On 01/18/2017 10:53 AM, Michael Grimm wrote:
> If I am not mistaken are those files in /usr/local/var/opendnssec/signconf
> rebuilt after restarting opendnssec's daemons.

here, with ods2, starting with a clean tree

        tree /var/opendnssec
                /var/opendnssec
                ├── [opendnssec        4096]  enforcer
                ├── [opendnssec        4096]  raw
                ├── [opendnssec        4096]  signconf
                ├── [opendnssec        4096]  signed
                ├── [opendnssec        4096]  signer
                └── [opendnssec        4096]  unsigned

after

        ods-enforcer-db-setup -f
                Database setup successfully.
        systemctl start ods-signerd
        systemctl start ods-enforcerd
        ods-enforcer policy import
                Created policy default successfully
                Created policy lab successfully
        tree /var/opendnssec
                /var/opendnssec
                ├── [opendnssec        4096]  enforcer
                ├── [opendnssec       98304]  kasp.db
                ├── [opendnssec        4096]  raw
                ├── [opendnssec        4096]  signconf
                ├── [opendnssec        4096]  signed
                ├── [opendnssec        4096]  signer
                └── [opendnssec        4096]  unsigned

it's the add zone step that initially populates the signconf/ dir

        ods-enforcer zone add \
        --zone example.com \
        --xml \
        --policy lab \
        --input  /usr/local/etc/opendnssec/addns.xml \
        --output /usr/local/etc/opendnssec/addns.xml \
        --in-type DNS \
        --out-type DNS

        tree /var/opendnssec
                /var/opendnssec
                ├── [opendnssec        4096]  enforcer
                │   └── [opendnssec        2032]  zones.xml
                ├── [opendnssec       98304]  kasp.db
                ├── [opendnssec        4096]  raw
                ├── [opendnssec        4096]  signconf
>>>             │   └── [opendnssec        1168]  example.com.xml
                ├── [opendnssec        4096]  signed
                ├── [opendnssec        4096]  signer
                ...

If I

        rm -f /var/opendnssec/signconf/*
        systemctl restart ods-signerd
        systemctl restart ods-enforcerd

that's NOT sufficient to recreate the signconf/*

        tree /var/opendnssec
                /var/opendnssec
                ...
                ├── [opendnssec        4096]  raw
>>>             ├── [opendnssec        4096]  signconf
                ├── [opendnssec        4096]  signed
                ├── [opendnssec        4096]  signer
                ...