We have rather small zone files, which are edited with a simple editor. Of course this sometimes causes errors in the zone files. We have a small script that verifies the zone files before they are copied to the place where they are processed by bind or by OpenDNSSEC. In this script we use named-checkzone to check for errors before the files are copied. In this way, our name server continues to run and mistakes in editing the zones can be repaired without hurry.

It turns out, now that we use OpenDNSSEC, that sometimes OpenDNSSEC finds problems in the zone files that are not detected by named-checkzone. We find this only after a while, by inspecting the system log, when the file is already submitted to the OpenDNSSEC signer. If the messages are not detected in the system log, then the zone is no longer signed at regular intervals and signatures may expire.

What we would like is a feature where e.g., the signer can be used to read a given zone file, check it (issuing error messages if appropriate) and then exit with an exit value that can be used in a script to determine success or failure. In case of failure, we will not copy the new zone file to the location where the signer expects its input file, so that the signer daemon will continue to refresh signatures, using the old version of the zone file.
I could not find something like this in the documentation.
If this can be accomplished already, can someone tell me how?
If not, what do you think of such a feature?

Fred.Zwarts.
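The check-then-copy gate described in the post above, as an added example (not the poster's own script): it runs a zone checker on the edited file, prints the checker's messages and stops on a non-zero exit, and only then installs the file atomically into the directory the signer reads from, so a broken or half-written file never reaches the signer. The function names and the ZONE_CHECK_CMD variable are assumptions for this example; the variable defaults to named-checkzone so the checker can be swapped for a stricter one later.

```shell
#!/bin/sh
# Gate a hand-edited zone file behind a syntax check before the signer sees it.
# ZONE_CHECK_CMD is an assumed knob for this example; it defaults to named-checkzone,
# which is invoked as: named-checkzone ZONENAME ZONEFILE
ZONE_CHECK_CMD="${ZONE_CHECK_CMD:-named-checkzone}"

# check_zone ZONENAME FILE -> 0 if the checker accepts the file, 1 otherwise.
# The checker's own messages are shown on stderr only when it rejects the file.
check_zone() {
    zone="$1"; file="$2"
    if [ ! -r "$file" ]; then
        echo "check_zone: cannot read $file" >&2
        return 1
    fi
    if out=$($ZONE_CHECK_CMD "$zone" "$file" 2>&1); then
        return 0
    fi
    printf '%s: rejected by %s:\n%s\n' "$file" "$ZONE_CHECK_CMD" "$out" >&2
    return 1
}

# install_zone ZONENAME FILE DESTDIR -> copies FILE into DESTDIR only if it passes
# check_zone. The copy goes to a temporary name first and is then renamed, so the
# signer never picks up a partially written file; on failure DESTDIR is untouched
# and the signer keeps refreshing signatures from the previous version.
install_zone() {
    zone="$1"; file="$2"; destdir="$3"
    check_zone "$zone" "$file" || return 1
    name=$(basename "$file")
    tmp="$destdir/.$name.tmp.$$"
    cp "$file" "$tmp" && mv "$tmp" "$destdir/$name"
}
```

A cron job or commit hook would call `install_zone example.test /etc/zones/example.test.zone /var/opendnssec/unsigned` and act on the exit status.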

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
