named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found

Philippe Maechler pmaechler-ml at glattnet.ch
Tue Mar 12 15:42:45 UTC 2019


Hello Mark and bind users

Thank you for the explanations. Some things are still not clear to me...

> -----Original Message-----
> From: Mark Andrews <marka at isc.org>
> Sent: Monday, March 11, 2019 8:53 AM
> To: Philippe Maechler <pmaechler-ml at glattnet.ch>
> Cc: bind-users at lists.isc.org
> Subject: Re: named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found
>
> Because you removed the key from disk before it was removed from the zone.  Presumably named
> was logging other error messages before you removed the key from disk or the machine was off
> for a period or you mismanaged the key roll and named keep the key alive.

Possible, the machine was running all the time (uptime is ~92 days). I would have to search in old logs to be sure. Since this domain is for testing purposes, it's not important. The "bad thing" is the CPU usage, which is quite high.

Is this something that will be addressed in future BIND releases? E.g. dns_dnssec_findzonekeys2 only searches at a given interval for new keys, or only logs this message once a minute/hour?

> Named’s re-signing strategy is different to when you are signing the whole zone at once as
> you are signing it incrementally.  You should be allowing most of the sig-validity interval
> before you delete the DNSKEY after you inactive it.

What exactly is the sig-validity time? From my understanding, this is the period from "Activate" to "Inactive".

# dnssec-settime -pall Kglattweb.ch.+013+06605
Created: Mon Mar 11 10:03:49 2019
Publish: Mon Mar 11 11:06:44 2019
Activate: Tue Mar 19 10:02:19 2019
Revoke: UNSET
Inactive: Thu Mar 21 10:06:44 2019
Delete: Sun Mar 31 11:05:48 2019
SYNC Publish: Mon Mar 11 11:06:44 2019
SYNC Delete: Sun Mar 31 11:06:44 2019

In this case the sig-validity time is ~2d 4m.

The key has a delete date of 2019-03-31, and I can delete (or move) the key on 2019-04-02, or, to be safe, on 2019-04-03?

> One should check that there are no RRSIGs
> still present in the zone before deleting the DNSKEY from the zone.  Inactivating it stops the
> DNSKEY being used to generate new signatures but it needs to stay around until all those RRSIGs
> have expired from caches which only happens after new replacement signatures have been generated.

When are these replacement RRSIGs created? The key reached its delete date, the new key is in place, and new RRSIGs are created.

> If you still have the .private file around reinstate it.   If not you will need to import the
> DNSKEY using dnssec-importkey and manage its removal properly.

Can you help me here?

# dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db
dnssec-importkey: error: dns_master_load: /usr/local/etc/namedb/master/glattweb.ch.db:15: glattweb.ch: not at top of zone
dnssec-importkey: fatal: can't load /usr/local/etc/namedb/master/glattweb.ch.db: not at top of zone

OK... yes, that makes sense, glattweb.ch is not at the top of the zone:

# head /usr/local/etc/namedb/master/glattweb.ch.db
$TTL    300
$ORIGIN glattweb.ch.

@     300  IN  SOA  dns1.glattnet.ch. hostmaster.glattnet. (
                     2019020400 ; serial
                            600 ; refresh
                            300 ; retry
                           3600 ; expire
                             90 ; nttl
                     )

I don't think that I should use the .signed file... let’s test that anyway:

# dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db.signed
dnssec-importkey: error: dns_master_load: /usr/local/etc/namedb/master/glattweb.ch.db.signed:1: syntax error
dnssec-importkey: fatal: can't load /usr/local/etc/namedb/master/glattweb.ch.db.signed: syntax error

Maybe I have to change the zone format from raw to text...

# named-compilezone -j -fraw -F text -o tmp glattweb.ch /usr/local/etc/namedb/master/glattweb.ch.db.signed
zone glattweb.ch/IN: loaded serial 2019022800 (DNSSEC signed)
dump zone to tmp...done
OK

# less tmp
glattweb.ch.                                  300 IN SOA        dns1.glattnet.ch. hostmaster.glattnet. 2019022800 600 300 3600 90
glattweb.ch.                                  300 IN RRSIG      SOA 13 2 300 20190330214039 20190228204039 12809 glattweb.ch. WDhpay5Iwi3DumsZ3UQiwdfkkIY44t8ez8dRW6/xv3sXFOJrwYQTyxwx eO2iiRBZwwOI6oyT/0eNDJiF+FSIlg==
; resign=20190330214039
glattweb.ch.                                  300 IN NS         dns1.glattnet.ch.
glattweb.ch.                                  300 IN NS         dns2.glattnet.ch.
glattweb.ch.                                  300 IN RRSIG      NS 13 2 300 20190318002703 20190215232756 12809 glattweb.ch. AJ3ez1YZEK6YzRlByyLJf3scpljMgZYjIRH55pG6oPhc7AP0qgo4dBqH MDvaVubxEWyulruRcOiD8jpym6gp2w==
; resign=20190318002703
glattweb.ch.                                  90 IN NSEC        www.glattweb.ch. NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
glattweb.ch.                                  90 IN RRSIG       NSEC 13 2 90 20190330212621 20190228204039 12809 glattweb.ch. 7Z93XycEUNrzZ64LxmQuBwSzps6nMxjVMrtUFR0Kse29RQF/3eIIjTGx ZoTpDSOjjsrEhsBEyGSKvrGLS6bLXA==
; resign=20190330212621
glattweb.ch.                                  300 IN DNSKEY     256 3 13 WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==
glattweb.ch.                                  300 IN DNSKEY     256 3 13 Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==
glattweb.ch.                                  300 IN RRSIG      DNSKEY 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. gbDTbnIz+NtSg4dws88wWxv67gXdz4Qw/PL54CixibylGptcufep5W49 2RkNz3iy79u1Kqvl4FUdEQhdZnLBJw==
glattweb.ch.                                  300 IN RRSIG      DNSKEY 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. eNk21CrH5BWkAp0uHk0N3gV2FCfsYUBO0bgRv4Vsqt2P9pz63sGKB/J0 9zWLNb4Lf7GF6tIUZjyXq3vERmL+KA==
; resign=20190328131200
glattweb.ch.                                  300 IN CDS        12809 13 1 C621D4A4904C012CBB35EB77E59F4C0CA3C81E87
glattweb.ch.                                  300 IN CDS        12809 13 2 75CDE511593A4D6D65D7FAC1C52EC304F9CB86D9AE53D550F2764A22 606FB96D
glattweb.ch.                                  300 IN CDS        33518 13 1 05977C7AC6320E25A3403366B69A1893DF023F63
glattweb.ch.                                  300 IN CDS        33518 13 2 39803C6F03171D50BA428C3BE5E4A3AB01CECF8564DAC18EBBFA2ED5 201B62C7
glattweb.ch.                                  300 IN RRSIG      CDS 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. h3rdycn57p0K2bi3IYPUyjf8NIYedWRO2OSpxrdGxiwqlH1tF9TaD9Rd n6YLP7cZtMZWOFBreHeNYGPKlqulEQ==
glattweb.ch.                                  300 IN RRSIG      CDS 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. 9Yy4QmylesxZrszDHwp1NkLps2XKWQYyQHfxNQ0rOsxxiujVEfcRY6Fl Xup1K9yZQdOxl5+GkyuHKic8HLXttA==
; resign=20190328131200
glattweb.ch.                                  300 IN CDNSKEY    256 3 13 WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==
glattweb.ch.                                  300 IN CDNSKEY    256 3 13 Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==
glattweb.ch.                                  300 IN RRSIG      CDNSKEY 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. l2FmSIdTBYCytoqZu8oiOx9tZ26MVIdaYXsF8uLAThJ5C1iXRuADwwde tCwN7zQsiK9+VF/qLGKUSInOFosgxw==
glattweb.ch.                                  300 IN RRSIG      CDNSKEY 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. gresGcjFA258p6374Ke/+qHr2WNFMPccQZnZgc4p074hqlF01lZUKx7w 388ph5i+fUzcsbT6Pf+trdkovuw7/A==
; resign=20190328131200
www.glattweb.ch.                              300 IN CNAME      gnweb.glattnet.ch.
www.glattweb.ch.                              300 IN RRSIG      CNAME 13 3 300 20190318002703 20190215232756 12809 glattweb.ch. 5gBSM7WaCIf2t/CFcaZ4p17xL6TpQw6zH+KpJphG3vxikRDgBNWVVjX7 ObDN6D7I4FhfaWEdRl3TcN4fJJQ++w==
; resign=20190318002703
www.glattweb.ch.                              90 IN NSEC        glattweb.ch. CNAME RRSIG NSEC
www.glattweb.ch.                              90 IN RRSIG       NSEC 13 3 90 20190328204045 20190226195831 12809 glattweb.ch. u+gIh06+Q3N1qwKIqieYI+2118ZoWvbI0vgCM27zU0lGDLdFLMeBUMuh Qh1BSYBsj/JDNH/jTsJFav5GZK44ng==
; resign=20190328204045
#

# dnssec-importkey -v 99 -f tmp
dnssec-importkey: error: dns_master_load: tmp:26: glattweb.ch: not at top of zone
dnssec-importkey: fatal: can't load tmp: not at top of zone

Since I get the same error message that I got when using dnssec-importkey on the unsigned file, I guess I'm doing something fundamentally wrong :/

tia

Philippe

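The check Mark describes (no RRSIGs made with a key may still be in the zone before its DNSKEY is removed) as an added example that is not part of the original thread. It parses a zone in the text layout written by named-compilezone -F text, reports the RRSIGs still generated by a given key tag, and treats the latest of their expiration times as the earliest moment the DNSKEY could be dropped without some validator still holding a signature that needs it. The zone text, names and key tags are constructed and are not the poster's zone.

```python
import re
from datetime import datetime, timezone

# Constructed zone text in the layout written by "named-compilezone -F text";
# names, key tags and signature data are made up, not the mailing-list zone.
ZONE_TEXT = """\
example.test.      300 IN SOA    ns1.example.test. hostmaster.example.test. 2019031200 600 300 3600 90
example.test.      300 IN RRSIG  SOA 13 2 300 20190330214039 20190228204039 12809 example.test. c2lnMQ==
; resign=20190330214039
example.test.      300 IN DNSKEY 256 3 13 a2V5MQ==
example.test.      300 IN DNSKEY 256 3 13 a2V5Mg==
example.test.      300 IN RRSIG  DNSKEY 13 2 300 20190328131200 20190226121200 33518 example.test. c2lnMg==
www.example.test.  300 IN RRSIG  CNAME 13 3 300 20190318002703 20190215232756 12809 example.test. c2lnMw==
"""

# RRSIG presentation format:
# owner ttl IN RRSIG type alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+\d{14}\s+(\d+)\s+\S+"
)

def rrsig_time(stamp):
    """RRSIG timestamps in presentation format are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsigs_for_key(zone_text, keytag):
    """Return [(owner, covered_type, expiration)] for every RRSIG made with keytag."""
    found = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)          # comment lines and other RR types do not match
        if m and int(m.group(4)) == keytag:
            found.append((m.group(1), m.group(2), rrsig_time(m.group(3))))
    return found

def dnskey_removal_check(zone_text, keytag):
    """Removal is blocked while any RRSIG made with the key is still in the zone.
    The latest expiration among those signatures is the last moment a validator can
    accept one of them, so the DNSKEY must stay published at least until then."""
    sigs = rrsigs_for_key(zone_text, keytag)
    hold_until = max((exp for _, _, exp in sigs), default=None)
    return {"removable": not sigs, "remaining": len(sigs), "hold_until": hold_until}

if __name__ == "__main__":
    for tag in (12809, 33518, 6605):
        print(tag, dnskey_removal_check(ZONE_TEXT, tag))
```

Once the count reaches zero for a key tag, the remaining wait is only for the old DNSKEY RRset itself to age out of caches, which the DNSKEY TTL bounds.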