[Opendnssec-user] Integrating OpenDNSSEC in an existing setup

Martijn Brekhof m.brekhof at gmail.com
Fri Jun 4 15:22:39 UTC 2010


Hi,

I am currently setting up OpenDNSSEC for the Dutch nl zone and I am trying to
integrate it with their zone creation and checking system.

In steps, I designed the following system:

1. Every two hours the create_and_check_zonefile script places the new zone
   in /var/named/unsigned/ and it calls 'rndc -s localhost reload'
2. The localhost nameserver loads the new zone and notifies OpenDNSSEC
3. OpenDNSSEC fetches the zone (AXFR) and signs it and places it under
   /var/named/signed/
4. OpenDNSSEC calls 'rndc reload' for the hidden primary that will publish
   the signed zone to the secondary nameservers

In the above setup I require two nameservers and I would like to come up
with a setup that does not require an additional nameserver running.
So in steps I would like to change the above system to do something as
follows:

1. Every two hours the create_and_check_zonefile script places the new zone
   in /var/named/unsigned/ and it calls 'ods-control signer sign nl'
2. OpenDNSSEC signs the zone in /var/named/unsigned/ and places it in
   /var/named/signed/
3. OpenDNSSEC calls rndc reload for the hidden primary that will publish the
   signed zone to the secondary nameservers

The problem I noticed with this setup is that, while running, the OpenDNSSEC
daemons or scripts seem to periodically use the zone file on disk. This may
cause a conflict when the script in step 1 places a new zone file while some
OpenDNSSEC daemon or script is using it.
Is there a safe way to copy a new unsigned zone to be signed by OpenDNSSEC?
For instance, by disabling the periodic checks and letting the script in
step 1 take the initiative for signing the zone?

Best regards,
Martijn Brekhof
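
The conflict described in the message (a new zone file being placed while a reader has the old one in use) is the kind of race a write-then-rename install avoids. The following is an added example, not part of the original post and not OpenDNSSEC code; the function name `install_zone` and the file name `nl` under /var/named/unsigned/ are hypothetical, and it assumes the reader opens the zone file by path and that the temporary file is on the same filesystem as the target.

```shell
#!/bin/sh
# Added example (not from the original post): atomically install a new
# unsigned zone file so a concurrent reader never sees a partial file.
# Assumptions: the reader opens the file by path; the temporary file and
# the destination are on the same filesystem.

# install_zone SRC DEST
# Copies SRC to a temporary name beside DEST, then renames it over DEST.
# A rename within one filesystem is atomic: a reader gets either the old
# file or the complete new one. A reader that already has the old file
# open keeps reading the old, intact contents.
install_zone() {
    src=$1
    dest=$2

    # Refuse missing or empty input so a failed generation run never
    # replaces a good zone.
    [ -s "$src" ] || return 1

    dir=$(dirname "$dest")
    tmp=$(mktemp "$dir/.zone.XXXXXX") || return 1

    if ! cp "$src" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # mktemp creates the file with mode 0600; 0644 is an assumed mode that
    # lets the signer and nameserver accounts read it.
    chmod 0644 "$tmp"

    if ! mv -f "$tmp" "$dest"; then
        rm -f "$tmp"
        return 1
    fi
}

# Possible use in step 1 of the second workflow (zone file name "nl" and
# the source path are hypothetical; the ods-control command is the one
# quoted in the post):
#   install_zone /tmp/nl.checked /var/named/unsigned/nl \
#       && ods-control signer sign nl
```

Copying directly onto the destination path, by contrast, truncates and rewrites the file in place, which is what exposes a reader to a half-written zone.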