[Opendnssec-user] Migrating zones from file to axfr adapter?

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Jul 22 10:36:37 UTC 2013


Hi,

On 07/17/2013 11:29 PM, Havard Eidnes wrote:
> Hi,
> 
> I'm a newbie trying to find my way around OpenDNSSEC.  I started
> with 1.3.13, and after a few failed starts and some helpful hints
> from the people responding to bug reports, I managed to coerce
> OpenDNSSEC to produce a signed zone file, using the zonefetch
> method, and my /var/opendnssec tree now contains the following
> files:
> 
> ./signconf/156.193.in-addr.arpa.xml
> ./signconf/156.193.in-addr.arpa.xml.OLD
> ./signed/156.193.in-addr.arpa
> ./unsigned/156.193.in-addr.arpa
> ./unsigned/156.193.in-addr.arpa.axfr

The files in the signconf directory are produced by the enforcer.
The files in the signed and unsigned directories are produced by the
signer. Specifically, the .axfr file is written by the zone fetcher and
read by the signer engine.

> 
> Now, I've installed OpenDNSSEC version 1.4.1, and did the
> conversion of the Sqlite3 database, and want to start using the
> "axfr in" and "axfr out" adapters for this zone instead of the
> old signer interface which did "file in", "file out".  By the
> looks of it, I need to modify the zonelist.xml file, and replace
> the <Input><File> sections with <Input><Adapter type="DNS"> etc.,
> and "ods-ksmutil update all" now accepts that config as valid.

Also make sure to change the file location. A File Adapter points to an
unsigned zone file, but a DNS Adapter points to a zone transfer config
file. For documentation on that file, see:

    https://wiki.opendnssec.org/display/DOCS/addns.xml

> 
> However, trying to do a zone transfer from the configured
> consumer fails, and in the log I get
> 
> Jul 17 22:02:06 xxxxx ods-signerd: [axfr] unable to open axfr file 156.193.in-addr.arpa.axfr for zone 156.193.in-addr.arpa
> 
> I'm thinking: Well, if the configured method needs a file with a
> particular name in a particular directory, it's OpenDNSSEC's job to
> ensure that file gets created, not mine!

Agreed :)

> 
> What am I missing?

I guess that the signer was unable to create that file. Why? Not sure.
An interesting line I found in the logs you have sent off list is:

Jul 18 17:55:37 hugin ods-signerd: [notify] zone 156.193.in-addr.arpa received bad notify rcode 9

That means the signer got back that the master server is not
authoritative for the zone 156.193.in-addr.arpa. (From off list
conversation I understand this problem has been fixed)


> 
> Do I need to delete and re-add the zone?  Won't that recycle the
> KSK key? Not that I've copied the DS, but ... Among other
> things, I wanted to see whether the required conversions were
> sufficiently documented...
> 
> (The zone file has most probably not been fetched using the input
> adapter, so what's in /var/opendnssec is what ODS 1.3.13 left
> there, since the zone file has not been updated on the master
> server.)

Note a subtle difference: OpenDNSSEC 1.4 stores the .axfr file in the
working directory (usually /var/opendnssec/tmp/), not in the unsigned
directory as version 1.3 does.

Best regards,
  Matthijs

> 
> Regards,
> 
> - Håvard
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
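As an added illustration, not part of the original thread or of the OpenDNSSEC distribution: the zonelist.xml change Håvard describes, showing a zone entry with File adapters next to the same entry rewritten for DNS adapters, followed by the addns.xml file the DNS adapter path points to. The element names follow the OpenDNSSEC 1.4 adapter format as documented on the wiki page Matthijs links; the addresses, port, TSIG key name and secret are constructed placeholders and must be replaced with your own.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- zonelist.xml, OpenDNSSEC 1.3 style: both adapters are plain files. -->
<ZoneList>
  <Zone name="156.193.in-addr.arpa">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/156.193.in-addr.arpa.xml</SignerConfiguration>
    <Adapters>
      <Input>
        <!-- File adapter: path of the unsigned zone file -->
        <File>/var/opendnssec/unsigned/156.193.in-addr.arpa</File>
      </Input>
      <Output>
        <File>/var/opendnssec/signed/156.193.in-addr.arpa</File>
      </Output>
    </Adapters>
  </Zone>
</ZoneList>

<!-- The same zone entry after migrating to DNS adapters in 1.4.
     Note that the path no longer names a zone file but the zone
     transfer configuration file (addns.xml), which is the change
     Matthijs points out. -->
<ZoneList>
  <Zone name="156.193.in-addr.arpa">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/156.193.in-addr.arpa.xml</SignerConfiguration>
    <Adapters>
      <Input>
        <Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter>
      </Input>
      <Output>
        <Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter>
      </Output>
    </Adapters>
  </Zone>
</ZoneList>

<!-- /etc/opendnssec/addns.xml: where the signer fetches the unsigned
     zone from (Inbound) and who may fetch the signed zone (Outbound).
     192.0.2.1 is the hidden master, 192.0.2.2 the public secondary;
     both and the key are placeholders. Using a TSIG key on every peer
     keeps unauthenticated hosts from pulling or pushing the zone. -->
<Adapter>
  <DNS>
    <TSIG>
      <Name>example-key</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>REPLACE_WITH_BASE64_SECRET</Secret>
    </TSIG>
    <Inbound>
      <!-- Request AXFR/IXFR of the unsigned zone from the hidden master -->
      <RequestTransfer>
        <Remote>
          <Address>192.0.2.1</Address>
          <Port>53</Port>
          <Key>example-key</Key>
        </Remote>
      </RequestTransfer>
      <!-- Accept NOTIFY only from that master, signed with the key -->
      <AllowNotify>
        <Peer>
          <Prefix>192.0.2.1</Prefix>
          <Key>example-key</Key>
        </Peer>
      </AllowNotify>
    </Inbound>
    <Outbound>
      <!-- Serve the signed zone to the public secondary -->
      <ProvideTransfer>
        <Peer>
          <Prefix>192.0.2.2</Prefix>
          <Key>example-key</Key>
        </Peer>
      </ProvideTransfer>
      <!-- Tell the secondary when a new signed version is available -->
      <Notify>
        <Remote>
          <Address>192.0.2.2</Address>
          <Port>53</Port>
          <Key>example-key</Key>
        </Remote>
      </Notify>
    </Outbound>
  </DNS>
</Adapter>
```

With the DNS input adapter in place, the "unable to open axfr file" message in Håvard's log means the inbound transfer has not yet produced the file in the 1.4 working directory (/var/opendnssec/tmp/ by default), so the first thing to check is whether the master in RequestTransfer actually answers authoritatively for the zone; a NOTIFY rcode of 9 (NOTAUTH) is exactly that failure.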
