[Opendnssec-user] Problem trying to run Signer Engine

Sitowitz, Paul PSitowitz at verisign.com
Fri Sep 25 14:45:55 UTC 2009

Hi Matt,

There are still a few questions I have regarding to OpenDNSSEC. I hope that you can help me again or else point me to someone else who can.

1. Does OpenDNSSEC require keys to be pre-generated prior to first signing  
   or will this happen automatically based on defined key management 

2. Is there a way in OpenDNSSEC to configure a parent/child relationship 
   between zones so that DS data is automatically extracted from a signed 
   zone in order to automate the publishing of this DS data to the parent 
   zone or is this something that needs to be done manually by a zone 
   operator? Are the DS records written to a separate file which may be 
   referenced by a parent zone?

3. Does OpenDNSSEC provide any integration points for interfacing with a 
   parent registry?

4. A name server is notified to load a signed zone, by OpenDNSSEC, when a 
   zone is signed. This is configured in the conf.xml configuration file via 
   the <NotifyCommand> tag within the <Signer> tagged block. This tag 
   configures the OS level command to use to notify a DNS nameserver when a 
   zone is signed. Are these statements correct?

   Can a remote nameserver be notified? I'd really like to see an example 
   which identifies the interface of how information is passed from 
   OpenDNSSEC to a local and remote nameserver via the NotifyCommand (does 
   it expect input on STDIN, any special directives for passing parameters 
   from OpenDNSSEC to the configured NotifyCommand)?

As always, thank you again for all of your help and support :-)


Paul Sitowitz
VeriSign, INC.

-----Original Message-----
From: Matthijs Mekking [mailto:matthijs at nlnetlabs.nl] 
Sent: Friday, September 18, 2009 3:27 AM
To: Sitowitz, Paul
Cc: opendnssec-user at lists.opendnssec.org
Subject: Re: [Opendnssec-user] Problem trying to run Signer Engine

Hash: SHA1

Hi Paul,

I admit it is sort of a cryptic error message, but I think your zone has
lines in it with only spaces. That is encountered as a syntax error (It
reads spaces, thus taking the previous owner name and than there is
nothing else to parse on that line).

Either removing the 'empty' lines or flattening the zone down with
ldns-readzone <zonefile> should work.

Best regards,

Matthijs Mekking

Sitowitz, Paul wrote:

> Sep 17 13:24:21 dev-ng-core3 OpenDNSSEC signer engine: stderr from sorter: Warning: Syntax error, could not parse the RR's TTL: 
> Sep 17 13:24:21 dev-ng-core3 OpenDNSSEC signer engine: stderr from sorter:                                            
> Sep 17 13:24:21 dev-ng-core3 OpenDNSSEC signer engine: Sorting failed
> As a result, the zones are NOT being signed as I don't see any log messages indicating so nor are there any signed zones in my configured /usr/local/var/opendnssec/signed folder.

So, I'm thinking that the warning " Warning: Syntax error, could not
parse the RR's TTL" is the root cause.

Do you have any recommendations on how I can further troubleshoot this

Can you provide me a sample zone file that you know should definitely
sign with no issues?

> Thanks again,
> Paul
> -----Original Message-----
> From: Jakob Schlyter [mailto:jakob at kirei.se] 
> Sent: Wednesday, September 16, 2009 11:09 PM
> To: Sitowitz, Paul
> Subject: Re: [Opendnssec-user] Problem trying to run Signer Engine
> On 16 sep 2009, at 22.17, Sitowitz, Paul wrote:
>> 1.      Start the signer_engine
>> à          /usr/local/sbin/signer_engine
>> Python engine proof of concept, v 0.0002 alpha
>> Zone list updated: 0 removed, 1 added, 0 updated
>> running as pid 6145
>> Unable to continue, stopping:
>> à          Needed to update Python code for signer_engine to log the  
>> actual error which caused the above to fail
>> à          vi /usr/local/lib/opendnssec/signer/Engine.py +703   
>> (inserted code below)
>> syslog.syslog(syslog.LOG_ERR, "Error: " +  str(e))
>>         raise e
> patch integrated, thanks!
> 	jakob

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Opendnssec-user mailing list