Unfortunately here a reload or a restart Does not fix it. And the problem of course is critical... no zone updates are working. So if no reason and fix is quickly found, need to step back and remove dnssec altogether.
Get Outlook for Android<https://aka.ms/ghei36> ________________________________ From: Browne, Stuart <Stuart.Browne@team.neustar> Sent: Thursday, January 23, 2020 12:14:29 AM To: Jukka Pakkanen <jukka.pakka...@qnet.fi>; bind-us...@isc.org <bind-us...@isc.org> Subject: RE: DNSSEC zones not updated Sadly, no ideas other than a shared experience. It's not just the Windows release nor is it just the 9.14 series of releases; we've been witnessing this since the 9.10 releases on Linux (whilst using inline-signing). I don't recall off the top of my head if we saw it in the 9.9 series; even for my memory that is too many iterations ago. It isn't a regular occurrence by any means and it is fixed with a service restart. Sadly we only see this in our production environment and coupled with the time between the occurrence of the issue and the detection of the issue, getting decent debugging information has been challenging (which is why we haven't done much else about it other than restarting it when we see it occur). Stuart From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jukka Pakkanen Sent: Thursday, 23 January 2020 9:41 AM To: Jukka Pakkanen; bind-us...@isc.org Subject: VS: DNSSEC zones not updated Anyone, any ideas? Lähettäjä: bind-users <bind-users-boun...@lists.isc.org<mailto:bind-users-boun...@lists.isc.org>> Puolesta Jukka Pakkanen Lähetetty: 22. tammikuuta 2020 13:30 Vastaanottaja: bind-us...@isc.org<mailto:bind-us...@isc.org> Aihe: Re: DNSSEC zones not updated And we also get after a change and a reload the "secure_serial: not exact" error, of course because the signed zone is not in sync with the non-signed anymore. So I guess the question is why it is not signing automatically after updates to zone. Get Outlook for Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_ghei36&d=DwMFBA&c=MOptNlVtIETeDALC_lULrw&r=udvvbouEjrWNUMab5xo_vLbUE6LRGu5fmxLhrDvVJS8&m=PK_XLg7WPDTgkiPV9YpjwlSSDRG_2lshTvKCwLxitGg&s=8lAQcjrPuFc7OPf0OgqsKjo4MdT2JO0gs41J86WasWM&e=> ________________________________ From: jukka.pakka...@qnet.fi<mailto:jukka.pakka...@qnet.fi> <jukka.pakka...@qnet.fi<mailto:jukka.pakka...@qnet.fi>> Sent: Wednesday, January 22, 2020 1:13:11 PM To: Ondřej Surý <ond...@isc.org<mailto:ond...@isc.org>> Cc: bind-us...@isc.org<mailto:bind-us...@isc.org> <bind-us...@isc.org<mailto:bind-us...@isc.org>> Subject: Re: DNSSEC zones not updated Yed we have quite several times by now when trying to find the culprit. Also the whole windows 2019 server. And it is not only this domain/zone, but all of them. Get Outlook for Android<https://urldefense.proofpoint.com/v2/url?u=https-3A__aka.ms_ghei36&d=DwMFBA&c=MOptNlVtIETeDALC_lULrw&r=udvvbouEjrWNUMab5xo_vLbUE6LRGu5fmxLhrDvVJS8&m=PK_XLg7WPDTgkiPV9YpjwlSSDRG_2lshTvKCwLxitGg&s=8lAQcjrPuFc7OPf0OgqsKjo4MdT2JO0gs41J86WasWM&e=> ________________________________ From: Ondřej Surý <ond...@isc.org<mailto:ond...@isc.org>> Sent: Wednesday, January 22, 2020 1:08:22 PM To: Jukka Pakkanen <jukka.pakka...@qnet.fi<mailto:jukka.pakka...@qnet.fi>> Cc: bind-us...@isc.org<mailto:bind-us...@isc.org> <bind-us...@isc.org<mailto:bind-us...@isc.org>> Subject: Re: DNSSEC zones not updated Hi, did you try stopping BIND, removing journal files and then starting BIND again? If the signed copy of the zone got corrupted in the memory, you might be dumping the corrupted version on disk again with `rndc reload`. Ondrej -- Ondřej Surý ond...@isc.org<mailto:ond...@isc.org> > On 22 Jan 2020, at 12:11, Jukka Pakkanen > <jukka.pakka...@qnet.fi<mailto:jukka.pakka...@qnet.fi>> wrote: > > > Running BIND 9.14.9 Windows. The zone data is not updated for some reason > anymore, and same problem in all our signed zones. Example "gemtrade.fi": > > zone "gemtrade.fi" { > type master; > file "named.gemtrade"; > inline-signing yes; > auto-dnssec maintain; > }; > > > ; > ; File: named.gemtrade > ; > $TTL 60 > @ IN SOA ns1.qnet.fi. helpdesk.qnet.fi. ( > 202001234 ; serial number > 28800 ; refresh every 12 hours > 7200 ; retry after 2 hours > 604800 ; expire after 2 weeks > 33600) ; default ttl is 2 days > gemtrade.fi. IN A 62.142.217.154 > IN MX 55 qntsrv8.qnet.fi. > IN MX 25 qntsrv9.qnet.fi. > IN NS ns1.qnet.fi. > IN NS ns2.qnet.fi. > IN NS ns3.qnet.fi. > www IN A 62.142.217.154 > _autodiscover._tcp IN SRV 0 5 443 mail.qnet.fi. > localhost.gemtrade.fi. IN A 127.0.0.1 > > > Used to work fine, now no matter what change I make to the zone file and > reload, it does not show up in queries, but the old data, weeks behind. The > SOA & serial numbers *are* updating in the queries, but the actual records > not. Example the MX records, currently I have priorities 55 and 25, still > inquiries return the old 20 and 20. Same with any records, the changes does > not get updated. > > Deleting the .jnl file does not help, after "rndc reload gemtrade.fi" a new > .jnl file is created, but queries still return old data. > > The named process has all possible rights in the file structure. > > What might be wrong? > > _______________________________________________ > Please visit > https://lists.isc.org/mailman/listinfo/bind-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.isc.org_mailman_listinfo_bind-2Dusers&d=DwMFBA&c=MOptNlVtIETeDALC_lULrw&r=udvvbouEjrWNUMab5xo_vLbUE6LRGu5fmxLhrDvVJS8&m=PK_XLg7WPDTgkiPV9YpjwlSSDRG_2lshTvKCwLxitGg&s=mbV3mxfK-h02YUVBQ34CsAeVt-aYVaqCPH6Dj2VPmOU&e=> > to unsubscribe from this list > > bind-users mailing list > bind-users@lists.isc.org<mailto:bind-users@lists.isc.org> > https://lists.isc.org/mailman/listinfo/bind-users<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.isc.org_mailman_listinfo_bind-2Dusers&d=DwMFBA&c=MOptNlVtIETeDALC_lULrw&r=udvvbouEjrWNUMab5xo_vLbUE6LRGu5fmxLhrDvVJS8&m=PK_XLg7WPDTgkiPV9YpjwlSSDRG_2lshTvKCwLxitGg&s=mbV3mxfK-h02YUVBQ34CsAeVt-aYVaqCPH6Dj2VPmOU&e=>
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
