[Opendnssec-user] OpenDNSSEC in a hidden master setup

Roman Serbski mefystofel at gmail.com
Tue Aug 26 08:08:40 UTC 2014


Hello-

I'm sorry for a dumb question (I've just started working with OpenDNSSEC),
but in the following setup with three servers involved:

[Hidden master] <---> [OpenDNSSEC] <---> [Public slave]

do I need to run a "traditional" DNS server on the OpenDNSSEC box to deal
with signed zone transfers to the slave?

I think I have a problem with getting the zone from the hidden master as
soon as I increase the serial.

All three servers are running FreeBSD 10-STABLE, with the latest NSD
(4.0.3) installed on the hidden master and the slave. The OpenDNSSEC box
(version 1.4.6) doesn't have NSD installed.

My plan is to feed plain zones to OpenDNSSEC, sign them and transfer to the
slave.

Here is the snippet from nsd.conf from the hidden master (192.168.157.47 is
the IP of OpenDNSSEC):

pattern:
        name: "plain-to-signer"
        zonefile: "zones/%s"
        notify: 192.168.157.47 tsig.sha256.signed
        provide-xfr: 192.168.157.47 tsig.sha256.signed

zone:
        name: "domain.org"
        include-pattern: "plain-to-signer"

OpenDNSSEC configs:

addns.xml (192.168.157.46 is the hidden master and 192.168.163.86 is the
slave):

<Inbound>
    <RequestTransfer>
        <Remote>
            <Address>192.168.157.46</Address>
            <Key>tsig.sha256.signed</Key>
        </Remote>
    </RequestTransfer>

    <AllowNotify>
        <Peer>
            <Prefix>192.168.157.46</Prefix>
            <Key>tsig.sha256.signed</Key>
        </Peer>
    </AllowNotify>
</Inbound>

<Outbound>
    <ProvideTransfer>
        <Peer>
            <Prefix>192.168.163.86</Prefix>
            <Key>tsig.sha256.signed</Key>
        </Peer>
    </ProvideTransfer>

    <Notify>
        <Remote>
            <Address>192.168.163.86</Address>
            <Key>tsig.sha256.signed</Key>
        </Remote>
    </Notify>
</Outbound>

conf.xml is the default one, with one modification:

<Listener>
<Interface><Address>192.168.157.47</Address><Port>53</Port></Interface>
</Listener>

kasp.xml is the default one (I'm using default policy), with one change:

<Serial>datecounter</Serial>

zonelist.xml:

<Zone name="domain.org">
    <Policy>default</Policy>
    <SignerConfiguration>/usr/local/var/opendnssec/signconf/domain.org.xml</SignerConfiguration>
    <Adapters>
        <Input>
            <Adapter type="DNS">/usr/local/etc/opendnssec/addns.xml</Adapter>
        </Input>
        <Output>
            <Adapter type="DNS">/usr/local/etc/opendnssec/addns.xml</Adapter>
        </Output>
    </Adapters>
</Zone>

If I increase the serial, reload the zone on the hidden master and do
ods-control stop/start on the OpenDNSSEC box, I see that the signed zone was
successfully transferred to the slave. Here is the log from the slave:

[1408994435] nsd[1404]: info: notify for domain.org. from 192.168.157.47
[1408994435] nsd[1364]: info: xfrd: zone domain.org committed "received update to serial 2014082512 at 2014-08-25T21:20:35 from 192.168.157.47 TSIG verified with key tsig.sha256.signed"
[1408994435] nsd[1480]: info: rehash of zone domain.org. with parameters 1 0 5 e99189ffbae225cf
[1408994435] nsd[1480]: info: zone domain.org. received update to serial 2014082512 at 2014-08-25T21:20:35 from 192.168.157.47 TSIG verified with key tsig.sha256.signed of 3566 bytes in 0.000139 seconds
[1408994435] nsd[1364]: info: Zone domain.org serial 2014082509 is updated to 2014082512.

But if I just increase the serial and reload the zone on the hidden master, I
get the following in the logs of OpenDNSSEC:

Aug 26 09:20:40 ns-sign ods-signerd: [xfrd] zone domain.org request udp/ixfr=2014082511 to 192.168.157.46

and nothing happens after that. I see no errors on the hidden master or
OpenDNSSEC.

Any hints would be greatly appreciated.

Thank you.
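A quick way to see which hop of the chain above is lagging, as an added example that is not part of the original post and not OpenDNSSEC or NSD code: a standard-library Python script that sends a plain SOA query to the hidden master, the signer and the slave, extracts the serial from each answer, and compares the two hops that serve the signed zone using RFC 1982 serial arithmetic. The addresses and the zone name are taken from the post; the hostnames and SOA timer values inside the constructed test packet are assumptions. Because the signer rewrites the serial under a `datecounter` policy, the hidden master's unsigned serial is printed for the operator but deliberately not compared with the signed serials.

```python
"""Added example: locate which hop of a hidden master -> OpenDNSSEC signer ->
public slave chain is lagging by comparing SOA serials.  Standard library only.
Addresses come from the post; everything else here is an assumption."""
import socket
import struct
import sys

SOA, IN = 6, 1


def build_soa_query(name: str, qid: int = 0x1234) -> bytes:
    """Minimal RFC 1035 query: 12-byte header with RD set, one SOA/IN question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", SOA, IN)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_soa_serial(msg: bytes) -> int:
    """Extract the serial from the first SOA RR in the answer section."""
    _qid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned rcode {rcode}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4      # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SOA:
            p = _skip_name(msg, off)        # MNAME
            p = _skip_name(msg, p)          # RNAME
            return struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in answer section")


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True when a is strictly newer than b.
    Correct across the 32-bit wrap, which a plain integer comparison is not."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def query_serial(server: str, zone: str, timeout: float = 2.0) -> int:
    """Send one UDP SOA query.  No TSIG: SOA lookups are ordinary queries."""
    pkt = build_soa_query(zone)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != pkt[:2]:
        raise ValueError("transaction id mismatch")
    return parse_soa_serial(resp)


def diagnose(signer_serial: int, slave_serial: int) -> str:
    """Compare the two hops that serve the *signed* zone.  The hidden master's
    unsigned serial is not comparable with these under a datecounter policy."""
    if serial_gt(signer_serial, slave_serial):
        return "slave lags signer: outbound NOTIFY/AXFR from the signer is not reaching it"
    if serial_gt(slave_serial, signer_serial):
        return "slave is ahead of signer: it is being fed from somewhere else"
    return "signer and slave agree"


def constructed_soa_response(serial: int) -> bytes:
    """Hand-built SOA answer for domain.org (constructed test input, not a capture)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = build_soa_query("domain.org")[12:]
    mname = b"\x03ns1\xc0\x0c"                 # ns1.domain.org, pointer to the QNAME
    rname = b"\x0ahostmaster\xc0\x0c"          # hostmaster.domain.org
    rdata = mname + rname + struct.pack("!IIIII", serial, 3600, 900, 1209600, 3600)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    # Usage: python3 check_chain.py domain.org 192.168.157.46 192.168.157.47 192.168.163.86
    zone, master, signer, slave = sys.argv[1:5]
    serials = {h: query_serial(h, zone) for h in (master, signer, slave)}
    for host, serial in serials.items():
        print(f"{host:16} {zone} serial {serial}")
    print(diagnose(serials[signer], serials[slave]))
```

The SOA queries are unsigned, so the hidden master must accept ordinary queries from the host running the check; the transfer path itself stays TSIG-protected. To exercise that path directly, a signed transfer request such as `dig -y hmac-sha256:tsig.sha256.signed:<secret> @192.168.157.46 domain.org AXFR` from the signer's address confirms whether the master's `provide-xfr` and key actually match what the signer presents.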