[Opendnssec-user] Some questions from a new ods user

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jul 5 08:45:20 UTC 2012

On 07/05/2012 10:27 AM, Sander Smeenk wrote:
> Quoting Georg Sluyterman (georg at sman.dk):
>> When I perform a 'softhsm --init-token' I get asked about the SO
>> and User PIN, however it seems only possible to enter one PIN in
>> conf.xml. As far as I have found out the only way to get it
>> working is to set both PINs the same and enter that PIN in
>> conf.xml. Is that the correct way (it seems a bit wrong..), if
>> not, what PIN should be entered in conf.xml: SO or User?
> You can have different SO and User PINs. You should specify the
> User PIN in conf.xml AFAIK the SO-pin isn't actively used by
> SoftHSM anyways.
>> When I have added a new zone and wish to let ods get on with
>> generating keys and signing the zone right away instead of
>> waiting e.g. up to an hour, what command should I be running?
> After 'ods-ksmutil zone add', run 'ods-ksmutil update zonelist'. 
> This will trigger the enforcer to generate keys and will place the
> zone on the signer's queue. If you want, you could request an
> immediate sign by calling 'ods-signer sign $zone' after the
> update. Make sure the enforcer is done with generating keys or the
> signer will 'fail' and retry later.
>> Is it possible to have several separate files for a given zone?
>> (split horizon DNS) If yes, how is that managed? It seems the
>> ods-ksmutil does not handle multiple file names for
>> --input/--output
> AFAIK this is not implemented.

Correct, but it is on our radar.

>> Is it possible to create a policy that does not sign a zone at
>> all, in order to have the flow of zones running through ods and
>> not having to split it up? (In a scenario when only some zones
>> are signed)
> AFAIK it is not possible to have a policy that does NOT sign
> zones. I'm not sure why you would want that. Just don't add zones
> that don't need signing? :)

This is a feature that is intended to be in 2.0.0. I believe people
want that, because they have a mixed collection of DNSSEC enabled and
'plain' zones and want them to have the same work flow.

>> When I delete a zone that I have just added (i.e. no signing has
>> been performed yet) the zones still appear in zonelist.xml. Is
>> there some delay that I should be aware of (i.e. cleaning key
>> material etc. first, the next time enforcerd starts)? The command
>> output is:
>> # ods-ksmutil zone delete --zone example.org
>> zonelist filename set to /etc/opendnssec/zonelist.xml.
> Again, run 'ods-ksmutil update zonelist' after removing a zone to
> have it updated immediately. Also, there are (were?) some issues
> with removing zones from ODS, breaking keystates etc. Refer to the
> archives for more information on that.
>> When I choose an algorithm type for NSEC3 it seems that only key
>> type 1 is allowed and not e.g. 5 or 7, although key type 1 is
>> deprecated according to IANA
>> (http://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.txt).
>> Is this about to change, or is there some reason why this is the case?
> No idea. :)

The number 1 refers to the NSEC3 hash algorithm type. Only SHA-1 is
defined (1). I think you are confusing it with the DNSKEY algorithm
numbers, which should be set in the <Keys> section. If you want to use
NSEC3, you want to do 7.

Best regards,

> -Sndr.
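As an added illustration of the distinction Matthijs draws above (the NSEC3 <Hash><Algorithm> in kasp.xml takes an NSEC3 hash algorithm number, where 1 = SHA-1 is the only registered value, while the <Keys> section takes DNSKEY algorithm numbers such as 7), here is a small linter that flags the mix-up before the policy reaches the enforcer. This is example code written for this page, not OpenDNSSEC's own tooling; the element paths (Policy, Denial/NSEC3/Hash/Algorithm, Keys/KSK/Algorithm, Keys/ZSK/Algorithm) are the kasp.xml layout assumed here, and the embedded policy document is constructed for the example.

```python
"""Lint OpenDNSSEC kasp.xml policies for the NSEC3-hash vs DNSKEY-algorithm
mix-up discussed in this thread (added example; not OpenDNSSEC code)."""
import xml.etree.ElementTree as ET

# IANA DNSKEY algorithm numbers (subset). 1 (RSAMD5) is deprecated.
# 6 and 7 are the NSEC3-signalling variants of 3 and 5 from RFC 5155;
# algorithms numbered 8 and higher are NSEC3-capable as well.
DNSKEY_ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1",
    6: "DSA-NSEC3-SHA1", 7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384",
}
DEPRECATED_DNSKEY = {1}
NOT_NSEC3_AWARE = {1, 3, 5}            # pre-RFC 5155: do not signal NSEC3 support
NSEC3_HASH_ALGORITHMS = {1: "SHA-1"}   # the only NSEC3 hash algorithm registered

# Constructed sample kasp.xml (assumed element layout): one correct policy and
# one that makes the mistake from the thread -- DNSKEY number 7 placed in the
# NSEC3 <Hash>, and deprecated / NSEC3-unaware DNSKEY algorithms in <Keys>.
SAMPLE_KASP = """<KASP>
  <Policy name="nsec3-ok">
    <Denial><NSEC3><Hash>
      <Algorithm>1</Algorithm><Iterations>5</Iterations><Salt length="8"/>
    </Hash></NSEC3></Denial>
    <Keys>
      <KSK><Algorithm length="2048">7</Algorithm><Repository>SoftHSM</Repository></KSK>
      <ZSK><Algorithm length="1024">7</Algorithm><Repository>SoftHSM</Repository></ZSK>
    </Keys>
  </Policy>
  <Policy name="confused">
    <Denial><NSEC3><Hash>
      <Algorithm>7</Algorithm><Iterations>5</Iterations><Salt length="8"/>
    </Hash></NSEC3></Denial>
    <Keys>
      <KSK><Algorithm length="2048">1</Algorithm><Repository>SoftHSM</Repository></KSK>
      <ZSK><Algorithm length="1024">5</Algorithm><Repository>SoftHSM</Repository></ZSK>
    </Keys>
  </Policy>
</KASP>
"""


def lint_policy(policy):
    """Return a list of human-readable findings for one <Policy> element."""
    name = policy.get("name", "?")
    findings = []
    nsec3 = policy.find("Denial/NSEC3")
    if nsec3 is not None:
        hash_alg = nsec3.findtext("Hash/Algorithm")
        ok = (hash_alg is not None and hash_alg.strip().isdigit()
              and int(hash_alg) in NSEC3_HASH_ALGORITHMS)
        if not ok:
            findings.append(
                f"{name}: Denial/NSEC3/Hash/Algorithm must be 1 (SHA-1), "
                f"not {hash_alg!r}; DNSKEY algorithm numbers belong in <Keys>")
    for key_type in ("KSK", "ZSK"):
        for key in policy.findall(f"Keys/{key_type}"):
            alg_text = key.findtext("Algorithm")
            alg = int(alg_text) if alg_text and alg_text.strip().isdigit() else None
            label = f"{name}: Keys/{key_type}/Algorithm {alg_text!r}"
            if alg not in DNSKEY_ALGORITHMS:
                findings.append(f"{label} is not a known DNSKEY algorithm number")
            elif alg in DEPRECATED_DNSKEY:
                findings.append(
                    f"{label} ({DNSKEY_ALGORITHMS[alg]}) is deprecated by IANA")
            elif nsec3 is not None and alg in NOT_NSEC3_AWARE:
                findings.append(
                    f"{label} ({DNSKEY_ALGORITHMS[alg]}) does not signal NSEC3 "
                    f"support; use 7 (RSASHA1-NSEC3-SHA1) or a newer algorithm")
    return findings


def lint_kasp(xml_text):
    """Parse a kasp.xml document and return the findings for all its policies."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("Policy"):
        findings.extend(lint_policy(policy))
    return findings


if __name__ == "__main__":
    for line in lint_kasp(SAMPLE_KASP) or ["no findings"]:
        print(line)
```

Run against the constructed document, the "nsec3-ok" policy produces nothing and the "confused" policy produces three findings: the DNSKEY number in the NSEC3 hash slot, the deprecated RSAMD5 KSK, and a ZSK algorithm that pre-dates RFC 5155. To check a live installation, read the real file instead of SAMPLE_KASP (for example with `lint_kasp(open("/etc/opendnssec/kasp.xml").read())`).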
