[Opendnssec-user] How to implement AXFR from OpenDNSSEC to BIND

Matthijs Mekking matthijs at nlnetlabs.nl
Fri Jun 29 08:53:49 UTC 2012

Hi 刘硕,

First of all, which version of 1.4 are you using (a1, a2, trunk)?

Second, the configuration files look fine to me. Maybe some
improvements: You don't need the Inbound part at all in the trunk
version if you use File Adapters as input.

The signer complains about the listener not being configured. But from
the looks of it, you do have <Listener> in conf.xml. The signer also
complains that it can not read from the input adapter.

Could you provide me a debug log (run ods-signer -vvvvvv) so I can
take a look why the signer thinks there is no listener and why reading
from the adapter fails? Thanks.

Best regards,

PS: The documentation on the wiki is for the 1.3 version, if you want
the documentation for 1.4 (trunk), please go to:


On 06/29/2012 05:06 AM, 刘硕 wrote:
> hi all, I'm testing opendnssec 1.4 now, the work I have done is get
> zone file created from database and then let
> opendnssec( signs it and finally SEND to another
> server( equipped with BIND and let BIND reload the
> signed zone file. But, I have not succeeded yet, my configuration
> files are as follows (I did not use Inbound in addns.xml, only the
> Outbound used, so I let Inbound not changed):
>
> addns.xml
> ....
> <Adapter>
>   <DNS>
>     <TSIG>
>       <Name>secret.example.com</Name>
>       <!-- http://www.iana.org/assignments/tsig-algorithm-names -->
>       <Algorithm>hmac-md5</Algorithm>
>       <!-- base64 encoded secret -->
>       <Secret>L19PntmGH8OTnYQd+nNk+g==</Secret>
>     </TSIG>
>     <Inbound>
>       <!-- Address of host to request XFR from -->
>       <RequestTransfer>
>         <!-- EXAMPLE: send request to on the default port 53 -->
>         <Remote>
>           <Address></Address>
>         </Remote>
>         <!-- EXAMPLE: send request to dead:beef::1 on port 5353, TSIG
>              signed with secret.example.com -->
>         <Remote>
>           <Address>dead:beef::1</Address>
>           <Port>5353</Port>
>           <Key>secret.example.com</Key>
>         </Remote>
>       </RequestTransfer>
>       <!-- Allow NOTIFY messages from host -->
>       <AllowNotify>
>         <!-- EXAMPLE: allow notifies from -->
>         <Peer>
>           <Prefix></Prefix>
>         </Peer>
>       </AllowNotify>
>     </Inbound>
>     <Outbound>
>       <!-- Provide XFR to host -->
>       <ProvideTransfer>
>         <!-- EXAMPLE: provide XFR to with key secret.example.com -->
>         <Peer>
>           <Prefix></Prefix>
>           <Key>secret.example.com</Key>
>         </Peer>
>       </ProvideTransfer>
>       <!-- Send NOTIFY messages to host -->
>       <Notify>
>         <!-- EXAMPLE: send NOTIFY to on the default port 53 -->
>         <Remote>
>           <Address></Address>
>         </Remote>
>       </Notify>
>     </Outbound>
>   </DNS>
> ....
>
> zonelist.xml
> ....
> <Zone name="example.com">
>   <Policy>default</Policy>
>   <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
>   <Input>
>     <Adapter type="File">/var/opendnssec/unsigned/example.com</Adapter>
>   </Input>
>   <Output>
>     <Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter>
>   </Output>
>   </Adapters>
> </Zone>
> ....
>
> conf.xml
> ....
> <Signer>
>   <WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
>   <WorkerThreads>4</WorkerThreads>
>   <SignerThreads>4</SignerThreads>
>   <Listener>
>     <Interface><Port>53</Port></Interface>
>   </Listener>
> </Signer>
> ....
>
> In the syslog, I find
> " ods-signerd: [engine] no dnshandler/listener configured, but zones are configured with dns adapters: notify and zone transfer requests will not work properly "
> " ods-signerd: [tools] unable to read zone example.com: adapter failed (General error) "
>
> Is there something wrong in the configuration files? Can anybody
> help me to implement the AXFR from OpenDNSSEC to BIND? Thanks a
> lot!
>
> P.S. I found that there are no elements such as <ZonfFechFile> in
> <Common> and <NotifyListen> in conf.xml, maybe a new documentation
> should be released :).