Hi, I am currently setting up OpenDNSSEC for the Dutch nl zone and I am trying to integrate it with their zone creation and checking system. In steps I designed the following system:

1. Every two hours the create_and_check_zonefile script places the new zone in /var/named/unsigned/ and it calls 'rndc -s localhost reload'
2. The localhost nameserver loads the new zone and notifies OpenDNSSEC
3. OpenDNSSEC fetches the zone (AXFR), signs it and places it under /var/named/signed/
4. OpenDNSSEC calls 'rndc reload' for the hidden primary that will publish the signed zone to the secondary nameservers

In the above setup I require two nameservers, and I would like to come up with a setup that does not require an additional nameserver running. So in steps I would like to change the above system to do something as follows:

1. Every two hours the create_and_check_zonefile script places the new zone in /var/named/unsigned/ and it calls 'ods-control signer sign nl'
2. OpenDNSSEC signs the zone in /var/named/unsigned/ and places it in /var/named/signed/
3. OpenDNSSEC calls 'rndc reload' for the hidden primary that will publish the signed zone to the secondary nameservers

The problem I noticed with this setup is that, while running, the OpenDNSSEC daemons or scripts seem to periodically use the zone file on disk. This may cause a conflict when the script in step 1 places a new zone file while some OpenDNSSEC daemon or script is using it.

Is there a safe way to copy a new unsigned zone to be signed by OpenDNSSEC? For instance, by disabling the periodic checks and letting the script in step 1 take the initiative for signing the zone?

Best regards,
Martijn Brekhof
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
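An added example (not code from the original post or from the OpenDNSSEC project) of how the step 1 script can hand over a new unsigned zone without the race described above: the new file is written next to the live one and renamed over it, so a reader only ever sees the complete old file or the complete new file, and the signer is invoked only after the swap. The named-checkzone pre-check, the directory and the command variables are assumptions; both commands can be overridden so the script can be exercised on a host without BIND or OpenDNSSEC.

```shell
#!/bin/sh
# Atomically replace an unsigned zone file and then ask OpenDNSSEC to sign it.
# Added example, not part of OpenDNSSEC; paths and commands are assumptions.
set -eu

UNSIGNED_DIR="${UNSIGNED_DIR:-/var/named/unsigned}"
# Overridable so the script can be tested without BIND/OpenDNSSEC installed.
CHECKZONE="${CHECKZONE:-named-checkzone}"        # assumed BIND syntax checker
SIGN_CMD="${SIGN_CMD:-ods-control signer sign}"  # command from the original post

# publish_unsigned_zone ZONE NEWFILE
#  1. copy NEWFILE to a temp file in the SAME directory (same filesystem), so the
#     later rename is a single atomic directory operation, never a partial write
#  2. reject the candidate if it does not parse; the previous file stays live
#  3. rename it over the live file; any daemon reading at that moment keeps
#     its already-open old file or opens the new one, never a mix
#  4. trigger signing explicitly instead of waiting for a periodic pick-up
# Returns 0 on success, 1 on copy failure, 2 if the zone check fails.
publish_unsigned_zone() {
    zone=$1
    newfile=$2
    target="$UNSIGNED_DIR/$zone"
    tmp=$(mktemp "$UNSIGNED_DIR/.$zone.XXXXXX")
    if ! cp "$newfile" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # word splitting is intended: $CHECKZONE may carry arguments
    if ! $CHECKZONE "$zone" "$tmp" >/dev/null; then
        rm -f "$tmp"
        echo "zone $zone failed the zone check, keeping the previous file" >&2
        return 2
    fi
    chmod 0644 "$tmp"
    mv -f "$tmp" "$target"
    $SIGN_CMD "$zone"
}

# Usage from the create_and_check_zonefile job: publish_unsigned_zone nl /path/to/new/nl
[ $# -eq 0 ] || publish_unsigned_zone "$@"
```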
