[Opendnssec-user] Problem trying to run Signer Engine

Sebastian Castro sebastian at nzrs.net.nz
Mon Sep 28 21:54:02 UTC 2009

Jakob Schlyter wrote:
> On 25 sep 2009, at 16.45, Sitowitz, Paul wrote:
>> 4. A name server is notified to load a signed zone, by OpenDNSSEC, when a
>>   zone is signed. This is configured in the conf.xml configuration file
>>   via the <NotifyCommand> tag within the <Signer> tagged block. This tag
>>   configures the OS level command to use to notify a DNS nameserver when
>>   a zone is signed. Are these statements correct?
> yes.
>>   Can a remote nameserver be notified? I'd really like to see an example
>>   which identifies the interface of how information is passed from
>>   OpenDNSSEC to a local and remote nameserver via the NotifyCommand (does
>>   it expect input on STDIN, any special directives for passing parameters
>>   from OpenDNSSEC to the configured NotifyCommand)?
> I'd write a simple shell script wrapper that does what's needed. The notify
> command does not take any special input. I'll add a small example to the
> config file as a start.

I wrote this small script to load the signed zone on a local nameserver.


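#!/bin/bash
# Two arguments should be provided
# zone and zonefile
# zone is the name of the zone being loaded
# zonefile is the file where the new zone is contained

# The two directories below are placeholders: the archived message does
# not show where they were set.
ZONE_DIR=/path/to/nameserver/zones
BACKUP_DIR=/path/to/zone/backups

if [ $# -eq 2 ]; then
	# Assignments reconstructed from the argument description above
	ZONE="$1"
	SIGNED_ZONE="$2"
	ZONE_FILE=`basename "${SIGNED_ZONE}"`

	if [ "$UID" -ne 0 ]; then
		echo "Must be run as root!"
		exit 1
	fi

	test ! -d "${BACKUP_DIR}" && mkdir -p "${BACKUP_DIR}"

	# Only install a zone that named-checkzone accepts
	/usr/sbin/named-checkzone -i local "${ZONE}" "${SIGNED_ZONE}" &> /dev/null

	if [ $? -eq 0 ]; then
		# Backup the old zone (command reconstructed; missing from the archive)
		SEQ=`date -u +%s`
		test -f "${ZONE_DIR}/${ZONE_FILE}" && cp "${ZONE_DIR}/${ZONE_FILE}" "${BACKUP_DIR}/${ZONE_FILE}.${SEQ}"

		# Copy the new zone (command reconstructed; missing from the archive)
		cp "${SIGNED_ZONE}" "${ZONE_DIR}/${ZONE_FILE}"

		# Reload zone
		rndc reload "${ZONE}"
	fi
fi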

The corresponding NotifyCommand in my conf file looks like this:

<NotifyCommand>/usr/local/opendnssec/bin/install-zone.sh %zone %zonefile</NotifyCommand>

%zone and %zonefile are placeholders handled by the signer_engine that
are replaced by the zonename and the signed zone file as indicated on
the zonelist.xml file.

I hope it helps..

Sebastian Castro

>     jakob
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
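
A NotifyCommand wrapper like the one in this message runs as root and passes its two substituted arguments on to cp and rndc, so it helps to validate them before use. The following is an added example, not part of the original message or of OpenDNSSEC; the function names and the SIGNED_DIR location are assumptions.

```shell
#!/bin/sh
# Added example: argument checks for a root-run NotifyCommand wrapper.
# SIGNED_DIR is a placeholder for wherever the signer writes signed zones.
SIGNED_DIR="${SIGNED_DIR:-/path/to/opendnssec/signed}"

# Zone name: hostname characters only, so it cannot be read as an option
# or carry shell or path metacharacters into cp or rndc.
valid_zone_name() {
	case "$1" in
		''|-*|.?*|*..*) return 1 ;;     # empty, option-like, empty label
		*[!A-Za-z0-9._-]*) return 1 ;;  # outside the hostname alphabet
	esac
	[ "${#1}" -le 253 ]                 # maximum length of a DNS name
}

# Zone file: a regular file below SIGNED_DIR, reached without "..".
valid_zone_file() {
	case "$1" in
		*/../*|*/..) return 1 ;;        # no parent-directory components
		"${SIGNED_DIR}"/*) ;;           # must be below the signer output dir
		*) return 1 ;;
	esac
	[ -f "$1" ] && [ ! -L "$1" ]        # regular file, not a symlink
}

# Returns 0 when both arguments are acceptable, otherwise a distinct code.
check_notify_args() {
	[ $# -eq 2 ] || return 2
	valid_zone_name "$1" || return 3
	valid_zone_file "$2" || return 4
	return 0
}

# Demo on constructed input: a throwaway directory stands in for SIGNED_DIR.
SIGNED_DIR=$(mktemp -d)
: > "${SIGNED_DIR}/example.com"
for zone in example.com -f 'a;b' ../etc; do
	if check_notify_args "$zone" "${SIGNED_DIR}/example.com"; then
		echo "accept: $zone"
	else
		echo "reject: $zone (code $?)"
	fi
done
rm -rf "${SIGNED_DIR}"
```

A wrapper would call check_notify_args "$@" first and exit non-zero on any failure, before touching the zone directory or calling rndc.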
