[Opendnssec-user] How to implement AXFR from OpenDNSSEC to BIND

刘硕 shuoleo at 126.com
Fri Jun 29 03:06:10 UTC 2012


hi all,
I'm testing OpenDNSSEC 1.4 now. The work I have done is: get the zone file created from the database, then let OpenDNSSEC (192.168.1.24) sign it, and finally SEND it to another server (192.168.1.25) equipped with BIND and let BIND reload the signed zone file.
But I have not succeeded yet. My configuration files are as follows (I did not use Inbound in addns.xml, only Outbound, so I left Inbound unchanged):
addns.xml
....
<Adapter>
        <DNS>
                <TSIG>
                        <Name>secret.example.com</Name>
                        <!-- http://www.iana.org/assignments/tsig-algorithm-names -->
                        <Algorithm>hmac-md5</Algorithm>
                        <!-- base64 encoded secret -->
                        <Secret>L19PntmGH8OTnYQd+nNk+g==</Secret>
                </TSIG>

                <Inbound>
                        <!-- Address of host to request XFR from -->
                        <RequestTransfer>
                                <!-- EXAMPLE: send request to 1.2.3.4 on the default port 53 -->
                                <Remote>
                                        <Address>1.2.3.4</Address>
                                </Remote>
                                <!-- EXAMPLE: send request to dead:beef::1 on port 5353, TSIG signed with secret.example.com -->
                                <Remote>
                                        <Address>dead:beef::1</Address>
                                        <Port>5353</Port>
                                        <Key>secret.example.com</Key>
                                </Remote>
                        </RequestTransfer>

                        <!-- Allow NOTIFY messages from host -->
                        <AllowNotify>
                                <!-- EXAMPLE: allow notifies from 1.2.3.4 -->
                                <Peer>
                                        <Prefix>1.2.3.4</Prefix>
                                </Peer>
                        </AllowNotify>
                </Inbound>

                <Outbound>
                        <!-- Provide XFR to host -->
                        <ProvideTransfer>
                                <!-- EXAMPLE: provide XFR to 1.2.3.5 with key secret.example.com -->
                                <Peer>
                                        <Prefix>192.168.1.25</Prefix>
                                        <Key>secret.example.com</Key>
                                </Peer>
                        </ProvideTransfer>

                        <!-- Send NOTIFY messages to host -->
                        <Notify>
                                <!-- EXAMPLE: send NOTIFY to 1.2.3.5 on the default port 53 -->
                                <Remote>
                                        <Address>192.168.1.25</Address>
                                </Remote>
                        </Notify>
                </Outbound>
        </DNS>
....
zonelist.xml
....
 <Zone name="example.com">
                <Policy>default</Policy>
                <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
                <Adapters>
                        <Input>
                                <Adapter type="File">/var/opendnssec/unsigned/example.com</Adapter>
                        </Input>
                        <Output>
                                <Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter>
                        </Output>
                </Adapters>
        </Zone>
....

conf.xml
....
        <Signer>
                <WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
                <WorkerThreads>4</WorkerThreads>
                <SignerThreads>4</SignerThreads>
                <Listener>
                        <Interface><Port>53</Port></Interface>
                </Listener>
        </Signer>
....
In the syslog, I find
" ods-signerd: [engine] no dnshandler/listener configured, but zones are configured with dns adapters: notify and zone transfer requests will not work properly " 
" ods-signerd: [tools] unable to read zone example.com: adapter failed (General error) " 

Is there something wrong in the configuration files? Can anybody help me to implement the AXFR from OpenDNSSEC to BIND? Thanks a lot!

P.S.
I found that there are no elements such as <ZoneFetchFile> in <Common> and <NotifyListen> in conf.xml; maybe new documentation should be released :).





刘硕
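The BIND side of the setup described above, as an added example that is not part of the original post and not code shipped by OpenDNSSEC or BIND. It generates the named.conf fragment a BIND 9 secondary needs to pull the signed zone from the signer with the TSIG key from addns.xml (masters/allow-notify pinned to the signer, no onward transfers), sanity-checks the base64 secret, and prints the dig AXFR command to run against the signer before touching named. The addresses, zone name and key are the ones in the post; the slave file path under the BIND working directory and the "type slave"/"masters" spelling (the 9.9-era keywords, still accepted by newer releases) are assumptions.

```shell
#!/bin/sh
# Added example: BIND 9 secondary for a zone served by the OpenDNSSEC DNS output
# adapter. Values below are taken from the post; the file path is an assumption.
SIGNER=192.168.1.24
ZONE=example.com
KEY_NAME=secret.example.com
KEY_ALG=hmac-md5
KEY_SECRET='L19PntmGH8OTnYQd+nNk+g=='

# Decoded length of a base64 TSIG secret in bytes. A secret that does not decode
# cleanly on one side shows up on the wire only as BADKEY/BADSIG, so check it first.
secret_bytes() {
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# named.conf fragment for the secondary: pull the zone from the signer with the TSIG
# key, accept NOTIFY only from the signer, and hand the signed zone out to nobody by
# default (open allow-transfer up per-peer if downstream secondaries need it).
bind_secondary_conf() {
    cat <<EOF
key "$KEY_NAME" {
    algorithm $KEY_ALG;
    secret "$KEY_SECRET";
};

zone "$ZONE" {
    type slave;
    file "slaves/$ZONE.signed";   # assumed path, relative to BIND's directory
    masters { $SIGNER key "$KEY_NAME"; };
    allow-notify { $SIGNER; };
    allow-transfer { none; };
};
EOF
}

# The check to run on the secondary: if the signer answers this TSIG-signed AXFR, the
# adapter's ProvideTransfer peer and key are right; REFUSED points at the Prefix,
# BADKEY/BADSIG at the key name, algorithm or secret. Needs the network, so it is
# printed here rather than executed.
axfr_check_cmd() {
    printf 'dig @%s %s AXFR +noall +answer -y %s:%s:%s\n' \
        "$SIGNER" "$ZONE" "$KEY_ALG" "$KEY_NAME" "$KEY_SECRET"
}

echo "TSIG secret decodes to $(secret_bytes "$KEY_SECRET") bytes"
echo "--- named.conf fragment for $ZONE ---"
bind_secondary_conf
echo "--- run on 192.168.1.25 to test the transfer ---"
axfr_check_cmd
echo "rndc retransfer $ZONE   # after named has loaded the fragment"
```

Once the dig transfer succeeds, the same key must also sign the signer's NOTIFY for BIND to act on it; with a key configured under masters, BIND accepts both signed and unsigned NOTIFY from that address, so a NOTIFY that is ignored is more likely an allow-notify or listener problem than a TSIG one.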

