[Opendnssec-user] Some questions from a new ods user

Sander Smeenk ssmeenk at freshdot.net
Thu Jul 5 08:27:33 UTC 2012

Quoting Georg Sluyterman (georg at sman.dk):

> When I perform a 'softhsm --init-token' I get asked about the SO and
> User PIN, however it seems only possible to enter one PIN in conf.xml.
> As far as I have found out the only way to get it working is to set
> both PINs the same and enter that PIN in conf.xml. Is that the correct
> way (it seems a bit wrong)? If not, what PIN should be entered in
> conf.xml: SO or User?

You can have different SO and User PINs.
You should specify the User PIN in conf.xml.
AFAIK the SO PIN isn't actively used by SoftHSM anyway.

> When I have added a new zone and wish to let ods get on with
> generating keys and signing the zone right away instead of waiting
> e.g. up to an hour, what command should I be running?

After 'ods-ksmutil zone add', run 'ods-ksmutil update zonelist'.
This will trigger the enforcer to generate keys and will place the zone
on the signer's queue. If you want, you could request an immediate sign
by calling 'ods-signer sign $zone' after the update.
Make sure the enforcer is done with generating keys or the signer will
'fail' and retry later.

> Is it possible to have several separate files for a given zone (split
> horizon DNS)? If yes, how is that managed? It seems ods-ksmutil
> does not handle multiple file names for --input/--output.

AFAIK this is not implemented.

> Is it possible to create a policy that does not sign a zone at all, in
> order to have the flow of zones running through ods and not having to
> split it up? (In a scenario when only some zones are signed)

AFAIK it is not possible to have a policy that does NOT sign zones.
I'm not sure why you would want that.
Just don't add zones that don't need signing? :)

> When I delete a zone that I have just added (i.e. no signing has been
> performed yet), the zone still appears in zonelist.xml. Is there some
> delay that I should be aware of (i.e. cleaning key material etc.
> first, the next time enforcerd starts)? The command output is:
> # ods-ksmutil zone delete --zone example.org 
> zonelist filename set to /etc/opendnssec/zonelist.xml.

Again, run 'ods-ksmutil update zonelist' after removing a zone to have
it updated immediately. Also, there are (were?) some issues with
removing zones from ODS, breaking keystates etc. Refer to the archives
for more information on that.

> When I choose an algorithm type for NSEC3 it seems that only key type
> 1 is allowed and not e.g. 5 or 7, although key type 1 is deprecated
> according to IANA
> (http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.txt).
> Is this about to change, or is there some reason why this is the case?

No idea. :)
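The add-then-sign sequence from the reply above, wrapped in a small POSIX sh script so the signer is only called once the enforcer has produced keys. This is an added example, not code from the post or from the OpenDNSSEC project; it assumes the ods-ksmutil and ods-signer invocations mentioned in the reply, and it assumes a 'ods-ksmutil key list' output layout (zone in column 1, KSK or ZSK in column 2) that should be checked against your ODS version.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenDNSSEC.
# Sequence from the reply: zone add -> update zonelist -> wait until the
# enforcer has generated keys -> ods-signer sign. Signing earlier would
# make the signer "fail" and retry later.

# keys_ready ZONE: reads "ods-ksmutil key list" output on stdin and succeeds
# when at least one KSK and one ZSK line exist for ZONE.
# Assumed layout: zone name in column 1, key type (KSK/ZSK) in column 2.
keys_ready() {
    awk -v zone="$1" '
        $1 == zone && $2 == "KSK" { ksk++ }
        $1 == zone && $2 == "ZSK" { zsk++ }
        END { exit (ksk > 0 && zsk > 0) ? 0 : 1 }'
}

# add_and_sign ZONE INPUTFILE OUTPUTFILE: add the zone, push it to the
# enforcer/signer, poll for keys, then request an immediate sign.
# Poll interval (5 s) and limit (60 polls) are arbitrary choices.
add_and_sign() {
    zone="$1"; in="$2"; out="$3"
    ods-ksmutil zone add --zone "$zone" --input "$in" --output "$out" || return 1
    ods-ksmutil update zonelist || return 1
    tries=0
    until ods-ksmutil key list --zone "$zone" | keys_ready "$zone"; do
        tries=$((tries + 1))
        if [ "$tries" -ge 60 ]; then
            echo "no KSK+ZSK for $zone after $tries polls; not signing" >&2
            return 1
        fi
        sleep 5
    done
    ods-signer sign "$zone"
}

# Constructed sample key-list output (format assumed) for checking keys_ready
# without a running OpenDNSSEC installation.
SAMPLE_READY='Keys:
Zone:        Keytype:  State:    Date of next transition:
example.org  KSK       publish   2012-07-05 09:27:33
example.org  ZSK       active    2012-07-05 09:27:33'
SAMPLE_EMPTY='Keys:
Zone:        Keytype:  State:    Date of next transition:'
```

Run 'add_and_sign example.org /path/unsigned /path/signed' on the signer host; the two SAMPLE_ variables only exercise keys_ready.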

