DNSSEC problem expire too soon (ISPConfig 3.1)

Discussion in 'ISPConfig 3 Priority Support' started by muekno, Nov 10, 2016.

  1. muekno

    muekno Active Member HowtoForge Supporter

Exactly: the zone files (pri.muekno.de and pri.muekno.de.signed) are OK; for naec.de and another domain, pri.naec.de is updated but pri.naec.de.signed is NOT updated.
    Thanks for further help.

    Rainer
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

OK, and the zone files are not OK on the slaves only, so it's a problem with sync inside BIND; most likely the slaves did not get notified by BIND. Try adding the slave IP addresses to the also-notify field of the zone and check the syslog on master and slave to see if there are any BIND communication problems for that zone.
     
  3. muekno

    muekno Active Member HowtoForge Supporter

I think you still did not understand. I am not speaking about the slave; I do not think there is a problem there, and if there is, that is a second problem.
    Please go to dnsstuff.com (it is free), do a DNSreport on muekno.de (the good domain) and on naec.de and mueller-knoche.de (both wrong), and you will see the problem.
    See the directory listing on the master server admin, which is the primary DNS server too.
    I hope that explains the problem.
    For the ISPConfig database SOA entries, see above.
    Rainer
     
  4. muekno

    muekno Active Member HowtoForge Supporter

Still no answer, no solution. I hope I described the problem in my post above. There is no problem with the secondary DNS server, and there seems to be no problem with the primary DNS server, let's say with BIND itself, as one domain increases the expiration as it should and two others do not. The ISPConfig database on the ISPConfig master (which is the primary DNS too) seems to be accurate, so there must be something wrong with the script renewing the pri.xxxx.signed files. Running the script you recommended above, I can see no errors.
    I know it is crazy that the same things on the same server are running well in one instance and faulty, or not at all, in two others.
    I really need a solution or at least a hint where to look to find and solve the problem.
    Thank you

    Rainer
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Enable debug logging in ispconfig and then check the ispconfig log and the syslog after a nightly run of dnssec renewal to see if there are any errors in the log.
     
  6. muekno

    muekno Active Member HowtoForge Supporter

The ISPConfig debug log shows only
    The syslog shows
    Syslog from the day before the last SOA update of the working domain
    It seems to not even try one of the non-advancing zones, mueller-knoche.de or naec.de; the touched zone muekno.de is the working one.
    Could it be that the script stops after working on 1 zone and does not look for the others?

    Rainer
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

You can see in the DNSSEC cron plugin what the script is doing; it loops through all zones that match these query criteria:

    $soas = $app->db->queryAllRecords("SELECT id,serial,origin FROM dns_soa WHERE server_id = ? AND active= 'Y' AND dnssec_wanted = 'Y' AND dnssec_initialized = 'Y' AND (dnssec_last_signed < ? OR dnssec_last_signed > ?)", $conf['server_id'], time()-(3600*24*5)+900, time()+900);
     
  8. muekno

    muekno Active Member HowtoForge Supporter

OK, I posted the SOA records some days ago above, and to me they look good. If there is an important difference, I am not able to see it. The records in the DB also seem to be updated, so the question is why the script updates only one of the xxxx.signed files and not all of them. I cannot see any reason for it in the logs. As you can see in the logs, there are no errors reported, at least none that I can see.

    Are there any further information I can post to solve the problem?
    I appreciate your support.

    Rainer

For clarity, the actual dns_soa records
    and the actual directory listing of /var/lib/bind
    As you can see, some of the .signed files are not touched, but in my opinion they should be according to the database records. I also looked at the script 550-bind_dnssec.inc.php; there is a loop over all found SOAs, but I cannot verify whether all SOAs are found.
     
    Last edited: Dec 21, 2016
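The symptom in the post above (a .signed file that is not rewritten, so its signatures run towards expiry) can be checked offline from the file itself instead of through an external DNSreport. The script below is an added example, not ISPConfig or BIND code: it reads a signed zone in the multi-line, parenthesised layout that dnssec-signzone writes, reports the SOA serial and the earliest RRSIG expiration, and lists every signature that expires within a threshold. The zone text is constructed for illustration and the signature data is dummy base64; the 7-day threshold is an assumption.

```python
"""Offline RRSIG expiry check for a BIND-style signed zone file (added example)."""
from datetime import datetime, timezone


def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records into token lists."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            toks = " ".join(buf).split()
            buf, depth = [], 0
            if toks:
                yield toks


def _is_rrsig(toks, i):
    """True if toks[i] == 'RRSIG' is the record type, not a name in an NSEC bitmap.
    RRSIG rdata: type alg labels origttl expiration inception keytag signer sig"""
    return len(toks) > i + 9 and toks[i + 5].isdigit() and len(toks[i + 5]) == 14


def parse_signed_zone(text):
    """Return (soa_serial, [(owner, covered_type, expiry_datetime_utc), ...])."""
    serial, rrsigs, owner = None, [], None
    for toks in _logical_lines(text):
        if not toks[0].isdigit():          # continuation records start with a TTL
            owner = toks[0]
        if "RRSIG" in toks and _is_rrsig(toks, toks.index("RRSIG")):
            i = toks.index("RRSIG")
            expiry = datetime.strptime(toks[i + 5], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            rrsigs.append((owner, toks[i + 1], expiry))
        elif "SOA" in toks and serial is None:
            j = toks.index("SOA")          # SOA rdata: mname rname serial ...
            if len(toks) > j + 3 and toks[j + 3].isdigit():
                serial = int(toks[j + 3])
    return serial, rrsigs


def check_signed_zone(text, now, warn_days=7):
    """Summarise signature state; 'expiring' lists RRSIGs valid for < warn_days."""
    serial, rrsigs = parse_signed_zone(text)
    expiring = [(o, t, e) for o, t, e in rrsigs
                if (e - now).total_seconds() < warn_days * 86400]
    return {
        "serial": serial,
        "rrsig_count": len(rrsigs),
        "earliest_expiry": min((e for _, _, e in rrsigs), default=None),
        "expiring": expiring,
    }


# Constructed sample in dnssec-signzone's output layout; not a real zone.
SAMPLE_SIGNED_ZONE = """\
; constructed sample, dummy signatures
example.org.		3600	IN SOA	ns1.example.org. hostmaster.example.org. (
					2016121901 ; serial
					7200       ; refresh
					540        ; retry
					604800     ; expire
					3600       ; minimum
					)
			3600	RRSIG	SOA 8 2 3600 (
					20161226120000 20161126120000 12345 example.org.
					AAAAdummybase64signature== )
			3600	NS	ns1.example.org.
			3600	RRSIG	NS 8 2 3600 (
					20170115120000 20161216120000 12345 example.org.
					AAAAdummybase64signature== )
			3600	NSEC	ns1.example.org. NS SOA RRSIG NSEC DNSKEY
ns1.example.org.	3600	IN A	192.0.2.53
			3600	RRSIG	A 8 3 3600 (
					20170115120000 20161216120000 12345 example.org.
					AAAAdummybase64signature== )
"""

# Fixed "now" so the sample result is deterministic: 2016-12-21 00:00 UTC.
NOW = datetime(2016, 12, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SIGNED_ZONE
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else NOW
    result = check_signed_zone(text, now)
    print("serial %s, %d RRSIGs, earliest expiry %s" %
          (result["serial"], result["rrsig_count"], result["earliest_expiry"]))
    for owner, rtype, expiry in result["expiring"]:
        print("EXPIRING %s %s at %s" % (owner, rtype, expiry))
```

Run it against each pri.<zone>.signed in /var/lib/bind; a file whose earliest expiry keeps moving closer while the serial stays put is one the signing run is not touching. In the sample, the SOA signature expires on 2016-12-26, inside the 7-day window, while the NS and A signatures do not.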
  9. muekno

    muekno Active Member HowtoForge Supporter

Still waiting for a response. Remember it is paid support; you just recharged me.

    Rainer
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

I explained at the beginning that I do not use DNSSEC. This is the priority support forum, which means that I answer questions with priority here, but it does not mean that I have an answer to every question.

    If you want to see which zones get selected, take a look at the sql query from the plugin:

    Code:
    $soas = $app->db->queryAllRecords("SELECT id,serial,origin FROM dns_soa WHERE server_id = ? AND active= 'Y' AND dnssec_wanted = 'Y' AND dnssec_initialized = 'Y' AND (dnssec_last_signed < ? OR dnssec_last_signed > ?)", $conf['server_id'], time()-(3600*24*5)+900, time()+900);
    If you want to use PHP to get the sql query, use this code:

<?php
    // The arithmetic must be parenthesised: without the parentheses PHP applies
    // the - and + to the concatenated string, and the printed query is garbage.
    echo "SELECT id,serial,origin FROM dns_soa WHERE server_id = 1 AND active= 'Y' AND dnssec_wanted = 'Y' AND dnssec_initialized = 'Y' AND (dnssec_last_signed < " . (time()-(3600*24*5)+900) . " OR dnssec_last_signed > " . (time()+900) . ")";
    ?>

You might have to replace the server_id in the query with the ID of your DNS server.
     
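The query quoted in the two replies above (posts 7 and 10) is the whole selection logic: a zone is only re-signed when it is active, wanted, initialised, assigned to this server, and its dnssec_last_signed is either older than five days (less 15 minutes) or in the future. The script below is an added example, not ISPConfig code: it runs that exact query against a constructed dns_soa table in SQLite, renders it with the values substituted for pasting into the mysql client, and reports per zone which condition excludes it. Only the columns the query touches are modelled, the rows are constructed, and the server_id of 1 is an assumption.

```python
"""Reproduce and explain the zone selection of ISPConfig's 550-bind_dnssec.inc.php
cron plugin against a constructed dns_soa table (added example, not ISPConfig code)."""
import sqlite3
import time

SERVER_ID = 1                 # assumption: ID of the DNS server in ISPConfig
RESIGN_AFTER = 3600 * 24 * 5  # the query re-signs zones last signed more than 5 days ago
SLACK = 900                   # 15 minutes of tolerance, as in the query

# The query as quoted from the plugin; sqlite3 accepts the same '?' placeholders.
SELECT_ZONES = (
    "SELECT id,serial,origin FROM dns_soa WHERE server_id = ? AND active= 'Y' "
    "AND dnssec_wanted = 'Y' AND dnssec_initialized = 'Y' "
    "AND (dnssec_last_signed < ? OR dnssec_last_signed > ?)"
)

COLUMNS = ("id", "serial", "origin", "server_id", "active",
           "dnssec_wanted", "dnssec_initialized", "dnssec_last_signed")


def query_params(now, server_id=SERVER_ID):
    """The three bound values, computed exactly as the plugin computes them."""
    return (server_id, now - RESIGN_AFTER + SLACK, now + SLACK)


def render_query(now, server_id=SERVER_ID):
    """The query with literal values, for pasting into the mysql client."""
    q = SELECT_ZONES
    for value in query_params(now, server_id):
        q = q.replace("?", str(value), 1)
    return q


def build_db(rows):
    """In-memory stand-in for the dns_soa table, reduced to the queried columns."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE dns_soa (%s)" % ", ".join(COLUMNS))
    con.executemany("INSERT INTO dns_soa VALUES (?,?,?,?,?,?,?,?)", rows)
    return con


def zones_due(con, now, server_id=SERVER_ID):
    """Origins the plugin would re-sign at time `now`."""
    return [origin for _id, _serial, origin
            in con.execute(SELECT_ZONES, query_params(now, server_id))]


def explain(row, now, server_id=SERVER_ID):
    """Conditions of the query that this row fails (empty list = selected)."""
    r = dict(zip(COLUMNS, row))
    low, high = query_params(now, server_id)[1:]
    reasons = []
    if r["server_id"] != server_id:
        reasons.append("server_id %s is not %s" % (r["server_id"], server_id))
    for col in ("active", "dnssec_wanted", "dnssec_initialized"):
        if r[col] != "Y":
            reasons.append("%s = %r, not 'Y'" % (col, r[col]))
    if not (r["dnssec_last_signed"] < low or r["dnssec_last_signed"] > high):
        age_days = (now - r["dnssec_last_signed"]) / 86400
        reasons.append("dnssec_last_signed is %.1f days old, inside the 5-day window" % age_days)
    return reasons


NOW = 1482278400  # 2016-12-21 00:00:00 UTC, fixed so the sample is deterministic
DAY = 86400
# Constructed rows: one zone due, one with a future timestamp (also due), and
# three that the query skips for different reasons.
SAMPLE_ROWS = [
    (1, 2016121501, "due.example",     1, "Y", "Y", "Y", NOW - 6 * DAY),
    (2, 2016122001, "fresh.example",   1, "Y", "Y", "Y", NOW - 1 * DAY),
    (3, 2016121001, "notinit.example", 1, "Y", "Y", "N", NOW - 10 * DAY),
    (4, 2016121001, "other.example",   2, "Y", "Y", "Y", NOW - 10 * DAY),
    (5, 2016121001, "clock.example",   1, "Y", "Y", "Y", NOW + 2 * DAY),
]

if __name__ == "__main__":
    con = build_db(SAMPLE_ROWS)
    print(render_query(int(time.time())))
    print("due now:", zones_due(con, NOW))
    for row in SAMPLE_ROWS:
        print(row[2], "->", explain(row, NOW) or ["selected"])
```

The practical consequence of the time window is worth checking against the real table: a zone whose dnssec_last_signed was bumped within the last five days is skipped by the cron run even if its .signed file on disk was not rewritten, so comparing that column with the mtime of each pri.<zone>.signed file tells the two failure modes apart (zone never selected versus selected but the file not written).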
