Hi all,
I can't quite figure this out, I have two servers running Knot DNS 3.0.3 on Ubuntu 20.04.
horus.bastetrix.net is the primary, sekhmet.bastetrix.net is the secondary.
One of the zones hosted on these servers is selfhosting.cloud.
Whenever I commit a change to selfhosting.cloud, this happens in the log. As you can see, for some reason the IPv4 address returns a NOTAUTH error and then Knot successfully notifies over IPv6.
Dec 27 00:53:37 horus.bastetrix.net knotd[174159]: warning: [selfhosting.cloud.] notify, outgoing, remote 192.195.251.53@53, server responded with error 'NOTAUTH'
Dec 27 00:53:37 horus.bastetrix.net knotd[174159]: info: [selfhosting.cloud.] notify, outgoing, remote 2620:98:400c::53@53, serial 5
Dec 27 00:53:38 horus.bastetrix.net knotd[174159]: info: [selfhosting.cloud.] IXFR, outgoing, remote 2620:98:400c::53@36778, started, serial 4 -> 5
Dec 27 00:53:38 horus.bastetrix.net knotd[174159]: info: [selfhosting.cloud.] IXFR, outgoing, remote 2620:98:400c::53@36778, finished, 0.00 seconds, 1 messages, 295 bytes
sekhmet only logs a successful notify and IXFR from the v6 address, nothing about the failed v4 notify:
Dec 27 00:53:37 sekhmet.bastetrix.net knotd[536887]: info: [selfhosting.cloud.] notify, incoming, remote 2620:98:400a::53@58782, serial 5
Dec 27 00:53:38 sekhmet.bastetrix.net knotd[536887]: info: [selfhosting.cloud.] refresh, remote 2620:98:400a::53@53, remote serial 5, zone is outdated
Dec 27 00:53:38 sekhmet.bastetrix.net knotd[536887]: info: [selfhosting.cloud.] IXFR, incoming, remote 2620:98:400a::53@53, started
Dec 27 00:53:38 sekhmet.bastetrix.net knotd[536887]: info: [selfhosting.cloud.] IXFR, incoming, remote 2620:98:400a::53@53, finished, 0.00 seconds, 1 messages, 295 bytes
Dec 27 00:53:38 sekhmet.bastetrix.net knotd[536887]: info: [selfhosting.cloud.] refresh, remote 2620:98:400a::53@53, zone updated, 0.40 seconds, serial 4 -> 5
Dec 27 00:53:38 sekhmet.bastetrix.net knotd[536887]: info: [selfhosting.cloud.] zone file updated, serial 4 -> 5
I am attaching the knot.conf for both servers. I double checked both configs multiple times and don't see why that particular warning is happening during zone notify.
Can someone shed some light on this mystery?
--
Sadiq Saif
https://bastetrix.com
Hi,
We're migrating our signer from OpenDNSSEC to Knot 3.0. Our new design
will have one active signer and at least one backup signer. Zone data is
deployed from git to both signers. We've got syncing of the keys working
using `knotc zone-backup +nozonefile` and `knotc zone-restore
+nozonefile`. I'm still unsure of how hot to keep the standby. In the
dev env now I have the standby set to a manual dnssec policy to keep it
from rolling it's keys. The keys are synced from the active signer every
hour. Both the active and the backup signers are creating signatures but
SOA serials don't match. Both signers have `serial-policy: dateserial`
and `zonefile-sync: -1` but we're considering adding `zonefile-load:
difference-no-serial`.
We've discussed stopping signing on the backup altogether and including
the zonefiles in the backup. The problem we have with this idea is that
problems with signing on the backup won't be discovered until it goes
active.
Are other people doing active-backup signers and how do you set it up?
.einar
Hi (again),
I was trying to backup and restore a server with the new knotc
zone-backup/restore command.
I recognized that only half of the private keys were in the backup,
which leads to an error:
2020-12-08T14:44:00+0100 error: [xxx.] DNSSEC, failed to load private
keys (not exists)
2020-12-08T14:44:00+0100 error: [xxx.] DNSSEC, failed to load keys (not
exists)
Shouldn't the backup contain all private keys?
Thanks,
Thomas
Hi,
I was trying to backup and restore a server with the new knotc
zone-backup/restore command.
I recognized that only half of the private keys were in the backup,
which leads to an error:
2020-12-08T14:44:00+0100 error: [xxx.] DNSSEC, failed to load private
keys (not exists)
2020-12-08T14:44:00+0100 error: [xxx.] DNSSEC, failed to load keys (not
exists)
Shouldn't the backup contain all private keys?
Thanks,
Thomas
Hello,
I'm trying to remove the slave node from the master Knot, result code is
0, but no change happened. There is no information in the log file. Can
you please help me, why does it happen?
# knotc conf-get template[default].notify
> template[default].notify = 1 2 3 4 5 6 7 8 9
# knotc conf-begin
> OK
# knotc conf-set -b template[default].notify 1 2 4 5 6 7 8 9
> OK
# knotc conf-diff
(no output)
# knotc conf-get template[default].notify
> template[default].notify = 1 2 3 4 5 6 7 8 9
Thanks for your help.
--
Zdeněk Nový
Linux administrator
ACTIVE 24, s.r.o.
Sokolovská 394/17 186 00 Praha 8
Web: http://www.active24.cz
Hello,
we are facing the issue with "Too many transactions" during configuring
knot via knotc - we are using confdb. We are using Python3 worker and
popen function to knotc socket.
This is the log from the Python worker:
[2020-12-07 08:58:13,001] [INFO] adding zone xxxxxxxx
[2020-12-07 08:58:13,016] [ERROR] [event worker.job] Exception in job
'dns.add_zone'
Traceback (most recent call last):
......
ACK Exception: error running command: 'conf-begin'
retcode: 1
out: error: (too many transactions)
Is there any limitation for number of open transactions and are we able
to increase it? Is it possible to see, how many open transactions there
are now?
I can't see any message in the log file, is it possible to log
conf-begin requests? Or are there any other ways, how to determine and
guard the situation?
Many thanks for your help
--
Zdeněk Nový
Linux administrator
ACTIVE 24, s.r.o.
Sokolovská 394/17 186 00 Praha 8
Web: http://www.active24.cz
Hello,
I'm trying to remove the slave node from the master Knot, result code is
0, but no change happen. There is no information in the log file. Can
you please help me, why does it happen?
# knotc conf-get template[default].notify
> template[default].notify = 1 2 3 4 5 6 7 8 9
# knotc conf-begin
> OK
# knotc conf-set -b template[default].notify 1 2 4 5 6 7 8 9
> OK
# knotc conf-diff
(no output)
# knotc conf-get template[default].notify
> template[default].notify = 1 2 3 4 5 6 7 8 9
Thanks for your help.
--
Zdeněk Nový
Linux administrator
ACTIVE 24, s.r.o.
Sokolovská 394/17 186 00 Praha 8
Web: http://www.active24.cz
Hello,
as I plan to migrate an existing DNS setup to Knot, not only for deploying DNSSEC but also for synthesizing some records using mod-synthrecord, I am not sure as how to setup online signing when having multiple public authoritative name servers. My uncertainty is, if it is necessary to give them the same ZSKs and do the key rollover from the outside, or if the chain of trust isn't severed when they generate their own ZSKs based from a common KSK or even their distinct KSKs, and therefore provide different signatures.
Best regards and thanks,
Nils
--
Nils Trampel
GPG: 0x012BADD8
