[Opendnssec-user] Problem trying to run Signer Engine
PSitowitz at verisign.com
Fri Sep 25 14:45:55 UTC 2009
There are still a few questions I have regarding to OpenDNSSEC. I hope that you can help me again or else point me to someone else who can.
1. Does OpenDNSSEC require keys to be pre-generated prior to first signing
or will this happen automatically based on defined key management
2. Is there a way in OpenDNSSEC to configure a parent/child relationship
between zones so that DS data is automatically extracted from a signed
zone in order to automate the publishing of this DS data to the parent
zone or is this something that needs to be done manually by a zone
operator? Are the DS records written to a separate file which may be
referenced by a parent zone?
3. Does OpenDNSSEC provide any integration points for interfacing with a
4. A name server is notified to load a signed zone, by OpenDNSSEC, when a
zone is signed. This is configured in the conf.xml configuration file via
the <NotifyCommand> tag within the <Signer> tagged block. This tag
configures the OS level command to use to notify a DNS nameserver when a
zone is signed. Are these statements correct?
Can a remote nameserver be notified? I'd really like to see an example
which identifies the interface of how information is passed from
OpenDNSSEC to a local and remote nameserver via the NotifyCommand (does
it expect input on STDIN, any special directives for passing parameters
from OpenDNSSEC to the configured NotifyCommand)?
As always, thank you again for all of your help and support :-)
From: Matthijs Mekking [mailto:matthijs at nlnetlabs.nl]
Sent: Friday, September 18, 2009 3:27 AM
To: Sitowitz, Paul
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Problem trying to run Signer Engine
-----BEGIN PGP SIGNED MESSAGE-----
I admit it is sort of a cryptic error message, but I think your zone has
lines in it with only spaces. That is encountered as a syntax error (It
reads spaces, thus taking the previous owner name and than there is
nothing else to parse on that line).
Either removing the 'empty' lines or flattening the zone down with
ldns-readzone <zonefile> should work.
Sitowitz, Paul wrote:
> Sep 17 13:24:21 dev-ng-core3 OpenDNSSEC signer engine: stderr from sorter: Warning: Syntax error, could not parse the RR's TTL:
> Sep 17 13:24:21 dev-ng-core3 OpenDNSSEC signer engine: stderr from sorter:
> Sep 17 13:24:21 dev-ng-core3 OpenDNSSEC signer engine: Sorting failed
> As a result, the zones are NOT being signed as I don't see any log messages indicating so nor are there any signed zones in my configured /usr/local/var/opendnssec/signed folder.
So, I'm thinking that the warning " Warning: Syntax error, could not
parse the RR's TTL" is the root cause.
Do you have any recommendations on how I can further troubleshoot this
Can you provide me a sample zone file that you know should definitely
sign with no issues?
> Thanks again,
> -----Original Message-----
> From: Jakob Schlyter [mailto:jakob at kirei.se]
> Sent: Wednesday, September 16, 2009 11:09 PM
> To: Sitowitz, Paul
> Subject: Re: [Opendnssec-user] Problem trying to run Signer Engine
> On 16 sep 2009, at 22.17, Sitowitz, Paul wrote:
>> 1. Start the signer_engine
>> à /usr/local/sbin/signer_engine
>> Python engine proof of concept, v 0.0002 alpha
>> Zone list updated: 0 removed, 1 added, 0 updated
>> running as pid 6145
>> Unable to continue, stopping:
>> à Needed to update Python code for signer_engine to log the
>> actual error which caused the above to fail
>> à vi /usr/local/lib/opendnssec/signer/Engine.py +703
>> (inserted code below)
>> syslog.syslog(syslog.LOG_ERR, "Error: " + str(e))
>> raise e
> patch integrated, thanks!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the Opendnssec-user