recover missing journal files from running server

Phil Pennock bind-users+phil at spodhuis.org
Thu Jul 10 22:37:15 UTC 2014


On 2014-07-10 at 12:33 -0400, Phil Pennock wrote:
> Folks, in a moment of gross stupidity I added "--delete-delay" to an
> rsync invocation in a deploy script, to remove master zonefiles from
> the server which are no longer needed.  I forgot that the DNSSEC
> auto-maintain journal files are in that directory too.
> 
> Seeing little things like this:
> 
>     deleting db.spodhuis.org.signed.jnl
>     deleting db.spodhuis.org.signed
>     deleting db.spodhuis.org.jnl
>     deleting db.spodhuis.org.jbk
> 
> worry me.  So, I still have all of the DNSSEC keyfiles (different
> directory, and in private git pushed to backup storage anyway).  I still
> have a running server instance.
> 
> Is there any way to get back the on-disk state files for the
> auto-maintained zones, so that I can recover from my mistake cleanly?
> (There's about 20 domains).
> 
> Using `rndc sync` or `rndc sync spodhuis.org` does not recreate the
> journal file.  Log file lines and `rndc zonestatus` below.
> 
> What are my options to recover?

For the archives: I did later solve this problem.

Using `rndc sign $zone` recreated the journal file on disk, with the
correct SOA serial number: the in-memory copy was used to create the SOA
for the new journal.

The important bit was to override the "next key event" by just forcing
an immediate re-signing.  I have since been able to `rndc reconfig` and
then also perform a full restart, and the zones are still serving
correctly.

So even though `named-journalprint $zonefile.signed.jnl` only shows
"del" records for SOAs with serial numbers higher than recorded in the
master zonefile as stored in git, on startup bind reconciles the
zonefile and the journal and works anyway.

(And yes, the fully dynamic zone I had is in a different directory and
is frozen/thaw'd around backup time anyway, so I could still have
recovered that aspect, had the failure occurred there).

Regards,
-Phil
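
The recovery described in this message, applied across a list of zones, as an added example that is not part of the original post. It assumes the `db.<zone>.signed.jnl` naming seen in the rsync output above; `ZONE_DIR`, `RNDC`, `WAIT_SECS` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: re-create missing inline-signing journals with `rndc sign`.
# Assumptions (not from the post): ZONE_DIR location, WAIT_SECS timeout,
# and the RNDC override used to point at a different rndc binary.
ZONE_DIR=${ZONE_DIR:-/var/named/master}
RNDC=${RNDC:-rndc}
WAIT_SECS=${WAIT_SECS:-10}

# Journal path, following the db.<zone>.signed.jnl naming shown in the post.
journal_path() {
    printf '%s/db.%s.signed.jnl\n' "$ZONE_DIR" "$1"
}

# Print each zone in the argument list whose journal is absent or empty.
missing_journals() {
    for zone in "$@"; do
        [ -s "$(journal_path "$zone")" ] || printf '%s\n' "$zone"
    done
}

# Force an immediate re-sign, then wait for the journal to appear on disk.
# Returns 1 if rndc fails or nothing is written within WAIT_SECS seconds.
resign_zone() {
    zone=$1
    "$RNDC" sign "$zone" || return 1
    waited=0
    while [ ! -s "$(journal_path "$zone")" ]; do
        [ "$waited" -ge "$WAIT_SECS" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Re-sign only zones lacking a journal; exit status is the failure count.
recover_zones() {
    failed=0
    for z in $(missing_journals "$@"); do
        if resign_zone "$z"; then
            echo "recovered: $z"
        else
            echo "FAILED: $z" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: ZONE_DIR=/path/to/zones sh recover.sh zone1 zone2 ...
if [ "$#" -gt 0 ]; then recover_zones "$@"; fi
```

Run it before any `rndc reconfig` or restart, while the in-memory copy of each zone is still available to named.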