[Opendnssec-user] Number of non-DNSSEC resource records differs

Mathieu Arnold mat at mat.cc
Fri Mar 2 17:44:59 UTC 2012


+--On 2 March 2012 16:53:52 +0000 Einar Bjarni Halldórsson <einar at isnic.is>
wrote:
| Hi,
| 
| We're running ods packages from ports on a FreeBSD 8.1 server, version
| 1.3.5. Our inbound zone file is segmented with $INCLUDE directives. The
| auditor seems to be having trouble with this, since I get this in the
| logs:
| 
| ods-auditor[58671]: Number of non-DNSSEC resource records differs : 2 in
| /var/opendnssec/tmp/is.inbound, and 89393 in
| /var/opendnssec/tmp/is.finalized
| 
| I had to turn on partial auditing to get ods to sign the zone at all. Is
| there a workaround for segmented zone files or is the only choice to use
| one complete zone file as input to ods?

I use $GENERATE quite a lot and I find it easier to run named-compilezone
to clean up the zone file before it's given to the signer.

I use a Makefile to do just that (well, it does a lot more, but this is the
interesting part):

# Every existing *.signed file below the current directory (find -s sorts the walk).
SIGNED!= find -s * -name '*.signed'
# Where OpenDNSSEC reads its unsigned input zones from.
UNSIGNED=/usr/local/var/opendnssec/unsigned/

all: sign
sign: ${SIGNED}

# For each zone (path with the .signed suffix stripped): ${i:T} is the file's
# basename, and the zone name is that basename with '_' mapped back to '/'
# (presumably for zone names that contain a slash, e.g. RFC 2317 reverse zones).
.for i in ${SIGNED:R}
# Rebuild the flattened copy ($INCLUDE/$GENERATE expanded) when the source changes.
# Recipe lines must be indented with a tab.
${UNSIGNED}${i:T}: $i
	/usr/bin/time /usr/sbin/named-compilezone -o $@ ${i:T:S/_/\//} $>
# Then tell the signer to drop its cached copy of the zone and re-sign it.
$i.signed: ${UNSIGNED}${i:T}
	/usr/local/sbin/ods-signer clear ${i:T:S/_/\//}
	/usr/local/sbin/ods-signer sign ${i:T:S/_/\//}
.endfor

I run make in my /etc/namedb and the Makefile takes care of regenerating
the zone passed to opendnssec and telling the signer to resign the zone.

-- 
Mathieu Arnold

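To see why the auditor complains, here is an added example (my code, not part of the thread or of OpenDNSSEC) that counts non-DNSSEC records in a constructed $INCLUDE-segmented zone both literally, as the auditor appears to do, and after splicing in the included files, which is what feeding the zone through named-compilezone gives you. The DNSSEC type set, the loose zone-file parsing and the sample files are my assumptions.

```python
import os, re, tempfile
from pathlib import Path

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}  # assumed set
TTL_RE = re.compile(r"\d+[smhdw]?", re.I)

def zone_lines(path, follow_includes, depth=0):
    # Non-blank, comment-free lines; optionally splice in $INCLUDE files recursively.
    if depth > 16:
        raise RuntimeError("$INCLUDE nesting too deep at " + path)
    with open(path) as fh:
        for raw in fh:
            line = raw.split(";", 1)[0].rstrip()  # naive: ';' inside quotes
            if line.lstrip().upper().startswith("$INCLUDE"):
                if follow_includes:  # join() keeps an absolute include path as-is
                    inc = os.path.join(os.path.dirname(path), line.split()[1])
                    yield from zone_lines(inc, True, depth + 1)
            elif line.strip():
                yield line

def record_type(line):
    # Skip the owner (absent when the line starts with whitespace), TTL, class.
    toks = line.split()[0 if line[:1].isspace() else 1:]
    while toks and (TTL_RE.fullmatch(toks[0]) or toks[0].upper() in {"IN", "CH", "HS"}):
        toks = toks[1:]
    return toks[0].upper() if toks else ""

def count_non_dnssec_rrs(path, follow_includes):
    # A parenthesised multi-line record (e.g. SOA) counts once; $TTL/$ORIGIN/
    # $GENERATE lines are directives, not RRs ($GENERATE is not expanded here).
    count = depth = 0
    for line in zone_lines(path, follow_includes):
        if depth == 0 and not line.startswith("$"):
            count += record_type(line) not in DNSSEC_TYPES
        depth += line.count("(") - line.count(")")
    return count

SAMPLE = {  # constructed mini-zone, segmented with $INCLUDE like is.inbound
    "is.inbound": "$TTL 3600\n@ IN SOA ns1.is. hostmaster.is. (\n    2012030201 ; serial\n"
                  "    3600 900 604800 3600 )\n  IN NS ns1.is.\n$INCLUDE hosts.zone\n$INCLUDE delegations.zone\n",
    "hosts.zone": "ns1 IN A 192.0.2.1\nwww 300 IN A 192.0.2.2\nwww IN AAAA 2001:db8::2\n",
    "delegations.zone": "sub IN NS ns1.sub.is.\n    IN NS ns2.sub.is.\n",
}

def demo_counts():
    # Returns (count in the raw inbound file, as the auditor saw it; flattened count).
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            Path(tmp, name).write_text(body)
        return tuple(count_non_dnssec_rrs(os.path.join(tmp, "is.inbound"), f) for f in (False, True))
```

On the sample the literal count is 2 (SOA and NS, matching the "2 in is.inbound" in the log) while the flattened zone has 7, so the auditor's comparison is against a file it never expanded.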