On the master stop the server, remove the signed zones and restart. The server will regenerate the signed zones and the slaves will answer in the meantime. I’ve opened a ticket to add a code path to address the reported error automatically.
Marl > On 23 Jan 2020, at 10:21, Jukka Pakkanen <jukka.pakka...@qnet.fi> wrote: > > Unfortunately here a reload or a restart Does not fix it. And the problem of > course is critical... no zone updates are working. So if no reason and fix is > quickly found, need to step back and remove dnssec altogether. > > Get Outlook for Android > > From: Browne, Stuart <Stuart.Browne@team.neustar> > Sent: Thursday, January 23, 2020 12:14:29 AM > To: Jukka Pakkanen <jukka.pakka...@qnet.fi>; bind-us...@isc.org > <bind-us...@isc.org> > Subject: RE: DNSSEC zones not updated > > Sadly, no ideas other than a shared experience. It's not just the Windows > release nor is it just the 9.14 series of releases; we've been witnessing > this since the 9.10 releases on Linux (whilst using inline-signing). I don't > recall off the top of my head if we saw it in the 9.9 series; even for my > memory that is too many iterations ago. > > It isn't a regular occurrence by any means and it is fixed with a service > restart. Sadly we only see this in our production environment and coupled > with the time between the occurrence of the issue and the detection of the > issue, getting decent debugging information has been challenging (which is > why we haven't done much else about it other than restarting it when we see > it occur). > > Stuart > > From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jukka > Pakkanen > Sent: Thursday, 23 January 2020 9:41 AM > To: Jukka Pakkanen; bind-us...@isc.org > Subject: VS: DNSSEC zones not updated > > Anyone, any ideas? > > > Lähettäjä: bind-users <bind-users-boun...@lists.isc.org> Puolesta Jukka > Pakkanen > Lähetetty: 22. tammikuuta 2020 13:30 > Vastaanottaja: bind-us...@isc.org > Aihe: Re: DNSSEC zones not updated > > And we also get after a change and a reload the "secure_serial: not exact" > error, of course because the signed zone is not in sync with the non-signed > anymore. So I guess the question is why it is not signing automatically after > updates to zone. > > > Get Outlook for Android > From: jukka.pakka...@qnet.fi <jukka.pakka...@qnet.fi> > Sent: Wednesday, January 22, 2020 1:13:11 PM > To: Ondřej Surý <ond...@isc.org> > Cc: bind-us...@isc.org <bind-us...@isc.org> > Subject: Re: DNSSEC zones not updated > > Yed we have quite several times by now when trying to find the culprit. Also > the whole windows 2019 server. And it is not only this domain/zone, but all > of them. > > Get Outlook for Android > > From: Ondřej Surý <ond...@isc.org> > Sent: Wednesday, January 22, 2020 1:08:22 PM > To: Jukka Pakkanen <jukka.pakka...@qnet.fi> > Cc: bind-us...@isc.org <bind-us...@isc.org> > Subject: Re: DNSSEC zones not updated > > Hi, > > did you try stopping BIND, removing journal files and then starting BIND > again? > > If the signed copy of the zone got corrupted in the memory, you might be > dumping the corrupted version on disk again with `rndc reload`. > > Ondrej > -- > Ondřej Surý > ond...@isc.org > > > On 22 Jan 2020, at 12:11, Jukka Pakkanen <jukka.pakka...@qnet.fi> wrote: > > > > > > Running BIND 9.14.9 Windows. The zone data is not updated for some reason > > anymore, and same problem in all our signed zones. Example "gemtrade.fi": > > > > zone "gemtrade.fi" { > > type master; > > file "named.gemtrade"; > > inline-signing yes; > > auto-dnssec maintain; > > }; > > > > > > ; > > ; File: named.gemtrade > > ; > > $TTL 60 > > @ IN SOA ns1.qnet.fi. helpdesk.qnet.fi. ( > > 202001234 ; serial number > > 28800 ; refresh every 12 hours > > 7200 ; retry after 2 hours > > 604800 ; expire after 2 weeks > > 33600) ; default ttl is 2 days > > gemtrade.fi. IN A 62.142.217.154 > > IN MX 55 qntsrv8.qnet.fi. > > IN MX 25 qntsrv9.qnet.fi. > > IN NS ns1.qnet.fi. > > IN NS ns2.qnet.fi. > > IN NS ns3.qnet.fi. > > www IN A 62.142.217.154 > > _autodiscover._tcp IN SRV 0 5 443 mail.qnet.fi. > > localhost.gemtrade.fi. IN A 127.0.0.1 > > > > > > Used to work fine, now no matter what change I make to the zone file and > > reload, it does not show up in queries, but the old data, weeks behind. > > The SOA & serial numbers *are* updating in the queries, but the actual > > records not. Example the MX records, currently I have priorities 55 and > > 25, still inquiries return the old 20 and 20. Same with any records, the > > changes does not get updated. > > > > Deleting the .jnl file does not help, after "rndc reload gemtrade.fi" a new > > .jnl file is created, but queries still return old data. > > > > The named process has all possible rights in the file structure. > > > > What might be wrong? > > > > _______________________________________________ > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to > > unsubscribe from this list > > > > bind-users mailing list > > bind-users@lists.isc.org > > https://lists.isc.org/mailman/listinfo/bind-users > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
