[Opendnssec-user] opendnssec2 signing error: "unable to add rr to zone: soa record has invalid owner name" ?
Hoda Rohani
hoda at nlnetlabs.nl
Mon Dec 19 14:49:56 UTC 2016
On 19-12-16 15:29, PGNet Dev wrote:
> On 12/19/2016 12:21 AM, Hoda Rohani wrote:
>> ods 2.X now accepts these kinds of format: '1W' and '3H'.
>
> ok
>
>> Name of zone file must match the name of zone, that was your problem.
>
> realized that since my zone files (a) are in a chroot and (b) contain INCLUDE stmts, that a compiled version was needed for opendnssec to process
>
> mkdir -p /svr/named/namedb/compiled
> named-compilezone \
> -t "/svr/named" \
> -f text -F text \
> -o /namedb/compiled/example.info.compiled \
> example.info /namedb/master/example.info.zone
>
> then matching the zone name with the zonefile name
>
> mv /svr/named/namedb/compiled/example.info.compiled \
> /var/opendnssec/unsigned/example.info
>
> cleaning
>
> /usr/local/opendnssec/sbin/ods-enforcer zone delete --all
>
> then signing
>
> /usr/local/opendnssec/sbin/ods-enforcer zone add -z example.info.zone -p lab
>
> now works
>
> ls -al /var/opendnssec/signed/example.info
> -rw-r--r-- 1 root root 11K Dec 19 06:14 /var/opendnssec/signed/example.info
>
> Thanks.
>
>
> Fwiw, in the OP, that the output of the enforcer command reported
>
> Zone example.info added successfully
>
This message comes from the enforcer; everything is fine on this side.
The problem occurs in the signer, and its error messages can be found only in syslog.
> when it wasn't being created, and the logs clearly contained errors, is misleading. It'd be useful to have the signing step report an error at console ...
>
Yes, it would be useful to see those error messages at the console, but it needs ods-signerd to run with -d (no-daemon).
Regards,
Hoda
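
A pre-flight check for the mismatch discussed in this thread, added here as an example and not part of the original messages or of OpenDNSSEC: it verifies that the unsigned zone file is named after the zone and that the SOA owner in the file is the zone name, before the zone is handed to the enforcer. The function names, the temporary directory and the sample zone data are constructed for illustration, and the input is assumed to be the flat one-record-per-line text that named-compilezone writes.

```shell
#!/bin/sh
# Added example: catch a zone-name / zone-file / SOA-owner mismatch at the console,
# instead of finding the signer's complaint in syslog afterwards.

# Print the owner of the first SOA record, lowercased, without the trailing dot.
# Expects one record per line: owner [ttl] [class] SOA ...
soa_owner() {
    awk '/^;/ { next }
    {
        for (i = 2; i <= NF && i <= 4; i++)
            if (toupper($i) == "SOA") {
                o = tolower($1); sub(/\.$/, "", o); print o; exit
            }
    }' "$1"
}

# check_zone ZONE FILE: returns 0 if consistent, 1 (with a reason) otherwise.
check_zone() {
    zone=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    file=$2
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    base=$(basename "$file" | tr 'A-Z' 'a-z')
    owner=$(soa_owner "$file")
    if [ "$base" != "$zone" ]; then
        echo "file name '$base' does not match zone '$zone'"; return 1
    fi
    if [ "$owner" != "$zone" ]; then
        echo "SOA owner '$owner' does not match zone '$zone'"; return 1
    fi
    echo "ok: $zone"
}

# Constructed sample input (documentation names and addresses only).
demo_dir=$(mktemp -d)
cat > "$demo_dir/example.info" <<'EOF'
example.info.	3600 IN SOA ns1.example.info. hostmaster.example.info. 2016121901 10800 3600 604800 3600
example.info.	3600 IN NS ns1.example.info.
ns1.example.info.	3600 IN A 192.0.2.53
EOF

check_zone example.info "$demo_dir/example.info"          # consistent
check_zone example.net "$demo_dir/example.info" || true   # mismatch is reported
```
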