[Opendnssec-user] Some questions from a new ods user

Georg Sluyterman
Thu Jul 5 07:35:54 UTC 2012


I have a few questions that I had trouble finding answers for in the wiki/mailing lists. I hope you can help me out :)

When I perform a 'softhsm --init-token' I get asked about the SO and User PIN, however it seems only possible to enter one PIN in conf.xml. As far as I have found out, the only way to get it working is to set both PINs the same and enter that PIN in conf.xml. Is that the correct way (it seems a bit wrong..)? If not, what PIN should be entered in conf.xml: SO or User?

When I have added a new zone and wish to let ods get on with generating keys and signing the zone right away instead of waiting e.g. up to an hour, what command should I be running?

Is it possible to have several separate files for a given zone? (split horizon DNS) If yes, how is that managed? It seems the ods-ksmutil does not handle multiple file names for --input/--output

Is it possible to create a policy that does not sign a zone at all, in order to have the flow of zones running through ods and not having to split it up? (In a scenario when only some zones are signed)

When I delete a zone that I have just added (i.e. no signing has been performed yet) the zones still appear in zonelist.xml. Is there some delay that I should be aware of (i.e. cleaning key material etc. first, the next time enforcerd starts)? The command output is:
# ods-ksmutil zone delete --zone example.org 
zonelist filename set to /etc/opendnssec/zonelist.xml.

When I choose an algorithm type for NSEC3 it seems that only key type 1 is allowed and not e.g. 5 or 7, although key type 1 is deprecated according to IANA (http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.txt). Is this about to change, or is there some reason why this is the case?

Georg Sluyterman

