[Opendnssec-develop] bug with adding zones on opendnssec trunk

Sion Lloyd sion at nominet.org.uk
Mon Sep 6 09:16:59 UTC 2010

On Monday 06 Sep 2010 9:32:44 am Patrik Wallström wrote:
> On Sep 6, 2010, at 9:29 AM, Sion Lloyd wrote:
> > On Saturday 04 Sep 2010 9:44:03 am Patrik Wallström wrote:
> >> Add some zones using ods-ksmutil zone add. Then do ods-ksmutil update
> >> zonelist, and all the (added) zones are removed from the configuration.
> >> This was a really unexpected behaviour. But what should happen? Using
> >> zone add the zones were never added to the zonelist.xml though, so I
> >> guess it is correct, but the problem might be zone add.
> > 
> > Are you using the --no-xml flag? There is an issue where adding zones to
> > the database only followed by an update removes zones which don't exist
> > in the database. (Normally we regard the zonelist as the authority.)
> I did not use the --no-xml flag.
> > So if you add zones without altering the xml you need to use the
> > "ods-ksmutil zonelist export" command to create a new zonelist that
> > reflects the database.
> > 
> > Is it the case that the --no-xml flag is defaulting to on? What message
> > do you get when you do a zone add?
> I spent some time testing this now.
> The problem (still) seems to be that if I start up the system from scratch,
> with no zones added, and the zonelist is empty - is that I get this error
> message (without --no-xml) when adding zones:
> Not enough keys to satisfy zsk policy for zone: 6suffix.orgods-enforcerd
> will create some more keys on its next runError allocating zsks to zone
> 6suffix.orgFailed to Link Keys to zone
> And also, nothing is added to zonelist.xml.
> If I do exactly the same thing, but before starting the system add an
> example.com zone and setup the system with that, all new zones are added
> just fine with this message:
> "Imported zone: 6suffix.org"
> What is --no-xml used for? Can I run the system without any dependency on
> zonelist.xml?

I think that Rickard and I have got somewhere with this. You will still see 
the error message but the zones should appear in the zonelist now.

If the behaviour is right then I will suppress that message (if I can) when 
there are no zones.


More information about the Opendnssec-develop mailing list