[Opendnssec-user] Notifying slaves
Scott Armitage
S.P.Armitage at lboro.ac.uk
Fri Jun 11 10:23:09 UTC 2010
Hi,
I'm new to OpenDNSSEC and despite reading through the documentation I am a little unclear as to the working of OpenDNSSEC. From presentations I have been to, I imagined that it worked like this:
* OpenDNSSEC listens for NOTIFY messages from a Master DNS Server
* OpenDNSSEC AXFR zone transfers from Master (on NOTIFY)
* OpenDNSSEC signs, then audits zones
* OpenDNSSEC NOTIFYs slaves
* Slave DNS Servers AXFR from OpenDNSSEC
-------------------                -----------------------                ------------------
| Master DNS      | === NOTIFY ===> | OpenDNSSEC         | === NOTIFY ===> | Slave DNS      |
-------------------                -----------------------                ------------------
                                          |           ^
                                          |--> SIGN --|
However, from reading the documentation it seems like OpenDNSSEC doesn't do the final 2 steps: send NOTIFY messages, and AXFR to requesting slaves. It seems like you need to run a DNS server on the same box as OpenDNSSEC; ODS then triggers the rebuilding of the DNS once it has signed the zone:
conf.xml

    <Signer>
        <!--
        <Privileges>
            <User>opendnssec</User>
            <Group>opendnssec</Group>
        </Privileges>
        -->
        <WorkingDirectory>/var/lib/opendnssec/tmp</WorkingDirectory>
        <WorkerThreads>3</WorkerThreads>
        <!-- the <NotifyCommand> will expand the following variables:
             %zone      the name of the zone that was signed
             %zonefile  the filename of the signed zone
        -->
        <!--
        <NotifyCommand>/usr/local/bin/my_nameserver_reload_command</NotifyCommand>
        -->
        <!--
        <NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
        -->
    </Signer>
Can anyone help me out?
Thanks
Scott
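The NotifyCommand hook shown in the conf.xml above, as an added example that is not part of the original post or of OpenDNSSEC's own distribution: a hypothetical wrapper script (assumed to be installed as /usr/local/bin/ods-notify.sh, with rndc and named-checkzone at the paths given in the script) that validates the expanded %zone and %zonefile values and checks the signed zone parses before reloading it in a BIND nameserver running on the same box.

```shell
#!/bin/sh
# Hypothetical NotifyCommand wrapper (constructed example, not OpenDNSSEC code).
# Assumed conf.xml line:
#   <NotifyCommand>/usr/local/bin/ods-notify.sh %zone %zonefile</NotifyCommand>
# OpenDNSSEC substitutes %zone and %zonefile before running the command, so
# both values are treated as untrusted input before reaching rndc.

RNDC="${RNDC:-/usr/sbin/rndc}"                       # assumed path
CHECKZONE="${CHECKZONE:-/usr/sbin/named-checkzone}"  # assumed path

# Accept only hostname-safe characters (letters, digits, '-', '.', '_'),
# so shell metacharacters in a zone name can never be interpreted.
validate_zone_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The signed zone file must be an absolute path to an existing regular file.
validate_zonefile() {
    case "$1" in
        /*) [ -f "$1" ] ;;
        *)  return 1 ;;
    esac
}

# Render the reload command for the log; the real call passes the zone as
# a separate argument and never goes through eval.
reload_command() {
    printf '%s reload %s\n' "$RNDC" "$1"
}

main() {
    zone="$1"
    zonefile="$2"
    validate_zone_name "$zone" || { echo "refusing zone name: $zone" >&2; exit 2; }
    validate_zonefile "$zonefile" || { echo "missing zonefile: $zonefile" >&2; exit 2; }
    # Parse the signed zone before asking the nameserver to load it, so a
    # broken signing run is caught here instead of taking the zone offline.
    if [ -x "$CHECKZONE" ]; then
        "$CHECKZONE" -q "$zone" "$zonefile" || { echo "checkzone failed: $zone" >&2; exit 3; }
    fi
    logger -t ods-notify "$(reload_command "$zone")"
    exec "$RNDC" reload "$zone"
}
# Only act when invoked by OpenDNSSEC with both arguments.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

The slaves still need to be configured to transfer from the box running the nameserver, since this script only reloads the local server after signing.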