- Type: Bug
- Status: Open
- Priority: Minor
- Resolution: Unresolved
- Affects Version/s: OpenDNSSEC 1.4.3
- Fix Version/s: None
- Component/s: Signer
- Labels: None
- Environment: Debian testing, OpenDNSSEC 1:1.4.3-3.
During automated zone re-signs, ods-signerd seems not to detect that the zone file has been updated and has a new serial:
Feb 27 13:46:18 dns-mgt ods-signerd: [namedb] zone teleglobe.net cannot keep SOA SERIAL from input zone (2014022510): previous output SOA SERIAL is 2014022510
Feb 27 13:46:18 dns-mgt ods-signerd: [zone] unable to update zone teleglobe.net soa serial: Conflict detected
Feb 27 13:46:18 dns-mgt ods-signerd: [zone] If this is the result of a key rollover, please increment the serial in the unsigned zone teleglobe.net
Feb 27 13:46:18 dns-mgt ods-signerd: [worker[4]] unable to sign zone teleglobe.net: failed to increment serial
Feb 27 13:46:18 dns-mgt ods-signerd: [worker[4]] CRITICAL: failed to sign zone teleglobe.net: Conflict detected
Feb 27 13:46:18 dns-mgt ods-signerd: [worker[4]] backoff task [sign] for zone teleglobe.net with 3600 seconds
However, after issuing ods-signer sign --all (and not even touching the zone files), ods-signerd recognizes the new serial and signs the zone:
Feb 27 14:14:42 dns-mgt ods-signerd: [STATS] teleglobe.net RR[count=2 time=0(sec)] NSEC3[count=2 time=0(sec)] RRSIG[new=4 reused=1900 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Also, I don't really understand why signerd has to care about the zone serial so much. Is there a mode in which it will try to re-sign a zone on request regardless of the serial?
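For operators who want to catch this condition from syslog, here is an added monitoring example (not part of the original report and not OpenDNSSEC code). It parses the ods-signerd messages quoted above and lists zones that hit the serial conflict and have not been signed since. The log lines are copied from the report; the year 2014 and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Log lines copied from the report above. Syslog carries no year; 2014 is assumed.
SAMPLE = """\
Feb 27 13:46:18 dns-mgt ods-signerd: [namedb] zone teleglobe.net cannot keep SOA SERIAL from input zone (2014022510): previous output SOA SERIAL is 2014022510
Feb 27 13:46:18 dns-mgt ods-signerd: [worker[4]] CRITICAL: failed to sign zone teleglobe.net: Conflict detected
Feb 27 13:46:18 dns-mgt ods-signerd: [worker[4]] backoff task [sign] for zone teleglobe.net with 3600 seconds
Feb 27 14:14:42 dns-mgt ods-signerd: [STATS] teleglobe.net RR[count=2 time=0(sec)] NSEC3[count=2 time=0(sec)] RRSIG[new=4 reused=1900 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
"""

STAMP = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ods-signerd: "
CONFLICT = re.compile(STAMP + r"\[namedb\] zone (?P<zone>\S+) cannot keep SOA SERIAL from "
                      r"input zone \((?P<inp>\d+)\): previous output SOA SERIAL is (?P<out>\d+)")
BACKOFF = re.compile(STAMP + r"\[worker\[\d+\]\] backoff task \[sign\] for zone "
                     r"(?P<zone>\S+) with (?P<secs>\d+) seconds")
STATS = re.compile(STAMP + r"\[STATS\] (?P<zone>\S+) ")

def parse_ts(text, year=2014):
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def stalled_zones(log_text, year=2014):
    """Return {zone: state} for every zone whose signing hit a serial conflict."""
    zones = {}
    for line in log_text.splitlines():
        if m := CONFLICT.match(line):
            zones[m["zone"]] = {"input_serial": int(m["inp"]), "output_serial": int(m["out"]),
                                "failed_at": parse_ts(m["ts"], year),
                                "retry_at": None, "signed_at": None}
        elif (m := BACKOFF.match(line)) and m["zone"] in zones:
            delay = timedelta(seconds=int(m["secs"]))
            zones[m["zone"]]["retry_at"] = parse_ts(m["ts"], year) + delay
        elif (m := STATS.match(line)) and m["zone"] in zones:
            # A [STATS] line after the conflict means the zone was signed again.
            zones[m["zone"]]["signed_at"] = parse_ts(m["ts"], year)
    return zones

def needs_attention(log_text, year=2014):
    """Zones with a serial conflict and no later successful signing run."""
    return sorted(z for z, s in stalled_zones(log_text, year).items() if s["signed_at"] is None)

if __name__ == "__main__":
    for zone, state in stalled_zones(SAMPLE).items():
        print(zone, state)
    print("needs attention:", needs_attention(SAMPLE))
```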