[27411]: client 88.198.49.12#17597/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR ended

- a TXT record is added to zone 'trashheap' via nsupdate
- same problem as before: 'receive_secure_serial: not exact'

Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key tlx.leuxner.net: signer tlx.leuxner.net approved
Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at '2013._domainkey.trashheap.net' TXT
Dec 27 11:37:33 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update with no effect
Dec 27 11:37:33 spectre named[27411]: zone trashheap.net/IN (signed): receive_secure_serial: not exact

- to mitigate the problem, zone journal is dropped again 'rndc sync -clean trashheap.net'
- zone is frozen
- unsigned serial is increased (to 9)
- zone is unfrozen
- zone receives new signed serial (11)

Dec 27 11:44:10 spectre named[27411]: received control channel command 'sync -clean trashheap.net'
Dec 27 11:44:10 spectre named[27411]: sync: dumping zone 'trashheap.net/IN', removing journal file: success
Dec 27 11:45:40 spectre named[27411]: received control channel command 'loadkeys trashheap.net'
Dec 27 11:45:40 spectre named[27411]: zone trashheap.net/IN (signed): reconfiguring zone keys
Dec 27 11:45:40 spectre named[27411]: zone trashheap.net/IN (signed): next key event: 27-Dec-2012 11:45:40.045
Dec 27 11:46:38 spectre named[27411]: received control channel command 'freeze trashheap.net'
Dec 27 11:46:38 spectre named[27411]: freezing zone 'trashheap.net/IN': success
Dec 27 11:47:02 spectre named[27411]: received control channel command 'thaw trashheap.net'
Dec 27 11:47:02 spectre named[27411]: thawing zone 'trashheap.net/IN': success
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (unsigned): loaded serial 9
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): serial 11 (unsigned 9)
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): sending notifies (serial 11)
Dec 27 11:47:02 spectre named[27411]: client 88.198.49.12#54606/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR started: TSIG ns1-acme.spoerlein.net
Dec 27 11:47:02 spectre named[27411]: client 88.198.49.12#54606/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR ended

- another TXT record is added and propagation works going forward

Dec 27 12:03:21 spectre named[27411]: client 188.138.3.243#13188/key tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at '2014._domainkey.trashheap.net' TXT
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): serial 12 (unsigned 10)
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): sending notifies (serial 12)

Regards
Thomas

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
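
Added example (not part of the thread and not ISC code): a Python check that scans named syslog output for the 'receive_secure_serial: not exact' message discussed here and reports which zones have not yet logged a fresh 'serial N (unsigned M)' line afterwards. The sample log is constructed from the line shapes quoted in this thread; example.test, its key name and address, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample shaped like the named syslog lines quoted in this thread.
# example.test, k.example.test and 192.0.2.10 are invented for illustration.
SAMPLE_LOG = """\
Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at '2013._domainkey.trashheap.net' TXT
Dec 27 11:37:33 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update with no effect
Dec 27 11:37:33 spectre named[27411]: zone trashheap.net/IN (signed): receive_secure_serial: not exact
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): serial 11 (unsigned 9)
Dec 27 12:03:21 spectre named[27411]: client 188.138.3.243#13188/key tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at '2014._domainkey.trashheap.net' TXT
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): serial 12 (unsigned 10)
Dec 27 12:10:00 spectre named[27411]: client 192.0.2.10#40000/key k.example.test: updating zone 'example.test/IN':deleting rrset at 'www.example.test' A
Dec 27 12:10:00 spectre named[27411]: zone example.test/IN (signed): receive_secure_serial: not exact
"""

UPDATE = re.compile(r"updating zone '(?P<zone>[^'/]+)/IN': ?"
                    r"(?P<op>adding an RR|deleting rrset) at '(?P<name>[^']+)' (?P<type>\S+)")
NOT_EXACT = re.compile(r"zone (?P<zone>\S+)/IN \(signed\): receive_secure_serial: not exact")
SYNCED = re.compile(r"zone (?P<zone>\S+)/IN \(signed\): serial (?P<s>\d+) \(unsigned (?P<u>\d+)\)")

def audit(log_text):
    """Track, per zone, whether the signed copy last logged a failure or a serial pair."""
    zones = {}
    for line in log_text.splitlines():
        for kind, rx in (("update", UPDATE), ("fail", NOT_EXACT), ("sync", SYNCED)):
            m = rx.search(line)
            if not m:
                continue
            st = zones.setdefault(m["zone"], {"in_sync": True, "failures": 0,
                                              "pending": [], "stalled": [], "serials": None})
            if kind == "update":
                st["pending"].append((m["op"], m["name"], m["type"]))
            elif kind == "fail":   # updates logged just before the failure need checking
                st["in_sync"] = False
                st["failures"] += 1
                st["stalled"] += st["pending"]
                st["pending"] = []
            else:                  # signed copy logged a new signed/unsigned serial pair
                st["in_sync"], st["pending"] = True, []
                st["serials"] = (int(m["s"]), int(m["u"]))
            break
    return zones

def desynced(zones):
    """Zones whose most recent signed-zone event was 'not exact'."""
    return sorted(z for z, st in zones.items() if not st["in_sync"])

if __name__ == "__main__":
    print("still out of sync:", desynced(audit(SAMPLE_LOG)))
```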
Re: Signed zone does not get updated 'receive_secure_serial: not exact'
In message 0fac2f01-3384-45da-8ad9-738fb175b...@leuxner.net, Thomas Leuxner writes:

> Hi,
>
> I'm having the problem that after rolling a dynamic update on one of the zones - a newly signed zone - the signed zone does not get updated, but mocks about the serial being 'not exact'.

The above sentence is not proper English which makes it hard to determine what you actually did.

It is not mocking about the serial being 'not exact'. What it is complaining about is that when the change you just applied to the unsigned version of the zone is applied to the signed version it found one of:

* the record to be removed was not there
* the record to be added was already there

This means that the two versions of the zone have become unsynchronized.

> Dec 26 07:39:26 spectre named[23831]: client 188.138.3.243#16192/key tlx.leuxner.net: signer tlx.leuxner.net approved
> Dec 26 07:39:26 spectre named[23831]: client 188.138.3.243#16192/key tlx.leuxner.net: updating zone 'leuxner.net/IN':deleting rrset at '2012._domainkey.leuxner.net' TXT
> Dec 26 07:39:26 spectre named[23831]: client 188.138.3.243#16192/key tlx.leuxner.net: updating zone 'leuxner.net/IN': adding an RR at '2012._domainkey.leuxner.net' TXT
> Dec 26 07:39:26 spectre named[23831]: zone leuxner.net/IN (signed): receive_secure_serial: not exact
>
> What am I doing wrong (9.9.2-P1)?
>
> Regards
> Thomas

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Signed zone does not get updated 'receive_secure_serial: not exact'
On 26.12.2012 at 23:31, Mark Andrews ma...@isc.org wrote:

> What it is complaining about is that when the change you just applied to the unsigned version of the zone is applied to the signed version it found one of:
>
> * the record to be removed was not there
> * the record to be added was already there
>
> This means that the two versions of the zone have become unsynchronized.

Thanks. Not sure how they became unsynchronized. Looking at other posts, removing the journal and increasing the serial makes the problem go away:

$ rndc sync -clean leuxner.net
$ rndc stop

increase serial on unsigned version

Dec 26 09:01:16 spectre named[23831]: sync: dumping zone 'leuxner.net/IN', removing journal file: success
Dec 26 09:03:16 spectre named[23831]: received control channel command 'stop'

Regards
Thomas
Signed zone does not get updated 'receive_secure_serial: not exact'
Hi,

I'm having the problem that after rolling a dynamic update on one of the zones - a newly signed zone - the signed zone does not get updated, but mocks about the serial being 'not exact'.

Dec 26 07:39:26 spectre named[23831]: client 188.138.3.243#16192/key tlx.leuxner.net: signer tlx.leuxner.net approved
Dec 26 07:39:26 spectre named[23831]: client 188.138.3.243#16192/key tlx.leuxner.net: updating zone 'leuxner.net/IN':deleting rrset at '2012._domainkey.leuxner.net' TXT
Dec 26 07:39:26 spectre named[23831]: client 188.138.3.243#16192/key tlx.leuxner.net: updating zone 'leuxner.net/IN': adding an RR at '2012._domainkey.leuxner.net' TXT
Dec 26 07:39:26 spectre named[23831]: zone leuxner.net/IN (signed): receive_secure_serial: not exact

What am I doing wrong (9.9.2-P1)?

Regards
Thomas