I'm using OpenDNSSEC with zone transfers in and out.
It seems that OpenDNSSEC can get into a state where it refuses
to load a new unsigned zone via zone transfer, claiming that a
zone transfer is already in progress, but in actual fact that is
not happening, and OpenDNSSEC keeps on signing the old
copy of the zone it has.
This may be related to the fix for issue
multiple zone transfers could happen at the same time for the same
When OpenDNSSEC gets into this state, it logs messages of the form
ods-signerd: [query] ignore notify from a.b.c.d: zone xxx.yyy.no transfer in progress
My first question is whether there is something I as an operator
can do to force OpenDNSSEC to reconsider whether an update
is in progress. I have stopped and started OpenDNSSEC via
ods-control stop / ods-control start, without this state clearing.
The second thing is that OpenDNSSEC should not be able to get
into a state such as this in the first place – that's a bug, which
causes updates to the zone on the hidden master not to propagate
out as the signed zone.