[Opendnssec-user] ods-ksmutil zone delete doesn't clean after itself

Rick van Rein rick at openfortress.nl
Mon Oct 11 09:12:39 UTC 2010


Hi,

> The signer gets confused if there still exists a signed zonefile in the
> output directory.

Yes, one thing we did in our scripting around OpenDNSSEC is to
remove zone files when we drop a zone from the signing discipline.
We wondered why the toolkit didn't do that but thought it not
worthy of a bug report or even a feature request.

> This can be avoided, before re-adding the zone, by remove the signed
> zone from the output directory.

Don't forget to empty the tmp directory entries as well.  I can't
remember where this caused trouble for us, but we were happier
when we started deleting those as well.  Again, that's hardly a
bug report -- we've been trying a few really wild things with
OpenDNSSEC in order to test its stability!

We also ended up explicitly removing the signed zone, BTW.  I'll
attach the relevant code blurb in a "use at your own risk" fashion.
You still want to do mutex stuff and so on, where applicable.


Hope this helps,
 -Rick

    ------- 8< ------- 8< ------- 8< ------- 8< ------- 8< -------

import os
import subprocess

# load_zonemap, gen_zonelist, gen_policies, activate_opendnssec_config,
# bindzonedir and hostname2portalhostname are site-specific helpers from the
# surrounding script and are not shown here.
zonemap = load_zonemap ()
gen_zonelist (zonemap)
gen_policies (zonemap)
#
# State: Locked, atomic_support, configured, generated.
# Cleanup zones if they are no longer signed.
#
for z in os.listdir ('/var/opendnssec/unsigned'):
	# Drop a fetched .axfr copy whose zone is no longer in the zone map.
	if z.endswith ('.axfr') and z [:-5] not in zonemap and z not in zonemap:
		os.unlink ('/var/opendnssec/unsigned/' + z)
for z in os.listdir ('/var/opendnssec/signconf'):
	# Drop the signer configuration of a zone no longer in the zone map.
	if z.endswith ('.xml') and z [:-4] not in zonemap:
		os.unlink ('/var/opendnssec/signconf/' + z)
reload_bind = False
for z in os.listdir (bindzonedir):
	# Drop the signed zone handed to BIND and remember to notify it.
	if z not in zonemap:
		os.unlink (bindzonedir + '/' + z)
		reload_bind = True
if reload_bind:
	subprocess.call (['/usr/local/surfdomeinen/bin/notify_bind'])
#
# State: Locked, atomic_support, configured, generated.
# Download zones if they are not currently available
#
zonelist = os.listdir ('/var/opendnssec/unsigned')
portal = hostname2portalhostname [os.uname () [1]]
for z in zonemap.keys ():
	# Argument lists instead of one shell string: a zone name containing
	# shell metacharacters cannot alter the local command (scp still hands
	# the remote path to the remote side's shell).
	subprocess.call (['sudo', '-u', 'portal', 'scp', '-q',
		'signer@' + portal + ':/opt/beheer/scripts/queue/local/export/' + z,
		'/home/portal/' + z + '.fetch'])
	if z + '.axfr' not in zonelist:
		subprocess.call (['/usr/local/surfdomeinen/bin/process_fetched', z])
#
# State: Locked, atomic_support, configured, generated.
#
activate_opendnssec_config ()
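The cleanup this thread describes, removing every on-disk leftover of a zone once it is gone from OpenDNSSEC's zone list (signed output, unsigned input, signconf, tmp) and touching nothing else, as an added example that is neither Rick's script nor OpenDNSSEC's own code. It derives the live zone set from zonelist.xml rather than from a site-specific zone map, so it generalises the script above. It assumes the OpenDNSSEC 1.x layout under /var/opendnssec and that per-zone files are named after the zone plus an optional suffix; the suffixes listed for the tmp directory are a guess, and the zonelist.xml and directory contents built in demo() are constructed.

```python
"""Remove stale OpenDNSSEC per-zone files after a zone is dropped from zonelist.xml.

Added example, not Rick's script and not OpenDNSSEC code.  Assumes the 1.x
layout under /var/opendnssec; the tmp-directory suffixes are an assumption.
"""
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Directory -> suffixes a per-zone file there may carry ("" = the bare zone name).
ZONE_DIRS = {
    "/var/opendnssec/signed": ("",),
    "/var/opendnssec/unsigned": ("", ".axfr"),
    "/var/opendnssec/signconf": (".xml",),
    "/var/opendnssec/tmp": (".serial", ".backup"),   # assumed; no bare-name files
}

# A zone stem must look like a dotted host name; single-label names (lock
# files, "zonelist", ...) are deliberately never treated as zone files.
ZONE_RE = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)+$", re.IGNORECASE)


def live_zones(zonelist_xml):
    """Zones OpenDNSSEC still signs, from the <Zone name="..."> elements."""
    root = ET.fromstring(zonelist_xml)
    return {z.get("name").rstrip(".").lower() for z in root.iter("Zone") if z.get("name")}


def zone_of(filename, suffixes):
    """Zone a per-zone file belongs to, or None if it does not look like one.
    The longest applicable suffix decides, so 'example.org.xml' -> 'example.org'."""
    for suffix in sorted(suffixes, key=len, reverse=True):
        if suffix and not filename.endswith(suffix):
            continue
        stem = filename[:-len(suffix)] if suffix else filename
        return stem.lower() if ZONE_RE.match(stem) else None
    return None


def stale_files(directory, live, suffixes):
    """Regular files in `directory` that belong to a zone not in `live`.
    Dotfiles, symlinks and names that are not zone-like are never reported."""
    stale = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if name.startswith(".") or os.path.islink(path) or not os.path.isfile(path):
            continue
        zone = zone_of(name, suffixes)
        if zone is not None and zone not in live:
            stale.append(path)
    return stale


def cleanup(zonelist_xml, zone_dirs=ZONE_DIRS, delete=False):
    """Return the stale paths across all zone directories; unlink them if delete=True."""
    live = live_zones(zonelist_xml)
    stale = []
    for directory, suffixes in zone_dirs.items():
        if os.path.isdir(directory):
            stale.extend(stale_files(directory, live, suffixes))
    if delete:
        for path in stale:
            os.unlink(path)
    return stale


def demo():
    """Constructed sample tree: example.org stays signed, example.com was dropped.
    Returns (removed, remaining) as 'subdir/file' strings."""
    zonelist = """<?xml version="1.0" encoding="UTF-8"?>
<ZoneList>
  <Zone name="example.org">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.org.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/example.org</File></Input>
      <Output><File>/var/opendnssec/signed/example.org</File></Output>
    </Adapters>
  </Zone>
</ZoneList>"""
    layout = {
        "signed": ["example.org", "example.com"],
        "unsigned": ["example.org", "example.com", "example.com.axfr"],
        "signconf": ["example.org.xml", "example.com.xml"],
        "tmp": ["example.org.serial", "example.com.serial", "signer.lock"],
    }
    root = tempfile.mkdtemp(prefix="ods-cleanup-")
    try:
        dirs = {}
        for sub, files in layout.items():
            dirs[sub] = os.path.join(root, sub)
            os.mkdir(dirs[sub])
            for name in files:
                with open(os.path.join(dirs[sub], name), "w") as fh:
                    fh.write("constructed\n")
        zone_dirs = {d: ZONE_DIRS["/var/opendnssec/" + sub] for sub, d in dirs.items()}
        sub_of = {d: sub for sub, d in dirs.items()}
        removed = sorted(sub_of[os.path.dirname(p)] + "/" + os.path.basename(p)
                         for p in cleanup(zonelist, zone_dirs, delete=True))
        remaining = sorted(sub + "/" + f for sub, d in dirs.items() for f in os.listdir(d))
        return removed, remaining
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    import sys
    with open("/etc/opendnssec/zonelist.xml") as fh:
        for path in cleanup(fh.read(), delete="--delete" in sys.argv):
            print(path)
```

Run without arguments it only lists what it would remove; pass --delete to unlink. The per-directory suffix table is what keeps it from deleting the signer's lock or other bookkeeping files, so extend it rather than adding a catch-all when a new file kind shows up.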



