[Opendnssec-user] Problem trying to run Signer Engine

Jakob Schlyter jakob at kirei.se
Mon Sep 28 08:10:53 UTC 2009

On 25 sep 2009, at 16.45, Sitowitz, Paul wrote:

> 1. Does OpenDNSSEC require keys to be pre-generated prior to first  
> signing
>   or will this happen automatically based on defined key management
>   policies?

keygend needs to be run before first signing. we're working on  
integrating keygend and communicated into once single daemon where  
this will be taken care of auetomatically.

> 2. Is there a way in OpenDNSSEC to configure a parent/child  
> relationship
>   between zones so that DS data is automatically extracted from a  
> signed
>   zone in order to automate the publishing of this DS data to the  
> parent
>   zone or is this something that needs to be done manually by a zone
>   operator? Are the DS records written to a separate file which may be
>   referenced by a parent zone?

not yet, but we have it on the post 1.0-radar.

> 3. Does OpenDNSSEC provide any integration points for interfacing  
> with a
>   parent registry?

we have discussed this, but it will not ready integrated 1.0.

> 4. A name server is notified to load a signed zone, by OpenDNSSEC,  
> when a
>   zone is signed. This is configured in the conf.xml configuration  
> file via
>   the <NotifyCommand> tag within the <Signer> tagged block. This tag
>   configures the OS level command to use to notify a DNS nameserver  
> when a
>   zone is signed. Are these statements correct?


>   Can a remote nameserver be notified? I'd really like to see an  
> example
>   which identifies the interface of how information is passed from
>   OpenDNSSEC to a local and remote nameserver via the NotifyCommand  
> (does
>   it expect input on STDIN, any special directives for passing  
> parameters
>   from OpenDNSSEC to the configured NotifyCommand)?

I'd write a simple shellscript wrapper does what's needed. the notify  
command does not take any special input. I'll add a small example to  
the config file as a start.


More information about the Opendnssec-user mailing list