Re: inline-signing: SOA serial out of sync

2018-06-23 Thread Axel Rau 

> Am 21.06.2018 um 08:18 schrieb Stefan Förster via bind-users 
> :
> 
> 
> I used to see something similar (although views were involved), where BIND 
> was not picking up changes to a zone when only included files were changed:
> 
> https://lists.isc.org/pipermail/bind-users/2017-September/099145.html
Thanks for pointing this out.

My problem happened again with bind 9.12.1.
As you can see below, „next key event" is in the past!

Axel

PS:
—-
[hermes:master/signed/lrau.net] root# rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, 
master/signed/lrau.net/caldav.lrau.net.tlsa, 
master/signed/lrau.net/git3.lrau.net.tlsa, 
master/signed/lrau.net/git4.lrau.net.tlsa, 
master/signed/lrau.net/lists3.lrau.net.tlsa, 
master/signed/lrau.net/lists4.lrau.net.tlsa, 
master/signed/lrau.net/mailout3.lrau.net.tlsa, 
master/signed/lrau.net/mailout4.lrau.net.tlsa, 
master/signed/lrau.net/mx3.lrau.net.tlsa, 
master/signed/lrau.net/mx4.lrau.net.tlsa, 
master/signed/lrau.net/timap3.lrau.net.tlsa, 
master/signed/lrau.net/tmx3.lrau.net.tlsa, 
master/signed/lrau.net/acme_challenges.inc
serial: 2018062201
signed serial: 2018062201
nodes: 88
last loaded: Fri, 15 Jun 2018 15:17:08 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Fri, 22 Jun 2018 21:07:51 GMT
next resign node: _25._tcp.lists4.lrau.net/NSEC
next resign time: Fri, 29 Jun 2018 21:38:07 GMT
dynamic: no
reconfigurable via modzone: no
[hermes:master/signed/lrau.net] root# date
Sat Jun 23 11:08:53 CEST 2018
[hermes:master/signed/lrau.net] root# grep Serial lrau.net.zone
2018062202  ; Serial number
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius



signature.asc
Description: Message signed with OpenPGP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-20 Thread Stefan Förster via bind-users 

Hi,

* Axel Rau :

Occasionally it happens after rndc reload that the serial in the zone file is 
bigger than that in served SOA.
In this case, named begins serving stale data.
Probability for this to happen increases with size of the journal file.


I used to see something similar (although views were involved), where 
BIND was not picking up changes to a zone when only included files were 
changed:


https://lists.isc.org/pipermail/bind-users/2017-September/099145.html

The setup then was something like:


[data]
$INCLUDE "ns.include"


@ IN NS ...
@ IN NS ...

If needed, I can provide the real zone data. I didn't encounter this 
problem again after I quit using views.



Cheers,
Stefan


signature.asc
Description: PGP signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-19 Thread Axel Rau 

> Am 14.06.2018 um 18:30 schrieb Axel Rau :
> 
> I include the zone file with the 2 included files, a AXFR dump of it and the 
> options and zone statement (which is not in a view) of the server config in a 
> zip archiv.

I saw no comments on the provided data, so I assume, nobody has a clue on this.

To summarise:

Occasionally it happens after rndc reload that the serial in the zone file is 
bigger than that in served SOA.
In this case, named begins serving stale data.
Probability for this to happen increases with size of the journal file.

I’m using auto-dnssec maintain; inline-signing yes; serial-update-method 
increment;
The ARM does not state clearly, which is the base of the increment if the zone 
file changes (file or internal).
In my case, the served serial is based on the zone file and usually bigger than 
that.

Question: Could the problem arise by incrementing the serial without changing 
the zone data?
(Occasionally this could happen with my script)

I have upgraded to bind 9.12.1P2 and look forward. . .

Thanks, Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius



signature.asc
Description: Message signed with OpenPGP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Axel Rau 
Am 14.06.2018 um 17:14 schrieb Matthew Pounsett :On 14 June 2018 at 10:16, Axel Rau  wrote:Am 14.06.2018 um 16:12 schrieb Alan Clegg :Additionally, I read this as "the records changed are in an includedfile" -- is the serial number in the "including" zone being incremented?Yes.I think at this point you're going to need to provide a lot more detail about your configuration, and what's special about these zones.  It sounds like this is not a straightforward configuration, and it’s hard to figure out from the bits and pieces you've provided what could be going wrong.The only thing, which may be special are include files, which may be empty from time to time (used for acme challenge responses).I include the zone file with the 2 included files, a AXFR dump of it and the options and zone statement (which is not in a view) of the server config in a zip archiv.<>
Axel
---PGP-Key:29E99DD6  ☀  computing @ chaos claudius



signature.asc
Description: Message signed with OpenPGP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Matthew Pounsett 
On 14 June 2018 at 10:16, Axel Rau  wrote:

