[Opendnssec-user] OpenDNSSEC in a hidden master setup

Klaus Darilion klaus.mailinglists at pernau.at
Tue Aug 26 10:19:53 UTC 2014 

At first I would start tcpdump on the ODS server and watch if there are
incoming NOTIFYs if you increase the serial and reload the master. Then
watch out if ODS makes a zone transfer (AXFR or IXFR). Further, the
incoming handler of ODS will write the received zone to disk somewhere.
Check if you have a new file with increased serial. Then the signer
should be notified (I think via some unix socket) about the signing
process (I once had file permission problems on this socket).

regards
Klaus


On 26.08.2014 10:08, Roman Serbski wrote:
> Hello-
> 
> I'm sorry for a dumb question (I've just started working with
> OpenDNSSEC), but in the following setup with three servers involved:
> 
> [Hidden master] <---> [OpenDNSSEC] <---> [Public slave]
> 
> do I need to run "traditional" DNS server on the OpenDNSSEC box to deal
> with signed zones transfers to the slave?
> 
> I think I have a problem with getting the zone from the hidden master as
> soon as I increase the serial.
> 
> All three servers are running FreeBSD 10-STABLE, with the latest NSD
> (4.0.3) installed on the hidden master and the slave.  OpenDNSSEC box
> (version 1.4.6) doesn't have NSD installed.
> 
> My plan is to feed plain zones to OpenDNSSEC, sign them and transfer to
> the slave.
> 
> Here is the snippet from nsd.conf from the hidden master (192.168.157.47
> is the IP of OpenDNSSEC):
> 
> pattern:
>         name: "plain-to-signer"
>         zonefile: "zones/%s"
>         notify: 192.168.157.47 tsig.sha256.signed
>         provide-xfr: 192.168.157.47 tsig.sha256.signed
> 
> zone:
>         name: "domain.org <http://domain.org>"
>         include-pattern: "plain-to-signer"
> 
> OpenDNSSEC configs:
> 
> addns.xml (192.168.157.46 is the hidden master and 192.168.163.86 is the
> slave):
> 
> <Inbound>
> <RequestTransfer>
> <Remote>
> <Address>192.168.157.46</Address>
> <Key>tsig.sha256.signed</Key>
> </Remote>
> </RequestTransfer>
> 
> <AllowNotify>
> <Peer>
> <Prefix>192.168.157.46</Prefix>
> <Key>tsig.sha256.signed</Key>
> </Peer>
> </AllowNotify>
> </Inbound>
> 
> <Outbound>
> <ProvideTransfer>
> <Peer>
> <Prefix>192.168.163.86</Prefix>
> <Key>tsig.sha256.signed</Key>
> </Peer>
> </ProvideTransfer>
> 
> <Notify>
> <Remote>
> <Address>192.168.163.86</Address>
> <Key>tsig.sha256.signed</Key>
> </Remote>
> </Notify>
> </Outbound>
> 
> conf.xml is the default one, with one modification:
> 
> <Listener>
> <Interface><Address>192.168.157.47</Address><Port>53</Port></Interface>
> </Listener>
> 
> kasp.xml is the default one (I'm using default policy), with one change:
> 
> <Serial>datecounter</Serial>
> 
> zonelist.xml:
> 
> <Zone name="domain.org <http://domain.org>">
> <Policy>default</Policy>
> <SignerConfiguration>/usr/local/var/opendnssec/signconf/domain.org.xml</SignerConfiguration>
> <Adapters>
> <Input>
> <Adapter type="DNS">/usr/local/etc/opendnssec/addns.xml</Adapter>
> </Input>
> <Output>
> <Adapter type="DNS">/usr/local/etc/opendnssec/addns.xml</Adapter>
> </Output>
> </Adapters>
> </Zone>
> 
> If I increase the serial, reload the zone on hidden master and do
> ods-control stop/start on the OpenDNSSEC I see that the signed zone was
> successfully transferred to the slave. Here is the log from the slave:
> 
> [1408994435] nsd[1404]: info: notify for domain.org <http://domain.org>.
> from 192.168.157.47
> [1408994435] nsd[1364]: info: xfrd: zone domain.org <http://domain.org>
> committed "received update to serial 2014082512 at 2014-08-25T21:20:35
> from 192.168.157.47 TSIG verified with key tsig.sha256.signed"
> [1408994435] nsd[1480]: info: rehash of zone domain.org
> <http://domain.org>. with parameters 1 0 5 e99189ffbae225cf
> [1408994435] nsd[1480]: info: zone domain.org <http://domain.org>.
> received update to serial 2014082512 at 2014-08-25T21:20:35 from
> 192.168.157.47 TSIG verified with key tsig.sha256.signed of 3566 bytes
> in 0.000139 seconds
> [1408994435] nsd[1364]: info: Zone domain.org <http://domain.org> serial
> 2014082509 is updated to 2014082512.
> 
> But if I just increase the serial and reload the zone on hidden master,
> I get the following in the logs of OpenDNSSEC:
> 
> Aug 26 09:20:40 ns-sign ods-signerd: [xfrd] zone domain.org
> <http://domain.org> request udp/ixfr=2014082511 to 192.168.157.46
> 
> and nothing happens after that. I see no errors on the hidden master or
> OpenDNSSEC.
> 
> Any hints would be greatly appreciated.
> 
> Thank you.
> 
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>

More information about the Opendnssec-user mailing list