[Opendnssec-user] Added new zones to OpenDNSSEC

Warren Kumari warren at kumari.net
Fri Jul 2 15:09:31 UTC 2010

On Jul 2, 2010, at 5:27 AM, Volker Janzen wrote:

> Hi all,
> when I add a new zone to my DNS server, I'm always a bit confused about
> the correct workflow. In the docs under "Adding/Removing zones" I just
> find a call of "ods-ksmutil zone add --zone example.com". This call works
> fine and adds the configuration. But the zone is not signed within
> minutes.
> By private mail contact with Matthijs I found out that I should send a HUP
> signal to the enforcer. I think this cannot be everything that needs to be
> done.
> Doing this, the unsigned zone file is not found, because the zone fetcher
> hasn't got it yet.
> I'm running a bind with an internal view for OpenDNSSEC with unsigned zone
> data and an external view with signed zone for the rest of the world.
> When I add a new unsigned zone to bind, what needs to be done to get a
> signed zone back to bind?
> Should I first call "ods-ksmutil zone add --zone example.com", then
> restart all of the OpenDNSSEC software and finally reload bind to send
> AXFR to OpenDNSSEC, or do I have to perform these steps in a different
> order? After restarting everything and changing SOA again in bind and
> reloading, everything works, but I don't know how to optimize (or script)
> this procedure.
> Best regards,
>   Volker Janzen

I use this horrendously ugly shell script -- seems to work...

wkumari at lisa:~/scripts$ more add_zone.sh

#!/bin/bash
# This script adds a zone to OpenDNSSEC.
# $Revision:: 1                                            $
# $Date::                                                  $
# $Author:: wkumari                                        $
# $HeadURL:: file:///srv/svn/repos/scripts/add_zone.sh     $
# Copyright: Warren Kumari (warren at kumari.net) -- 2010

# Where do the zonefiles live? We put signed zones in a subdir of this.
ZONEPATH=/path/to/zones   # placeholder: the real value was not included in the post

if [ -z "$1" ]; then
   cat <<EOF
   This adds a zone file to the OpenDNSSEC system.
   It assumes that the zonefile lives in
   ${ZONEPATH} and will output the
   signed zone to ${ZONEPATH}/signed/.

     $0 zone
EOF
   exit 1
fi

# Needs to be root.
if [[ $EUID -ne 0 ]]; then
    echo -e "ERROR: This script must be run as root." 1>&2
    exit 1
fi

# And make sure that the file exists.
if [ ! -e "${ZONEPATH}/$1" ]; then
    echo -e "ERROR: The zonefile $1 does not exist. Aborting!" 1>&2
    exit 1
fi

# Finally ready to do something!
echo -e "\n*** Adding $1 to the OpenDNSSEC zone list."
/usr/local/bin/ods-ksmutil zone add --zone "$1" --input "${ZONEPATH}/$1" --output "${ZONEPATH}/signed/$1"
if [ $? -ne 0 ]; then
   echo -e "ERROR: Unable to add $1 to the zonelist, something went wrong." 1>&2
   exit 1
fi

# The enforcer only picks up the new zone when told to re-read its configuration.
echo -e "\n*** Asking ods-enforcerd to wake up so it will sign the zone."
if [ ! -e /var/run/opendnssec/enforcerd.pid ]; then
   echo -e "ERROR: I was not able to find the enforcerd PID file. Is it running?!" 1>&2
   exit 1
fi

kill -HUP "$(cat /var/run/opendnssec/enforcerd.pid)"
if [ $? -ne 0 ]; then
   echo -e "ERROR: kill was not able to send the HUP signal. Weird....." 1>&2
   exit 1
fi

# Give the enforcer a moment to allocate keys before the signer is asked to pick the zone up.
sleep 5

echo -e "\n*** Asking ods-ksmutil and ods-signer to reload the zonelist"
/usr/local/bin/ods-ksmutil update zonelist && /usr/local/sbin/ods-signer update "$1"
if [ $? -ne 0 ]; then
   echo -e "ERROR: ods-ksmutil / ods-signer unhappy with the config." 1>&2
   exit 1
fi

echo -e "\n*** SUCCESS ***"


No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
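An added check for the gap the thread describes between "ods-signer update" and reloading bind (my example, not code from Warren's script or from OpenDNSSEC): it waits until the signed zone file actually exists, carries DNSKEY and RRSIG records and has a serial newer than the unsigned copy, so the external view is only reloaded once there is something signed to serve. It assumes one record per line with the IN class, as ods-signer writes; the sample zones are constructed.

```bash
#!/bin/bash
# Added example (not from the original post): before reloading BIND's external
# view, check that ods-signer really wrote a signed zone with a fresh serial.
# Assumes one record per line with the IN class, as ods-signer writes them.

# SOA serial of a text zone: skip comments and RRSIG/NSEC lines (they say "SOA" too).
soa_serial() {
    awk '!/^;/ && !/[[:space:]](RRSIG|NSEC|NSEC3)[[:space:]]/ {
            for (i = 2; i <= NF; i++)
                if ($i == "SOA") { print $(i + 3); exit }
         }' "$1"
}

# 0 only if SIGNED exists, carries DNSKEY and an RRSIG over the SOA, and its
# serial is a number greater than the serial in UNSIGNED (when one is given).
signed_zone_ready() {
    local signed="$1" unsigned="$2" s_serial u_serial
    [ -s "$signed" ] || { echo "no signed zone at $signed" >&2; return 1; }
    grep -Eq '[[:space:]]DNSKEY[[:space:]]' "$signed" ||
        { echo "$signed has no DNSKEY records" >&2; return 1; }
    grep -Eq '[[:space:]]RRSIG[[:space:]]+SOA[[:space:]]' "$signed" ||
        { echo "$signed has no RRSIG over the SOA" >&2; return 1; }
    s_serial=$(soa_serial "$signed")
    case "$s_serial" in ''|*[!0-9]*) echo "bad serial '$s_serial'" >&2; return 1;; esac
    if [ -n "$unsigned" ]; then
        u_serial=$(soa_serial "$unsigned")
        # Plain integer comparison; RFC 1982 serial wrap-around is not handled here.
        [ "$s_serial" -gt "${u_serial:-0}" ] ||
            { echo "serial $s_serial is not newer than $u_serial" >&2; return 1; }
    fi
}

# ods-signer works asynchronously: poll for the signed zone for up to TIMEOUT seconds.
wait_for_signed_zone() {
    local signed="$1" unsigned="$2" timeout="${3:-60}" t=0
    until signed_zone_ready "$signed" "$unsigned" 2>/dev/null; do
        [ "$t" -lt "$timeout" ] || return 1
        sleep 1; t=$((t + 1))
    done
}

# Constructed sample zones (not real data) so the check can be tried offline.
write_sample_zones() {
    mkdir -p "$1/signed"
    printf '%s\n' 'example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2010070201 3600 900 1209600 3600' 'example.com. 3600 IN NS ns1.example.com.' > "$1/example.com"
    printf '%s\n' 'example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2010070202 3600 900 1209600 3600' \
        'example.com. 3600 IN RRSIG SOA 8 2 3600 20100801000000 20100702000000 12345 example.com. c2lnbmF0dXJl' \
        'example.com. 3600 IN DNSKEY 257 3 8 AwEAAcAAAAA=' \
        'example.com. 3600 IN NSEC ns1.example.com. NS SOA RRSIG NSEC DNSKEY' > "$1/signed/example.com"
}
```

To try it offline, call `write_sample_zones DIR` and then `signed_zone_ready DIR/signed/example.com DIR/example.com`; in a real add-zone script, run `wait_for_signed_zone` on the file ods-signer writes before reloading bind.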
