19 Pro
2017
19 Pro
'17
20:38
Hi Libor,
On Friday 15 of December 2017 10:26:09 libor.peltan(a)nic.cz wrote:
Hi all,
first, we must distinguish two things:
1) on every reload, every zone is attempted to be re-signed. This takes
some CPU time, as the NSEC(3) chain is re-constructed and RRSIGs
validated. Anyway, if we perform reload "often", it "usually" ends up
with the messages "DNSSEC, zone is up-to-date". This is a design feature
of Knot. Is it a problem for you?
This is perfectly clear to me and it is not an issue for me. I like that up-to-date status
is logged during the startup.
2) when anything in the zone changes, or the zone would re-sign itself
anyway in the meantime, the re-signing ends up with "DNSSEC,
successfully signed". This happens e.g. if zone contents changed, NSEC3
salt updated, some RRSIG nearing its end of validity... If this happens
on "clear" zone, it's a bug. We have de-bugged this behavior in the past
and we also have got a test case covering this. But still it may happen
that there is a bug. The best point to start at is journal contents. In
the changesets it should be visible what changed. You can explore the
journal with "kjournalprint" utility.
This is also clear to me. I am just trying to find the reason for re-sign when the zone
content was not (externally) updated. I am rather wonder why this is happening than
complaining.
Thanks for reminding me of kjournalprint. When checking the journal I can see (last three
changes):
;; Changes between zone versions: 1513694442 -> 1513707970
;;Removed
rozjezdy.cz. 3600 SOA idunn.t-mobile.cz. dss-system.t-mobile.cz.
1513694442 7200 600 1209600 3600
rozjezdy.cz. 3600 RRSIG SOA 13 2 3600 20180102144042 20171219131042 53957
rozjezdy.cz.
Vnzp8R5bJk3sOybu9WoJzf/1ABNuIz3d0WHhbyQ3VDiIzmZwJ13OOUjsqYuD18OqsFO9eFMNJrPccKjMHsDBLw==
rozjezdy.cz. 0 RRSIG NSEC3PARAM 13 2 0 20180102144042 20171219131042
53957 rozjezdy.cz.
9lv+D3biq8FHB2PyTXa98J/31Lf7rdv6KNJNILlm7jsimi0ylSslK6uisLdt5h13jXFRLePs3yWqWMfdBLG8FA==
;;Added
rozjezdy.cz. 3600 SOA idunn.t-mobile.cz. dss-system.t-mobile.cz.
1513707970 7200 600 1209600 3600
rozjezdy.cz. 3600 RRSIG SOA 13 2 3600 20180102182610 20171219165610 53957
rozjezdy.cz.
zG1o9Rc5zeiO2+JDntbkjrs3Cv+LbKgxvyCYB4tnkT8U/5874YPZlX8OGfDhXAo+QjYk8+RMEf3DReIN/gcbOA==
rozjezdy.cz. 0 RRSIG NSEC3PARAM 13 2 0 20180102182610 20171219165610
53957 rozjezdy.cz.
xLDqFtMLVWF8Rwjaq84qj5GATN8ozFKEn1sGUNm4rPvPomChkhpz3z6jAC+jTTawTsCbzfMYkAINIeQpMkLJeA==
;; Changes between zone versions: 1513707970 -> 1513708136
;;Removed
rozjezdy.cz. 3600 SOA idunn.t-mobile.cz. dss-system.t-mobile.cz.
1513707970 7200 600 1209600 3600
rozjezdy.cz. 3600 RRSIG SOA 13 2 3600 20180102182610 20171219165610 53957
rozjezdy.cz.
zG1o9Rc5zeiO2+JDntbkjrs3Cv+LbKgxvyCYB4tnkT8U/5874YPZlX8OGfDhXAo+QjYk8+RMEf3DReIN/gcbOA==
rozjezdy.cz. 0 RRSIG NSEC3PARAM 13 2 0 20180102182610 20171219165610
53957 rozjezdy.cz.
xLDqFtMLVWF8Rwjaq84qj5GATN8ozFKEn1sGUNm4rPvPomChkhpz3z6jAC+jTTawTsCbzfMYkAINIeQpMkLJeA==
;;Added
rozjezdy.cz. 3600 SOA idunn.t-mobile.cz. dss-system.t-mobile.cz.
1513708136 7200 600 1209600 3600
rozjezdy.cz. 3600 RRSIG SOA 13 2 3600 20180102182856 20171219165856 53957
rozjezdy.cz.
GId9nFX7W6zDuhDkXSEoYHL7P2A3tQpr0mlAlJCpGrW2VnxBXlnmMqfVm376PbfN9jijSt3wKHagzz3eS+22DA==
rozjezdy.cz. 0 RRSIG NSEC3PARAM 13 2 0 20180102182856 20171219165856
53957 rozjezdy.cz.
nYEne/00rSqUQtS5p3Lvi7KbeKQvrlPrdiz31WlQoBwMj+Pg5wZdTu1rbacF4vQCjGfdCYgvuU4M1noAlCfZdg==
;; Changes between zone versions: 1513708136 -> 1513708291
;;Removed
rozjezdy.cz. 3600 SOA idunn.t-mobile.cz. dss-system.t-mobile.cz.
1513708136 7200 600 1209600 3600
rozjezdy.cz. 3600 RRSIG SOA 13 2 3600 20180102182856 20171219165856 53957
rozjezdy.cz.
GId9nFX7W6zDuhDkXSEoYHL7P2A3tQpr0mlAlJCpGrW2VnxBXlnmMqfVm376PbfN9jijSt3wKHagzz3eS+22DA==
rozjezdy.cz. 0 RRSIG NSEC3PARAM 13 2 0 20180102182856 20171219165856
53957 rozjezdy.cz.
nYEne/00rSqUQtS5p3Lvi7KbeKQvrlPrdiz31WlQoBwMj+Pg5wZdTu1rbacF4vQCjGfdCYgvuU4M1noAlCfZdg==
;;Added
rozjezdy.cz. 3600 SOA idunn.t-mobile.cz. dss-system.t-mobile.cz.
1513708291 7200 600 1209600 3600
rozjezdy.cz. 3600 RRSIG SOA 13 2 3600 20180102183131 20171219170131 53957
rozjezdy.cz.
KklZfsp8Ztzih04/Weedt1aP5Qa9oxsnj72KuGeeqI1szSvL/l6uGC6Rf6ZZJjrN/A/TQMcJzbkgwIMe6YetYA==
rozjezdy.cz. 0 RRSIG NSEC3PARAM 13 2 0 20180102183131 20171219170131
53957 rozjezdy.cz.
FfE9FhQgr8NWCfKf9d1aA0I8h4cd7CCSRbp0Nkq+BXmLOpRMs862lRSWCNHPxRPqufQvjo34AlroRrTYpevwEg==
I do not understand it: are the changes listed above the cause or the consequenceof
re-sign?
Regards
Ales