[Opendnssec-user] Integrating OpenDNSSEC in an existing setup
Martijn Brekhof
m.brekhof at gmail.com
Fri Jun 4 15:22:39 UTC 2010
Hi,
I am currently setting up OpenDNSSEC for the Dutch nl zone and I am trying to integrate it with their zone creation and checking system.
In steps I designed the following system:
1. Every two hours the create_and_check_zonefile script places the new zone in /var/named/unsigned/ and it calls 'rndc -s localhost reload'
2. The localhost nameserver loads the new zone and notifies opendnssec
3. OpenDNSSEC fetches the zone (AXFR) and signs it and places it under
/var/named/signed/
4. OpenDNSSEC calls 'rndc reload' for the hidden primary that will publish the signed zone to the secondary nameservers
In the above setup I require two nameservers and I would like to come up with a setup that does not require an additional nameserver running.
So in steps I would like to change the above system to do something as follows:
1. Every two hours the create_and_check_zonefile script places the new zone in /var/named/unsigned/ and it calls 'ods-control signer sign nl'
2. OpenDNSSEC signs the zone in /var/named/unsigned/ and places it in
/var/named/signed/
3. OpenDNSSEC calls rndc reload for the hidden primary that will publish the
signed zone to the secondary nameservers
The problem I noticed with this setup is that, while running, the OpenDNSSEC daemons or scripts seem to periodically use the zone file on disk. This may cause a conflict when the script in step 1 places a new zone file while some OpenDNSSEC daemon or script is using it.
Is there a safe way to copy a new unsigned zone to be signed by OpenDNSSEC?
For instance, by disabling the periodic checks and let the script in step 1
take the initiative for signing the zone?
Best regards,
Martijn Brekhof
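One way to make step 1 of the second design safe against a concurrent reader, as an added example that is not part of the original post and not OpenDNSSEC's own tooling: write the new zone to a temporary file in the same directory and rename it over the old one, so a signer that opens the file at any moment sees either the complete old or the complete new zone, never a truncated one (a plain cp truncates the target before writing). The script also refuses a zone whose SOA serial has not increased and then kicks the signer once instead of relying on its periodic check. It assumes the zone name nl, a one-line SOA record in the form "@ IN SOA mname rname serial ...", and the OpenDNSSEC command `ods-signer sign nl` (the post uses `ods-control signer sign nl`; the command is configurable here via SIGN_CMD).

```shell
#!/bin/sh
# Added example, not from the post or the OpenDNSSEC project: atomic zone
# file replacement, SOA serial check, then a one-off signing run.
# Assumptions: zone "nl", SOA written as "@ IN SOA mname rname serial ...",
# signer CLI "ods-signer sign nl" (override with the SIGN_CMD variable).
set -eu

ZONE=${ZONE:-nl}
: "${SIGN_CMD:=ods-signer sign $ZONE}"

# zone_serial FILE: print the SOA serial, field 6 of "@ IN SOA mname rname serial ...".
zone_serial() {
    awk '$3 == "SOA" { print $6; exit }' "$1"
}

# install_zone SRC DEST: copy SRC to a hidden temporary file in DEST's own
# directory, then rename it over DEST. rename(2) is atomic within a single
# filesystem, so a process opening DEST gets either the whole old file or the
# whole new file. "cp SRC DEST" would truncate DEST first, which is the race
# the post worries about. (A production script would also fsync the temp file
# before the rename; plain sh has no fsync, so that step is omitted here.)
install_zone() {
    src=$1
    dest=$2
    destdir=$(dirname "$dest")
    tmp=$(mktemp "$destdir/.$(basename "$dest").XXXXXX")
    cp "$src" "$tmp"
    chmod 0644 "$tmp"      # mktemp creates 0600; the signer must be able to read it
    mv -f "$tmp" "$dest"
}

# publish_zone SRC DEST: refuse a zone whose serial did not increase (the
# secondaries would ignore a notify for it), install it atomically, then tell
# the signer to sign now rather than waiting for its periodic check.
publish_zone() {
    src=$1
    dest=$2
    new=$(zone_serial "$src")
    if [ -z "$new" ]; then
        echo "publish_zone: no SOA serial found in $src" >&2
        return 1
    fi
    if [ -f "$dest" ]; then
        old=$(zone_serial "$dest")
        if [ -n "$old" ] && [ "$new" -le "$old" ]; then
            echo "publish_zone: serial $new does not exceed published serial $old" >&2
            return 1
        fi
    fi
    install_zone "$src" "$dest"
    # SIGN_CMD is intentionally word-split (assumed default: ods-signer sign nl)
    $SIGN_CMD
}

# Demo on constructed data (run the script with --demo): two versions of a
# minimal zone in a temp dir, with the signer call replaced by "true".
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    mkdir "$work/unsigned"
    printf '@ IN SOA ns1.%s. hostmaster.%s. 2010060401 3600 900 1209600 3600\n' \
        "$ZONE" "$ZONE" > "$work/v1"
    printf '@ IN SOA ns1.%s. hostmaster.%s. 2010060402 3600 900 1209600 3600\n' \
        "$ZONE" "$ZONE" > "$work/v2"
    SIGN_CMD=true
    publish_zone "$work/v1" "$work/unsigned/$ZONE"
    publish_zone "$work/v2" "$work/unsigned/$ZONE"
    echo "published serial $(zone_serial "$work/unsigned/$ZONE")"
    rm -rf "$work"
fi
```

In the setup from the post the call would be `publish_zone /path/to/new.nl /var/named/unsigned/nl` at the end of create_and_check_zonefile. Because the rename is atomic, it does not matter whether the signer's periodic check or the explicit sign command reads the file first: both see a complete zone with the same serial, and the serial check stops an unchanged or regressed zone from being pushed to the hidden primary.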