named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found
Philippe Maechler
pmaechler-ml at glattnet.ch
Tue Mar 12 15:42:45 UTC 2019
Hello Mark and bind users
Thank you for the explanations. Some things are still not clear to me...
> -----Original Message-----
> From: Mark Andrews <marka at isc.org>
> Sent: Monday, March 11, 2019 8:53 AM
> To: Philippe Maechler <pmaechler-ml at glattnet.ch>
> Cc: bind-users at lists.isc.org
> Subject: Re: named cpu usage pretty high because of dns_dnssec_findzonekeys2 -> file not found
>
> Because you removed the key from disk before it was removed from the zone. Presumably named
> was logging other error messages before you removed the key from disk, or the machine was off
> for a period, or you mismanaged the key roll and named kept the key alive.
>
Possible, the machine was running all the time (uptime is ~92 days). I would have to search in old logs to be sure. Since this domain is for testing purposes, it's not important. The "bad thing" is the CPU usage, which is quite high.
Is this something that will be addressed in further bind releases? E.g. dns_dnssec_findzonekeys2 only searches for new keys at a given interval, or only logs this message once a minute/hour?
> Named's re-signing strategy is different to when you are signing the whole zone at once, as
> you are signing it incrementally. You should be allowing most of the sig-validity interval
> before you delete the DNSKEY after you inactivate it.
What exactly is the sig-validity time? From my understanding this is the period from "Activate" to "Inactive".
# dnssec-settime -pall Kglattweb.ch.+013+06605
Created: Mon Mar 11 10:03:49 2019
Publish: Mon Mar 11 11:06:44 2019
Activate: Tue Mar 19 10:02:19 2019
Revoke: UNSET
Inactive: Thu Mar 21 10:06:44 2019
Delete: Sun Mar 31 11:05:48 2019
SYNC Publish: Mon Mar 11 11:06:44 2019
SYNC Delete: Sun Mar 31 11:06:44 2019
In this case the sig-validity time is ~2d 4m
The key has a delete date of 2019-03-31 and I can delete (or move) the key at 2019-04-02 or, to be safe, 2019-04-03?
> One should check that there are no RRSIGs
> still present in the zone before deleting the DNSKEY from the zone. Inactivating it stops the
> DNSKEY being used to generate new signatures but it needs to stay around until all those RRSIGs
> have expired from caches which only happens after new replacement signatures have been generated.
When are these replacement RRSIGs created? The key reached its delete date, the new key is in place and new RRSIGs are created.
> If you still have the .private file around reinstate it. If not you will need to import the
> DNSKEY using dnssec-importkey and manage its removal properly.
Can you help me here?
# dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db
dnssec-importkey: error: dns_master_load: /usr/local/etc/namedb/master/glattweb.ch.db:15: glattweb.ch: not at top of zone
dnssec-importkey: fatal: can't load /usr/local/etc/namedb/master/glattweb.ch.db: not at top of zone
OK... yes, makes sense, glattweb.ch is not at the top of the zone
# head /usr/local/etc/namedb/master/glattweb.ch.db
$TTL 300
$ORIGIN glattweb.ch.
@ 300 IN SOA dns1.glattnet.ch. hostmaster.glattnet. (
2019020400 ; serial
600 ; refresh
300 ; retry
3600 ; expire
90 ; nttl
)
I don't think that I should use the .signed file... let’s test that anyway
# dnssec-importkey -v 99 -f /usr/local/etc/namedb/master/glattweb.ch.db.signed
dnssec-importkey: error: dns_master_load: /usr/local/etc/namedb/master/glattweb.ch.db.signed:1: syntax error
dnssec-importkey: fatal: can't load /usr/local/etc/namedb/master/glattweb.ch.db.signed: syntax error
Maybe I have to change the zone format from raw to text...
# named-compilezone -j -fraw -F text -o tmp glattweb.ch /usr/local/etc/namedb/master/glattweb.ch.db.signed
zone glattweb.ch/IN: loaded serial 2019022800 (DNSSEC signed)
dump zone to tmp...done
OK
# less tmp
glattweb.ch. 300 IN SOA dns1.glattnet.ch. hostmaster.glattnet. 2019022800 600 300 3600 90
glattweb.ch. 300 IN RRSIG SOA 13 2 300 20190330214039 20190228204039 12809 glattweb.ch. WDhpay5Iwi3DumsZ3UQiwdfkkIY44t8ez8dRW6/xv3sXFOJrwYQTyxwx eO2iiRBZwwOI6oyT/0eNDJiF+FSIlg==
; resign=20190330214039
glattweb.ch. 300 IN NS dns1.glattnet.ch.
glattweb.ch. 300 IN NS dns2.glattnet.ch.
glattweb.ch. 300 IN RRSIG NS 13 2 300 20190318002703 20190215232756 12809 glattweb.ch. AJ3ez1YZEK6YzRlByyLJf3scpljMgZYjIRH55pG6oPhc7AP0qgo4dBqH MDvaVubxEWyulruRcOiD8jpym6gp2w==
; resign=20190318002703
glattweb.ch. 90 IN NSEC www.glattweb.ch. NS SOA RRSIG NSEC DNSKEY CDS CDNSKEY
glattweb.ch. 90 IN RRSIG NSEC 13 2 90 20190330212621 20190228204039 12809 glattweb.ch. 7Z93XycEUNrzZ64LxmQuBwSzps6nMxjVMrtUFR0Kse29RQF/3eIIjTGx ZoTpDSOjjsrEhsBEyGSKvrGLS6bLXA==
; resign=20190330212621
glattweb.ch. 300 IN DNSKEY 256 3 13 WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==
glattweb.ch. 300 IN DNSKEY 256 3 13 Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==
glattweb.ch. 300 IN RRSIG DNSKEY 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. gbDTbnIz+NtSg4dws88wWxv67gXdz4Qw/PL54CixibylGptcufep5W49 2RkNz3iy79u1Kqvl4FUdEQhdZnLBJw==
glattweb.ch. 300 IN RRSIG DNSKEY 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. eNk21CrH5BWkAp0uHk0N3gV2FCfsYUBO0bgRv4Vsqt2P9pz63sGKB/J0 9zWLNb4Lf7GF6tIUZjyXq3vERmL+KA==
; resign=20190328131200
glattweb.ch. 300 IN CDS 12809 13 1 C621D4A4904C012CBB35EB77E59F4C0CA3C81E87
glattweb.ch. 300 IN CDS 12809 13 2 75CDE511593A4D6D65D7FAC1C52EC304F9CB86D9AE53D550F2764A22 606FB96D
glattweb.ch. 300 IN CDS 33518 13 1 05977C7AC6320E25A3403366B69A1893DF023F63
glattweb.ch. 300 IN CDS 33518 13 2 39803C6F03171D50BA428C3BE5E4A3AB01CECF8564DAC18EBBFA2ED5 201B62C7
glattweb.ch. 300 IN RRSIG CDS 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. h3rdycn57p0K2bi3IYPUyjf8NIYedWRO2OSpxrdGxiwqlH1tF9TaD9Rd n6YLP7cZtMZWOFBreHeNYGPKlqulEQ==
glattweb.ch. 300 IN RRSIG CDS 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. 9Yy4QmylesxZrszDHwp1NkLps2XKWQYyQHfxNQ0rOsxxiujVEfcRY6Fl Xup1K9yZQdOxl5+GkyuHKic8HLXttA==
; resign=20190328131200
glattweb.ch. 300 IN CDNSKEY 256 3 13 WqIsxqVPQxDwLqB/rv7u2sSx0R4ZgdHM6NexcDs3Z551rHar015v+jB6 HdnZQ/gMscxz6XzFwEc3+xAzsMx3QA==
glattweb.ch. 300 IN CDNSKEY 256 3 13 Y/m7vFPwhqc59OlfyJLnT66TNsHYMq4JvXN0hBChCD1UpanF/o18bLHh VVMMTK0iB4EeuIdbn1aWvdVeFmSgmg==
glattweb.ch. 300 IN RRSIG CDNSKEY 13 2 300 20190328131200 20190226121200 12809 glattweb.ch. l2FmSIdTBYCytoqZu8oiOx9tZ26MVIdaYXsF8uLAThJ5C1iXRuADwwde tCwN7zQsiK9+VF/qLGKUSInOFosgxw==
glattweb.ch. 300 IN RRSIG CDNSKEY 13 2 300 20190328131200 20190226121200 33518 glattweb.ch. gresGcjFA258p6374Ke/+qHr2WNFMPccQZnZgc4p074hqlF01lZUKx7w 388ph5i+fUzcsbT6Pf+trdkovuw7/A==
; resign=20190328131200
www.glattweb.ch. 300 IN CNAME gnweb.glattnet.ch.
www.glattweb.ch. 300 IN RRSIG CNAME 13 3 300 20190318002703 20190215232756 12809 glattweb.ch. 5gBSM7WaCIf2t/CFcaZ4p17xL6TpQw6zH+KpJphG3vxikRDgBNWVVjX7 ObDN6D7I4FhfaWEdRl3TcN4fJJQ++w==
; resign=20190318002703
www.glattweb.ch. 90 IN NSEC glattweb.ch. CNAME RRSIG NSEC
www.glattweb.ch. 90 IN RRSIG NSEC 13 3 90 20190328204045 20190226195831 12809 glattweb.ch. u+gIh06+Q3N1qwKIqieYI+2118ZoWvbI0vgCM27zU0lGDLdFLMeBUMuh Qh1BSYBsj/JDNH/jTsJFav5GZK44ng==
; resign=20190328204045
#
# dnssec-importkey -v 99 -f tmp
dnssec-importkey: error: dns_master_load: tmp:26: glattweb.ch: not at top of zone
dnssec-importkey: fatal: can't load tmp: not at top of zone
Since I get the same error message that I got when using the dnssec-importkey in the unsigned file, I guess I do something fundamentally wrong :/
tia
Philippe
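Added example (not from this thread and not BIND's own code): Mark's advice is to check that no RRSIGs made with a key are still present in the zone before the DNSKEY is deleted. The script below performs that check over a text dump of the kind `named-compilezone -F text` produces above: it computes each DNSKEY's key tag (RFC 4034 Appendix B), collects the key tag and expiration of every RRSIG, and reports per key whether any signature is still unexpired and when the last one will have expired. The zone text, owner names, key material and signatures are constructed placeholders, and the "current time" is a constructed value; the TTL added to the last expiration is a deliberate margin for caches, not a figure from the thread.

```python
import base64
from datetime import datetime, timedelta, timezone

# Constructed sample dump in the layout named-compilezone -F text emits.
# Keys and signatures are placeholders, not real cryptographic material,
# which is why the key tags come out as small numbers (1037 and 2067).
SAMPLE_ZONE = """\
example.test. 300 IN SOA dns1.example.test. hostmaster.example.test. 2019022800 600 300 3600 90
example.test. 300 IN RRSIG SOA 13 2 300 20190330214039 20190228204039 1037 example.test. c2lnMQ==
; resign=20190330214039
example.test. 300 IN NS dns1.example.test.
example.test. 300 IN RRSIG NS 13 2 300 20190318002703 20190215232756 2067 example.test. c2lnMg==
; resign=20190318002703
example.test. 300 IN DNSKEY 256 3 13 AAAAAAAAAAA=
example.test. 300 IN DNSKEY 256 3 13 AQIDBA==
example.test. 300 IN RRSIG DNSKEY 13 2 300 20190328131200 20190226121200 1037 example.test. c2ln Mw==
www.example.test. 300 IN CNAME web.example.test.
www.example.test. 300 IN RRSIG CNAME 13 3 300 20190318002703 20190215232756 2067 example.test. c2lnNA==
"""


def dnskey_keytag(flags, protocol, algorithm, key_b64):
    """Key tag per RFC 4034 Appendix B (all algorithms except obsolete RSA/MD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(key_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_timestamp(yyyymmddhhmmss):
    """RRSIG expiration/inception fields are UTC timestamps in this format."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_zone(text):
    """Return ({keytag: [owner, ...]}, [(owner, covered_type, ttl, keytag, expiration), ...])."""
    dnskeys, rrsigs = {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop "; resign=..." style comments
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":     # skips $TTL/$ORIGIN and blank lines
            continue
        owner, ttl, rtype = fields[0], int(fields[1]), fields[3]
        if rtype == "DNSKEY":
            flags, proto, alg = map(int, fields[4:7])
            key_b64 = "".join(fields[7:])            # base64 in dumps is wrapped with spaces
            dnskeys.setdefault(dnskey_keytag(flags, proto, alg, key_b64), []).append(owner)
        elif rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expiration inception keytag signer sig
            covered, keytag = fields[4], int(fields[10])
            rrsigs.append((owner, covered, ttl, keytag, parse_timestamp(fields[8])))
    return dnskeys, rrsigs


def live_signatures(rrsigs, keytag, now):
    """RRSIGs made with `keytag` whose expiration is still in the future."""
    return [s for s in rrsigs if s[3] == keytag and s[4] > now]


def earliest_safe_delete(rrsigs, keytag):
    """Last signature expiry plus that RRset's TTL, so a signature fetched just before
    it expired has also aged out of resolver caches. None if the key signs nothing."""
    times = [exp + timedelta(seconds=ttl) for _, _, ttl, tag, exp in rrsigs if tag == keytag]
    return max(times) if times else None


def key_removal_report(zone_text, now):
    """Per key tag: is it safe to drop the DNSKEY now, what still depends on it, and when."""
    dnskeys, rrsigs = parse_zone(zone_text)
    report = {}
    for tag in sorted(dnskeys):
        live = live_signatures(rrsigs, tag, now)
        report[tag] = {
            "safe_to_delete": not live,
            "live_rrsigs": [(owner, covered) for owner, covered, _, _, _ in live],
            "earliest_safe_delete": earliest_safe_delete(rrsigs, tag),
        }
    return report


if __name__ == "__main__":
    now = parse_timestamp("20190320000000")          # constructed "current time"
    for tag, info in key_removal_report(SAMPLE_ZONE, now).items():
        status = "can be removed" if info["safe_to_delete"] else "must stay in the zone"
        print(f"key tag {tag}: {status}; earliest safe delete {info['earliest_safe_delete']}")
        for owner, covered in info["live_rrsigs"]:
            print(f"    still signs {covered} at {owner}")
```

Run it against a real dump with `SAMPLE_ZONE` replaced by the file contents; a key that shows up with live signatures after its dnssec-settime Delete date is exactly the situation in which named keeps looking for key files that are no longer on disk. The check is static: it looks at the dump, so re-run it after named has re-signed.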