[Opendnssec-develop] Signing the root

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Feb 12 15:10:55 UTC 2010


Hi

I am setting up an education environment based on OpenDNSSEC. In this environment I want to have my own root. The resolvers will be configured with this root. My root will be signed with OpenDNSSEC. But I cannot sign it.

My first attempt was to use this configuration:

        <Zone name=".">
                <Policy>default</Policy>
                <SignerConfiguration>/var/opendnssec/signconf/root.xml</SignerConfiguration>
                <Adapters>
                        <Input>
                                <File>/var/cache/bind/unsigned/root</File>
                        </Input>
                        <Output>
                                <File>/var/cache/bind/signed/root</File>
                        </Output>
                </Adapters>
        </Zone>

The Signer was able to sign the zone and the result looked ok. I get files like:
..finalized
..sorted

But the Auditor fails with:
Feb 12 15:51:02 TeacherODS-LAB ods-auditor[2687]: SOA name () is different to the configured zone name (.) - aborting

So I tried with a second configuration:

        <Zone name="">
                <Policy>default</Policy>
                <SignerConfiguration>/var/opendnssec/signconf/root.xml</SignerConfiguration>
                <Adapters>
                        <Input>
                                <File>/var/cache/bind/unsigned/root</File>
                        </Input>
                        <Output>
                                <File>/var/cache/bind/signed/root</File>
                        </Output>
                </Adapters>
        </Zone>

And now the Signer fails:

Feb 12 15:57:57 TeacherODS-LAB ods-signerd: Run command: '/usr/local/libexec/opendnssec/sorter -o  -f /var/cache/bind/unsigned/root -w /var/opendnssec/tmp/.sorted -m 3600 -t 3600'
Feb 12 15:57:57 TeacherODS-LAB ods-signerd: stderr from sorter: Error, no zone name specified (-o)

How should you configure OpenDNSSEC to sign the root? How do we want OpenDNSSEC to behave?

// Rickard

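Both failures quoted above would fit a zone name being handled without its trailing dot, which for the root leaves an empty string; that reading is an assumption, not something the message confirms. The following is an added example (not OpenDNSSEC code and not part of the original message) of a pre-flight check that treats "." and "" as the same root name before comparing the configured zone name with the SOA owner; the function names and the sample zone text are constructed for illustration.

```python
# Added example: zone-name canonicalization with the root as a special case.
# All names here are illustrative; the zone text is constructed sample data.

SAMPLE_ROOT_ZONE = """\
; constructed sample, not a real root zone
.   86400 IN SOA a.root.example. hostmaster.example. 2010021201 1800 900 604800 86400
.   86400 IN NS  a.root.example.
"""

def canonical_zone_name(name):
    """Return the absolute lower-case form of a zone name; the root is '.'."""
    name = name.strip().lower()
    if name in ("", "."):
        # Dropping the trailing dot from "." leaves "", so map both to the root.
        return "."
    if name.endswith("."):
        name = name[:-1]
    if "" in name.split("."):
        raise ValueError("empty label in zone name %r" % name)
    return name + "."

def soa_owner(zone_text, origin):
    """Owner of the first SOA record (one record per line, owner in column 0)."""
    origin = canonical_zone_name(origin)
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]
        fields = line.split()
        if not fields or line[0].isspace():
            continue
        if fields[0].upper() == "$ORIGIN" and len(fields) > 1:
            origin = canonical_zone_name(fields[1])
        elif "SOA" in (f.upper() for f in fields[1:4]):
            owner = fields[0]
            if owner == "@":
                return origin
            if owner.endswith("."):
                return canonical_zone_name(owner)
            # Relative owner: append the origin, which for the root is just ".".
            return canonical_zone_name(owner + "." + origin.lstrip("."))
    raise ValueError("no SOA record found")

def zone_name_matches(configured, zone_text):
    """True when the configured zone name and the SOA owner name agree."""
    return canonical_zone_name(configured) == soa_owner(zone_text, configured)

if __name__ == "__main__":
    for configured in (".", ""):
        print(repr(configured), zone_name_matches(configured, SAMPLE_ROOT_ZONE))
```

Running the same comparison on the unsigned zone file before signing catches a zone-list/SOA mismatch early, independent of how any one component spells the root.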

