Signed zone does not get updated 'receive_secure_serial: not exact'

Thomas Leuxner tlx at leuxner.net
Thu Dec 27 11:08:05 UTC 2012


On 26.12.2012 at 23:31, Mark Andrews <marka at isc.org> wrote:

> * the record to be removed was not there
> * the record to be added was already there
> 
> This means that the two versions of the zone have become unsynchronized.

I did some more tests with another zone. Not sure BIND works as intended there:

- zone 'trashheap' gets signed (has serial 7 unsigned and receives serial 8|10 signed subsequently)

Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (unsigned): loaded serial 7
Dec 27 11:34:12 spectre named[27411]: any newly configured zones are now loaded
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): loaded serial 7
Dec 27 11:34:12 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update with no effect
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): receive_secure_serial: not exact
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): reconfiguring zone keys
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): next key event: 27-Dec-2012 11:34:12.333
Dec 27 11:34:12 spectre named[27411]: zone trashheap.net/IN (signed): sending notifies (serial 8)
Dec 27 11:34:12 spectre named[27411]: client 88.198.49.12#26609/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR started: TSIG ns1-acme.spoerlein.net
Dec 27 11:34:12 spectre named[27411]: client 88.198.49.12#26609/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR ended
Dec 27 11:34:17 spectre named[27411]: zone trashheap.net/IN (signed): sending notifies (serial 10)
Dec 27 11:34:17 spectre named[27411]: client 88.198.49.12#17597/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR started: TSIG ns1-acme.spoerlein.net
Dec 27 11:34:17 spectre named[27411]: client 88.198.49.12#17597/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR ended

- a TXT record is added to zone 'trashheap' via nsupdate
- same problem as before: 'receive_secure_serial: not exact'

Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key tlx.leuxner.net: signer "tlx.leuxner.net" approved
Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at '2013._domainkey.trashheap.net' TXT
Dec 27 11:37:33 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update with no effect
Dec 27 11:37:33 spectre named[27411]: zone trashheap.net/IN (signed): receive_secure_serial: not exact

- to mitigate the problem, zone journal is dropped again 'rndc sync -clean trashheap.net'
- zone is frozen
- unsigned serial is increased (to 9)
- zone is unfrozen
- zone receives new signed serial (11)

Dec 27 11:44:10 spectre named[27411]: received control channel command 'sync -clean trashheap.net'
Dec 27 11:44:10 spectre named[27411]: sync: dumping zone 'trashheap.net/IN', removing journal file: success
Dec 27 11:45:40 spectre named[27411]: received control channel command 'loadkeys trashheap.net'
Dec 27 11:45:40 spectre named[27411]: zone trashheap.net/IN (signed): reconfiguring zone keys
Dec 27 11:45:40 spectre named[27411]: zone trashheap.net/IN (signed): next key event: 27-Dec-2012 11:45:40.045
Dec 27 11:46:38 spectre named[27411]: received control channel command 'freeze trashheap.net'
Dec 27 11:46:38 spectre named[27411]: freezing zone 'trashheap.net/IN': success
Dec 27 11:47:02 spectre named[27411]: received control channel command 'thaw trashheap.net'
Dec 27 11:47:02 spectre named[27411]: thawing zone 'trashheap.net/IN': success
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (unsigned): loaded serial 9
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): serial 11 (unsigned 9)
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): sending notifies (serial 11)
Dec 27 11:47:02 spectre named[27411]: client 88.198.49.12#54606/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR started: TSIG ns1-acme.spoerlein.net
Dec 27 11:47:02 spectre named[27411]: client 88.198.49.12#54606/key ns1-acme.spoerlein.net (trashheap.net): transfer of 'trashheap.net/IN': IXFR ended

- another TXT record is added and propagation works going forward

Dec 27 12:03:21 spectre named[27411]: client 188.138.3.243#13188/key tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at '2014._domainkey.trashheap.net' TXT
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): serial 12 (unsigned 10)
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): sending notifies (serial 12)

Regards
Thomas
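
An added example, not part of the original message and not BIND code: a small audit over named syslog lines like the ones above that flags zones whose signed copy logged 'receive_secure_serial: not exact' and keeps the dynamic updates logged just before it, so they can be verified in the signed zone after recovery. The trashheap.net lines are copied from the message; the example.test lines and the name `audit` are constructed for illustration.

```python
import re
from collections import defaultdict

UPDATE = re.compile(r"updating zone '([^']+)': (.+)$")
NOT_EXACT = re.compile(r"zone (\S+) \(signed\): receive_secure_serial: not exact")
SYNCED = re.compile(r"zone (\S+) \(signed\): serial (\d+) \(unsigned (\d+)\)")

# trashheap.net lines come from the message; example.test lines are constructed.
SAMPLE_LOG = """\
Dec 27 11:37:33 spectre named[27411]: client 188.138.3.243#59506/key tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at '2013._domainkey.trashheap.net' TXT
Dec 27 11:37:33 spectre named[27411]: trashheap.net/IN: dns_diff_apply: update with no effect
Dec 27 11:37:33 spectre named[27411]: zone trashheap.net/IN (signed): receive_secure_serial: not exact
Dec 27 11:47:02 spectre named[27411]: zone trashheap.net/IN (signed): serial 11 (unsigned 9)
Dec 27 12:03:21 spectre named[27411]: client 188.138.3.243#13188/key tlx.leuxner.net: updating zone 'trashheap.net/IN': adding an RR at '2014._domainkey.trashheap.net' TXT
Dec 27 12:03:21 spectre named[27411]: zone trashheap.net/IN (signed): serial 12 (unsigned 10)
Dec 27 12:10:00 spectre named[27411]: client 192.0.2.10#40000/key ddns.example.test: updating zone 'example.test/IN': adding an RR at 'host.example.test' A
Dec 27 12:10:00 spectre named[27411]: zone example.test/IN (signed): receive_secure_serial: not exact
"""

def audit(log_text):
    """Return per-zone state: stalled flag, last signed serial, suspect updates."""
    zones = defaultdict(lambda: {"stalled": False, "signed_serial": None,
                                 "suspect_updates": [], "_pending": []})
    for line in log_text.splitlines():
        if m := UPDATE.search(line):
            # Update accepted into the unsigned zone, not yet seen in the signed one.
            zones[m[1]]["_pending"].append(m[2])
        elif m := NOT_EXACT.search(line):
            # Signed copy rejected the diff: the pending updates may be missing from it.
            z = zones[m[1]]
            z["stalled"] = True
            z["suspect_updates"] += z["_pending"]
            z["_pending"] = []
        elif m := SYNCED.search(line):
            # Signed serial advanced again; suspect updates stay listed for manual checks.
            z = zones[m[1]]
            z["stalled"] = False
            z["signed_serial"] = int(m[2])
            z["_pending"] = []
    return {name: {k: v for k, v in z.items() if not k.startswith("_")}
            for name, z in zones.items()}

if __name__ == "__main__":
    for zone, state in audit(SAMPLE_LOG).items():
        print(zone, state)
```
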
