[nsd-users] zone has (not?) expired

Tom Hendrikx tom at whyscream.net
Wed May 26 12:37:06 UTC 2010


Hi,

For some time I've been seeing a lot of these messages in my slave nsd logs:

2010-05-26T13:20:15+02:00 julie nsd[11593]: xfrd: zone example.com has expired

This happens only for domains that are DNSSEC signed (with opendnssec).
When I double-check, serials are all up to date, and other tasks such as
patching updates back to the zone file on disk succeed. In short: I see
no issues with my zones.

I tried downgrading the master and slave from 3.2.5 back to 3.2.4, but
that did not help. A second slave running NSD 3.2.2 is seeing the same
log messages, but it is unknown since when they are present there (I
assume around the same time). Pushing log level up to 2 or more, or
enabling --enable-checking at compile-time does not show any messages
when forcing an update on the slave.

In the end I seem to have solved this by:
- stopping slave nsd
- deleting /var/lib/nsd/slave/* (slave zone files)
- deleting /var/db/nsd/* (all db and state files)
- run nsdc rebuild, forcing zone transfers
- start nsd.

Besides all actual data, this has cleaned out all historic data too.
This leads me to believe that in a distant past, (probably before I
started signing my zones with opendnssec) I used a serial higher than
the current ones. The commit history in the zone files written by
nsd/nsd-patch didn't show this, however.

Any ideas as to what was/is wrong?

Regards,
	Tom
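
The hypothesis at the end of the message (an older serial that was higher than the current ones) can be checked with RFC 1982 serial arithmetic. The following is an added example, not part of the original message and not NSD code; the serial values, the function names and the expire-timer rule in `secondary_action` are constructed assumptions.

```python
# Added illustration: generic RFC 1982 serial comparison as a secondary
# would apply it. This is not NSD source code.
MOD = 1 << 32    # SOA serials are unsigned 32-bit values
HALF = 1 << 31   # RFC 1982: differences below 2^31 mean "newer"


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than b under RFC 1982 arithmetic."""
    diff = (a - b) % MOD
    return diff != 0 and diff < HALF


def ahead_of_master(known_serials, master_serial):
    """Serials (e.g. from old zone files or state) that a secondary
    would treat as newer than what the master currently serves."""
    return [s for s in known_serials if serial_gt(s, master_serial)]


def secondary_action(stored, master, secs_since_ok, soa_expire):
    """Toy model of a secondary's decision for one zone.

    Assumption (not taken from NSD): the expire timer only restarts
    when the master's serial is equal to or newer than the stored one.
    """
    if serial_gt(master, stored):
        return "transfer"                 # master is newer: fetch the zone
    if stored % MOD == master % MOD:
        return "current"                  # in sync, timer restarts
    # Stored serial compares as newer: the master's copy is ignored,
    # so the timer keeps running until the SOA expire value is reached.
    return "expired" if secs_since_ok >= soa_expire else "master-older-ignored"


if __name__ == "__main__":
    # Constructed values: a date-style serial from the past versus a
    # numerically lower serial served by the master today.
    history = [1274870000, 2010052601, 1274876400]
    master = 1274876400
    print("ahead of master:", ahead_of_master(history, master))
    print(secondary_action(2010052601, master, 700000, 604800))
```

Feeding it the serials found in old zone-file revisions and the master's current SOA serial shows whether any stored value would outrank the master.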


