As the server configuration was extended, some new operation situations have emerged and we have to consider how to handle them...
Thanks,
Daniel
On 12/13/2017 08:46 AM, Aleš Rygl wrote:
Hi Daniel,
I don't understand the following re-sign. Was it triggered by a zone change?
Neither do I. There was no change to the zone and I have flushed it before reload (is it ok?):
Dec 12 17:03:34 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-status'
Dec 12 17:06:42 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-flush'
I have taken this zone as an example. I can see re-sign for many other zones.
In order to simulate it again I did it again. The last change to the zone (caused by signing) is from yesterday:
-rw-rw---- 1 knot knot 3.6K Dec 12 17:07 db.rozjezdy.cz
Zone status now:
root@idunn:/var/lib/knot/signed# knotc zone-status rozjezdy.cz
[rozjezdy.cz.] role: master | serial: 1513094831 | transaction: none | freeze: no | refresh: not scheduled | update: not scheduled | expiration: not scheduled | journal flush: not scheduled | notify: not scheduled | DNSSEC re-sign: +6D2h26m36s | NSEC3 resalt: +22D7h31m8s | parent DS query: not scheduled
After knotc reload:
root@idunn:~# journalctl -u knot -S "2017-12-13" | grep rozjezdy.cz.
Dec 13 08:07:43 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-status'
Dec 13 08:08:16 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-status'
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 52375, algorithm ECDSAP256SHA256, KSK, public, active
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 53957, algorithm ECDSAP256SHA256, public, active
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing started
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing at 2017-12-19T10:34:52
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513094831 -> 1513148928
I would expect that the zone is up-to-date and no re-sign is necessary. Of all the configured zones, the following were considered up-to-date:
root@idunn:~# journalctl -u knot -S "2017-12-13" | grep up-to-date
Dec 13 08:08:46 idunn knotd[4604]: info: [test.net.] DNSSEC, zone is up-to-date
Dec 13 08:08:46 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:46 idunn knotd[4604]: info: [mych5.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:47 idunn knotd[4604]: info: [tnews.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:47 idunn knotd[4604]: info: [t-news.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:47 idunn knotd[4604]: info: [tcrowd.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:48 idunn knotd[4604]: info: [charger.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:48 idunn knotd[4604]: info: [tsearch.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:48 idunn knotd[4604]: info: [bigtelka.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:48 idunn knotd[4604]: info: [t-sound.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:48 idunn knotd[4604]: info: [mmsnasim.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:48 idunn knotd[4604]: info: [t-motion.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:48 idunn knotd[4604]: info: [t-search.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:48 idunn knotd[4604]: info: [twistneomezene.cz.] DNSSEC, zone is up-to-date
Dec 13 08:08:48 idunn knotd[4604]: info: [magentovakariera.cz.] DNSSEC, zone is up-to-date
... and the following were re-signed. There were no changes to the zone files at all!
root@idunn:~# journalctl -u knot -S "2017-12-13" | grep signed
Dec 13 08:08:46 idunn knotd[4604]: info: [t-run.cz.] DNSSEC, successfully signed
Dec 13 08:08:47 idunn knotd[4604]: info: [tmusic.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [t-crowd.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [t-music.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [t-press.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [abctarify.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [internet-4g.cz.] DNSSEC, successfully signed
And what is interesting - after a subsequent reload rozjezdy.cz is re-signed again :-)
root@idunn:~# journalctl -u knot -S "2017-12-13 8:15" | grep "rozjezdy.cz.\|reload"
Dec 13 08:38:04 idunn knotd[4604]: info: [rozjezdy.cz.] control, received command 'zone-status'
Dec 13 08:38:11 idunn knotd[4604]: info: control, received command 'reload'
Dec 13 08:38:11 idunn knotd[4604]: info: reloading configuration file '/etc/knot/knot.conf'
Dec 13 08:38:26 idunn knotd[4604]: info: configuration reloaded
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 52375, algorithm ECDSAP256SHA256, KSK, public, active
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, key, tag 53957, algorithm ECDSAP256SHA256, public, active
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing started
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing at 2017-12-19T10:34:52
Dec 13 08:38:32 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513148928 -> 1513150711
Of course, in the case of many zones the full reload takes some time. How many zones do you have configured?
I have 23 forward and DNSSEC-enabled zones. All of them are really small, up to 4kB (signed). The server running knotd is rather weak; it has just 2 cores.
Thanks
Let me know if you need more details, logs or debugging output. I am ready to help you to
clarify this behavior.
Regards
Ales
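A small log check that reproduces the observation above mechanically, as an added example (not part of the thread and not Knot DNS project code). It parses journal lines in the format knotd logged here and flags any zone whose signing run starts shortly after a "configuration reloaded" event while the zone's last announced "next signing at" time is still in the future. Such a run is worth alerting on from an operations standpoint: every unscheduled re-sign bumps the SOA serial and pushes a new transfer to secondaries, and on a 2-core box a reload that re-signs many zones at once is a noticeable CPU and latency hit. The sample log, the 2017 year (syslog timestamps carry none) and the 120-second window are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample journal excerpt in the knotd format shown in the thread.
# The first signing (08:08) announces the next scheduled run; the second (08:38)
# follows a config reload although that schedule is still days away.
SAMPLE_LOG = """\
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing at 2017-12-19T10:34:52
Dec 13 08:08:48 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513094831 -> 1513148928
Dec 13 08:38:11 idunn knotd[4604]: info: control, received command 'reload'
Dec 13 08:38:26 idunn knotd[4604]: info: configuration reloaded
Dec 13 08:38:30 idunn knotd[4604]: info: [5gnet.cz.] DNSSEC, zone is up-to-date
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, signing zone
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, successfully signed
Dec 13 08:38:31 idunn knotd[4604]: info: [rozjezdy.cz.] DNSSEC, next signing at 2017-12-19T10:34:52
Dec 13 08:38:32 idunn knotd[4604]: info: [rozjezdy.cz.] zone file updated, serial 1513148928 -> 1513150711
"""

# "Mon DD HH:MM:SS host knotd[pid]: level: [zone.] message" (zone part optional)
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ knotd\[\d+\]: (?P<level>\w+): (?:\[(?P<zone>[^\]]+)\] )?(?P<msg>.*)$"
)
SERIAL_RE = re.compile(r"zone file updated, serial (\d+) -> (\d+)")
NEXT_RE = re.compile(r"DNSSEC, next signing at (\S+)")


def parse_line(line, year):
    """Split one journal line into timestamp, optional zone and message.
    Syslog timestamps carry no year, so the caller supplies it (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(
        f"{year} {m['mon']} {int(m['day']):02d} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    return {"ts": ts, "zone": m["zone"], "msg": m["msg"]}


def find_unscheduled_resigns(log_text, year=2017, window_s=120):
    """Return one finding per signing run that starts within window_s of a
    'configuration reloaded' event while the zone's last announced
    'next signing at' time is still in the future (i.e. the run was not due).
    Each finding carries the serial bump once the 'zone file updated' line arrives."""
    last_reload = None
    next_due = {}   # zone -> scheduled next signing announced by the previous run
    pending = {}    # zone -> finding waiting for its serial line
    findings = []
    for raw in log_text.splitlines():
        ev = parse_line(raw, year)
        if ev is None:
            continue
        zone, msg, ts = ev["zone"], ev["msg"], ev["ts"]
        if zone is None:
            if msg == "configuration reloaded":
                last_reload = ts
            continue
        if msg == "DNSSEC, signing zone":
            due = next_due.get(zone)
            after_reload = (last_reload is not None
                            and 0 <= (ts - last_reload).total_seconds() <= window_s)
            if after_reload and due is not None and due > ts:
                pending[zone] = {"zone": zone, "signed_at": ts, "reload_at": last_reload,
                                 "was_due_at": due, "serial": None}
            continue
        nm = NEXT_RE.search(msg)
        if nm:
            next_due[zone] = datetime.fromisoformat(nm.group(1))
            continue
        sm = SERIAL_RE.search(msg)
        if sm and zone in pending:
            f = pending.pop(zone)
            f["serial"] = (int(sm.group(1)), int(sm.group(2)))
            findings.append(f)
    findings.extend(pending.values())   # runs whose serial line never came
    return findings


if __name__ == "__main__":
    for f in find_unscheduled_resigns(SAMPLE_LOG):
        delay = (f["signed_at"] - f["reload_at"]).total_seconds()
        print(f"{f['zone']} re-signed at {f['signed_at']} ({delay:.0f}s after reload) "
              f"although next signing was scheduled for {f['was_due_at']}; "
              f"serial {f['serial']}")
```

To run it against a live system, feed the script the output of `journalctl -u knot -S <date>` instead of SAMPLE_LOG; the detector deliberately ignores `zone-status` and `zone-flush` control commands, since neither changes zone content, which matches the observation in the thread that the re-sign happened without any zone change.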