Discussion:
[Opendnssec-user] opendnssec2 signing error: "unable to add rr to zone: soa record has invalid owner name" ?
Hoda Rohani
2016-12-19 08:21:38 UTC
Hello,
I'm building/installing opendnssec 2 on linux/64
I've started the daemons
systemctl restart ods-signer
...
but I'm not clear what the problem actually is.
A bit of digging, and I found this old, 2014 thread
https://lists.opendnssec.org/pipermail/opendnssec-user/2014-March/002838.html
with (then) two issues
"Bind allows time values in SOA records like '1W' and '3H' however I'm afraid ods does not. Try: s/1W/604800/ s/3H/10800/."
and
ods 2.X now accepts this kind of format: '1W' and '3H'.
"found the 'problem'. Zone was example.com, zone filename was example.com.zone. I renamed zonefiles to match zone names and the issue was gone."
Name of zone file must match the name of zone, that was your problem.
I've not yet found any subsequent resolution ...
Are either/both of those still a problem for opendnssec ?
Regards,
Hoda
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Hoda Rohani
2016-12-19 14:49:56 UTC
Post by Hoda Rohani
ods 2.X now accepts this kind of format: '1W' and '3H'.
ok
Post by Hoda Rohani
Name of zone file must match the name of zone, that was your problem.
realized that since my zone files (a) are in a chroot and (b) contain INCLUDE stmts, that a compiled version was needed for opendnssec to process
mkdir -p /svr/named/namedb/compiled
named-compilezone \
-t "/svr/named" \
-f text -F text \
-o /namedb/compiled/example.info.compiled \
example.info /namedb/master/example.info.zone
then matching the zone name with the zonefile name
mv /svr/named/namedb/compiled/example.info.compiled /var/opendnssec/unsigned/example.info
cleaning
/usr/local/opendnssec/sbin/ods-enforcer zone delete --all
then signing
/usr/local/opendnssec/sbin/ods-enforcer zone add -z example.info.zone -p lab
now works
ls -al /var/opendnssec/signed/example.info
-rw-r--r-- 1 root root 11K Dec 19 06:14 /var/opendnssec/signed/example.info
Thanks.
Fwiw, in the OP, that the output of the enforcer command reported
Zone example.info added successfully
This message comes from enforcer, everything is fine at this side.
The problem occurs in signer and its error messages can be found only in syslog.
when it wasn't being created, and the logs clearly contained errors is misleading. It'd be useful to have the signing step report an error at console ...
Yes, it would be useful to see those error messages at console but it needed ods-signerd to run with -d (no-daemon).


Regards,
Hoda
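
A pre-flight check for the three conditions that come up in this thread (file name equal to the zone name, no leftover $INCLUDE, SOA owner at the zone apex), as an added example that is not part of the original posts or of OpenDNSSEC. The function name check_unsigned_zone and the sample zone data are constructed, and the check assumes the one-record-per-line text form that named-compilezone -F text writes.

```shell
#!/bin/sh
# check_unsigned_zone <zone> <file>: pre-flight test before `ods-enforcer zone add`.
# Prints each problem found; returns 0 only when the file passes all checks.
check_unsigned_zone() {
    zone=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')   # lowercase, no trailing dot
    file=$2
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }

    # 1. The file name must equal the zone name (the fix quoted in the thread).
    name=$(basename "$file")
    if [ "$name" != "$zone" ]; then
        echo "file name '$name' does not match zone '$zone'"; rc=1
    fi

    # 2. A remaining $INCLUDE means the file was not flattened by named-compilezone.
    if grep -qi '^[[:space:]]*\$INCLUDE' "$file"; then
        echo "unresolved \$INCLUDE directive in $file"; rc=1
    fi

    # 3. The SOA owner must be the zone apex. Assumes one record per line as
    #    "owner TTL class type rdata", the layout named-compilezone -F text writes.
    soa_owner=$(awk 'toupper($4) == "SOA" { print tolower($1); exit }' "$file")
    if [ "$soa_owner" != "$zone." ]; then
        echo "SOA owner '${soa_owner:-<none>}' is not the zone apex '$zone.'"; rc=1
    fi
    return "$rc"
}

# Constructed sample: one flattened zone stored under two different file names.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' \
      'example.info. 3600 IN SOA ns1.example.info. hostmaster.example.info. 1 10800 3600 604800 3600' \
      'example.info. 3600 IN NS ns1.example.info.' \
      'ns1.example.info. 3600 IN A 192.0.2.1' > "$dir/example.info"
    cp "$dir/example.info" "$dir/example.info.zone"
    check_unsigned_zone example.info "$dir/example.info" && echo "example.info: ok"
    check_unsigned_zone example.info "$dir/example.info.zone" || echo "example.info.zone: rejected"
    rm -rf "$dir"
}
demo
```
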
