>> I'm using DNS zone transfers in and out of OpenDNSSEC with OpenDNSSEC
>> version 1.4.6. It looks like one of the zones has become wedged, and
>> OpenDNSSEC refuses to transfer a new copy, despite a new SOA being
>> announced via DNS notify. ods-signerd logs:
>>
>> <timestamp+host> ods-signerd: [query] ignore notify from a.b.c.d: zone
>> xxx.yyy.no transfer in progress
>
> This may be a bit misleading log message: The query code checks
> whether there is already a notify acquired. If so, there is a check to
> see if the incoming notify has a serial newer than OpenDNSSEC knows
> of. If not, it will log this message.
>
> "Look, I got a notify already and need to transfer anyway" was perhaps
> a better log message. Or perhaps "updated notify serial to
> <new_serial>".

Hmm... That doesn't match with the observed behaviour. What I saw was that I did an update of the zone on the hidden master, but the new zone with the updated SOA version number (for the SOA versioning regime between the hidden master and OpenDNSSEC) was not being transferred to the OpenDNSSEC host. This state persisted for at least a day, until the user who requested the additions complained that they were still not visible in the public DNS, and an investigation confirmed this -- the distribution master which is at the exit portion of OpenDNSSEC didn't have the newly added records.

Hm, I may have read the code in query_process_notify() wrong, and my initial explanation of the bug was possibly wrong. But at least I'm pretty certain of my observed behaviour: changes from the hidden master did not make it through OpenDNSSEC and out to the publication master, and stopping OpenDNSSEC, removing the xfrd.state file and restarting OpenDNSSEC fixed the logjam.

> Perhaps the bug is that there is a corner case that the
> notify_acquired was not reset properly?

Maybe. Sigh, I need to investigate more. Luckily, I left the few other zones which have gotten stuck this way alone, so I have something to observe right away.

Regards,

- Håvard