[Opendnssec-user] syntax error in zonelist.xml -> destruction

Sara Dickinson sara at sinodun.com
Tue Nov 20 10:45:40 UTC 2012

On 19 Nov 2012, at 16:32, Casper Gielen wrote:

> Hello,
> this is a little precautionary tale for anyone running OpenDNSSEC.
> tl;dr Don't make syntax errors in zonelist.xml
> Today I added a new zone to opendnssec. We manage zonelist.xml by hand
> (it's stored in SVN). Unfortunately I made a typo and deleted one
> character (a '<') somewhere in the middle of the file. Unaware of the
> typo I loaded the broken zonelist.xml (with ods-ksmutil update all).
> OpenDNSSEC promptly informed me that it was unable to parse the
> zonefile. I found my mistake and loaded the new file and didn't
> think about it anymore until 15 minutes later every alarm in our system
> went off.
> Every zone after my typo had been erased and was being recreated.
> Unfortunately I did not realize the source of the problem right away.
> With hindsight the correct solution would have been to recover the
> entire OpenDNSSEC from backup. Instead I uploaded the new keys to our
> registrar.
> feature request: Please check the configuration for syntax-errors before
> acting upon it.

Hi Casper - thanks for alerting us to this. The xml syntax is checked and this 
should have been caught so this is a (nasty) bug.  Could you please report it at:


(if you still have the logs/example zonelist.xml please attach them to the issue as 
that would be really useful). Also - what version of OpenDNSSEC are you running?

For future reference you can run a standalone tool called ods-kaspcheck
that will check the xml files and produce logs like:

Nov 19 16:44:46 ods ods-kaspcheck: INFO: The XML in /etc/opendnssec/conf.xml is valid
Nov 19 16:44:46 ods ods-kaspcheck: INFO: The XML in /etc/opendnssec/zonelist.xml is valid
Nov 19 16:44:46 ods ods-kaspcheck: INFO: The XML in /etc/opendnssec/kasp.xml is valid

if everything is happy. These are the same checks that are (or should be!) run 
by OpenDNSSEC when it loads new xml files while running. 


> -- 
> Casper Gielen <cgielen at uvt.nl> | LIS UNIX
> PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7
> Universiteit van Tilburg | Postbus 90153, 5000 LE
> Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl

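A pre-flight gate for the failure described in this thread, as an added example (not part of the original messages and not OpenDNSSEC code): it refuses a hand-edited zonelist.xml that is not well-formed, or that would silently drop zones present in the last known-good copy. The zone names, the reduced Zone elements and all function names are constructed for illustration; it is meant to run alongside ods-kaspcheck, not to replace it.

```python
import xml.etree.ElementTree as ET


def _zonelist(*names):
    """Build a reduced, constructed zonelist.xml body (real files carry more per zone)."""
    zones = "".join(
        f'  <Zone name="{n}"><Policy>default</Policy></Zone>\n' for n in names
    )
    return f"<ZoneList>\n{zones}</ZoneList>\n"


# Constructed sample inputs, not taken from the thread.
KNOWN_GOOD = _zonelist("alpha.example", "beta.example", "gamma.example")
ADDED = _zonelist("alpha.example", "beta.example", "gamma.example", "delta.example")
# Same edit, but with one '<' deleted in the middle of the file.
BROKEN = ADDED.replace('<Zone name="beta.example">', 'Zone name="beta.example">')
# Well-formed XML that has lost every zone after the first one.
SHRUNK = _zonelist("alpha.example")


def zone_names(xml_text):
    """Return the set of zone names; raise ValueError if the file is unusable."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"zonelist is not well-formed XML: {exc}") from exc
    if root.tag != "ZoneList":
        raise ValueError(f"unexpected root element {root.tag!r}")
    names = [zone.get("name") for zone in root.findall("Zone")]
    if None in names or len(names) != len(set(names)):
        raise ValueError("Zone without a name, or duplicate zone name")
    return set(names)


def preflight(known_good, candidate, allow_removal=False):
    """Return (ok, message); ok is False when the candidate must not be loaded."""
    try:
        old, new = zone_names(known_good), zone_names(candidate)
    except ValueError as exc:
        return False, str(exc)
    removed = sorted(old - new)
    if removed and not allow_removal:
        return False, "would remove zones: " + ", ".join(removed)
    added = sorted(new - old)
    return True, f"ok: {len(added)} added, {len(removed)} removed"
```

Run the gate against the last committed revision (here, the SVN copy) before `ods-ksmutil update all`, and pass `allow_removal=True` only when zones are being retired on purpose.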