18 Říj
2018
18 Říj
'18
12:36
Hi Daniel,
The test was done using version 2.7.2. Tonight it got updated to 2.7.3, but I
don't see any difference with the new version
$ knotc -f zone-purge example.org. +timers
OK
$ knotc zone-sign example.org
OK
log output:
Okt 18 12:02:15 backroad knotd[15628]: info: [example.org.] control, received command
'zone-sign'
Okt 18 12:02:15 backroad knotd[15628]: info: [example.org.] DNSSEC, dropping previous
signatures, re-signing zone
Okt 18 12:02:15 backroad knotd[15628]: info: [example.org.] DNSSEC, key, tag 63845,
algorithm RSASHA256, KSK, public, ready, active
Okt 18 12:02:15 backroad knotd[15628]: info: [example.org.] DNSSEC, key, tag 61195,
algorithm RSASHA256, public, active
Okt 18 12:02:15 backroad knotd[15628]: info: [example.org.] DNSSEC, signing started
Okt 18 12:02:15 backroad knotd[15628]: info: [example.org.] DNSSEC, successfully signed
Okt 18 12:02:15 backroad knotd[15628]: info: [example.org.] DNSSEC, next signing at
2018-10-25T12:02:15
Okt 18 12:02:15 backroad knotd[15628]: info: [example.org.] zone file updated, serial
1539856881 -> 1539856935
$ ./test_ddns.sh
gives:
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DDNS, processing 1 updates
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DNSSEC, zone is up-to-date
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DNSSEC, next signing at
1970-01-01T01:00:00
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DDNS, finished, no changes to
the zone were made
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DDNS, processing 1 updates
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DNSSEC, successfully signed
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DNSSEC, next signing at
2018-10-25T12:03:19
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DDNS, update finished, serial
1539856935 -> 1539856999, 0.02 seconds
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] zone file updated, serial
1539856935 -> 1539856999
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DDNS, processing 1 updates
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DNSSEC, zone is up-to-date
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DNSSEC, next signing at
1970-01-01T01:00:00
Okt 18 12:03:19 backroad knotd[15628]: info: [example.org.] DDNS, finished, no changes to
the zone were made
$ knotc zone-status example.org
[example.org.] role: master | serial: 1539856999 | transaction: none | freeze: no |
refresh: not scheduled | update: not scheduled | expiration: not scheduled | journal
flush: not scheduled | notify: not scheduled | DNSSEC re-sign: not scheduled | NSEC3
resalt: +29D10h47m51s | parent DS query: not scheduled
Thanks,
Maxi
On Donnerstag, 18. Oktober 2018 09:49:22 CEST daniel.salzman(a)nic.cz wrote:
Hi,
What is your version of Knot?
Could you please:
- Purge the timers `knotc -f zone-purge example.org. +timers`
- Re-sign the zone `knotc zone-sign example.org`
- Repeat your test
?
Thanks,
Daniel
On 2018-10-17 23:25, Maximilian Engelhardt wrote:
> Hi,
>
> I'm using a zone with DNSSEC signing enabled that is updated using
> DDNS.
>
> The update procedure is very simple and looks like this:
> ==> test_ddns.sh <==
> #! /bin/sh
>
> ZONE="example.org."
>
> cat << EOF | nsupdate
> server localhost
> zone ${ZONE}
>
> update delete ${ZONE} A
> update add ${ZONE} 60 IN A 127.0.0.1
>
> send
> quit
> EOF
>
> And the corresponding output in the knot log is this:
>
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DDNS,
> processing 1 updates
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DNSSEC,
> zone is up-to-date
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DNSSEC,
> next signing at 1970-01-01T01:00:00
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DDNS,
> finished, no changes to the zone were made
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DDNS,
> processing 1 updates
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DNSSEC,
> successfully signed
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DNSSEC,
> next signing at 2018-10-24T22:58:46
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DDNS,
> update finished, serial 1539809849 -> 1539809926, 0.02 seconds
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DDNS,
> processing 1 updates
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DNSSEC,
> zone is up-to-date
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DNSSEC,
> next signing at 1970-01-01T01:00:00
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] DDNS,
> finished, no changes to the zone were made
> Okt 17 22:58:46 backroad knotd[14134]: info: [example.org.] zone file
> updated, serial 1539809849 -> 1539809926
>
> I'm wondering if the "next signing at 1970-01-01T01:00:00" output is
> correct
> as this seems suspicious to me.
>
> Running "knotc zone-status example.org" gives the following output:
> [example.org.] role: master | serial: 1539809926 | transaction: none |
> freeze: no | refresh: not scheduled | update: not scheduled |
> expiration: not scheduled | journal flush: not scheduled | notify: not
> scheduled | DNSSEC re-sign: not scheduled | NSEC3 resalt:
> +29D23h53m28s | parent DS query: not scheduled
>
> Is this expected behavior or a bug in knot?
>
> I can give more information or create a proper bugreport if needed.
>
> I also recently had the problem that knot didn't respond to ddns
> updates until
> it was restarted. I don't know if this is related or a different
> problem,
> however I currently don't have more information about this.
>
> Thanks,
> Maxi