[Opendnssec-user] Checking a zone file.

Fred Zwarts (KVI) F.Zwarts at KVI.nl
Thu Jun 28 10:10:47 UTC 2012

We have rather small zone files, which are edited with a simple editor. Of 
course this sometimes causes errors in the zone files. We have a small 
script that verifies the zone file, before they are copied to the place were 
they are processed by bind or by OpenDNSSES. In this script we use 
named-checkzone to check for errors before the files are copied. In this 
way, our name server continues to run and mistakes in editing the zones can 
be repaired without hurry.

It turns out, now that we use OpenDNSSEC, that sometimes OpenDNSSEC finds 
problems in the zone files that are not detected by named-checkzone. We find 
this only after a while, by inspecting the system log, when the file is 
already submitted to the OpenDNSSEC signer. If the messages are not detected 
in the system log, than the zone is no longer signed at regular intervals 
and signatures may expire.

What we would like is a feature where e.g., the signer can be used to read a 
given zone file, check it (issuing error messages if appropriate) and then 
exit with an exit value that can be used in a script to determine success or 
failure.  In case of failure, we will not copy the new zone file to the 
location where the signer expects its input file, so that the signer daemon 
will continue to refresh signatures, using the old version of the zone file.
I could not find something like this in the documentation.
If this can be accomplished already, can someone tell me how?
If not, what do you think of such a feature?


More information about the Opendnssec-user mailing list