[Opendnssec-user] opendnssec2 signing error: "unable to add rr to zone: soa record has invalid owner name" ?

Hoda Rohani hoda at nlnetlabs.nl
Mon Dec 19 14:49:56 UTC 2016



On 19-12-16 15:29, PGNet Dev wrote:
> On 12/19/2016 12:21 AM, Hoda Rohani wrote:
>> ods 2.X now accepts this kind of format: '1W' and '3H'.
> 
> ok
> 
>> Name of zone file must match the name of zone, that was your problem.
> 
> realized that since my zone files (a) are in a chroot and (b) contain INCLUDE stmts, that a compiled version was needed for opendnssec to process
> 
> 	mkdir -p /svr/named/namedb/compiled
> 	named-compilezone \
> 	-t "/svr/named" \
> 	-f text -F text \
> 	-o /namedb/compiled/example.info.compiled \
> 	example.info /namedb/master/example.info.zone
> 
> then matching the zone name with the zonefile name
> 
> 	mv /svr/named/namedb/compiled/example.info.compiled \
> 	   /var/opendnssec/unsigned/example.info
> 
> cleaning
> 
> 	/usr/local/opendnssec/sbin/ods-enforcer zone delete --all
> 
> then signing
> 
> 	/usr/local/opendnssec/sbin/ods-enforcer zone add -z example.info.zone -p lab
> 
> now works
> 
> 	ls -al /var/opendnssec/signed/example.info
> 		-rw-r--r-- 1 root root 11K Dec 19 06:14 /var/opendnssec/signed/example.info
> 
> Thanks.
> 
> 
> Fwiw, in the OP, that the output of the enforcer command reported
> 
> 	Zone example.info added successfully
> 

This message comes from the enforcer; everything is fine on this side.
The problem occurs in the signer, and its error messages can be found only in syslog.

> when it wasn't being created, and the logs clearly contained errors, is misleading. It'd be useful to have the signing step report an error at console ...
> 

Yes, it would be useful to see those error messages at the console, but it needs ods-signerd to run with -d (no-daemon).


Regards,
Hoda
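
A preflight check for the mismatch discussed in this thread, as an added example that is not part of either poster's message or of OpenDNSSEC. The function names and the sample zone data are constructed; it assumes a flattened file with one record per line and absolute owner names, as `named-compilezone -F text` writes it, stored under the zone's name.

```shell
#!/bin/sh
# Added example (not from the thread): check a flattened zone file before
# "ods-enforcer zone add". Assumes one record per line with absolute owner
# names, as named-compilezone -F text writes them, and a file named after the zone.

# Print the owner of the first SOA record, lowercased, without the trailing dot.
soa_owner() {
    awk '
        /^[ \t]*;/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            for (i = 2; i <= NF && i <= 4; i++)  # type follows optional TTL and class
                if (toupper($i) == "SOA") {
                    owner = tolower($1); sub(/\.$/, "", owner)
                    print owner; exit
                }
        }' "$1"
}

# 0 = file name matches SOA owner, 1 = mismatch, 2 = no SOA or leftover $INCLUDE.
check_unsigned_zone() {
    file=$1
    zone=$(basename "$file" | tr 'A-Z' 'a-z')
    if grep -qi '^[[:space:]]*\$INCLUDE' "$file"; then
        echo "$file: \$INCLUDE present, flatten the zone first" >&2; return 2
    fi
    owner=$(soa_owner "$file")
    if [ -z "$owner" ]; then
        echo "$file: no SOA record found" >&2; return 2
    fi
    if [ "$owner" != "$zone" ]; then
        echo "$file: SOA owner '$owner' but file name '$zone'" >&2; return 1
    fi
    return 0
}

# Constructed sample: write the same flattened zone under two file names.
make_samples() {
    for name in example.info example.info.zone; do
        printf '%s\n' \
          'example.info. 3600 IN SOA ns1.example.info. hostmaster.example.info. 1 7200 3600 1209600 3600' \
          'example.info. 3600 IN NS ns1.example.info.' \
          'ns1.example.info. 3600 IN A 192.0.2.53' > "$1/$name"
    done
}
```

Running it against the unsigned directory before adding a zone surfaces the name mismatch at the console, without waiting for the signer's syslog entry.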



