I have used opendnssec for a week or so but still have some issues. I think I am missing one thing to get it all going:

* it doesn't fetch the zone when I add it.
* It doesn't make active KSKs.
* Using default policy (as installed from apt-get install opendnssec from PPAs on opendnssec's website).

# ods-ksmutil zone add --zone spam.co.nz
zonelist filename set to /etc/opendnssec/zonelist.xml.
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Imported zone: spam.co.nz

# ods-ksmutil zone list
zonelist filename set to /etc/opendnssec/zonelist.xml.
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Found Zone: spam.co.nz; on policy default

But the fetcher doesn't start up to fetch the file. If I run

pdns_control notify-host spam.co.nz 114.23.20.4

opendnssec complains:

Jun 22 10:54:45 opendnssec ods-signerd: zone fetcher notify received for unknown zone: spam.co.nz.

# ods-ksmutil key list
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:

Now if I ods-control stop; ods-control start:

ods-ksmutil key list
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:
spam.co.nz                      KSK           publish   2011-06-23 00:58:28
spam.co.nz                      ZSK           active    2011-07-22 10:58:28

And there is a file called spam.co.nz in /var/lib/opendnssec/signed.

And if I run the pdns_control again:

Jun 22 11:00:49 opendnssec ods-signerd: zone fetcher received NOTIFY for zone spam.co.nz
Jun 22 11:00:49 opendnssec ods-signerd: zone fetcher transferred zone spam.co.nz serial 1308697239 successfully
Jun 22 11:00:49 opendnssec ods-signerd: cmdhandler: zone spam.co.nz scheduled for immediate re-sign
Jun 22 11:00:49 opendnssec ods-auditor[23029]: Auditor started
Jun 22 11:00:49 opendnssec ods-auditor[23029]: Auditor starting on spam.co.nz
Jun 22 11:00:49 opendnssec ods-auditor[23029]: SOA differs : from 1308697239 to 1308697249
Jun 22 11:00:49 opendnssec ods-auditor[23029]: Auditing spam.co.nz zone : NSEC3 SIGNED
Jun 22 11:00:50 opendnssec ods-auditor[23029]: Finished auditing spam.co.nz zone

It will sign ok, and run <NotifyCommand>/archives/reloadnamed.pl</NotifyCommand> ok. But the KSK is not active:

ods-ksmutil key list
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:                           Keytype:      State:    Date of next transition:
spam.co.nz                      KSK           publish   2011-06-23 00:58:28
spam.co.nz                      ZSK           active    2011-07-22 10:58:28

So no DSs show:

ods-ksmutil key export --zone spam.co.nz --ds
SQLite database set to: /var/lib/opendnssec/db/kasp.db

ods-ksmutil key list --verbose
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:        Keytype:  State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
spam.co.nz   KSK       publish   2011-06-23 00:58:28       8e27b9f2560825f70d8640017e091b06  SoftHSM      54437
spam.co.nz   ZSK       active    2011-07-22 10:58:28       0fbf4ec5ea8b25e772196946e46af700  SoftHSM      8839

When running ksm-enforcer 1:

Jun 22 11:13:48 opendnssec ods-enforcerd: opendnssec starting...
Jun 22 11:13:48 opendnssec ods-enforcerd: opendnssec Parent exiting...
Jun 22 11:13:48 opendnssec ods-enforcerd: opendnssec forked OK...
Jun 22 11:13:48 opendnssec ods-enforcerd: group set to: opendnsec (0)
Jun 22 11:13:48 opendnssec ods-enforcerd: user set to: opendnsec (0)
Jun 22 11:13:48 opendnssec ods-enforcerd: opendnssec started (version 1.2.1), pid 23063
Jun 22 11:13:48 opendnssec ods-enforcerd: HSM opened successfully.
Jun 22 11:13:48 opendnssec ods-enforcerd: Reading config "/etc/opendnssec/conf.xml"
Jun 22 11:13:48 opendnssec ods-enforcerd: Reading config schema "/usr/share/opendnssec/conf.rng"
Jun 22 11:13:48 opendnssec ods-enforcerd: Communication Interval: 3600
Jun 22 11:13:48 opendnssec ods-enforcerd: No DS Submit command supplied
Jun 22 11:13:48 opendnssec ods-enforcerd: SQLite database set to: /var/lib/opendnssec/db/kasp.db
Jun 22 11:13:48 opendnssec ods-enforcerd: Log User set to: local0
Jun 22 11:13:48 opendnssec ods-enforcerd: Switched log facility to: local0
Jun 22 11:13:48 opendnssec ods-enforcerd: Connecting to Database...
Jun 22 11:13:48 opendnssec ods-enforcerd: Policy default found.
Jun 22 11:13:48 opendnssec ods-enforcerd: Key sharing is Off.
Jun 22 11:13:48 opendnssec ods-enforcerd: Purging keys...
Jun 22 11:13:48 opendnssec ods-enforcerd: zonelist filename set to /etc/opendnssec/zonelist.xml.
Jun 22 11:13:48 opendnssec ods-enforcerd: Zone spam.co.nz found.
Jun 22 11:13:48 opendnssec ods-enforcerd: Policy for spam.co.nz set to default.
Jun 22 11:13:48 opendnssec ods-enforcerd: Config will be output to /var/lib/opendnssec/signconf/spam.co.nz.xml.
Jun 22 11:13:48 opendnssec ods-enforcerd: WARNING: KSK rollover for zone 'spam.co.nz' not completed as there are no keys in the 'ready' state; ods-enforcerd will try again when it runs next
Jun 22 11:13:48 opendnssec ods-enforcerd: No change to: /var/lib/opendnssec/signconf/spam.co.nz.xml
Jun 22 11:13:48 opendnssec ods-enforcerd: Disconnecting from Database...
Jun 22 11:13:48 opendnssec ods-enforcerd: Running once only, exiting...
Jun 22 11:13:48 opendnssec ods-enforcerd: all done! hsm_close result: 0

Thanks
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
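An added check, not from the post or from OpenDNSSEC itself, that parses `ods-ksmutil key list --verbose` output like the one quoted above and reports, per zone, whether any KSK has reached a state from which a DS is worth handing to the parent. It assumes (as the enforcer warning above suggests) that 'ready' and 'active' are those states and that 'publish' is not; the sample output is constructed from the post.

```python
import re

# Constructed sample: the `ods-ksmutil key list --verbose` output quoted in the post.
SAMPLE_KEY_LIST = """\
SQLite database set to: /var/lib/opendnssec/db/kasp.db
Keys:
Zone:        Keytype:  State:    Date of next transition:  CKA_ID:                           Repository:  Keytag:
spam.co.nz   KSK       publish   2011-06-23 00:58:28       8e27b9f2560825f70d8640017e091b06  SoftHSM      54437
spam.co.nz   ZSK       active    2011-07-22 10:58:28       0fbf4ec5ea8b25e772196946e46af700  SoftHSM      8839
"""

# One key row: zone, type, state, "YYYY-MM-DD HH:MM:SS", then the optional --verbose columns.
KEY_ROW = re.compile(
    r"^(?P<zone>\S+)\s+(?P<type>KSK|ZSK)\s+(?P<state>\S+)\s+"
    r"(?P<next>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?:\s+(?P<cka_id>[0-9a-f]+)\s+(?P<repo>\S+)\s+(?P<keytag>\d+))?\s*$"
)

# Assumption: KSK states in which a DS should exist at the parent; 'publish' is not one of them.
DS_USABLE = {"ready", "active"}

def parse_key_list(text):
    """Return one dict per key row; the database and header lines do not match and are skipped."""
    keys = []
    for line in text.splitlines():
        m = KEY_ROW.match(line)
        if m:
            keys.append({k: v for k, v in m.groupdict().items() if v is not None})
    return keys

def ksk_status(keys):
    """Per zone: whether a KSK is in ready/active, plus the KSKs still waiting (state, keytag, next)."""
    report = {}
    for k in keys:
        if k["type"] != "KSK":
            continue
        entry = report.setdefault(k["zone"], {"ds_ready": False, "waiting": []})
        if k["state"] in DS_USABLE:
            entry["ds_ready"] = True
        else:
            entry["waiting"].append((k["state"], k.get("keytag", "?"), k["next"]))
    return report

if __name__ == "__main__":
    for zone, e in ksk_status(parse_key_list(SAMPLE_KEY_LIST)).items():
        for state, tag, when in e["waiting"]:
            print(f"{zone}: KSK {tag} still '{state}' until {when}, no DS to export yet")
```

Run against live output (`ods-ksmutil key list --verbose | python3 thisfile.py`-style piping would need a small stdin wrapper) to see at a glance why `key export --ds` prints nothing.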
