On Jul 2, 2010, at 5:27 AM, Volker Janzen wrote:
Hi all,
when I add a new zone to my DNS server, I'm always a bit confused about the correct workflow. In the docs under "Adding/Removing zones" I just find a call of "ods-ksmutil zone add --zone example.com". This call works fine and adds the configuration. But the zone is not signed within minutes.

By private mail contact with Matthijs I found out that I should send a HUP signal to the enforcer. I think this cannot be everything that needs to be done. Doing this, the unsigned zone file is not found, because the zone fetcher hasn't got it yet.

I'm running a bind with an internal view for OpenDNSSEC with unsigned zone data and an external view with signed zones for the rest of the world. When I add a new unsigned zone to bind, what needs to be done to get a signed zone back to bind?

Should I first call "ods-ksmutil zone add --zone example.com", then restart all of the OpenDNSSEC software and finally reload bind to send an AXFR to OpenDNSSEC, or do I have to perform these steps in a different order? After restarting everything, changing the SOA again in bind and reloading, everything works, but I don't know how to optimize (or script) this procedure.
Best regards,
Volker Janzen
I use this horrendously ugly shell script -- seems to work...
wkum...@lisa:~/scripts$ more add_zone.sh
#!/bin/bash
# This script adds a zone to OpenDNSSEC.
#
# $Revision:: 1 $
# $Date:: $
# $Author:: wkumari $
# $HeadURL:: file:///srv/svn/repos/scripts/add_zone.sh $
# Copyright: Warren Kumari ([email protected]) -- 2010
#
# Where do the zonefiles live? We put signed zones in a subdir of this.
ZONEPATH=/chroot/named/etc/namedb
ENFORCER_PID=/var/run/opendnssec/enforcerd.pid

if [ -z "$1" ]; then
    cat <<EOF
This adds a zone file to the OpenDNSSEC system.
It assumes that the zonefile lives in
${ZONEPATH} and will output the
signed zone to ${ZONEPATH}/signed/.
Usage:
$0 zone
EOF
    exit 1
fi
ZONE="$1"

# Needs to be root.
if [[ $EUID -ne 0 ]]; then
    echo "ERROR: This script must be run as root." 1>&2
    exit 1
fi

# The zone name becomes part of a file name below, so refuse anything that
# could escape ${ZONEPATH} (a path separator or "..") or confuse the shell.
case "$ZONE" in
    */*|*..*|*[[:space:]]*)
        echo "ERROR: '${ZONE}' is not a valid zone name. Aborting!" 1>&2
        exit 1
        ;;
esac

# And make sure that the file exists.
if [ ! -e "${ZONEPATH}/${ZONE}" ]; then
    echo "ERROR: The zonefile ${ZONE} does not exist. Aborting!" 1>&2
    exit 1
fi

# Finally ready to do something!
echo -e "\n*** Adding ${ZONE} to the OpenDNSSEC zone list."
/usr/local/bin/ods-ksmutil zone add --zone "${ZONE}" \
    --input "${ZONEPATH}/${ZONE}" --output "${ZONEPATH}/signed/${ZONE}"
if [ $? -ne 0 ]; then
    echo "ERROR: Unable to add ${ZONE} to the zonelist, something went wrong." 1>&2
    exit 1
fi

echo -e "\n*** Asking ods-enforcerd to wake up so it will sign the zone."
if [ ! -e "${ENFORCER_PID}" ]; then
    echo "ERROR: I was not able to find the enforcerd PID file. Is it running?!" 1>&2
    exit 1
fi
if ! kill -HUP "$(cat "${ENFORCER_PID}")"; then
    echo "ERROR: kill was not able to send the HUP signal. Weird....." 1>&2
    exit 1
fi
# Give the enforcer a moment to pick up the new zone before the signer is told.
sleep 5

echo -e "\n*** Asking ods-ksmutil and ods-signer to reload the zonelist"
if ! /usr/local/bin/ods-ksmutil update zonelist || \
   ! /usr/local/sbin/ods-signer update "${ZONE}"; then
    echo "ERROR: ods-ksmutil / ods-signer unhappy with the config file." 1>&2
    exit 1
fi
echo -e "\n*** SUCCESS ***"
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
--
No man is an island, But if you take a bunch of dead guys and tie them
together, they make a pretty good raft.
--Anon.
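Added example, not part of Warren's script or of the OpenDNSSEC project: the zone name passed to add_zone.sh ends up as a file name under ${ZONEPATH} and as an argument to ods-ksmutil, so it is worth checking it properly rather than only testing that the file exists. The function below goes beyond a simple "no slash" test and enforces the RFC 1035 host-name rules (letters, digits and hyphens only, no hyphen at a label edge, labels of at most 63 octets, 253 octets in total), accepting an optional trailing dot. The sample names at the bottom are constructed for the demonstration.

```shell
#!/bin/bash
# valid_zone_name NAME
# Returns 0 if NAME is a syntactically valid DNS zone name that is also safe
# to use as a single path component, 1 otherwise.
valid_zone_name() {
    name="$1"
    # Accept the fully-qualified form ("example.com.") by dropping one trailing dot.
    name="${name%.}"
    [ -n "$name" ] || return 1
    [ "${#name}" -le 253 ] || return 1
    # Anything that could act as a path component or break up a command line.
    case "$name" in
        */*|*..*|*[[:space:]]*) return 1 ;;
    esac
    # Check each label: non-empty, at most 63 octets, LDH only, no edge hyphen.
    old_ifs="$IFS"
    IFS='.'
    for label in $name; do
        IFS="$old_ifs"
        [ -n "$label" ] || return 1
        [ "${#label}" -le 63 ] || return 1
        case "$label" in
            -*|*-) return 1 ;;
            *[!A-Za-z0-9-]*) return 1 ;;
        esac
        IFS='.'
    done
    IFS="$old_ifs"
    return 0
}

# Constructed sample inputs (not from the original post); shown when the file
# is run directly. Callers should use the function's exit status, not this output.
for candidate in example.com example.com. xn--nxasmq6b.example \
                 ../../etc/passwd example..com -bad.example "a b.example"; do
    if valid_zone_name "$candidate"; then
        printf 'OK      %s\n' "$candidate"
    else
        printf 'REJECT  %s\n' "$candidate"
    fi
done
```

Drop this function into add_zone.sh and call it right after the root check (`valid_zone_name "$1" || exit 1`). Note that it rejects underscore labels; if a zone name such as one starting with "_tcp" is ever needed, add "_" to the character class in the last case branch.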