[Opendnssec-user] OpenBSD porting questions regarding 2.x

Patrik Lundin patrik at sigterm.se
Sun Sep 4 11:26:18 UTC 2016


Hello again,

Another question that popped up when digging around: I am not entirely
certain of the role of /var/opendnssec/enforcer/zones.xml.

From what I can tell from the migration steps it is used by the signer
and is supposed to be initially created by copying the old
/etc/opendnssec/zonelist.xml there.

It is then stated that zonelist.xml is no longer updated automatically,
meaning the enforcer database is the authoritative source of information
rather than that file. As stated in the example zonelist.xml:
===
As a result in 2.0 the contents of the enforcer database should be considered
the 'master' for the list of currently configured zones, not the zonelist.xml
file as the file can easily become out of sync with the database.
===

Instead I notice that /var/opendnssec/enforcer/zones.xml will be created or
appended to when a zone is added with "ods-enforcer zone add --zone example.com".
Why has this file been introduced? Doesn't the "can easily become out of sync
with the database" hold true for this file as well?

From my perspective there are now two files: zones.xml which is (hopefully)
always in sync with the database, and zonelist.xml which _may_ be in sync with
the database based on operational procedures (running "ods-enforcer zonelist
export" from time to time or adding zones with --xml like "ods-enforcer zone
add --zone example.com --xml").

If the goal is to not have two places that may get out of sync, why not have
the signer fetch information directly from the database?

Finally, what is the appropriate thing to do with zones.xml on a fresh install?
I notice an error is thrown since it is missing (not created by
ods-enforcer-db-setup):
===
Sep  4 12:31:22 obsd-amd64-t01 ods-signerd: [file] unable to stat file /var/opendnssec/enforcer/zones.xml: ods_fopen() failed
===

Is it standard operating procedure to get that error on a fresh install, and
then make the system happy with the addition of the first zone?

-- 
Patrik Lundin
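
A consistency check for the drift the post describes, added here as an example that is not part of the post or of OpenDNSSEC itself; it assumes both files use the <ZoneList>/<Zone name="..."> layout of zonelist.xml (the 2.x migration copies that file to zones.xml) and treats a missing zones.xml, the fresh-install case, as an empty zone list:

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample content mirroring the <ZoneList> layout; the zone
# names are placeholders, not real deployment data.
ZONELIST_XML = """<ZoneList>
  <Zone name="example.com"><Policy>default</Policy></Zone>
  <Zone name="example.net"><Policy>default</Policy></Zone>
</ZoneList>"""

ZONES_XML = """<ZoneList>
  <Zone name="example.com"><Policy>default</Policy></Zone>
  <Zone name="example.org"><Policy>default</Policy></Zone>
</ZoneList>"""


def zone_names(xml_text):
    """Return the set of zone names declared in a <ZoneList> document."""
    root = ET.fromstring(xml_text)
    if root.tag != "ZoneList":
        raise ValueError("unexpected root element %r" % root.tag)
    names = set()
    for zone in root.findall("Zone"):
        name = zone.get("name")
        if not name:
            raise ValueError("Zone element without a name attribute")
        # Normalise trailing dot and case so "Example.COM." == "example.com".
        names.add(name.rstrip(".").lower())
    return names


def compare_zone_files(zonelist_text, zones_text):
    """Report zones present in only one of the two documents."""
    in_list, in_zones = zone_names(zonelist_text), zone_names(zones_text)
    return {"only_in_zonelist": sorted(in_list - in_zones),
            "only_in_zones": sorted(in_zones - in_list)}


def load_and_compare(zonelist_path, zones_path):
    """Read both files from disk; a missing zones.xml counts as empty
    and is flagged, a missing zonelist.xml is an error."""
    with open(zonelist_path) as fh:
        zonelist_text = fh.read()
    zones_missing = not os.path.exists(zones_path)
    zones_text = "<ZoneList/>"
    if not zones_missing:
        with open(zones_path) as fh:
            zones_text = fh.read()
    report = compare_zone_files(zonelist_text, zones_text)
    report["zones_missing"] = zones_missing
    return report
```

Running it against /etc/opendnssec/zonelist.xml and /var/opendnssec/enforcer/zones.xml before and after "ods-enforcer zonelist export" shows which of the two files has drifted.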
