Type: New Feature
Status: Closed
Priority: Minor
Resolution: Duplicate
Affects Version/s: OpenDNSSEC 1.4.0a2
Fix Version/s: None
Component/s: None
Labels: None
On 06/28/2012 12:10 PM, Fred Zwarts (KVI) wrote:
> We have rather small zone files, which are edited with a simple editor.
> Of course this sometimes causes errors in the zone files. We have a
> small script that verifies the zone file, before they are copied to the
> place where they are processed by BIND or by OpenDNSSEC. In this script
> we use named-checkzone to check for errors before the files are copied.
> In this way, our name server continues to run and mistakes in editing
> the zones can be repaired without hurry.
>
> It turns out, now that we use OpenDNSSEC, that sometimes OpenDNSSEC
> finds problems in the zone files that are not detected by
> named-checkzone. We find this only after a while, by inspecting the
> system log, when the file is already submitted to the OpenDNSSEC signer.
> If the messages are not detected in the system log, then the zone is no
> longer signed at regular intervals and signatures may expire.
>
> What we would like is a feature where e.g., the signer can be used to
> read a given zone file, check it (issuing error messages if appropriate)
> and then exit with an exit value that can be used in a script to
> determine success or failure. In case of failure, we will not copy the
> new zone file to the location where the signer expects its input file,
> so that the signer daemon will continue to refresh signatures, using the
> old version of the zone file.
> I could not find something like this in the documentation.
> If this can be accomplished already, can someone tell me how?
> If not, what do you think of such a feature?
>
> Fred.Zwarts.
>
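The gating script the reporter describes (check the edited zone, install it only when the checker succeeds, otherwise leave the signer's current input untouched) as an added example; this is not the reporter's script and not part of OpenDNSSEC. The function name `stage_zone`, the `CHECKER` environment variable and the paths are assumptions. The checker defaults to `named-checkzone`, which takes the zone name and file name as arguments and exits non-zero when the zone does not load; any other checker that accepts the same two arguments and signals failure through its exit status can be substituted via `CHECKER`, which is how a signer-side check would slot in once one exists.

```shell
#!/bin/sh
# stage_zone ZONE_NAME CANDIDATE DEST   (example code, names are assumptions)
#
# Run a syntax check on a hand-edited zone file and copy it into the place
# the signer (or BIND) reads from only if the check passes. On failure DEST
# is left exactly as it was, so the signer keeps re-signing the last good
# copy instead of stalling on a broken one.
stage_zone() {
    zone=$1
    candidate=$2
    dest=$3
    checker=${CHECKER:-named-checkzone}   # assumed override hook

    [ -r "$candidate" ] || {
        echo "stage_zone: cannot read $candidate" >&2
        return 2
    }
    command -v "$checker" >/dev/null 2>&1 || {
        echo "stage_zone: checker '$checker' not found" >&2
        return 2
    }

    # The checker's own diagnostics go to stderr for the operator; we only
    # act on its exit status. Captured separately rather than inside "if !"
    # so the real status, not the negation's, is returned to the caller.
    "$checker" "$zone" "$candidate"
    status=$?
    if [ "$status" -ne 0 ]; then
        echo "stage_zone: $checker rejected $candidate (exit $status); $dest left unchanged" >&2
        return "$status"
    fi

    # Copy to a temp file in the destination directory, then rename, so a
    # reader never observes a half-written zone file.
    tmp=$(mktemp "$(dirname "$dest")/.${zone}.XXXXXX") || return 2
    if cp "$candidate" "$tmp" && mv -f "$tmp" "$dest"; then
        echo "stage_zone: installed $candidate as $dest"
        return 0
    fi
    rm -f "$tmp"
    echo "stage_zone: failed to install $candidate" >&2
    return 2
}

# Typical use from an editing workflow (assumed paths):
# stage_zone example.com /home/dns/edit/example.com.zone /var/opendnssec/unsigned/example.com
```

Run it from the edit directory after saving; the exit status is the checker's, so a wrapper (or an editor hook) can branch on it, and a non-zero result means nothing reached the signer's input directory.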
Relates to:
OPENDNSSEC-296 ods-checkzone: A tool to sanity check an unsigned zone before providing it to the signer engine (Open)