>
> Am 14.06.2018 um 16:12 schrieb Alan Clegg :
>
> Additionally, I read this as "the records changed are in an included
> file" -- is the serial number in the "including" zone being incremented?
>
> Yes.
>
> I think at this point you're going to need to provide a lot more detail
about your configuration, and what's special about these zones.  It sounds
like this is not a straightforward configuration, and it's hard to figure
out from the bits and pieces you've provided what could be going wrong.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Axel Rau 

> Am 14.06.2018 um 15:44 schrieb Matthew Pounsett :
> 
> This now sounds very different from the original report.  Are you saying that 
> the zone started with two TLSA records, you changed it to have only one, 
> reloaded the zone, but then none were present?
Yes.
> 
> That's a very different problem from just not picking up a zone update.
> 
> Have you checked the logs for errors during zone loading?  

 zone nussberg.de/IN (signed): reconfiguring zone keys
 zone nussberg.de/IN (signed): next key event: 13-Jun-2018 21:05:10.419
 zone nussberg.de/IN (unsigned): loaded serial 2018061301
 zone nussberg.de/IN (signed): receive_secure_serial: not exact
 zone nussberg.de/IN (signed): reconfiguring zone keys
 zone nussberg.de/IN (signed): next key event: 13-Jun-2018 22:05:10.428

Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Axel Rau 

> Am 14.06.2018 um 16:12 schrieb Alan Clegg :
> 
> Additionally, I read this as "the records changed are in an included
> file" -- is the serial number in the "including" zone being incremented?
Yes.

Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius



signature.asc
Description: Message signed with OpenPGP
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Alan Clegg 
On 6/14/18 9:44 AM, Matthew Pounsett wrote:

> It just happened again. An included zone file has been changed from
> 2 TLSA RRs to one:

[...]

> This now sounds very different from the original report.  Are you saying
> that the zone started with two TLSA records, you changed it to have only
> one, reloaded the zone, but then none were present?
> 
> That's a very different problem from just not picking up a zone update.
> 
> Have you checked the logs for errors during zone loading?  

Additionally, I read this as "the records changed are in an included
file" -- is the serial number in the "including" zone being incremented?

AlanC



signature.asc
Description: OpenPGP digital signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Matthew Pounsett 
On 14 June 2018 at 06:27, Axel Rau  wrote:

>
> Am 07.06.2018 um 13:36 schrieb Axel Rau :
>
>
> occasionally named 9.11.3 fails to increment SOA serial like here:
>
> file: 2018060605 dns: 2018060604
>
>
> It just happened again. An included zone file has been changed from 2 TLSA
> RRs to one:
> - - -
> _443._tcp.git.nussberg.de. 3600 IN TLSA 3 0 1
> DAE0AC343A6694DEAF0BAB42FC8A6B1F82E42799654BD667B458DC91655C6AB4
> - - -
> After reload no TLSAs are picked up by the server:
> - - -
> [hermes:local/etc/rc.d] root# dig AXFR nussberg.de. @localhost | grep TLSA
> [hermes:local/etc/rc.d] root#
>

This now sounds very different from the original report.  Are you saying
that the zone started with two TLSA records, you changed it to have only
one, reloaded the zone, but then none were present?

That's a very different problem from just not picking up a zone update.

Have you checked the logs for errors during zone loading?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-14 Thread Axel Rau 

> Am 07.06.2018 um 13:36 schrieb Axel Rau :
> 
> 
> occasionally named 9.11.3 fails to increment SOA serial like here:
> 
>   file: 2018060605 dns: 2018060604


It just happened again. An included zone file has been changed from 2 TLSA RRs 
to one:
- - -
_443._tcp.git.nussberg.de. 3600 IN TLSA 3 0 1 
DAE0AC343A6694DEAF0BAB42FC8A6B1F82E42799654BD667B458DC91655C6AB4
- - -
After reload no TLSAs are picked up by the server:
- - -
[hermes:local/etc/rc.d] root# dig AXFR nussberg.de. @localhost | grep TLSA
[hermes:local/etc/rc.d] root#
- - -
Zone status:
- - -
[hermes:local/etc/rc.d] root# rndc zonestatus nussberg.de
name: nussberg.de
type: master
files: master/signed/nussberg.de/nussberg.de.zone, 
master/signed/nussberg.de/git.nussberg.de.tlsa, 
master/signed/nussberg.de/acme_challenges.inc
serial: 2018061301
signed serial: 2018060702
nodes: 12
last loaded: Tue, 05 Jun 2018 07:08:59 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Thu, 14 Jun 2018 10:05:11 GMT
next resign node: email1._domainkey.nussberg.de/TXT
next resign time: Sun, 17 Jun 2018 19:29:37 GMT
dynamic: no
reconfigurable via modzone: no
- - -
What else can I collect to help fixing this?

