[Opendnssec-user] Checking a zone file.

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jun 28 10:35:10 UTC 2012


Hi,

Such a tool does not yet exist within the OpenDNSSEC project, but I
assume it would be fairly easy, as we can just reuse the read / check
code of the signer engine. I have added an issue for this:

	https://issues.opendnssec.org/browse/SUPPORT-31

Best regards,
  Matthijs

On 06/28/2012 12:10 PM, Fred Zwarts (KVI) wrote:
> We have rather small zone files, which are edited with a simple
> editor. Of course this sometimes causes errors in the zone files.
> We have a small script that verifies the zone files before they are
> copied to the place where they are processed by bind or by
> OpenDNSSEC. In this script we use named-checkzone to check for
> errors before the files are copied. In this way, our name server
> continues to run and mistakes in editing the zones can be repaired
> without hurry.
> 
> It turns out, now that we use OpenDNSSEC, that sometimes
> OpenDNSSEC finds problems in the zone files that are not detected
> by named-checkzone. We find this only after a while, by inspecting
> the system log, when the file is already submitted to the
> OpenDNSSEC signer. If the messages are not detected in the system
> log, then the zone is no longer signed at regular intervals and
> signatures may expire.
> 
> What we would like is a feature where e.g., the signer can be used
> to read a given zone file, check it (issuing error messages if
> appropriate) and then exit with an exit value that can be used in a
> script to determine success or failure.  In case of failure, we
> will not copy the new zone file to the location where the signer
> expects its input file, so that the signer daemon will continue to
> refresh signatures, using the old version of the zone file. I could
> not find something like this in the documentation. If this can be
> accomplished already, can someone tell me how? If not, what do you
> think of such a feature?
> 
> Fred.Zwarts.
> 

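The check-before-copy step described in the quoted message, as an added example that is not part of the original thread and not OpenDNSSEC code: the candidate file replaces the signer's input only if every configured checker exits 0, so a rejected edit leaves the old zone in place and signatures keep being refreshed. `ZONE_CHECKERS` and `install_zone` are hypothetical names; the only real tool assumed is `named-checkzone`, invoked as `named-checkzone <zone> <file>`.

```shell
#!/bin/sh
# Added example: gate a hand-edited zone file before the signer can see it.
# Assumption: every checker is run as "<checker> <zone> <file>" and exits 0
# when the file is acceptable (named-checkzone behaves this way). The list can
# be extended with a stricter checker once one is available.
ZONE_CHECKERS="${ZONE_CHECKERS:-named-checkzone}"

# install_zone ZONE CANDIDATE DEST
#   0  every checker passed and DEST was replaced
#   1  a checker rejected CANDIDATE; DEST is untouched
#   2  CANDIDATE is missing or empty; DEST is untouched
#   3  the copy/rename failed; DEST is untouched
install_zone() {
    zone=$1 candidate=$2 dest=$3

    # An empty file is almost always a failed save, not an intended zone.
    [ -s "$candidate" ] || { echo "$candidate: missing or empty" >&2; return 2; }

    for checker in $ZONE_CHECKERS; do
        if ! "$checker" "$zone" "$candidate" >&2; then
            echo "$zone: rejected by $checker, keeping existing $dest" >&2
            return 1
        fi
    done

    # Stage the copy in the destination directory, then rename it into place.
    # A rename within one filesystem is atomic, so the signer never reads a
    # half-written file.
    tmp=$(mktemp "$(dirname "$dest")/.zone.XXXXXX") || return 3
    if cp "$candidate" "$tmp" && chmod 0644 "$tmp" && mv "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 3
}

# Usage (paths are placeholders):
#   install_zone example.test ./example.test.edited /path/to/signer/input/example.test
```

The non-zero return codes let a calling script alert on a rejected edit immediately instead of relying on someone noticing signer errors in the system log.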


