Hi,

See the relevant parts of the config and also the log below. There were no updates to the zone; I have flushed the journal to file and performed the zone-status command followed by knotc reload. Then I can see that the zone is re-signed and a zone transfer follows (Knot is a hidden master).

Configuration (rozjezdy.cz chosen as an example):
policy:
  - id: tmcz-default
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d
    ksk-lifetime: 90d
    nsec3: on
    nsec3-salt-length: 16
    cds-cdnskey-publish: always
    propagation-delay: 1d
    ksk-submission: nic.cz

template:
  - id: signed
    storage: "/var/lib/knot/signed"
    file: "db.%s"
    serial-policy: unixtime
    disable-any: on
    semantic-checks: on
    module: mod-rrl/rrl-10
    module: mod-stats/custom
    notify: idunn-freya
    acl: [allowed_transfer]
    dnssec-policy: tmcz-default
    dnssec-signing: on

zone:
  - domain: rozjezdy.cz
    template: signed
root@idunn:/etc/knot# knotc zone-status rozjezdy.cz
[rozjezdy.cz.] role: master | serial: 1513089643 | transaction: none |
freeze: no | refresh: not scheduled | update: not scheduled |
expiration: not scheduled | journal flush: not scheduled | notify: not
scheduled | DNSSEC re-sign: +6D17h31m18s | NSEC3 resalt: +22D22h35m50s
| parent DS query: not scheduled
root@idunn:/etc/knot#
root@idunn:~# journalctl -u knot -f | grep rozjezdy
Dec 12 17:03:34 idunn knotd[4604]: info: [rozjezdy.cz.] control,
received command 'zone-status'
Dec 12 17:06:42 idunn knotd[4604]: info: [rozjezdy.cz.] control,
received command 'zone-flush'
I don't understand the following re-sign. Was it triggered by a zone
change?
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key,
tag 52375, algorithm ECDSAP256SHA256, KSK, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key,
tag 53957, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing
started
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC,
successfully signed
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next
signing at 2017-12-19T10:34:52
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] zone file
updated, serial 1513089643 -> 1513094831
Dec 12 17:07:12 idunn knotd[4604]: info: [rozjezdy.cz.] notify,
outgoing, 93.153.117.50@53: serial 1513094831
Dec 12 17:07:13 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR,
outgoing, 93.153.117.50@40241: started, serial 1513089643 ->
1513094831
Dec 12 17:07:13 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR,
outgoing, 93.153.117.50@40241: finished, 0.00 seconds, 1 messages, 705
bytes
Dec 12 17:07:14 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR,
outgoing, 93.153.117.20@40111: started, serial 1513089643 ->
1513094831
Dec 12 17:07:14 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR,
outgoing, 93.153.117.20@40111: finished, 0.00 seconds, 1 messages, 705
bytes
root@idunn:/etc/knot# knotc zone-status rozjezdy.cz
[rozjezdy.cz.] role: master | serial: 1513094831 | transaction: none |
freeze: no | refresh: not scheduled | update: not scheduled |
expiration: not scheduled | journal flush: not scheduled | notify: not
scheduled | DNSSEC re-sign: +6D17h27m3s | NSEC3 resalt: +22D22h31m35s
| parent DS query: not scheduled
root@idunn:/etc/knot#
I have not checked it in detail; nevertheless it seems that all zones are re-signed:
Dec 12 17:03:34 idunn knotd[4604]: info: [rozjezdy.cz.] control,
received command 'zone-status'
Dec 12 17:06:42 idunn knotd[4604]: info: [rozjezdy.cz.] control,
received command 'zone-flush'
Dec 12 17:07:01 idunn knotd[4604]: info: control, received command
'reload'
Dec 12 17:07:01 idunn knotd[4604]: info: reloading configuration file
'/etc/knot/knot.conf'
Dec 12 17:07:08 idunn knotd[4604]: info: configuration reloaded
Dec 12 17:07:08 idunn knotd[4604]: info: [test.net.] DNSSEC, signing zone
Dec 12 17:07:08 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, signing
zone
Dec 12 17:07:09 idunn knotd[4604]: info: [test.net.] DNSSEC, key, tag
31290, algorithm ECDSAP256SHA256, KSK, public, ready, active
Dec 12 17:07:09 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, key, tag
50849, algorithm ECDSAP256SHA256, KSK, public, active
Dec 12 17:07:09 idunn knotd[4604]: info: [test.net.] DNSSEC, key, tag
51884, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:09 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, key, tag
40637, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [test.net.] DNSSEC, signing
started
Dec 12 17:07:10 idunn knotd[4604]: info: [test.net.] DNSSEC, zone is
up-to-date
Dec 12 17:07:10 idunn knotd[4604]: info: [test.net.] DNSSEC, next
signing at 2017-12-14T13:22:15
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, signing
zone
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, key, tag
53237, algorithm ECDSAP256SHA256, KSK, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, key, tag
36052, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, signing
started
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, zone is
up-to-date
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, next
signing at 2017-12-15T14:01:52
Dec 12 17:07:10 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, signing
zone
Dec 12 17:07:10 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, key, tag
11563, algorithm ECDSAP256SHA256, KSK, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, key, tag
39847, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, signing
started
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, zone is
up-to-date
Dec 12 17:07:10 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, next
signing at 2017-12-15T08:26:15
Dec 12 17:07:10 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, signing
zone
Dec 12 17:07:10 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, key, tag
30976, algorithm ECDSAP256SHA256, KSK, public, ready, active
Dec 12 17:07:10 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, key, tag
26699, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, signing
started
Dec 12 17:07:11 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, signing
started
Dec 12 17:07:11 idunn knotd[4604]: info: [t-run.cz.] DNSSEC,
successfully signed
Dec 12 17:07:11 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, zone is
up-to-date
Dec 12 17:07:11 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, next
signing at 2017-12-19T16:39:13
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, signing
zone
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, key, tag
26662, algorithm ECDSAP256SHA256, KSK, public, ready, active
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, key, tag
38793, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, signing
started
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, zone is
up-to-date
Dec 12 17:07:11 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, next
signing at 2017-12-19T16:39:13
Dec 12 17:07:11 idunn knotd[4604]: info: [tcrowd.cz.] DNSSEC, signing
zone
Dec 12 17:07:11 idunn knotd[4604]: info: [tcrowd.cz.] DNSSEC, key, tag
1752, algorithm ECDSAP256SHA256, KSK, public, ready, active
Dec 12 17:07:11 idunn knotd[4604]: info: [tcrowd.cz.] DNSSEC, key, tag
30878, algorithm ECDSAP256SHA256, public, active
Dec 12 17:07:11 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, next
signing at 2017-12-13T09:52:40
Dec 12 17:07:11 idunn knotd[4604]: info: [tmusic.cz.] DNSSEC, signing
zone
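As an added example (not part of either message in this thread), the following Python script parses knotd journal lines of the shape quoted above and answers the question the log raises: it separates zones that logged "DNSSEC, successfully signed" from zones that logged "DNSSEC, zone is up-to-date", records serial bumps and outgoing transfers per zone, and converts the knotc zone-status countdown (e.g. "DNSSEC re-sign: +6D17h31m18s") to seconds so it can be compared against the log timestamps. The sample log lines are constructed from the ones quoted in the thread; the message wording is taken from the page and nothing else about Knot's behaviour is assumed.

```python
import re
from collections import defaultdict

# Constructed sample: knotd journal lines modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Dec 12 17:07:08 idunn knotd[4604]: info: configuration reloaded
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, signing started
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, zone is up-to-date
Dec 12 17:07:10 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, next signing at 2017-12-15T14:01:52
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing started
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing at 2017-12-19T10:34:52
Dec 12 17:07:11 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513089643 -> 1513094831
Dec 12 17:07:13 idunn knotd[4604]: info: [rozjezdy.cz.] IXFR, outgoing, 93.153.117.50@40241: finished, 0.00 seconds, 1 messages, 705 bytes
Dec 12 17:07:11 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, signing started
Dec 12 17:07:11 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, successfully signed
Dec 12 17:07:11 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, next signing at 2017-12-13T09:52:40
"""

# "Mon DD HH:MM:SS host knotd[pid]: level: [zone.] message"; the "[zone.]" part is
# absent on server-wide lines such as "configuration reloaded".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ knotd\[\d+\]: (?P<level>\w+): "
    r"(?:\[(?P<zone>[^\]]+)\] )?(?P<msg>.*)$"
)
SERIAL_RE = re.compile(r"^zone file updated, serial (\d+) -> (\d+)$")
NEXT_RE = re.compile(r"^DNSSEC, next signing at (\S+)$")
XFR_RE = re.compile(r"^(?:AXFR|IXFR), outgoing, \S+: finished")
# knotc zone-status countdown such as "+6D17h31m18s"; every unit is optional.
REL_RE = re.compile(r"^\+?(?:(\d+)D)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")


def new_zone_state():
    return {"checked": False, "resigned": False, "serial": None,
            "next_signing": None, "transfers_out": 0}


def summarize(log_text):
    """Per-zone summary of a knotd log excerpt.

    'checked' means the signer ran for the zone ("signing started"); 'resigned'
    is True only when "successfully signed" followed and False when the zone
    was reported "up-to-date", which is the distinction the reload log hides
    when you only grep for "signing".
    """
    zones = defaultdict(new_zone_state)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("zone") is None:
            continue  # unparseable or server-wide line, not per-zone
        state = zones[m.group("zone")]
        msg = m.group("msg")
        if msg == "DNSSEC, signing started":
            state["checked"] = True
        elif msg == "DNSSEC, successfully signed":
            state["resigned"] = True
        elif msg == "DNSSEC, zone is up-to-date":
            state["resigned"] = False
        elif (s := SERIAL_RE.match(msg)):
            state["serial"] = (int(s.group(1)), int(s.group(2)))
        elif (n := NEXT_RE.match(msg)):
            state["next_signing"] = n.group(1)
        elif XFR_RE.match(msg):
            state["transfers_out"] += 1
    return dict(zones)


def resigned_zones(summary):
    return sorted(z for z, st in summary.items() if st["resigned"])


def up_to_date_zones(summary):
    return sorted(z for z, st in summary.items()
                  if st["checked"] and not st["resigned"])


def parse_relative(text):
    """Convert a zone-status countdown like '+6D17h31m18s' to seconds; None if not scheduled."""
    text = text.strip()
    if text == "not scheduled":
        return None
    m = REL_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognized interval: {text!r}")
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print("re-signed:  ", resigned_zones(summary))
    print("up-to-date: ", up_to_date_zones(summary))
    for zone in resigned_zones(summary):
        print(zone, summary[zone])
    print("re-sign due in", parse_relative("+6D17h31m18s"), "seconds")
```

Run it against `journalctl -u knot --since ...` output piped into `summarize()`: a zone that shows up in `resigned_zones()` with a serial bump, while the preceding zone-status had reported its re-sign several days away, is exactly the case worth investigating; zones in `up_to_date_zones()` were only checked during the reload.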
Ok, during the server reload all zones are checked for re-sign necessity:

Dec 12 17:07:10 idunn knotd[4604]: info: [.] DNSSEC, signing started

If the zone wasn't re-signed, this message is logged:

Dec 12 17:07:10 idunn knotd[4604]: info: [.] DNSSEC, zone is up-to-date

Of course, in the case of many zones the full reload takes some time. How many zones do you have configured?
You should increase the control timeout on the server side: