[Opendnssec-user] Problem trying to run Signer Engine
Jakob Schlyter
jakob at kirei.se
Mon Sep 28 08:10:53 UTC 2009
On 25 sep 2009, at 16.45, Sitowitz, Paul wrote:
> 1. Does OpenDNSSEC require keys to be pre-generated prior to first signing
> or will this happen automatically based on defined key management
> policies?
keygend needs to be run before first signing. We're working on
integrating keygend and communicated into one single daemon where
this will be taken care of automatically.
> 2. Is there a way in OpenDNSSEC to configure a parent/child relationship
> between zones so that DS data is automatically extracted from a signed
> zone in order to automate the publishing of this DS data to the parent
> zone or is this something that needs to be done manually by a zone
> operator? Are the DS records written to a separate file which may be
> referenced by a parent zone?
not yet, but we have it on the post 1.0-radar.
> 3. Does OpenDNSSEC provide any integration points for interfacing with a
> parent registry?
We have discussed this, but it will not be ready and integrated in 1.0.
> 4. A name server is notified to load a signed zone, by OpenDNSSEC, when a
> zone is signed. This is configured in the conf.xml configuration file via
> the <NotifyCommand> tag within the <Signer> tagged block. This tag
> configures the OS level command to use to notify a DNS nameserver when a
> zone is signed. Are these statements correct?
yes.
> Can a remote nameserver be notified? I'd really like to see an example
> which identifies the interface of how information is passed from
> OpenDNSSEC to a local and remote nameserver via the NotifyCommand (does
> it expect input on STDIN, any special directives for passing parameters
> from OpenDNSSEC to the configured NotifyCommand)?
I'd write a simple shell script wrapper that does what's needed. The notify
command does not take any special input. I'll add a small example to
the config file as a start.
jakob
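A wrapper of the kind suggested in the reply above, as an added example that is not part of the original thread or of OpenDNSSEC itself. It assumes that the <NotifyCommand> in conf.xml points at this script and that the signer invokes it with the zone name as its first argument (an assumption, since the reply says no special input is passed); it reloads the local BIND instance with `rndc reload` and reaches two hypothetical remote secondaries over ssh. Because the zone name ends up in a shell command, the wrapper validates it against the characters a DNS name may contain before doing anything, and it stops at the first failing notification so the signer sees a non-zero exit status.

```shell
#!/bin/sh
# NotifyCommand wrapper (added example; not OpenDNSSEC code).
# Assumed invocation by the signer:  notify-wrapper.sh <zone>
# The nameserver list below is constructed for the example; "local" means
# the BIND instance on this host, anything else is reached over ssh with a
# dedicated, restricted account (assumption: key-based, command-limited).

NAMESERVERS="local ns2.example.net ns3.example.net"

# Accept only characters that can appear in a DNS zone name, so that a
# malformed or hostile zone argument can never alter the command we build.
valid_zone() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the command that reloads one zone on one server (no execution).
# "rndc reload <zone>" is BIND's control-channel reload for a single zone.
notify_command() {
    host=$1
    zone=$2
    if [ "$host" = "local" ]; then
        printf 'rndc reload %s\n' "$zone"
    else
        printf 'ssh dnsadmin@%s rndc reload %s\n' "$host" "$zone"
    fi
}

# List every command that would be run for a zone, one per line.
# Useful as a dry run: notify-wrapper.sh can be checked without touching DNS.
build_notify_commands() {
    zone=$1
    for h in $NAMESERVERS; do
        notify_command "$h" "$zone"
    done
}

# Execute the notifications in order; log each one to syslog and return
# non-zero on the first failure so the signer's NotifyCommand call fails.
run_notify() {
    zone=$1
    valid_zone "$zone" || { echo "refusing unsafe zone name: $zone" >&2; return 2; }
    for h in $NAMESERVERS; do
        cmd=$(notify_command "$h" "$zone")
        logger -t notify-wrapper "zone=$zone cmd=$cmd" 2>/dev/null || true
        sh -c "$cmd" || { echo "notify failed: $cmd" >&2; return 1; }
    done
    return 0
}

# Act only when a zone argument is supplied, so sourcing the file for a
# dry run or a test does nothing.
case "$1" in
    "") ;;
    *) run_notify "$1" ;;
esac
```

The local and remote cases go through the same `notify_command` function so the set of hosts lives in one place; to see what would be executed for a zone without sending anything, call `build_notify_commands example.com` after sourcing the script.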