[Opendnssec-user] Notfiying slaves

Scott Armitage S.P.Armitage at lboro.ac.uk
Fri Jun 11 12:23:09 CEST 2010


Hi,

I'm new to OpenDNSSEC and despite reading through the documentation I am a little unclear as to the working of OpenDNSSEC.  From presentations I have been to, I imagined that it worked like this:


* OpenDNSSEC listens for NOTIFY messages from a Master DNS Server
* OpenDNSSEC AXFR zone transfers from Master (on NOTIFY)
* OpenDNSSEC signs, then audits zones
* OpenDNSSEC NOTIFYs slaves
* Slave DNS Servers AXFR from OpenDNSSEC

--------------------                                    ----------------------                                     ------------------
| Master DNS  | === NOTIFY ===> | OpenDNSSEC |===NOTIFY=====> | Slave DNS |
|-------------------                                    -----------------------                                    ------------------
                                                                  |                       |
                                                                  | ---> SIGN ---|



However from reading documentation it seems like OpenDNSSEC doesn't do the final 2 steps; Send NOTIFY messages, and AXFR to requesting Slaves.  It seems like you need to run a DNS Server on the same box as the OpenDNSSEC,  ODS then triggers the rebuilding of the DNS once it has signed the zone:

conf.xml

	<Signer>
	        <!--
		<Privileges>
			<User>opendnssec</User>
			<Group>opendnssec</Group>
		</Privileges>
		-->
		<WorkingDirectory>/var/lib/opendnssec/tmp</WorkingDirectory>
		<WorkerThreads>3</WorkerThreads>

		<!-- the <NotifyCommmand> will expand the following variables:

		     %zone      the name of the zone that was signed
		     %zonefile  the filename of the signed zone
		-->
<!--
		<NotifyCommand>/usr/local/bin/my_nameserver_reload_command</NotifyCommand>
-->
<!--
		<NotifyCommand>/usr/sbin/rndc reload %zone</NotifyCommand>
-->
	</Signer>



Can anyone help me out?


Thanks

Scott



-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 203 bytes
Desc: This is a digitally signed message part
URL: <https://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20100611/3325fcb2/attachment.sig>


More information about the Opendnssec-user mailing list