[Opendnssec-user] Problem trying to run Signer Engine
Sebastian Castro
sebastian at nzrs.net.nz
Mon Sep 28 21:54:02 UTC 2009
Jakob Schlyter wrote:
> On 25 sep 2009, at 16.45, Sitowitz, Paul wrote:
>
>> 4. A name server is notified to load a signed zone, by OpenDNSSEC, when a
>> zone is signed. This is configured in the conf.xml configuration file via
>> the <NotifyCommand> tag within the <Signer> tagged block. This tag
>> configures the OS level command to use to notify a DNS nameserver when a
>> zone is signed. Are these statements correct?
>
> yes.
>
>> Can a remote nameserver be notified? I'd really like to see an example
>> which identifies the interface of how information is passed from
>> OpenDNSSEC to a local and remote nameserver via the NotifyCommand (does
>> it expect input on STDIN, any special directives for passing parameters
>> from OpenDNSSEC to the configured NotifyCommand)?
>
> I'd write a simple shellscript wrapper that does what's needed. The notify
> command does not take any special input. I'll add a small example to the
> config file as a start.
I wrote this small script to load the signed zone on a local nameserver.
--------------------------------------------------
#!/bin/sh
# Two arguments should be provided: zone and zonefile
# zone is the name of the zone being loaded
# zonefile is the file where the new zone is contained
if [ $# -ne 2 ]; then
    echo "Usage: $0 zone zonefile" >&2
    exit 1
fi
ZONE=$1
SIGNED_ZONE=$2
ZONE_DIR=/etc/bind
BACKUP_DIR=/etc/bind/zone-backup
ZONE_FILE=`basename "${SIGNED_ZONE}"`
CURRENT_ZONE="${ZONE_DIR}/${ZONE_FILE}"
# $UID is only set by bash; under a plain /bin/sh ask id(1) instead
if [ "`id -u`" -ne 0 ]; then
    echo "Must be run as root!" >&2
    exit 1
fi
test ! -d "${BACKUP_DIR}" && mkdir "${BACKUP_DIR}"
# Check the signed zone before touching the live copy. Note that "&>"
# is a bashism: under /bin/sh it backgrounds the command, so the exit
# status would never reflect the named-checkzone result.
if /usr/sbin/named-checkzone -i local "${ZONE}" "${SIGNED_ZONE}" > /dev/null 2>&1; then
    # Backup the old zone, if one is already installed
    SEQ=`date -u +%s`
    if [ -f "${CURRENT_ZONE}" ]; then
        cp "${CURRENT_ZONE}" "${BACKUP_DIR}/${ZONE_FILE}.${SEQ}"
    fi
    # Copy the new zone
    cp "${SIGNED_ZONE}" "${ZONE_DIR}"
    # Reload zone
    rndc reload "${ZONE}"
else
    echo "named-checkzone rejected ${SIGNED_ZONE}; keeping the current zone" >&2
    exit 1
fi
--------------------------------------------------
The corresponding NotifyCommand in my conf file looks like this:
<NotifyCommand>/usr/local/opendnssec/bin/install-zone.sh %zone %zonefile</NotifyCommand>
%zone and %zonefile are placeholders handled by the signer_engine that
are replaced by the zone name and the signed zone file as indicated in
the zonelist.xml file.
I hope it helps.
Sebastian Castro
>
> jakob
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
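Paul's question about a remote nameserver is not covered by the script above, which only handles a local BIND. The wrapper below is an added example, not code from this thread or from the OpenDNSSEC project: it is the same NotifyCommand pattern (OpenDNSSEC expands %zone and %zonefile and runs the command with no stdin), but it validates the signed file locally, copies it to a remote BIND server with scp, and reloads it there with rndc's -s/-p/-k options. The host ns1.example.net, the zonepush account, the remote directory, the rndc key path and the script name install-remote-zone.sh are all assumptions; the CHECKZONE, SCP and RNDC variables exist only so the logic can be exercised without a real server. Because %zone is placed on a remote command line, the script also rejects zone names containing anything but hostname characters.

```shell
#!/bin/sh
# install-remote-zone.sh: NotifyCommand wrapper that pushes a signed zone to a
# remote BIND server and reloads it there. Added example, not OpenDNSSEC code.
# Assumed conf.xml entry (path and script name are assumptions):
#   <NotifyCommand>/usr/local/opendnssec/bin/install-remote-zone.sh %zone %zonefile</NotifyCommand>

REMOTE_HOST=${REMOTE_HOST:-ns1.example.net}         # assumed remote nameserver
REMOTE_USER=${REMOTE_USER:-zonepush}                # assumed unprivileged push account
REMOTE_ZONE_DIR=${REMOTE_ZONE_DIR:-/etc/bind/signed} # assumed directory named reads from
RNDC_KEY=${RNDC_KEY:-/etc/opendnssec/rndc-ns1.key}  # assumed key for the remote rndc channel
RNDC_PORT=${RNDC_PORT:-953}
# Tools are variables so the functions can be tested without a real server
CHECKZONE=${CHECKZONE:-/usr/sbin/named-checkzone}
SCP=${SCP:-scp}
RNDC=${RNDC:-rndc}

log() { echo "install-remote-zone: $*" >&2; }

# %zone ends up on an rndc command line; accept only hostname characters so a
# malformed zonelist.xml entry cannot carry shell metacharacters. 0 = acceptable.
zone_name_ok() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate the signed file locally before anything leaves this host.
validate_zone() {   # $1 = zone name, $2 = signed zone file
    [ -f "$2" ] || { log "no such file: $2"; return 1; }
    "$CHECKZONE" -i local "$1" "$2" > /dev/null 2>&1
}

# Copy and reload. Any failure returns non-zero and leaves the old zone serving.
install_remote_zone() {   # $1 = zone name, $2 = signed zone file
    zone="$1"; signed="$2"
    zone_name_ok "$zone" || { log "rejecting zone name '$zone'"; return 2; }
    validate_zone "$zone" "$signed" || { log "named-checkzone failed for $zone"; return 3; }
    file=`basename "$signed"`
    "$SCP" -q "$signed" "$REMOTE_USER@$REMOTE_HOST:$REMOTE_ZONE_DIR/$file" \
        || { log "scp to $REMOTE_HOST failed"; return 4; }
    "$RNDC" -s "$REMOTE_HOST" -p "$RNDC_PORT" -k "$RNDC_KEY" reload "$zone" \
        || { log "rndc reload of $zone on $REMOTE_HOST failed"; return 5; }
    log "$zone installed on $REMOTE_HOST"
    return 0
}

main() {
    [ $# -eq 2 ] || { echo "usage: $0 zone zonefile" >&2; exit 1; }
    install_remote_zone "$1" "$2"
}

# Dispatch only when run under the name used in NotifyCommand, so the
# functions above can also be sourced and exercised on their own.
case "$0" in
    install-remote-zone.sh|*/install-remote-zone.sh) main "$@" ;;
esac
```

The order matters: named-checkzone runs on the signer before scp, so a signing problem never reaches the remote server, and a failed scp or rndc leaves the previously loaded zone in place. The remote account needs write access to the zone directory and the rndc key must be permitted in the remote named's controls statement; the backup step from the local script would have to be done on the remote side (for example with an ssh command before the copy) and is omitted here.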