named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found

Mark Andrews marka at isc.org
Mon Mar 11 07:52:51 UTC 2019


Because you removed the key from disk before it was removed from the zone.  Presumably named
was logging other error messages before you removed the key from disk, or the machine was off
for a period, or you mismanaged the key roll and named kept the key alive.

Named's re-signing strategy is different from when you are signing the whole zone at once, as
you are signing it incrementally.  You should be allowing most of the sig-validity interval
before you delete the DNSKEY after you inactivate it.  One should check that there are no RRSIGs
still present in the zone before deleting the DNSKEY from the zone.  Inactivating it stops the
DNSKEY from being used to generate new signatures, but it needs to stay around until all those RRSIGs
have expired from caches, which only happens after new replacement signatures have been generated.

If you still have the .private file around, reinstate it.   If not, you will need to import the
DNSKEY using dnssec-importkey and manage its removal properly.

[beetle:~/git/bind9] marka% dig dnskey  glattweb.ch +rrcomm
;; BADCOOKIE, retrying.

; <<>> DiG 9.15.0-dev+hotspot+add-prefetch+marka <<>> dnskey glattweb.ch +rrcomm
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64267
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7b44693b86938f2bda7d25725c86082c5b24bafb90421a0a (good)
;; QUESTION SECTION:
;glattweb.ch.			IN	DNSKEY

;; ANSWER SECTION:
glattweb.ch.		300	IN	DNSKEY	256 3 13 Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==  ; ZSK; alg = ECDSAP256SHA256 ; key id = 12809
glattweb.ch.		300	IN	DNSKEY	256 3 13 WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==  ; ZSK; alg = ECDSAP256SHA256 ; key id = 33518

;; Query time: 2454 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Mar 11 18:03:08 AEDT 2019
;; MSG SIZE  rcvd: 228

[beetle:~/git/bind9] marka% 


> On 11 Mar 2019, at 6:00 pm, Philippe Maechler <pmaechler-ml at glattnet.ch> wrote:
> 
> Hello List
>  
> Today our bind server started with the following log contents:
> 11-Mar-2019 07:41:06.599 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.600 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.602 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.603 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.604 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.606 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.607 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.609 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.610 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.611 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.613 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.614 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.616 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.617 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.618 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.620 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.621 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.623 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.624 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.625 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.627 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.628 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.630 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.631 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.633 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.634 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
> 11-Mar-2019 07:41:06.635 general: warning: dns_dnssec_findzonekeys2: error reading /usr/local/etc/namedb/keys/glattweb.ch/Kglattweb.ch.+013+33518.private: file not found
>  
>  
> This is a FreeBSD 11.2 with bind compiled from Ports
>  
> # named -V
> BIND 9.11.5 (Extended Support Version) <id:3b0b204>
> running on FreeBSD amd64 11.2-RELEASE-p5 FreeBSD 11.2-RELEASE-p5 #0: Tue Nov 27 09:33:52 UTC 2018     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
> built by make with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--with-gost=no' '--sysconfdir=/usr/local/etc/namedb' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--without-gssapi' '--with-libidn2=/usr/local' '--enable-ipv6' '--with-libjson=/usr/local' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--with-python=/usr/local/bin/python2.7' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--with-openssl=/usr' '--enable-threads' '--with-tuning=default' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd11.2' 'build_alias=amd64-portbld-freebsd11.2' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -fstack-protector ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp'
> compiled by CLANG 4.2.1 Compatible FreeBSD Clang 6.0.0 (tags/RELEASE_600/final 326565)
> compiled with OpenSSL version: OpenSSL 1.0.2o-freebsd  27 Mar 2018
> linked to OpenSSL version: OpenSSL 1.0.2o-freebsd  27 Mar 2018
> compiled with libxml2 version: 2.9.7
> linked to libxml2 version: 20907
> compiled with libjson-c version: 0.13.1
> linked to libjson-c version: 0.13.1
> compiled with zlib version: 1.2.11
> linked to zlib version: 1.2.11
> threads support is enabled
>  
> The zone in question has the following config:
> # rndc showzone glattweb.ch
> zone "glattweb.ch." { 
>   type master; 
>   file "/usr/local/etc/namedb/master/glattweb.ch.db"; 
>   allow-transfer { "xfer"; }; 
>   also-notify { 192.168.3.220; 192.168.3.221; 192.168.3.223; 192.168.3.224; }; 
>   auto-dnssec maintain; 
>   dnssec-loadkeys-interval 60; 
>   inline-signing yes; 
>   key-directory "/usr/local/etc/namedb/keys/glattweb.ch"; 
>   masterfile-format text; 
>   notify yes; 
>   serial-update-method date; 
> };
>  
> The key in question (33518) had the following dates:
> Filename: Kglattweb.ch.+013+33518.key
> Key ID: 33518
> Publish 27.12.2018 07:45:22
> Activate 27.12.2018 07:45:22
> Inactive 10.02.2019 09:07:15
> Delete 14.02.2019 09:07:15
> SYNC Publish 27.12.2018 07:45:22
> SYNC Delete 14.02.2019 09:07:15
> 
> And was deleted by me on 26 Feb 2019
>  
> Questions: 
> How can I stop named from logging the error message above?
> Why do I get that many messages in a second? The CPU usage on this host has been > 85% since then.
> Why do I get the messages now, ~12 days after I deleted the key? (named was restarted several times in the time between)
> The key has a delete date of 14.02.2019 and the TTL is 3600; when should I delete this key file? I had the impression that after DELETE-DATE + TTL it's safe to delete the key.
>  
> I'm upgrading this bind instance to the latest 9.11 version now to see if the error disappears; if not, I hope to get an answer or solution, else I'll upgrade to 9.12.x.
>  
> Best regards
> Philippe
>  
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
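The check Mark describes (no RRSIG made with the retiring key may remain in the zone before its DNSKEY goes, and the key files stay on disk until the DNSKEY has left the zone), as an added example that is not part of the thread and is not BIND or ISC code. It parses DNSKEY and RRSIG records in presentation format, computes each DNSKEY's key tag per RFC 4034 Appendix B, and reports for a given key tag whether the DNSKEY and then the key files may be removed. The two DNSKEY records are the ZSKs from the dig output above; the RRSIG records, their dummy signature data and the NOW timestamp are constructed for illustration.

```python
"""Key-roll safety check for the situation in this thread.

Added example, not code from the thread, from BIND or from ISC. The two DNSKEY
records are the ZSKs from the dig output in the reply; the RRSIG lines, their
signature data and NOW are constructed.
"""
import base64
from datetime import datetime, timezone


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag of a DNSKEY, RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _sigtime(s: str) -> datetime:
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text: str):
    """Pick DNSKEY and RRSIG records out of presentation-format zone text.

    ';' comments and other RR types are skipped. Base64 fields may be split by
    whitespace, as dig prints them, so the trailing fields are joined.
    """
    dnskeys, rrsigs = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        f = line.split()
        if len(f) < 4:
            continue
        owner, rtype = f[0], f[3]
        if rtype == "DNSKEY":
            flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
            pub = base64.b64decode("".join(f[7:]))
            dnskeys.append({"owner": owner, "flags": flags, "alg": alg,
                            "keytag": dnskey_keytag(flags, proto, alg, pub)})
        elif rtype == "RRSIG":
            # RDATA: type-covered alg labels orig-ttl expiration inception keytag signer sig
            rrsigs.append({"owner": owner, "covers": f[4], "alg": int(f[5]),
                           "expiration": _sigtime(f[8]), "inception": _sigtime(f[9]),
                           "keytag": int(f[10]), "signer": f[11]})
    return dnskeys, rrsigs


def deletion_report(zone_text: str, keytag: int, now: datetime) -> dict:
    """Say whether DNSKEY <keytag>, and then its key files, may be removed."""
    dnskeys, rrsigs = parse_zone(zone_text)
    mine = [s for s in rrsigs if s["keytag"] == keytag]
    present = any(k["keytag"] == keytag for k in dnskeys)
    return {
        "dnskey_present": present,
        # Still valid: validators may hold these, so the DNSKEY must stay.
        "live_rrsigs": [(s["owner"], s["covers"]) for s in mine if s["expiration"] > now],
        # Expired but still in the zone: not yet replaced by signatures from the active key.
        "expired_rrsigs": [(s["owner"], s["covers"]) for s in mine if s["expiration"] <= now],
        # The DNSKEY may go only when nothing in the zone is signed with it any more.
        "safe_to_remove_dnskey": not mine,
        # The .key/.private files may go only once the DNSKEY itself has left the zone.
        "safe_to_delete_key_files": not mine and not present,
    }


# Constructed zone excerpt: DNSKEYs from the dig output above, RRSIGs invented
# (dummy signature data) to show 33518 inactive but still referenced by RRSIGs.
SIG = "ZmFrZXNpZ25hdHVyZQ=="  # placeholder, never decoded
ZONE = f"""\
glattweb.ch.  300 IN DNSKEY 256 3 13 Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==  ; ZSK
glattweb.ch.  300 IN DNSKEY 256 3 13 WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==  ; ZSK
www.glattweb.ch.  3600 IN RRSIG A   13 3 3600 20190401000000 20190302000000 12809 glattweb.ch. {SIG}
mail.glattweb.ch. 3600 IN RRSIG MX  13 3 3600 20190310000000 20190208000000 33518 glattweb.ch. {SIG}
glattweb.ch.      3600 IN RRSIG TXT 13 2 3600 20190313000000 20190209000000 33518 glattweb.ch. {SIG}
"""
# Moment of the log burst in the original post, taken as UTC for this example.
NOW = datetime(2019, 3, 11, 7, 41, 6, tzinfo=timezone.utc)

if __name__ == "__main__":
    for tag in (33518, 12809):
        r = deletion_report(ZONE, tag, NOW)
        print(f"key {tag}: DNSKEY in zone={r['dnskey_present']} live={r['live_rrsigs']} "
              f"expired={r['expired_rrsigs']} remove DNSKEY? {r['safe_to_remove_dnskey']} "
              f"delete key files? {r['safe_to_delete_key_files']}")
```

To run it against a real zone, feed parse_zone the signed zone as dig prints it for an AXFR (one record per line, without +multiline). The computed tags for the two DNSKEYs come out as 12809 and 33518, matching the key ids dig annotated, and for 33518 the report refuses both removals because RRSIGs made with it (one still valid, one expired but not yet replaced) are still in the zone.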
