[Opendnssec-user] Checking a zone file.

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jun 28 10:35:10 UTC 2012



Such a tool does not yet exist within the OpenDNSSEC project, but I
assume it would be fairly easy, as we can just reuse the read / check
code of the signer engine. I have added an issue for this:


Best regards,

On 06/28/2012 12:10 PM, Fred Zwarts (KVI) wrote:
> We have rather small zone files, which are edited with a simple
> editor. Of course this sometimes causes errors in the zone files.
> We have a small script that verifies the zone files before they are
> copied to the place where they are processed by bind or by
> OpenDNSSEC. In this script we use named-checkzone to check for
> errors before the files are copied. In this way, our name server
> continues to run and mistakes in editing the zones can be repaired
> without hurry.
> It turns out, now that we use OpenDNSSEC, that sometimes
> OpenDNSSEC finds problems in the zone files that are not detected
> by named-checkzone. We find this only after a while, by inspecting
> the system log, when the file is already submitted to the
> OpenDNSSEC signer. If the messages are not detected in the system
> log, then the zone is no longer signed at regular intervals and
> signatures may expire.
> What we would like is a feature where e.g., the signer can be used
> to read a given zone file, check it (issuing error messages if
> appropriate) and then exit with an exit value that can be used in a
> script to determine success or failure.  In case of failure, we
> will not copy the new zone file to the location where the signer
> expects its input file, so that the signer daemon will continue to
> refresh signatures, using the old version of the zone file. I could
> not find something like this in the documentation. If this can be
> accomplished already, can someone tell me how? If not, what do you
> think of such a feature?
> Fred.Zwarts.

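The gate described in the quoted message (check first, copy only on success, leave the old file in place on failure), as an added example that is not part of the original thread or of OpenDNSSEC. `deploy_zone` and `ZONE_CHECKERS` are hypothetical names; `named-checkzone` is the only checker the thread names, and the list takes more than one entry because the thread reports that it misses problems the signer later rejects.

```shell
#!/bin/sh
# Added example: gate a hand-edited zone file behind one or more checkers
# before it reaches the location the signer reads its input from.
#
# ZONE_CHECKERS (assumed name): newline-separated commands, each run as
#   <command> <zone-name> <candidate-file>
# and expected to exit 0 on success. The default is named-checkzone; a
# signer-side check would be a second line here once such a tool exists.
: "${ZONE_CHECKERS:=named-checkzone}"

# deploy_zone ZONE CANDIDATE DEST
# Returns 0 and replaces DEST only if every checker exits 0.
# Returns 1 and leaves DEST untouched otherwise, so the signer keeps
# refreshing signatures from the last known-good file.
deploy_zone() {
    zone=$1; candidate=$2; dest=$3

    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 1; }

    # Split the checker list on newlines only, so each entry may carry flags.
    old_ifs=$IFS
    IFS='
'
    for checker in $ZONE_CHECKERS; do
        IFS=$old_ifs
        if ! $checker "$zone" "$candidate" >&2; then
            echo "REJECTED $zone: '$checker' failed, $dest unchanged" >&2
            return 1
        fi
    done
    IFS=$old_ifs

    # Copy next to the destination, then rename: the rename is atomic on
    # one filesystem, so the signer never reads a half-written zone.
    tmp="$dest.tmp.$$"
    if cp "$candidate" "$tmp" && mv "$tmp" "$dest"; then
        echo "DEPLOYED $zone -> $dest" >&2
        return 0
    fi
    rm -f "$tmp"
    return 1
}
```

The non-zero return is what a calling script or cron job should alert on, rather than relying on someone reading the system log afterwards.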

