Discussion:
[Opendnssec-user] no signconf/foo.xml
Randy Bush
2018-01-02 15:21:49 UTC
1.4 on freebsd10

i manually updated zonelist.xml to add

<Zone name="foo.com">
  <Policy>default</Policy>
  <SignerConfiguration>/usr/local/var/opendnssec/signconf/foo.com.xml</SignerConfiguration>
  <Adapters>
    <Input> <File>/usr/local/var/opendnssec/unsigned/com.foo</File> </Input>
    <Output> <File>/usr/home/dns/primary/com.foo</File> </Output>
  </Adapters>
</Zone>

i ran

ods-ksmutil update zonelist
ods-ksmutil update all
ods-ksmutil update conf

i stopped and started opendnssec

but i have no

/usr/local/var/opendnssec/signconf/foo.com.xml

so

# ods-signer sign foo.com
Zone foo.com scheduled for immediate re-sign.

# l /usr/local/var/opendnssec/signconf/foo.com.xml
ls: /usr/local/var/opendnssec/signconf/foo.com.xml: No such file or directory

a clue bat would be appreciated

randy
Hoda Rohani
2018-01-02 16:19:37 UTC
Hello Randy,

We need more data from your side. Could you please look into syslog and provide us with some log messages after running the update commands?

Regards,
Hoda
Randy Bush
2018-01-03 00:39:36 UTC
i believe the problem was soft-hsm backup was needed and i had not
gotten to that check in my daily manual ritual. why soft-hsm backup
is manual, is something i have yet to understand.

randy
Yuri Schaeffer
2018-01-08 09:10:47 UTC
Post by Randy Bush
i believe the problem was soft-hsm backup was needed and i had not
gotten to that check in my daily manual ritual. why soft-hsm backup
is manual, is something i have yet to understand.
For OpenDNSSEC it is a policy thing. You can configure it to use any key
available or only allow keys that are explicitly marked as backed up by
the user.
How the HSM (SoftHSM or otherwise) manages/automates its backups is out
of scope for ODS.

//Yuri
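
A diagnostic for the symptom discussed in this thread, added here as an example (it is not code from the thread participants or from the OpenDNSSEC project): it lists zones whose signconf file is missing and repositories that only release keys once they are marked as backed up. It assumes the gate is the `<RequireBackup/>` element inside a `<Repository>` in conf.xml; the function names and the sample XML are constructed for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample inputs. The <Zone> entry is the one from the first post;
# the <Repository> blocks are an assumed conf.xml fragment with placeholder values.
CONF_XML = """<Configuration><RepositoryList>
  <Repository name="SoftHSM">
    <TokenLabel>EXAMPLE-TOKEN</TokenLabel>
    <RequireBackup/>
  </Repository>
  <Repository name="NoGate">
    <TokenLabel>EXAMPLE-TOKEN-2</TokenLabel>
  </Repository>
</RepositoryList></Configuration>"""

ZONELIST_XML = """<ZoneList>
  <Zone name="foo.com">
    <Policy>default</Policy>
    <SignerConfiguration>/usr/local/var/opendnssec/signconf/foo.com.xml</SignerConfiguration>
  </Zone>
</ZoneList>"""

def repos_requiring_backup(conf_xml):
    """Names of repositories whose keys stay unusable until marked backed up."""
    root = ET.fromstring(conf_xml)
    return [r.get("name") for r in root.iter("Repository")
            if r.find("RequireBackup") is not None]

def zones_missing_signconf(zonelist_xml, exists=os.path.exists):
    """(zone, path) pairs whose SignerConfiguration file is absent on disk."""
    root = ET.fromstring(zonelist_xml)
    missing = []
    for zone in root.iter("Zone"):
        path = (zone.findtext("SignerConfiguration") or "").strip()
        if not path or not exists(path):
            missing.append((zone.get("name"), path))
    return missing

def diagnose(conf_xml, zonelist_xml, exists=os.path.exists):
    """Pair the symptom (no signconf) with the likely gate (RequireBackup)."""
    gated = repos_requiring_backup(conf_xml)
    return [f"{name}: no signconf at {path or '<unset>'}; "
            + (f"check key backup state for {', '.join(gated)}" if gated
               else "no RequireBackup gate found, check syslog")
            for name, path in zones_missing_signconf(zonelist_xml, exists)]

if __name__ == "__main__":
    for line in diagnose(CONF_XML, ZONELIST_XML):
        print(line)
```

The check does not follow the policy-to-repository link in kasp.xml, so it reports every gated repository; `ods-ksmutil backup list` shows which keys the enforcer still considers not backed up.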
Randy Bush
2018-01-09 05:09:45 UTC
Post by Yuri Schaeffer
Post by Randy Bush
i believe the problem was soft-hsm backup was needed and i had not
gotten to that check in my daily manual ritual. why soft-hsm backup
is manual, is something i have yet to understand.
For OpenDNSSEC it is a policy thing. You can configure it to use any key
available or only allow keys that are explicitly marked as backed up by
the user.
it would seem to be ill-advised to use a key which is not backed up
Post by Yuri Schaeffer
How the HSM (SoftHSM or otherwise) manages/automates its backups is out
of scope for ODS.
no comment
