Hi,<br><br>I am currently setting up OpeDNSSEC for the dutch nl zone and I am trying to <br>integrate it with their zone creation and checking system. <br><br>In steps I designed the following system <br><br>1. Every two hours the create_and_check_zonefile script places the new zone in <br>
/var/named/unsigned/ and it calls 'rndc -s localhost reload'<br>2. The localhost nameserver loads the new zone and notifies opendnssec<br>3. OpenDNSSEC fetches the zone (AXFR) and signs it and places it under <br>
/var/named/signed/<br>4. OpenDNSSEC calls 'rndc reload' for the hidden primary that will publish the <br> signed zone to the secondary nameservers<br><br>In the above setup I require two nameservers and I would like to come up with a<br>
setup that does not require an additional nameserver running.<br>So in steps I would like to change the above system to do something as follows:<br><br>1. Every two hours the create_and_check_zonefile script places the new zone in <br>
/var/named/unsigned/ and it calls 'ods-control signer sign nl'<br>2. OpenDNSSEC signs the zone in /var/named/unsigned/ and places it in <br> /var/named/signed/ <br>3. OpenDNSSEC calls rndc reload for the hidden primary that will publish the <br>
signed zone to the secondary nameservers<br><br>The problem I noticed with this setup is that while running the OpenDNSSEC <br>daemons or scripts seem to periodically use the zone file on disk. This may <br>cause a conflict when the script in step 1 places a new zone file while some <br>
OpenDNSSEC daemon or script is using it.<br>Is there a safe way to copy a new unsigned zone to be signed by OpenDNSSEC? <br>For instance, by disabling the periodic checks and let the script in step 1 <br>take the initiative for signing the zone?<br>
<br>Best regards,<br>Martijn Brekhof<br><br>