Michael Grimm
2015-Apr-25 15:01 UTC
[nsd-users] zones with TLSA records fail to transfer to opendnssec
Hi,

I am unsure whether that is an issue with nsd or opendnssec, thus I will copy my mail to the opendnssec mailing list:

This is with opendnssec 1.4.7 and nsd 4.1.2 in a FBSD10-STABLE jail.

I recently noticed, after trying to modify one of my zones, that some of my zones fail zone transfers (one example):

    ods-signerd: [signconf] zone MY.TLD signconf: RESIGN[PT7200S] REFRESH[PT259200S] \
        VALIDITY[PT1209600S] DENIAL[PT1209600S] JITTER[PT43200S] OFFSET[PT3600S] NSEC[50] \
        DNSKEYTTL[PT3600S] SOATTL[PT3600S] MINIMUM[PT3600S] SERIAL[datecounter]
    ods-signerd: [tools] unable to read zone MY.TLD: adapter failed (Incoming zone transfer not ready)

Clearing /usr/local/var/opendnssec/tmp and restarting opendnssec didn't work, though.

All failing zones do have TLSA records in contrast to those zones transferring well. Thus I did remove those TLSA records for testing, and yes, now zone transfers work without any issue.

Questions:

1) Known issue?
2) Someone else observing this?
3) Is nsd to blame? (There has been an upgrade from 4.1.1 in February and opendnssec is from Dec 2014)
4) Will key rollovers work before having that issue solved? (my ZSK are due to rollover in a couple of days)
5) What else should I try in order to debug this issue?

Regards and thanks in advance,
Michael
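The report above narrows the failing zones down to those carrying TLSA records. As an added diagnostic, not code from the thread or from either project, the following stdlib-only Python lint runs over a constructed zone fragment and flags TLSA records whose usage, selector or matching type is out of the ranges defined in RFC 6698, or whose association data is not hex of the length the matching type implies, so a malformed record can be ruled out before the transfer path is suspected. The sample owner names and hex data are made up.

```python
import re

# Constructed sample zone fragment (not from the thread): two well-formed TLSA
# records, two deliberately defective ones, and an unrelated A record.
SAMPLE_ZONE = (
    "_443._tcp.www.example.org. 3600 IN TLSA 3 1 1 " + "ab" * 32 + "\n"
    "_25._tcp.mail.example.org. 3600 IN TLSA 2 0 2 " + "cd" * 64 + "\n"
    "_443._tcp.bad1.example.org. 3600 IN TLSA 3 1 1 0123456789abcdef\n"   # SHA-256 digest too short
    "_443._tcp.bad2.example.org. 3600 IN TLSA 4 1 1 " + "ef" * 32 + "\n"  # usage 4 does not exist
    "www.example.org. 3600 IN A 192.0.2.10 ; not a TLSA record, ignored\n"
)

# owner [ttl] [class] TLSA usage selector mtype data  (TTL and class are optional)
TLSA_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?TLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$", re.I)
# Expected hex length of the association data per matching type (RFC 6698):
# 0 = full certificate/SPKI (any length), 1 = SHA-256, 2 = SHA-512
DIGEST_HEX_LEN = {1: 64, 2: 128}


def check_tlsa_rdata(usage, selector, mtype, data):
    """Return the list of defects in one TLSA record's RDATA (empty list if it is fine)."""
    problems = []
    if usage not in (0, 1, 2, 3):
        problems.append(f"usage {usage} out of range 0-3")
    if selector not in (0, 1):
        problems.append(f"selector {selector} out of range 0-1")
    if mtype not in (0, 1, 2):
        problems.append(f"matching type {mtype} out of range 0-2")
    hexdata = data.replace(" ", "")
    if not hexdata or not re.fullmatch(r"[0-9A-Fa-f]+", hexdata):
        problems.append("association data is not hexadecimal")
    elif mtype in DIGEST_HEX_LEN and len(hexdata) != DIGEST_HEX_LEN[mtype]:
        problems.append(f"matching type {mtype} expects {DIGEST_HEX_LEN[mtype]} hex chars, got {len(hexdata)}")
    return problems


def lint_zone(text):
    """Map each defective TLSA owner name in master-file text to its list of problems."""
    findings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop trailing comments
        m = TLSA_RE.match(line)
        if not m:
            continue                                  # not a TLSA record
        owner = m.group(1)
        probs = check_tlsa_rdata(int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5))
        if not re.match(r"^_\d+\._(tcp|udp|sctp)\.", owner, re.I):
            probs.append("owner name lacks the _port._proto. prefix")
        if probs:
            findings[owner] = probs
    return findings


if __name__ == "__main__":
    for owner, probs in lint_zone(SAMPLE_ZONE).items():
        print(owner, "->", "; ".join(probs))
```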
Michael A. Peters
2015-Apr-25 15:16 UTC
[nsd-users] zones with TLSA records fail to transfer to opendnssec
On 04/25/2015 08:01 AM, Michael Grimm wrote:
> Hi,
>
> I am unsure whether that is an issue with nsd or opendnssec, thus I will copy my mail to the opendnssec mailing list:
>
> This is with opendnssec 1.4.7 and nsd 4.1.2 in a FBSD10-STABLE jail.
>
> I recently noticed, after trying to modify one of my zones, that some of my zones fail zone transfers (one example):
> *snip*

I don't *think* it is NSD because all of my TLSA records transfer from master to slave without a hitch.

I'm not using opendnssec to sign any zones though, I sign with ldns-signzone and then transfer the signed zone file to the master via scp where shell scripts there find it, validate the zone file, and add it to NSD. Within about a minute all the slaves are updated, including TLSA updates.

I'm using nsd 3.2.18 on CentOS 7.
Michael Grimm
2015-Apr-26 19:49 UTC
[nsd-users] [PARTIALLY SOLVED] zones with TLSA records fail to transfer to opendnssec
Hi,

Michael Grimm <trashcan at odo.in-berlin.de> wrote:
> All failing zones do have TLSA records in contrast to those zones transferring well.

Well, I do have to report that neither opendnssec nor nsd is to "blame" regarding this issue.

No, it was correlated with my attempts to implement NAT66 some weeks ago. NATing http, smtp, and most other protocols does work well, but the domain protocol might have some issues with FBSD's pf firewall and its NAT66 implementation, though. Reverting back to IPv6 to IPv6 communication without NAT66 brought back full xfr-ing of my "problematic" zonefiles.

I really don't understand it, and I do not have the capabilities of understanding the technical background, but anyway, it's working again ;-)

Thanks for listening, and regards,
Michael