> We are scripting a push-button DNSSEC service around OpenDNSSEC, as
> foreseen in the project (and its logo). As part of that, we generate
> kasp.xml and zonelist.xml from scripts. OpenDNSSEC appears to be quite
> suitable for this!
>
> We found that empty lists of zones are not welcomed by OpenDNSSEC. Is
> there a specific reason for this? We'd prefer if our system wouldn't get
> disrupted in this possible (intermediate) state.
>
> The same applies to policies -- we generate policies because we group zones
> that need to share a key set in the HSM. We assign a key set to each
> independent customer of SURFnet. But if there are no zones, there are no
> groups, and no policies either. Are we crazy for trying to create an
> empty list of policies in case the list of zones is empty, or are we
> merely exploring new areas?

I had certainly never thought about starting a system with a "blank slate" like this; so I am not surprised that it doesn't work. Without a command to add new policies you presumably have to edit the xml and then run "ods-ksmutil update kasp"?

Sion
