[Opendnssec-develop] bug with adding zones on opendnssec trunk

Patrik Wallström patrik.wallstrom at iis.se
Mon Sep 6 08:32:44 UTC 2010

On Sep 6, 2010, at 9:29 AM, Sion Lloyd wrote:
> On Saturday 04 Sep 2010 9:44:03 am Patrik Wallström wrote:
>> Add some zones using ods-ksmutil zone add. Then do ods-ksmutil update
>> zonelist, and all the (added) zones are removed from the configuration.
>> This was a really unexpected behaviour. But what should happen? Using zone
>> add the zones were never added to the zonelist.xml though, so I guess it
>> is correct, but the problem might be zone add.
> Are you using the --no-xml flag? There is an issue where adding zones to the 
> database only followed by an update removes zones which don't exist in the 
> database. (Normally we regard the zonelist as the authority.)

I did not use the --no-xml flag.

> So if you add zones without altering the xml you need to use the "ods-ksmutil 
> zonelist export" command to create a new zonelist that reflects the database.
> Is it the case that the --no-xml flag is defaulting to on? What message do you 
> get when you do a zone add?

I spent some time testing this now.

The problem (still) seems to be that if I start up the system from scratch, with no zones added and the zonelist empty, I get this error message (without --no-xml) when adding zones:

Not enough keys to satisfy zsk policy for zone: 6suffix.org
ods-enforcerd will create some more keys on its next run
Error allocating zsks to zone 6suffix.org
Failed to Link Keys to zone

And also, nothing is added to zonelist.xml.

If I do exactly the same thing, but before starting the system add an example.com zone and set up the system with that, all new zones are added just fine with this message:

"Imported zone: 6suffix.org"

What is --no-xml used for? Can I run the system without any dependency on zonelist.xml?

Patrik Wallström
Project Manager, R&D
.SE (Stiftelsen för Internetinfrastruktur)
E-mail: patrik.wallstrom at iis.se
Web: http://www.iis.se/
