Hello again,

Another question that popped up when digging around: I am not entirely certain of the role of /var/opendnssec/enforcer/zones.xml.

From what I can tell from the migration steps it is used by the signer and is supposed to be initially created by copying the old /etc/opendnssec/zonelist.xml there. It is then stated that zonelist.xml is no longer updated automatically, meaning the enforcer database is the authoritative source of information rather than that file. As stated in the example zonelist.xml:

===
As a result in 2.0 the contents of the enforcer database should be considered the 'master' for the list of currently configured zones, not the zonelist.xml file as the file can easily become out of sync with the database.
===

Instead I notice that /var/opendnssec/enforcer/zones.xml will be created or appended to when a zone is added with "ods-enforcer zone add --zone example.com".

Why has this file been introduced? Doesn't the "can easily become out of sync with the database" hold true for this file as well?

From my perspective there are now two files: zones.xml which is (hopefully) always in sync with the database, and zonelist.xml which _may_ be in sync with the database based on operational procedures (running "ods-enforcer zonelist export" from time to time or adding zones with --xml like "ods-enforcer zone add --zone example.com --xml").

If the goal is to not have two places that may get out of sync, why not have the signer fetch information directly from the database?

Finally, what is the appropriate thing to do with zones.xml on a fresh install? I notice an error is thrown since it is missing (not created by ods-enforcer-db-setup):

===
Sep 4 12:31:22 obsd-amd64-t01 ods-signerd: [file] unable to stat file /var/opendnssec/enforcer/zones.xml: ods_fopen() failed
===

Is it standard operating procedure to get that error on a fresh install, and then make the system happy with the addition of the first zone?
--
Patrik Lundin