[Opendnssec-user] How to implement AXFR from OpenDNSSEC to BIND

Matthijs Mekking matthijs at nlnetlabs.nl
Fri Jun 29 08:53:49 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi 刘硕,

First of all, which version of 1.4 are you using (a1, a2, trunk)?

Second, the configuration files look fine to me. Maybe some
improvements: you don't need the Inbound part at all in the trunk
version if you use File Adapters as input.

The signer complains about the listener not being configured. But from
the looks of it, you do have <Listener> in conf.xml. The signer also
complains that it cannot read from the input adapter.

Could you provide me with a debug log (run ods-signer -vvvvvv) so I can
take a look at why the signer thinks there is no listener and why reading
from the adapter fails? Thanks.

Best regards,
Matthijs

PS: The documentation on the wiki is for the 1.3 version; if you want
the documentation for 1.4 (trunk), please go to:

	https://wiki.opendnssec.org/display/DOCSTRUNK


On 06/29/2012 05:06 AM, 刘硕 wrote:
> Hi all, I'm testing OpenDNSSEC 1.4 now. The work I have done is to get the
> zone file created from the database, then let OpenDNSSEC (192.168.1.24)
> sign it, and finally send it to another server (192.168.1.25) equipped
> with BIND and let BIND reload the signed zone file. But I have not
> succeeded yet. My configuration files are as follows (I did not use
> Inbound in addns.xml, only the Outbound is used, so I left Inbound
> unchanged):
>
> addns.xml
> ....
> <Adapter>
>   <DNS>
>     <TSIG>
>       <Name>secret.example.com</Name>
>       <!-- http://www.iana.org/assignments/tsig-algorithm-names -->
>       <Algorithm>hmac-md5</Algorithm>
>       <!-- base64 encoded secret -->
>       <Secret>L19PntmGH8OTnYQd+nNk+g==</Secret>
>     </TSIG>
>
>     <Inbound>
>       <!-- Address of host to request XFR from -->
>       <RequestTransfer>
>         <!-- EXAMPLE: send request to 1.2.3.4 on the default port 53 -->
>         <Remote>
>           <Address>1.2.3.4</Address>
>         </Remote>
>         <!-- EXAMPLE: send request to dead:beef::1 on port 5353, TSIG
>              signed with secret.example.com -->
>         <Remote>
>           <Address>dead:beef::1</Address>
>           <Port>5353</Port>
>           <Key>secret.example.com</Key>
>         </Remote>
>       </RequestTransfer>
>
>       <!-- Allow NOTIFY messages from host -->
>       <AllowNotify>
>         <!-- EXAMPLE: allow notifies from 1.2.3.4 -->
>         <Peer>
>           <Prefix>1.2.3.4</Prefix>
>         </Peer>
>       </AllowNotify>
>     </Inbound>
>
>     <Outbound>
>       <!-- Provide XFR to host -->
>       <ProvideTransfer>
>         <!-- EXAMPLE: provide XFR to 1.2.3.5 with key secret.example.com -->
>         <Peer>
>           <Prefix>192.168.1.25</Prefix>
>           <Key>secret.example.com</Key>
>         </Peer>
>       </ProvideTransfer>
>
>       <!-- Send NOTIFY messages to host -->
>       <Notify>
>         <!-- EXAMPLE: send NOTIFY to 1.2.3.5 on the default port 53 -->
>         <Remote>
>           <Address>192.168.1.25</Address>
>         </Remote>
>       </Notify>
>     </Outbound>
>   </DNS>
> ....
>
> zonelist.xml
> ....
> <Zone name="example.com">
>   <Policy>default</Policy>
>   <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
>   <Adapters>
>     <Input>
>       <Adapter type="File">/var/opendnssec/unsigned/example.com</Adapter>
>     </Input>
>     <Output>
>       <Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter>
>     </Output>
>   </Adapters>
> </Zone>
> ....
>
> conf.xml
> ....
> <Signer>
>   <WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
>   <WorkerThreads>4</WorkerThreads>
>   <SignerThreads>4</SignerThreads>
>   <Listener>
>     <Interface><Port>53</Port></Interface>
>   </Listener>
> </Signer>
> ....
>
> In the syslog, I find:
> "ods-signerd: [engine] no dnshandler/listener configured, but zones are configured with dns adapters: notify and zone transfer requests will not work properly"
> "ods-signerd: [tools] unable to read zone example.com: adapter failed (General error)"
>
> Is there something wrong in the configuration files? Can anybody help me
> to implement the AXFR from OpenDNSSEC to BIND? Thanks a lot!
>
> P.S. I found that there are no elements such as <ZoneFetchFile> in
> <Common> and <NotifyListen> in conf.xml; maybe new documentation
> should be released :).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJP7W0dAAoJEA8yVCPsQCW5RAgIAKRRgndyFEJHgYe5Dkg9nqZG
ZjJczyOGTjvj24Vb8kYJ8K9YMGyH/FVp6RsuYliV/1/3Qj3KJaBX7MlQdI0fL4UP
kixmQBUNnHf5MN4lj5MXWqIuYt6nCHJZ5DGaWGRkShuJ7hiu7RqDoZJZmapkf3dE
a3fZzJIUuLb/jasjQx1UCc0CE7IiOX4Poh65u/lZ+jXJn8KeHEyIWG7m1lDBmXD7
tAeLeheaQwuBn+95ftP79OcpO+SqZyFE1R9iacZ+aOMMBcb+IiFYVu5//rKMrmz5
L9N7OQen0D35Yv4HyICgL4R58GjY2HJLJz6e1jW44JL8tqhfYC+1IOSOt376PQU=
=rrB9
-----END PGP SIGNATURE-----
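The two syslog lines quoted in the thread each point at a concrete configuration condition: a zone with a DNS adapter but no <Listener> in conf.xml, and an adapter the signer cannot read. Added here as a worked example, not code from this thread or from the OpenDNSSEC project, is a small Python lint that parses the three files quoted above (rebuilt inline as constructed sample input; the TSIG secret is the thread's example value, not a key to deploy) and reports what a reviewer would check before restarting the signer: DNS-adapter zones without a Listener, <Key> references that name no <TSIG>, secrets that are not valid base64 or are shorter than the HMAC digest, the weak hmac-md5 algorithm, and an <Inbound> section that is never used because every zone reads from a File adapter, which is the point made in the reply. The root elements <Configuration>, <ZoneList> and <Adapter> are assumed from the standard OpenDNSSEC file layout; the finding texts and the lint function itself are this example's own.

```python
"""Lint an OpenDNSSEC 1.4 signer configuration for DNS-adapter (AXFR/NOTIFY) output.

Added example; not code from this thread or from the OpenDNSSEC project.
The three sample documents below are constructed from the snippets quoted
in the thread. The TSIG secret is the thread's example value, not a key to use.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

# HMAC digest sizes in bytes. A key shorter than the digest reduces the MAC's
# strength (RFC 2104 section 3); hmac-md5 is treated as a weak choice.
TSIG_DIGEST_LEN = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha224": 28,
                   "hmac-sha256": 32, "hmac-sha384": 48, "hmac-sha512": 64}
WEAK_TSIG_ALGS = {"hmac-md5"}

# conf.xml as posted (Listener present). Root element assumed: <Configuration>.
CONF_XML = """<Configuration><Signer>
  <WorkingDirectory>/var/opendnssec/tmp</WorkingDirectory>
  <WorkerThreads>4</WorkerThreads><SignerThreads>4</SignerThreads>
  <Listener><Interface><Port>53</Port></Interface></Listener>
</Signer></Configuration>"""

# The same file with the Listener removed: the case the first syslog line describes.
CONF_XML_NO_LISTENER = CONF_XML.replace(
    "<Listener><Interface><Port>53</Port></Interface></Listener>", "")

# zonelist.xml as posted: File input, DNS output. Root element assumed: <ZoneList>.
ZONELIST_XML = """<ZoneList><Zone name="example.com">
  <Policy>default</Policy>
  <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
  <Adapters>
    <Input><Adapter type="File">/var/opendnssec/unsigned/example.com</Adapter></Input>
    <Output><Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter></Output>
  </Adapters>
</Zone></ZoneList>"""

# addns.xml as posted, trimmed to the parts that matter for the outbound transfer.
ADDNS_XML = """<Adapter><DNS>
  <TSIG><Name>secret.example.com</Name><Algorithm>hmac-md5</Algorithm>
        <Secret>L19PntmGH8OTnYQd+nNk+g==</Secret></TSIG>
  <Inbound><RequestTransfer><Remote><Address>1.2.3.4</Address></Remote></RequestTransfer></Inbound>
  <Outbound>
    <ProvideTransfer><Peer><Prefix>192.168.1.25</Prefix><Key>secret.example.com</Key></Peer></ProvideTransfer>
    <Notify><Remote><Address>192.168.1.25</Address></Remote></Notify>
  </Outbound>
</DNS></Adapter>"""


def lint_configs(conf_xml, zonelist_xml, addns_xml):
    """Return a list of 'LEVEL: message' strings; an empty list means nothing to report."""
    findings = []
    conf = ET.fromstring(conf_xml)
    zonelist = ET.fromstring(zonelist_xml)
    addns = ET.fromstring(addns_xml)

    # 1. Any zone with a DNS adapter needs Signer/Listener in conf.xml; without it the
    #    signer logs "no dnshandler/listener configured" and NOTIFY/XFR do not work.
    dns_zones = []
    all_file_input = True
    for zone in zonelist.iter("Zone"):
        if any(a.get("type") == "DNS" for a in zone.iter("Adapter")):
            dns_zones.append(zone.get("name"))
        inp = zone.find("./Adapters/Input/Adapter")
        if inp is None or inp.get("type") != "File":
            all_file_input = False
    if dns_zones and conf.find("./Signer/Listener/Interface") is None:
        findings.append("ERROR: zones with DNS adapters (%s) but no <Listener><Interface> in conf.xml"
                        % ", ".join(dns_zones))

    # 2. Every <Key> under Inbound/Outbound must name a defined <TSIG>.
    tsigs = {(t.findtext("Name") or "").strip(): t for t in addns.iter("TSIG")}
    for key in addns.iter("Key"):
        ref = (key.text or "").strip()
        if ref not in tsigs:
            findings.append("ERROR: <Key>%s</Key> matches no <TSIG><Name>" % ref)

    # 3. Secrets must decode as base64 and be at least digest length; flag weak algorithms.
    for name, tsig in tsigs.items():
        alg = (tsig.findtext("Algorithm") or "").strip().lower()
        try:
            secret = base64.b64decode((tsig.findtext("Secret") or "").strip(), validate=True)
        except binascii.Error:
            findings.append("ERROR: TSIG %s: <Secret> is not valid base64" % name)
            continue
        if alg not in TSIG_DIGEST_LEN:
            findings.append("ERROR: TSIG %s: unsupported algorithm %r" % (name, alg))
            continue
        if alg in WEAK_TSIG_ALGS:
            findings.append("WARN: TSIG %s: %s is weak, prefer hmac-sha256" % (name, alg))
        if len(secret) < TSIG_DIGEST_LEN[alg]:
            findings.append("WARN: TSIG %s: secret is %d bytes, below the %d-byte %s digest"
                            % (name, len(secret), TSIG_DIGEST_LEN[alg], alg))

    # 4. With File input adapters only, <Inbound> (RequestTransfer/AllowNotify) is never used.
    if addns.find("./DNS/Inbound") is not None and dns_zones and all_file_input:
        findings.append("INFO: <Inbound> is present but every zone reads from a File adapter, so it is unused")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", CONF_XML), ("without Listener", CONF_XML_NO_LISTENER)):
        print("== conf.xml %s ==" % label)
        for line in lint_configs(conf, ZONELIST_XML, ADDNS_XML) or ["no findings"]:
            print(" ", line)
```

Run against the posted files the lint reports only the weak algorithm and the unused Inbound section, which matches the reply's reading that the files are essentially fine; with the Listener removed it reproduces the condition behind the first syslog line. The second line ("unable to read zone ... adapter failed") is a runtime failure of the File input adapter rather than a structural problem in the XML, so it is not something a static check can settle, which is why the reply asks for a debug log.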
