[Opendnssec-user] OpenDNSSEC AXFR question

Volker Janzen voja at voja.de
Fri Jun 25 11:11:23 CEST 2010


Hi Matthijs,

thanks for your reply.

> If there is no .axfr file, it cannot be moved to be the designated
> unsigned input file. Was the transfer successful?

This was the correct question. bind was sending notifies, but no sign of a
client trying to AXFR. I did not notice that before because I was trying
to force signing via command line too.

Investigating with netstat I found out that my NotifyListen directives in
zonefetch.xml do not result in someone listening on the IP/port
combination.

I'm using these zonefetch.xml settings:

<!-- where to listen for notifies -->
<!-- DEFAULT: do not listen to notify on specific address -->
<NotifyListen><IPv4>myFirstIP</IPv4><Port>1234</Port></NotifyListen><NotifyListen><IPv4>mySecondIP</IPv4><Port>53</Port></NotifyListen>

(Just the first NotifyListen does not make a difference)

Changing the port to a higher number (I let OpenDNSSEC drop root
priviledges) does not have an effect either.

zonefetch.xml is also activated in conf.xml by

<ZoneFetchFile>/etc/opendnssec/zonefetch.xml</ZoneFetchFile>

Do you have any ideas what I need to check to find out what's wrong?


Best regards,
   Volker Janzen





More information about the Opendnssec-user mailing list