Thanks, Axel

PS: Why does
dig TLSA _443._tcp.git.nussberg.de. @localhost
not work at all?
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-09 Thread Axel Rau 
Hi Matthew,

sorry for my late answer.

> Am 07.06.2018 um 15:31 schrieb Matthew Pounsett :
> 
> 
> 
> On 7 June 2018 at 07:36, Axel Rau  wrote:
> Hi all,
> 
> occasionally named 9.11.3 fails to increment SOA serial like here:
> 
> file: 2018060605 dns: 2018060604
> 
> zone file was edited by script and a rndc reload given.
> [...] 
> Manual fixing requires another cycle with zone file editing:
> 
>  
> You don't say this clearly, but it sounds like you're reporting more than 
> just the serial not updating.  Is that correct?
Yes.
> Are there actual updates to the zone that are not being picked up?
Yes, that’s the point. If the problem happens, the signing machinery is blocked 
until resolved manually.
I don’t know the reason. named-checkzone reported no errors, but in case of 
syntax-errors, named behaves similar.
>   As Tony says, the serial number can differ from the file to what's served 
> by the name server when the name server is doing automatic signing.
> 
> Can you clarify which it is?
I hope, I did (-:

There is nothing special with this zone file:

- - -
[hermes:~] root# rndc zonestatus lrau.net
name: lrau.net
type: master
files: master/signed/lrau.net/lrau.net.zone, 
master/signed/lrau.net/caldav.lrau.net.tlsa, 
master/signed/lrau.net/git3.lrau.net.tlsa, 
master/signed/lrau.net/git4.lrau.net.tlsa, 
master/signed/lrau.net/lists3.lrau.net.tlsa, 
master/signed/lrau.net/lists4.lrau.net.tlsa, 
master/signed/lrau.net/mailout3.lrau.net.tlsa, 
master/signed/lrau.net/mailout4.lrau.net.tlsa, 
master/signed/lrau.net/mx3.lrau.net.tlsa, 
master/signed/lrau.net/mx4.lrau.net.tlsa, 
master/signed/lrau.net/timap3.lrau.net.tlsa, 
master/signed/lrau.net/tmx3.lrau.net.tlsa, 
master/signed/lrau.net/acme_challenges.inc
serial: 2018060805
signed serial: 2018060805
nodes: 88
last loaded: Thu, 07 Jun 2018 10:37:34 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Sat, 09 Jun 2018 13:08:21 GMT
next resign node: gw2.m6d2.lrau.net/NSEC
next resign time: Fri, 29 Jun 2018 21:38:07 GMT
dynamic: no
reconfigurable via modzone: no

[hermes:local/etc/namedb] root# named-checkzone lrau.net 
/usr/local/etc/namedb/master/signed/lrau.net/lrau.net.zone 
zone lrau.net/IN: loaded serial 2018060805
OK
- - -

Thanks, Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-09 Thread Axel Rau 
Hi Tony,

sorry for the late replay.

> Am 07.06.2018 um 14:20 schrieb Tony Finch :
> 
> Axel Rau  wrote:
>> 
>> occasionally named 9.11.3 fails to increment SOA serial like here:
>> 
>>  file: 2018060605 dns: 2018060604
> 
> With inline signing the signed and unsigned zones have separate serial
> numbers, so this is normal. If I understand inline-signing correctly, when
> you only modify the unsigned zone's serial number, that is not a big
> enough change to require an update to the signed version of the zone.
I changed a RR and the serial. Immediately after such a change, both
serials are usually equal, which my script checks.
If thea are different, this usually indicates some error with signing.
> 
> You can use `rndc zonestatus` to see the server's view of both serial
> numbers.
I see.
> 
> You can use `rndc signing -serial` to set the serial number of the signed
> zone.
> 
> You might want to set `serial-update-method` if you want something more
> meaningful than an increment for each update (e.g. `date`).


OK.

Thanks for responding,
Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-07 Thread Matthew Pounsett 
On 7 June 2018 at 07:36, Axel Rau  wrote:

> Hi all,
>
> occasionally named 9.11.3 fails to increment SOA serial like here:
>
> file: 2018060605 dns: 2018060604
>
> zone file was edited by script and a rndc reload given.
>
[...]

