On 2014-07-10 at 12:33 -0400, Phil Pennock wrote:
> Folks, in a moment of gross stupidity I added "--delete-delay" to an
> rsync invocation in a deploy script, to remove master zonefiles from
> the server which are no longer needed. I forgot that the DNSSEC
> auto-maintain journal files are in that directory too.
>
> Seeing little things like this:
>
>   deleting db.spodhuis.org.signed.jnl
>   deleting db.spodhuis.org.signed
>   deleting db.spodhuis.org.jnl
>   deleting db.spodhuis.org.jbk
>
> worry me. So, I still have all of the DNSSEC keyfiles (different
> directory, and in private git pushed to backup storage anyway). I still
> have a running server instance.
>
> Is there any way to get back the on-disk state files for the
> auto-maintained zones, so that I can recover from my mistake cleanly?
> (There's about 20 domains).
>
> Using `rndc sync` or `rndc sync spodhuis.org` does not recreate the
> journal file. Log file lines and `rndc zonestatus` below.
>
> What are my options to recover?

For the archives: I did later solve this problem.

Using `rndc sign $zone` recreated the journal file on disk, with the correct SOA serial number: the in-memory copy was used to create the SOA for the new journal. The important bit was to override the "next key event" by just forcing an immediate re-signing.

I have since been able to `rndc reconfig` and then also perform a full restart, and the zones are still serving correctly. So even though `named-journalprint $zonefile.signed.jnl` only shows "del" records for SOAs with serial numbers higher than recorded in the master zonefile as stored in git, on startup bind reconciles the zonefile and the journal and works anyway.

(And yes, the fully dynamic zone I had is in a different directory and is frozen/thaw'd around backup time anyway, so I could still have recovered that aspect, had the failure occurred there).

Regards,
-Phil
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
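
The recovery described in the message above, applied across a whole directory of zones, as an added example that is not part of the original post: it lists zones whose `db.<zone>.signed.jnl` is absent and runs `rndc sign` on each. The `ZONE_DIR` path and the `RNDC` override are assumptions; the `db.<zone>` file naming follows the rsync output quoted in the message.

```shell
#!/bin/sh
# Added example: re-create missing journals for auto-maintained signed zones.
# Assumptions (not from the original post): ZONE_DIR and the RNDC override.
ZONE_DIR="${ZONE_DIR:-/var/named/master}"   # hypothetical path
RNDC="${RNDC:-rndc}"

# Print every zone that has a master file db.<zone> in directory $1
# but no db.<zone>.signed.jnl next to it.
zones_missing_journal() {
    dir="$1"
    for f in "$dir"/db.*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.jnl|*.jbk|*.signed) continue ;;   # state files, not master files
        esac
        base="${f##*/}"
        zone="${base#db.}"
        [ -f "$f.signed.jnl" ] || printf '%s\n' "$zone"
    done
}

# Force an immediate re-sign of each zone found above.
# Returns non-zero if any "rndc sign" call failed.
resign_missing() {
    dir="$1"
    failed=0
    for zone in $(zones_missing_journal "$dir"); do
        if "$RNDC" sign "$zone"; then
            echo "re-sign requested: $zone"
        else
            echo "rndc sign failed: $zone" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Run only when asked to, so the functions can be sourced and inspected first.
if [ "${1:-}" = "--run" ]; then
    resign_missing "$ZONE_DIR"
fi
```

Running `zones_missing_journal` again afterwards shows which zones still lack a journal on disk.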