Hello,
I'd like to ask for advice. I'm experimenting with Knot DNS, version
2.6.0-3+0~20171019083827.9+stretch~1.gbpe9bd69, on Debian Stretch.
I have DNSSEC deployed with a KSK and a ZSK using algorithm 5 and Bind9, keys without metadata. I'm trying to migrate
to Knot, with two test zones. I'm using the following procedure.
1. I import the existing keys using keymgr
2. I set the timestamps:
   keymgr t-sound.cz set 18484 created=+0 publish=+0 active=+0
   keymgr t-sound.cz set 04545 created=+0 publish=+0 active=+0
3. I add the zone to Knot. The lifetime is extremely short so that I can see how it works.

zone:
  - domain: t-sound.cz
    template: signed
    file: db.t-sound.cz
    dnssec-signing: on
    dnssec-policy: migration
  - domain: mych5.cz
    template: signed
    file: db.mych5.cz
    dnssec-signing: on
    dnssec-policy: migration
    acl: [allowed_transfer]
    notify: idunn-freya-gts

policy:
  - id: migration
    algorithm: RSASHA1
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 20m
    ksk-lifetime: 10d
    propagation-delay: 5m
This works. Knot starts signing with the imported keys. Then I change the policy for
t-sound.cz to

policy:
  - id: migration3
    algorithm: ecdsap256sha256
    zsk-lifetime: 20m
    ksk-lifetime: 10d
    propagation-delay: 5m
    ksk-submission: nic.cz
Knot generates new keys:
Nov 10 16:40:09 idunn knotd[21682]: warning: [t-sound.cz.] DNSSEC, creating key with different algorithm than policy
Nov 10 16:40:09 idunn knotd[21682]: warning: [t-sound.cz.] DNSSEC, creating key with different algorithm than policy
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, algorithm rollover started
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 18484, algorithm 5, KSK yes, ZSK no, public yes, ready no, active yes
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 5821, algorithm 5, KSK no, ZSK yes, public yes, ready no, active yes
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public no, ready no, active no
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 39697, algorithm 13, KSK no, ZSK yes, public no, ready no, active yes
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, signing started
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, successfully signed
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, next signing at 2017-11-10T16:45:09
The ZSK rollover mechanism starts, the CDNSKEY gets published. Submission goes through. The resulting
state is that the zone works,
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, signing zone
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public yes, ready no, active yes
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 22255, algorithm 13, KSK no, ZSK yes, public yes, ready no, active yes
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, signing started
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, successfully signed
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, next signing at 2017-11-12T23:03:27
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] zone file updated, serial 1510523007 -> 1510523307
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] notify, outgoing, 93.153.117.50@53: serial 1510523307
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] IXFR, outgoing, 93.153.117.50@35557: started, serial 1510523007 -> 1510523307
Nov 12 22:48:27 idunn knotd[24980]: debug: [t-sound.cz.] IXFR, outgoing, 93.153.117.50@35557: serial 1510523007 -> 1510523307
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] IXFR, outgoing, 93.153.117.50@35557: finished, 0.00 seconds, 1 messages, 780 bytes
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] IXFR, outgoing, 93.153.117.20@57641: started, serial 1510523007 -> 1510523307
Nov 12 22:48:27 idunn knotd[24980]: debug: [t-sound.cz.] IXFR, outgoing, 93.153.117.20@57641: serial 1510523007 -> 1510523307
Nov 12 22:48:27 idunn knotd[24980]: info: [t-sound.cz.] IXFR, outgoing, 93.153.117.20@57641: finished, 0.00 seconds, 1 messages, 780 bytes
The ZSKs rotate. But then the error below occurs:
Nov 12 23:03:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, signing zone
Nov 12 23:03:27 idunn knotd[24980]: warning: [t-sound.cz.] DNSSEC, key rollover [1] failed (unknown error -28)
Nov 12 23:03:27 idunn knotd[24980]: error: [t-sound.cz.] DNSSEC, failed to initialize (unknown error -28)
Nov 12 23:03:27 idunn knotd[24980]: error: [t-sound.cz.] zone event 'DNSSEC resign' failed (unknown error -28)
The state of the keys at this moment:
root@idunn:/var/lib/knot# keymgr t-sound.cz list human
c87e00bd71d0f89ea540ef9c21020df1e0106c0f ksk=yes tag=04256 algorithm=13 public-only=no created=-2D16h24m21s pre-active=-2D16h24m21s publish=-2D16h19m21s ready=-2D16h14m21s active=-1D18h14m21s retire-active=0 retire=0 post-active=0 remove=0
fe9f432bfc5d527dc11520615d6e29e5d1799d8c ksk=no tag=22255 algorithm=13 public-only=no created=-10h26m3s pre-active=0 publish=-10h26m3s ready=0 active=-10h21m3s retire-active=0 retire=0 post-active=0 remove=0
root@idunn:/var/lib/knot#
But knotc zone-sign t-sound.cz goes through and that fixes everything.
Nov 13 08:56:41 idunn knotd[24980]: info: [t-sound.cz.] control, received command 'zone-status'
Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] control, received command 'zone-sign'
Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, dropping previous signatures, resigning zone
Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, ZSK rollover started
Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public yes, ready no, active yes
Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 22255, algorithm 13, KSK no, ZSK yes, public yes, ready no, active yes
Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, loaded key, tag 24386, algorithm 13, KSK no, ZSK yes, public yes, ready no, active no
Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, signing started
Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, successfully signed
Nov 13 09:06:23 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, next signing at 2017-11-13T09:11:23
A day earlier, Knot crashed completely on this:
Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, signing zone
Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 39964, algorithm 13, KSK no, ZSK yes, public yes, ready no, active yes
Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public yes, ready no, active yes
Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, signing started
Nov 11 23:05:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, successfully signed
Nov 11 23:05:09 idunn systemd[1]: knot.service: Main process exited, code=killed, status=11/SEGV
Nov 11 23:05:09 idunn systemd[1]: knot.service: Unit entered failed state.
Nov 11 23:05:09 idunn systemd[1]: knot.service: Failed with result 'signal'.
Nov 11 23:05:10 idunn systemd[1]: knot.service: Service hold-off time over, scheduling restart.
Nov 11 23:05:10 idunn systemd[1]: Stopped Knot DNS server.
Nov 11 23:05:10 idunn systemd[1]: Started Knot DNS server.
Nov 11 23:05:10 idunn knotd[23933]: info: Knot DNS 2.6.0 starting
Nov 11 23:05:10 idunn knotd[23933]: info: binding to interface 0.0.0.0@553
Nov 11 23:05:10 idunn knotd[23933]: info: binding to interface ::@553
Nov 11 23:05:10 idunn knotd[23933]: info: changing GID to 121
Nov 11 23:05:10 idunn knotd[23933]: info: changing UID to 114
Nov 11 23:05:10 idunn knotd[23933]: info: loading 2 zones
Nov 11 23:05:10 idunn knotd[23933]: info: [mych5.cz.] zone will be loaded
Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] zone will be loaded
Nov 11 23:05:10 idunn knotd[23933]: info: starting server
Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] DNSSEC, loaded key, tag 39964, algorithm 13, KSK no, ZSK yes, public yes, ready no, active yes
Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public yes, ready no, active yes
Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] DNSSEC, signing started
Nov 11 23:05:10 idunn knotd[23933]: warning: [mych5.cz.] DNSSEC, key rollover [1] failed (unknown error -28)
Nov 11 23:05:10 idunn knotd[23933]: error: [mych5.cz.] DNSSEC, failed to initialize (unknown error -28)
Nov 11 23:05:10 idunn knotd[23933]: error: [mych5.cz.] zone event 'load' failed (unknown error -28)
Nov 11 23:05:10 idunn knotd[23933]: info: [t-sound.cz.] DNSSEC, successfully signed
Nov 11 23:05:10 idunn systemd[1]: knot.service: Main process exited, code=killed, status=11/SEGV
Nov 11 23:05:10 idunn systemd[1]: knot.service: Unit entered failed state.
Nov 11 23:05:10 idunn systemd[1]: knot.service: Failed with result 'signal'.
Nov 11 23:05:10 idunn systemd[1]: knot.service: Service hold-off time over, scheduling restart.
Nov 11 23:05:10 idunn systemd[1]: Stopped Knot DNS server.
Nov 11 23:05:10 idunn systemd[1]: Started Knot DNS server.
Am I making a mistake somewhere? Sorry for the complicated and long description.
Thanks
Best regards
Ales Rygl
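An added example, not part of Ales's mail and not Knot's own code: a small Python checker for knotd/systemd journal lines of the shape quoted above. It groups each "signing zone" ... "successfully signed" run into one event with its active KSK/ZSK tags, marks an event as an algorithm rollover when active keys of more than one algorithm are loaded, and turns every "... failed (unknown error -28)" message and SEGV report into a finding, which is the first check one would run over the journal to see when the rollover went wrong. The sample lines are constructed here in the same format as the log above, not copied from it.

```python
import re

# Constructed sample in the shape of the knotd/systemd lines quoted above (not copied from the post).
SAMPLE_LOG = """\
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, signing zone
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 18484, algorithm 5, KSK yes, ZSK no, public yes, ready no, active yes
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 5821, algorithm 5, KSK no, ZSK yes, public yes, ready no, active yes
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 4256, algorithm 13, KSK yes, ZSK no, public no, ready no, active no
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, loaded key, tag 39697, algorithm 13, KSK no, ZSK yes, public no, ready no, active yes
Nov 10 16:40:09 idunn knotd[21682]: info: [t-sound.cz.] DNSSEC, successfully signed
Nov 12 23:03:27 idunn knotd[24980]: info: [t-sound.cz.] DNSSEC, signing zone
Nov 12 23:03:27 idunn knotd[24980]: warning: [t-sound.cz.] DNSSEC, key rollover [1] failed (unknown error -28)
Nov 12 23:03:27 idunn knotd[24980]: error: [t-sound.cz.] zone event 'DNSSEC resign' failed (unknown error -28)
Nov 12 23:05:09 idunn systemd[1]: knot.service: Main process exited, code=killed, status=11/SEGV
"""

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ [\w.-]+\[\d+\]: (?P<body>.*)$")
ZONE = re.compile(r"^\w+: \[(?P<zone>[^\]]+)\] (?P<msg>.*)$")           # "info: [zone.] message"
KEY = re.compile(r"loaded key, tag (?P<tag>\d+), algorithm (?P<alg>\d+), KSK (?P<ksk>yes|no), ZSK (?P<zsk>yes|no), .*active (?P<active>yes|no)$")
FAIL = re.compile(r"failed.*\((?P<err>[^)]*)\)$")                        # "... failed (unknown error -28)"

def analyze(text):
    """One finding per completed signing event, per 'failed (...)' message and per SEGV report."""
    findings, pending = [], {}          # pending: zone -> keys loaded since its "signing zone" line
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, body = m.group("ts"), m.group("body")
        z = ZONE.match(body)
        if not z:                       # not a zone-scoped knotd line; systemd reports the segfault here
            if "SEGV" in body:
                findings.append({"ts": ts, "kind": "crash", "msg": body})
            continue
        zone, msg = z.group("zone"), z.group("msg")
        key, fail = KEY.search(msg), FAIL.search(msg)
        if msg == "DNSSEC, signing zone":
            pending[zone] = []
        elif key:
            pending.setdefault(zone, []).append(key.groupdict())
        elif msg == "DNSSEC, successfully signed":
            keys = pending.pop(zone, [])
            ksk = [k["tag"] for k in keys if k["ksk"] == "yes" and k["active"] == "yes"]
            zsk = [k["tag"] for k in keys if k["zsk"] == "yes" and k["active"] == "yes"]
            algs = {k["alg"] for k in keys if k["active"] == "yes"}   # >1 active algorithm = algorithm rollover
            findings.append({"ts": ts, "kind": "signed", "zone": zone, "active_ksk": ksk, "active_zsk": zsk,
                             "ok": bool(ksk and zsk), "algorithm_rollover": len(algs) > 1})
        elif fail:
            findings.append({"ts": ts, "kind": "failure", "zone": zone, "msg": msg, "error": fail.group("err")})
    return findings
```

Feed it `journalctl -u knot --no-pager` output and alert on any finding whose kind is "failure" or "crash", or whose "ok" is False.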