[nsd-users] zone has (not?) expired

W.C.A. Wijngaards wouter at NLnetLabs.nl
Wed May 26 12:56:40 UTC 2010


Hi Tom,

My best guess is that this higher serial number was sent with a Notify
to NSD, and it stored this in the /var/lib/nsd/slave/* files.  When NSD
gets a serial number which it cannot achieve, it tries to get as close
as possible, and does not end the polling process.  Thus, it did pick up
the older updates, because they were closer to this unattainable lofty
goal it had.  It did poll (using the normal retry timer, but not waiting
for the refresh timer any more), but also listened to the incoming
notifies, which it only took as a sign it could step a little closer.
In the end the expire timer expired(?), but somehow the frequent 'steps
closer' kept the zones up to date and prevented it from marking the
zones as SERVFAIL due to expiry (?) ...  These last bits are not
completely up to snuff I agree, but not that threatening either.

This is only an assumption, perhaps different things conspired.

Best regards,

On 05/26/2010 02:37 PM, Tom Hendrikx wrote:
> Hi,
> For some time I've been seeing a lot of these messages in my slave nsd logs:
> 2010-05-26T13:20:15+02:00 julie nsd[11593]: xfrd: zone example.com has
> expired
> This happens only for domains that are DNSSEC signed (with opendnssec).
> When I doublecheck, serials are all up-to-date, and other tasks such as
> patching updates back to the zone file on disk succeeds. In short: I see
> no issues with my zones.
> I tried downgrading the master and slave from 3.2.5 back to 3.2.4, but
> that did not help. A second slave running NSD 3.2.2 is seeing the same
> log messages, but it is unknown since when they are present there (I
> assume around the same time). Pushing log level up to 2 or more, or
> enabling --enable-checking at compile-time does not show any messages
> when forcing an update on the slave.
> In the end I seemed to have solved this by:
> - stopping slave nsd
> - deleting /var/lib/nsd/slave/* (slave zone files)
> - deleting /var/db/nsd/* (all db and state files)
> - run nsdc rebuild, forcing zone transfers
> - start nsd.
> Besides all actual data, this has cleaned out all historic data too.
> This leads me to believe that in a distant past, (probably before I
> started signing my zones with opendnssec) I used a serial higher than
> the current ones. The commit history in the zone files written by
> nsd/nsd-patch didn't show this, however.
> Any ideas as to what was/is wrong?
> Regards,
> 	Tom
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users

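As an added illustration (not NSD's own code, nor anything posted by the thread's participants), here is a small Python model of the polling behaviour Wouter describes: RFC 1982 serial comparison plus a slave zone that stores a notify serial, stays on the retry timer while it cannot reach it, and accepts each closer serial from the master. The serial values and timers are constructed.

```python
# Toy model (added here, not NSD's code) of the xfrd behaviour described above: a
# slave holding a NOTIFY serial it can never reach stays on the retry timer.
SERIAL_MASK = 0xFFFFFFFF
HALF = 1 << 31

def serial_gt(a, b):
    """RFC 1982 comparison: True if a is 'after' b in 32-bit serial space."""
    a, b = a & SERIAL_MASK, b & SERIAL_MASK
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

class SlaveZone:
    def __init__(self, serial, refresh, retry, expire):
        self.serial = serial
        self.notified = None          # highest serial ever seen in a NOTIFY
        self.refresh, self.retry, self.expire = refresh, retry, expire
        self.last_xfr = 0             # time of the last successful transfer

    def behind_notify(self):
        return self.notified is not None and serial_gt(self.notified, self.serial)

    def next_poll_interval(self):
        # an unattained notify serial keeps the zone on the short retry timer
        return self.retry if self.behind_notify() else self.refresh

    def notify(self, serial):
        if self.notified is None or serial_gt(serial, self.notified):
            self.notified = serial

    def clear_state(self):
        """Model of deleting the slave state files: forget the stored notify."""
        self.notified = None

    def poll(self, master_serial, now):
        """SOA check, then a transfer whenever the master is ahead of us."""
        if serial_gt(master_serial, self.serial):
            self.serial, self.last_xfr = master_serial, now
        return now - self.last_xfr < self.expire   # False once the zone expired

def run_scenario(stale_notify=2010999999, days=3):
    """Master re-signs daily (constructed serials 2010052600+); slave may hold a stale notify."""
    zone = SlaveZone(serial=2010052600, refresh=86400, retry=3600, expire=7 * 86400)
    if stale_notify is not None:
        zone.notify(stale_notify)                  # the 'unattainable lofty goal'
    now, polls, served = 0, 0, True
    while now < days * 86400:
        served = zone.poll(2010052600 + now // 86400, now) and served
        polls += 1
        now += zone.next_poll_interval()
    return {"polls": polls, "serial": zone.serial,
            "still_behind": zone.behind_notify(), "served": served, "zone": zone}
```

Running run_scenario() with and without the stale notify gives 72 hourly polls versus 3 daily ones over the same three days while the zone stays served either way, and clear_state() corresponds to the deletion of the slave state files that ended the messages.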