named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found

Philippe Maechler pmaechler-ml at glattnet.ch
Mon Mar 11 07:00:32 UTC 2019


Hello List

 

Today our bind server started with the following log contents:

11-Mar-2019 07:41:06.599 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.600 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.602 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.603 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.604 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.606 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.607 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.609 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.610 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.611 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.613 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.614 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.616 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.617 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.618 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.620 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.621 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.623 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.624 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.625 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.627 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.628 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.630 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.631 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.633 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.634 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
11-Mar-2019 07:41:06.635 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found

This is FreeBSD 11.2 with bind compiled from Ports.

# named -V
BIND 9.11.5 (Extended Support Version) <id:3b0b204>
running on FreeBSD amd64 11.2-RELEASE-p5 FreeBSD 11.2-RELEASE-p5 #0: Tue Nov 27 09:33:52 UTC 2018 root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
built by make with '--localstatedir=/var' '--disable-linux-caps'
'--disable-symtable' '--with-randomdev=/dev/random'
'--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit'
'--with-dlopen=yes' '--with-gost=no' '--sysconfdir=/usr/local/etc/namedb'
'--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-filter-aaaa'
'--disable-fixed-rrset' '--without-geoip' '--without-gssapi'
'--with-libidn2=/usr/local' '--enable-ipv6' '--with-libjson=/usr/local'
'--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11'
'--with-python=/usr/local/bin/python2.7' '--disable-querytrace'
'--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1'
'--with-openssl=/usr' '--enable-threads' '--with-tuning=default'
'--prefix=/usr/local' '--mandir=/usr/local/man'
'--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.2'
'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe
-DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include
-fno-strict-aliasing ' 'LDFLAGS= -fstack-protector ' 'LIBS=-L/usr/local/lib'
'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp'
compiled by CLANG 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565)
compiled with OpenSSL version: OpenSSL 1.0.2o-freebsd  27 Mar 2018
linked to OpenSSL version: OpenSSL 1.0.2o-freebsd  27 Mar 2018
compiled with libxml2 version: 2.9.7
linked to libxml2 version: 20907
compiled with libjson-c version: 0.13.1
linked to libjson-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

The zone in question has the following config:

# rndc showzone glattweb.ch
zone "glattweb.ch." {
  type master;
  file "/usr/local/etc/namedb/master/glattweb.ch.db";
  allow-transfer { "xfer"; };
  also-notify { 192.168.3.220; 192.168.3.221; 192.168.3.223; 192.168.3.224; };
  auto-dnssec maintain;
  dnssec-loadkeys-interval 60;
  inline-signing yes;
  key-directory "/usr/local/etc/namedb/keys/glattweb.ch";
  masterfile-format text;
  notify yes;
  serial-update-method date;
};

The key in question (33518) had the following dates:

Filename: Kglattweb.ch.+013+33518.key
Key ID: 33518
Publish 27.12.2018 07:45:22
Activate 27.12.2018 07:45:22
Inactive 10.02.2019 09:07:15
Delete 14.02.2019 09:07:15
SYNC Publish 27.12.2018 07:45:22
SYNC Delete 14.02.2019 09:07:15



And it was deleted by me on 26 Feb 2019.

Questions: 

How can I stop named from logging the error message above?

Why do I get that many messages in a second? The CPU usage on this host has
been > 85% since then.

Why do I get the messages now, ~12 days after I deleted the key? (named was
restarted several times in the time between.)

The key has a delete date of 14.02.2019 and the TTL is 3600; when should I
delete this key file? I had the impression that after DELETE-DATE + TTL it's
safe to delete the key.

I'm upgrading this bind instance to the latest 9.11 version now to see if
the error disappears. If not, I hope to get an answer or solution; else I'll
upgrade to 9.12.x.

Best regards

Philippe
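
Added example (not part of the original post and not ISC code): one way to turn a warning flood like the one quoted above into a per-key summary that can feed an alert, by grouping the dns_dnssec_findzonekeys2 lines by zone, algorithm and key tag and measuring the peak rate per second. It assumes one log entry per line as named writes them; the sample log, the function names and the threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: three warnings in the format quoted in the post, one per
# line as named writes them, plus one unrelated line that must be ignored.
_WARN = ("general: warning: dns_dnssec_findzonekeys2: error reading "
         "/usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: "
         "file not found")
SAMPLE_LOG = "\n".join([
    "11-Mar-2019 07:41:06.599 " + _WARN,
    "11-Mar-2019 07:41:06.600 " + _WARN,
    "11-Mar-2019 07:41:07.102 " + _WARN,
    "11-Mar-2019 07:41:07.500 general: info: unrelated constructed line",
])

# Key files are named K<zone>.+<3-digit algorithm>+<5-digit key tag>.private
LINE_RE = re.compile(
    r"^(?P<sec>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?"
    r"dns_dnssec_findzonekeys2: error reading "
    r"(?P<path>\S*/K(?P<zone>[^/]+?)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.private): "
    r"(?P<reason>.+)$")

def summarize(log_text):
    """Group findzonekeys2 read errors by (zone, algorithm, key tag)."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a key-read warning
        key = (m["zone"], int(m["alg"]), int(m["tag"]))
        e = seen.setdefault(key, {"path": m["path"], "reason": m["reason"],
                                  "first": m["sec"], "per_second": Counter()})
        e["last"] = m["sec"]
        e["per_second"][m["sec"]] += 1  # bucket by whole second
    return {k: {"path": e["path"], "reason": e["reason"], "first": e["first"],
                "last": e["last"], "count": sum(e["per_second"].values()),
                "peak_per_second": max(e["per_second"].values())}
            for k, e in seen.items()}

def noisy_keys(summary, threshold):
    """Keys whose warning rate reached `threshold` lines in any one second."""
    return sorted(k for k, s in summary.items() if s["peak_per_second"] >= threshold)

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LOG).items():
        print(key, stats)
```
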

 
