[Opendnssec-user] RE: Build problem with Beta 2 version of OpenDNSSEC

Sitowitz, Paul PSitowitz at verisign.com
Thu Oct 22 14:27:51 UTC 2009


Alex,

I was finally able to sign the zones. Here are the steps I used:

1. Reset the KASP DB and deleted all zones, tmp files and signer
   config files.
2. Renamed test-zone.nl to example.com.
3. Removed all comments and trailing spaces in the example.com unsigned
   zone (as recommended by Matthijs).
4. Used ods-ksmutil to add both zones.
5. Had to manually create the signer configuration files, as the
   software was giving errors that they did not exist (these were
   previously generated automatically the first time of signing):

[root]/usr/local/var/opendnssec/signconf: ods-signer
connecting to /var/run/opendnssec/engine.sock
cmd> sign example.com
 "Error reading zone config for example.com: [Errno 2] No such file or
directory: u'/usr/local/var/opendnssec/signconf/example.com.xml'"

cmd> sign example-zone.com
 "Error reading zone config for example-zone.com: [Errno 2] No such file
or directory:
u'/usr/local/var/opendnssec/signconf/example-zone.com.xml'"

6. $ ods-control start
7. $ ods-signer

cmd> sign -all

By the way, I signed these zones while integrated with a LunaPCI HSM.

Thank you for all of your help and support!

Paul
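
Added example, not code from this thread or from the OpenDNSSEC project: a small Python script that automates step 3 of the list above (stripping ';' comments and trailing whitespace from the unsigned zone) and then checks the two things that bit this thread, a $ORIGIN line with trailing text after the name and a $ORIGIN that names a different zone than the one registered with ods-ksmutil (the file called test-zone.nl carried $ORIGIN example.com.). Function names are my own; the sample zone is constructed from the quoted test-zone.nl file further down, shortened, plus one TXT record added to show that a ';' inside quoted rdata must survive the cleanup.

```python
# Added example, not OpenDNSSEC code.  Normalise an unsigned zone file the
# way step 3 above does by hand, then sanity-check its $ORIGIN directive.


def strip_comment(line: str) -> str:
    """Drop a ';' comment, but keep a ';' inside double quotes, where it is
    record data (DKIM/SPF TXT records routinely contain semicolons)."""
    out = []
    in_quotes = False
    escaped = False
    for ch in line:
        if escaped:                      # character after a backslash is literal
            out.append(ch)
            escaped = False
        elif ch == "\\":
            out.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == ";" and not in_quotes:
            break                        # rest of the line is a comment
        else:
            out.append(ch)
    return "".join(out)


def normalize_zone(text: str) -> str:
    """Return the zone with comments and trailing whitespace removed and
    empty lines dropped; record data is otherwise left as it was."""
    kept = []
    for raw in text.splitlines():
        line = strip_comment(raw).rstrip()
        if line:
            kept.append(line)
    return "\n".join(kept) + "\n"


def check_origin(text: str, expected_zone: str) -> list:
    """List problems with $ORIGIN lines: text or whitespace after the name
    (what tripped the beta signer), a name without the trailing dot, or a
    name that is not the zone that was added with ods-ksmutil."""
    want = expected_zone.rstrip(".").lower() + "."
    problems = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.upper().startswith("$ORIGIN"):
            continue
        fields = line.split()
        if line != line.rstrip() or ";" in line or len(fields) != 2:
            problems.append("line %d: text or whitespace after $ORIGIN name: %r"
                            % (n, line))
        origin = fields[1].lower() if len(fields) > 1 else ""
        if not origin.endswith("."):
            problems.append("line %d: $ORIGIN %r is not fully qualified"
                            % (n, origin))
        if origin != want:
            problems.append("line %d: $ORIGIN %s does not match zone %s"
                            % (n, origin, want))
    return problems


# Constructed sample: the quoted test-zone.nl with its commented $ORIGIN,
# shortened, plus a TXT record whose data contains semicolons.
SAMPLE_ZONE = (
    "$ORIGIN example.com.     ; designates the start of this zone file\n"
    "$TTL 1h                  ; default TTL\n"
    "example.com.  IN  SOA  ns.example.com. username.example.com. (\n"
    "              2007120710 ; serial number of this zone file\n"
    "              1d         ; slave refresh\n"
    "              1d         ; slave retry\n"
    "              4w         ; slave expiration\n"
    "              1h         ; minimum caching time\n"
    ")\n"
    "example.com.  NS    ns                    ; nameserver for example.com\n"
    "ns            A     10.0.0.2              ; ip address for ns\n"
    'dkim._domainkey TXT "v=DKIM1; k=rsa; p=MIGf" ; the ; inside quotes is data\n'
)

if __name__ == "__main__":
    # Registered as test-zone.nl but the file says example.com.: two findings.
    for problem in check_origin(SAMPLE_ZONE, "test-zone.nl"):
        print(problem)
    clean = normalize_zone(SAMPLE_ZONE)
    print(clean)
    print(check_origin(clean, "example.com"))   # [] once renamed and cleaned
```

Run the checker against the raw file before `ods-ksmutil` sees it; it reports the $ORIGIN mismatch and the trailing comment, and reports nothing once the zone has been normalized and added under the name its $ORIGIN actually carries.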

________________________________

From: Alexd at nominet.org.uk [mailto:Alexd at nominet.org.uk] 
Sent: Thursday, October 22, 2009 2:54 AM
To: Sitowitz, Paul
Cc: opendnssec-user at lists.opendnssec.org;
opendnssec-user-bounces at lists.opendnssec.org; Rickard Bondesson
Subject: RE: [Opendnssec-user] RE: Build problem with Beta 2 version of
OpenDNSSEC

 

Hi Paul,

Thanks for the files, and sorry for the slow response. 

> The zones file(s) are in the unsigned folder within the tarball that
> I resent to you yesterday. I'm resending the tarball and including 
> the contents of the two zone files below: 

Both of these files now run on my system with only one problem (see
below). I also had to rename the second zone to example.com, as it
didn't seem to match the test-zone.nl name. 

Currently, the second zone is not correctly signed by the signer (I
think there is an issue with spaces after the $ORIGIN statement). This
can be resolved by removing the spaces (i.e. $ORIGIN
example.com;<comments>). 

I haven't had a chance to look at the other config files you sent. If
you are still having problems with trunk (and the $ORIGIN change above),
then please let me know. Hopefully the $ORIGIN bug will be fixed soon. 

Thanks, 


Alex. 

>   
> example-zone.com: 
> @ IN SOA  dev-ng-core4 dnsuser ( 4 10800 3600 604800 86400 ) 
>   IN NS   dev-ng-core4 
> localhost      A     127.0.0.1 
> ajax           A     192.168.5.24 
>                MX    10 ajax 
> odysseus       A     192.168.5.23 
>                MX    10 odysseus 
> achilles       A     192.168.5.20 
>                MX    10 achilles 
> diomedes       A     192.168.5.22 
>                MX    10 diomedes 
> dev-ng-core4   A     192.168.5.1 
>                MX    10 dev-ng-core4 
> menelaeus      A     192.168.5.28 
>                MX    10 menelaeus 
> agamemnon      A     192.168.5.21 
>                MX    10 agamemnon 
>   
> test-zone.nl: 
> $ORIGIN example.com.     ; designates the start of this zone file in the name space 
> $TTL 1h                  ; The default expiration time of a resource record without its own TTL value 
> example.com.  IN  SOA  ns.example.com. username.example.com. ( 
>               2007120710 ; serial number of this zone file 
>               1d         ; slave refresh (1 day) 
>               1d         ; slave retry time in case of a problem (1 day) 
>               4w         ; slave expiration time (4 weeks) 
>               1h         ; minimum caching time in case of failed lookups (1 hour) 
> ) 
> example.com.  NS    ns                    ; ns.example.com is the nameserver for example.com 
> example.com.  NS    ns.somewhere.com.     ; ns.somewhere.com is a backup nameserver for example.com 
> example.com.  MX    10 mail.example.com.  ; mail.example.com is the mailserver for example.com 
> @             MX    20 mail2.example.com. ; Similar to above line, but using "@" to say "use $ORIGIN" 
> @             MX    50 mail3              ; Similar to above line, but using a host within this domain 
> example.com.  A     10.0.0.1              ; ip address for "example.com" 
> ns            A     10.0.0.2              ; ip address for "ns.example.com" 
> www           CNAME ns                    ; "www.example.com" is an alias for "ns.example.com" 
> wwwtest       CNAME www                   ; "wwwtest.example.com" is another alias for "www.example.com" 
> mail          A     10.0.0.3              ; ip address for "mail.example.com", any MX record host must be 
> 
> Thanks, 
> 
> Paul 
> 
> From: Alexd at nominet.org.uk [mailto:Alexd at nominet.org.uk] 
> Sent: Friday, October 16, 2009 3:03 AM
> To: Rickard Bondesson
> Cc: opendnssec-user at lists.opendnssec.org; Sitowitz, Paul
> Subject: Re: [Opendnssec-user] RE: Build problem with Beta 2 version
> of OpenDNSSEC 
>   
> > We will work on this problem. Alex, do you have enough of 
> > information to be able to find this problem? 
> 
> It would be very useful to get a copy of the zone which was to be 
> signed. Then I could try to reproduce the problem and fix it. 
> 
> 
> Alex. [attachment "issue-bundle.tgz" deleted by Alex Dalitz/Nominet] 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
