+--On 2 March 2012 16:53:52 +0000 Einar Bjarni Halldórsson <ei...@isnic.is> wrote:
| Hi,
|
| We're running ods packages from ports on a FreeBSD 8.1 server, version
| 1.3.5. Our inbound zone file is segmented with $INCLUDE directives. The
| auditor seems to be having trouble with this, since I get this in the
| logs:
|
| ods-auditor[58671]: Number of non-DNSSEC resource records differs : 2 in
| /var/opendnssec/tmp/is.inbound, and 89393 in
| /var/opendnssec/tmp/is.finalized
|
| I had to turn on partial auditing to get ods to sign the zone at all. Is
| there a workaround for segmented zone files or is the only choice to use
| one complete zone file as input to ods?
I use $GENERATE quite a lot and I find it easier to run named-compilezone to
clean up the zone file before it's given to the signer. I use a Makefile to do
just that (well, it does a lot more, but this is the interesting part):

# BSD make (FreeBSD). One *.signed marker file per zone in the current
# directory; its name minus the suffix is the raw zone file.
SIGNED!=	find -s * -name '*.signed'
UNSIGNED=	/usr/local/var/opendnssec/unsigned/

all: sign

sign: ${SIGNED}

.for i in ${SIGNED:R}
# Flatten $INCLUDE/$GENERATE into one canonical file for the signer.
# ${i:T} is the file's basename; the origin is derived from it by turning
# the first '_' into '/'; $> (.ALLSRC) is the raw zone file.
${UNSIGNED}${i:T}: $i
	/usr/bin/time /usr/sbin/named-compilezone -o $@ ${i:T:S/_/\//} $>

# Once the flattened copy is newer than the marker, ask the signer to
# drop its cached copy and re-sign the zone.
$i.signed: ${UNSIGNED}${i:T}
	/usr/local/sbin/ods-signer clear ${i:T:S/_/\//}
	/usr/local/sbin/ods-signer sign ${i:T:S/_/\//}
.endfor

I run make in my /etc/namedb and the Makefile takes care of regenerating the
zone passed to opendnssec and telling the signer to resign the zone.

-- 
Mathieu Arnold
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user@lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
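An added example (not from the thread, and not OpenDNSSEC or BIND code) of the flattening step named-compilezone performs, written as a small zone-file preprocessor so the auditor's "2 in inbound" vs "many in finalized" discrepancy can be reproduced: reading only the top-level file yields the SOA and NS, following $INCLUDE and expanding $GENERATE yields the whole zone. The zone name, file names and record contents are constructed, and only the plain "$" form of $GENERATE is handled.

```python
import re

# Constructed sample: a segmented zone split with $INCLUDE, plus a $GENERATE
# block. Names (example.test, hosts.inc, gen.inc) are made up for this example.
ZONE_FILES = {
    "example.zone": (
        "$ORIGIN example.test.\n"
        "$TTL 3600\n"
        "@ IN SOA ns1 hostmaster 1 7200 900 1209600 3600\n"
        "@ IN NS ns1\n"
        "$INCLUDE hosts.inc\n"
        "$INCLUDE gen.inc\n"
    ),
    "hosts.inc": "ns1 IN A 192.0.2.1\nwww IN A 192.0.2.2 ; web\n",
    "gen.inc": "$GENERATE 1-20 host$ A 192.0.2.$\n",
}
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}

def expand_generate(line):
    """Expand '$GENERATE start-stop lhs type rhs' using plain '$' substitution only."""
    m = re.match(r"\$GENERATE\s+(\d+)-(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$", line)
    if not m:
        raise ValueError("unsupported $GENERATE form: " + line)
    start, stop, lhs, rtype, rhs = m.groups()
    return [f"{lhs.replace('$', str(n))} IN {rtype} {rhs.replace('$', str(n))}"
            for n in range(int(start), int(stop) + 1)]

def flatten(name, files, follow_includes=True):
    """Return the RR lines of zone file `name` with directives expanded.
    follow_includes=False mimics a reader that stops at the top-level file."""
    out = []
    for raw in files[name].splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$INCLUDE"):
            if follow_includes:
                out.extend(flatten(line.split()[1], files, True))
        elif line.startswith("$GENERATE"):
            out.extend(expand_generate(line))
        elif line.startswith("$"):
            continue                            # $ORIGIN / $TTL carry no RR
        else:
            out.append(line)
    return out

def rr_type(line):
    """Type field: first token after the owner that is neither a class nor a TTL."""
    for tok in line.split()[1:]:
        if tok not in ("IN", "CH", "HS") and not tok.isdigit():
            return tok
    raise ValueError("no type in: " + line)

def count_non_dnssec(lines):
    """The auditor's figure: resource records that are not DNSSEC-generated."""
    return sum(1 for l in lines if rr_type(l) not in DNSSEC_TYPES)
```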