> Manual fixing requires another cycle with zone file editing:
>
>
You don't say this clearly, but it sounds like you're reporting more than
just the serial not updating.  Is that correct?  Are there actual updates
to the zone that are not being picked up?  As Tony says, the serial number
can differ from the file to what's served by the name server when the name
server is doing automatic signing.

Can you clarify which it is?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: inline-signing: SOA serial out of sync

2018-06-07 Thread Tony Finch 
Axel Rau  wrote:
>
> occasionally named 9.11.3 fails to increment SOA serial like here:
>
>   file: 2018060605 dns: 2018060604

With inline signing the signed and unsigned zones have separate serial
numbers, so this is normal. If I understand inline-signing correctly, when
you only modify the unsigned zone's serial number, that is not a big
enough change to require an update to the signed version of the zone.

You can use `rndc zonestatus` to see the server's view of both serial
numbers.

You can use `rndc signing -serial` to set the serial number of the signed
zone.

You might want to set `serial-update-method` if you want something more
meaningful than an increment for each update (e.g. `date`).

Tony.
-- 
f.anthony.n.finchhttp://dotat.at/
champion the freedom, dignity, and well-being of individuals
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

inline-signing: SOA serial out of sync

2018-06-07 Thread Axel Rau 
Hi all,

occasionally named 9.11.3 fails to increment SOA serial like here:

file: 2018060605 dns: 2018060604

zone file was edited by script and a rndc reload given.
This usually works perfect, but here:

Only entry in log file:

notify: debug 3: zone lrau.net/IN (signed): sending notify to …

Config detail:

key-directory "master/signed/lrau.net/";
auto-dnssec maintain;
inline-signing yes;
dnssec-secure-to-insecure no;

Manual fixing requires another cycle with zone file editing:

——-——-
[hermes:master/signed/lrau.net] root# service named stop
Stopping named.
Waiting for PIDS: 37110.
[hermes:master/signed/lrau.net] root# ls -l *.jbk *.jnl *.signed
-rw-r--r--  1 bind  pki_op 512 Jan 11 13:12 lrau.net.zone.jbk
-rw-r--r--  1 bind  pki_op   16409 Jun  6 21:05 lrau.net.zone.jnl
-rw-r--r--  1 bind  pki_op   50263 Jun  6 21:19 lrau.net.zone.signed
-rw-r--r--  1 bind  pki_op  682052 Jun  6 21:05 lrau.net.zone.signed.jnl
[hermes:master/signed/lrau.net] root# rm *.jbk *.jnl *.signed
[hermes:master/signed/lrau.net] root# service named start
Starting named.
[hermes:master/signed/lrau.net] root# ls -l *.jbk *.jnl *.signed
-rw-r--r--  1 bind  pki_op512 Jun  7 12:37 lrau.net.zone.jbk
-rw-r--r--  1 bind  pki_op   8222 Jun  7 12:37 lrau.net.zone.signed
-rw-r--r--  1 bind  pki_op  57521 Jun  7 12:37 lrau.net.zone.signed.jnl
[hermes:master/signed/lrau.net] root# dig SOA lrau.net @localhost

; <<>> DiG 9.11.3 <<>> SOA lrau.net @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36163
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 7

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 9abf10cb4372b10e0eae26085b190b0d3486a4bef440b95c (good)
;; QUESTION SECTION:
;lrau.net.  IN  SOA

;; ANSWER SECTION:
lrau.net.   86400   IN  SOA ns4.lrau.net. 
hostmaster.lrau.net. 2018060632 86400 7200 604800 3600
. . .
[hermes:local/etc/namedb] root# named-checkzone lrau.net 
master/signed/lrau.net/lrau.net.zone
zone lrau.net/IN: loaded serial 2018060606  << still not in 
sync
OK

# edited zone file manually (serial set to 2018060640):

[hermes:master/signed/lrau.net] root# rndc reload
server reload successful
[hermes:local/etc/namedb] root# named-checkzone lrau.net 
master/signed/lrau.net/lrau.net.zone
zone lrau.net/IN: loaded serial 2018060640
OK
[hermes:master/signed/lrau.net] root# dig SOA lrau.net. @localhost
. . .
;; ANSWER SECTION:
lrau.net.   86400   IN  SOA ns4.lrau.net. 
hostmaster.lrau.net. 2018060640 86400 7200 604800 3600
——


What is going wrong here?
What can I do to get this fixed?

Thanks, Axel
---
PGP-Key:29E99DD6  ☀  computing @ chaos claudius

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users