Same here

See also
https://serverfault.com/questions/897894/bind-is-not-resigning-dnssec-zone-after-zone-update-and-service-restart

Ale

On Thu 23/Jan/2020 09:57:02 +0100 Jukka Pakkanen wrote:
> Yes, that worked. Also had to delete the .jnl, to prevent the "not exact"
> error..
>
> Jukka
>
> -----Original message-----
> From: Mark Andrews <ma...@isc.org>
> Sent: 23 January 2020 0:53
> To: Jukka Pakkanen <jukka.pakka...@qnet.fi>
> Cc: bind-us...@isc.org; Browne, Stuart <stuart.browne@team.neustar>
> Subject: Re: DNSSEC zones not updated
>
> On the master stop the server, remove the signed zones and restart. The
> server will regenerate the signed zones and the slaves will answer in the
> meantime. I’ve opened a ticket to add a code path to address the reported
> error automatically.
>
> Mark
>
>> On 23 Jan 2020, at 10:21, Jukka Pakkanen <jukka.pakka...@qnet.fi> wrote:
>>
>> Unfortunately here a reload or a restart does not fix it. And the problem of
>> course is critical... no zone updates are working. So if no reason and fix
>> is quickly found, need to step back and remove dnssec altogether.
>>
>> From: Browne, Stuart <Stuart.Browne@team.neustar>
>> Sent: Thursday, January 23, 2020 12:14:29 AM
>> To: Jukka Pakkanen <jukka.pakka...@qnet.fi>; bind-us...@isc.org
>> <bind-us...@isc.org>
>> Subject: RE: DNSSEC zones not updated
>>
>> Sadly, no ideas other than a shared experience. It's not just the Windows
>> release nor is it just the 9.14 series of releases; we've been witnessing
>> this since the 9.10 releases on Linux (whilst using inline-signing). I don't
>> recall off the top of my head if we saw it in the 9.9 series; even for my
>> memory that is too many iterations ago.
>>
>> It isn't a regular occurrence by any means and it is fixed with a service
>> restart.
>> Sadly we only see this in our production environment and coupled
>> with the time between the occurrence of the issue and the detection of the
>> issue, getting decent debugging information has been challenging (which is
>> why we haven't done much else about it other than restarting it when we see
>> it occur).
>>
>> Stuart
>>
>> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
>> Of Jukka Pakkanen
>> Sent: Thursday, 23 January 2020 9:41 AM
>> To: Jukka Pakkanen; bind-us...@isc.org
>> Subject: VS: DNSSEC zones not updated
>>
>> Anyone, any ideas?
>>
>>
>> From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of
>> Jukka Pakkanen
>> Sent: 22 January 2020 13:30
>> To: bind-us...@isc.org
>> Subject: Re: DNSSEC zones not updated
>>
>> And we also get after a change and a reload the "secure_serial: not exact"
>> error, of course because the signed zone is not in sync with the non-signed
>> anymore. So I guess the question is why it is not signing automatically
>> after updates to zone.
>>
>>
>> From: jukka.pakka...@qnet.fi <jukka.pakka...@qnet.fi>
>> Sent: Wednesday, January 22, 2020 1:13:11 PM
>> To: Ondřej Surý <ond...@isc.org>
>> Cc: bind-us...@isc.org <bind-us...@isc.org>
>> Subject: Re: DNSSEC zones not updated
>>
>> Yes we have quite several times by now when trying to find the culprit.
>> Also the whole windows 2019 server. And it is not only this domain/zone, but
>> all of them.
>>
>> From: Ondřej Surý <ond...@isc.org>
>> Sent: Wednesday, January 22, 2020 1:08:22 PM
>> To: Jukka Pakkanen <jukka.pakka...@qnet.fi>
>> Cc: bind-us...@isc.org <bind-us...@isc.org>
>> Subject: Re: DNSSEC zones not updated
>>
>> Hi,
>>
>> did you try stopping BIND, removing journal files and then starting BIND
>> again?
>>
>> If the signed copy of the zone got corrupted in the memory, you might be
>> dumping the corrupted version on disk again with `rndc reload`.
>>
>> Ondrej
>> --
>> Ondřej Surý
>> ond...@isc.org
>>
>> > On 22 Jan 2020, at 12:11, Jukka Pakkanen <jukka.pakka...@qnet.fi> wrote:
>> >
>> >
>> > Running BIND 9.14.9 Windows. The zone data is not updated for some
>> > reason anymore, and same problem in all our signed zones. Example
>> > "gemtrade.fi":
>> >
>> > zone "gemtrade.fi" {
>> >         type master;
>> >         file "named.gemtrade";
>> >         inline-signing yes;
>> >         auto-dnssec maintain;
>> > };
>> >
>> >
>> > ;
>> > ; File: named.gemtrade
>> > ;
>> > $TTL 60
>> > @       IN      SOA     ns1.qnet.fi. helpdesk.qnet.fi. (
>> >                         202001234  ; serial number
>> >                         28800      ; refresh every 12 hours
>> >                         7200       ; retry after 2 hours
>> >                         604800     ; expire after 2 weeks
>> >                         33600)     ; default ttl is 2 days
>> > gemtrade.fi.            IN      A       62.142.217.154
>> >                         IN      MX      55 qntsrv8.qnet.fi.
>> >                         IN      MX      25 qntsrv9.qnet.fi.
>> >                         IN      NS      ns1.qnet.fi.
>> >                         IN      NS      ns2.qnet.fi.
>> >                         IN      NS      ns3.qnet.fi.
>> > www                     IN      A       62.142.217.154
>> > _autodiscover._tcp      IN      SRV     0 5 443 mail.qnet.fi.
>> > localhost.gemtrade.fi.  IN      A       127.0.0.1
>> >
>> >
>> > Used to work fine, now no matter what change I make to the zone file and
>> > reload, it does not show up in queries, but the old data, weeks behind.
>> > The SOA & serial numbers *are* updating in the queries, but the actual
>> > records not. Example the MX records, currently I have priorities 55 and
>> > 25, still inquiries return the old 20 and 20. Same with any records, the
>> > changes do not get updated.
>> >
>> > Deleting the .jnl file does not help, after "rndc reload gemtrade.fi" a
>> > new .jnl file is created, but queries still return old data.
>> >
>> > The named process has all possible rights in the file structure.
>> >
>> > What might be wrong?
>> >
>> > _______________________________________________
>> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> > unsubscribe from this list
>> >
>> > bind-users mailing list
>> > bind-users@lists.isc.org
>> > https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
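
Added example, not part of the thread or of BIND: a monitoring check for the symptom described above, where the served SOA serial moves but the records themselves stay old. It assumes both inputs are one-record-per-line text (for instance a `named-checkzone -D` dump of the unsigned file and a `dig` AXFR from the server); the sample data is constructed from the values quoted in the thread, and the function names are hypothetical.

```python
# Added example: flag RRsets where the unsigned zone file and the served
# (inline-signed) zone disagree. DNSSEC-generated types are ignored, and so is
# the SOA, because the signed copy of an inline-signed zone keeps its own serial.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY",
                "CDS", "CDNSKEY", "TYPE65534"}

# Constructed sample input (record values taken from the thread).
UNSIGNED = """\
gemtrade.fi. 60 IN SOA ns1.qnet.fi. helpdesk.qnet.fi. 202001234 28800 7200 604800 33600
gemtrade.fi. 60 IN A 62.142.217.154
gemtrade.fi. 60 IN MX 55 qntsrv8.qnet.fi.
gemtrade.fi. 60 IN MX 25 qntsrv9.qnet.fi.
"""
# Constructed: served serial and RRSIG rdata are placeholders, not real data.
SERVED = """\
gemtrade.fi. 60 IN SOA ns1.qnet.fi. helpdesk.qnet.fi. 202001240 28800 7200 604800 33600
gemtrade.fi. 60 IN A 62.142.217.154
gemtrade.fi. 60 IN MX 20 qntsrv8.qnet.fi.
gemtrade.fi. 60 IN MX 20 qntsrv9.qnet.fi.
gemtrade.fi. 60 IN RRSIG MX 8 2 60 20200222000000 20200123000000 12345 gemtrade.fi. Q09OU1RSVUNURUQ=
"""

def rrsets(text):
    """Parse 'name ttl class type rdata' lines into {(name, type): {rdata}}."""
    sets = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        fields = line.split(None, 4)
        if len(fields) < 5:
            continue  # not a full record line
        name, _ttl, _cls, rtype, rdata = fields
        rtype = rtype.upper()
        if rtype in DNSSEC_TYPES or rtype == "SOA":
            continue
        key = (name.lower().rstrip(".") + ".", rtype)
        sets.setdefault(key, set()).add(" ".join(rdata.split()))
    return sets

def stale_rrsets(unsigned_text, served_text):
    """Return (name, type, wanted, served) for every RRset that differs."""
    want, got = rrsets(unsigned_text), rrsets(served_text)
    return [(k[0], k[1], sorted(want.get(k, ())), sorted(got.get(k, ())))
            for k in sorted(set(want) | set(got))
            if want.get(k, set()) != got.get(k, set())]

if __name__ == "__main__":
    for name, rtype, want, got in stale_rrsets(UNSIGNED, SERVED):
        print(f"STALE {name} {rtype}: zone file {want}, served {got}")
```

A non-empty result that persists after a reload is the signal to apply the stop, remove signed zone and journal, restart procedure from the thread.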