
Opendnssec14 migration

Migration from OpenDNSSEC prior to 2.0

Migrating between 1.3 and 1.4

Version 1.4 has some kasp database changes compared to 1.3 to allow for an update to the zonelist.xml schema (these changes support flexibility in the input and output adapters).

:memo: Also see the MIGRATION file in the source code.

This means that in order to use version 1.4 of OpenDNSSEC with a database created with an earlier minor version of OpenDNSSEC (1.3 or earlier) there are two options:

  1. If you do NOT need to retain the key information for the system:
    Wipe and recreate your kasp database (by running ods-ksmutil setup). This loses all current state for the system, including all existing key information.
  2. If you DO need to retain the key information for the system:
    • Assuming that you are currently using v1.3, run the SQL statements against your existing database (depending on which database is used) given in:
      • enforcer/utils/migrate_adapters_1.mysql or
      • enforcer/utils/migrate_adapters_1.sqlite3
    • If you are using v1.1 and wish to maintain your existing keys, you will first need to run one of the following, depending on your database, before running the above:
      • enforcer/utils/migrate_keyshare_mysql.pl or
      • enforcer/utils/migrate_keyshare_sqlite3.pl

:warning: Although these scripts have been tested, it is recommended to make a backup of your database prior to running them.

Migrating between patch versions (1.4.n to 1.4.m)

Patch versions normally do not require changes to the database schema and nothing needs to be done to the database in order to upgrade. However, in exceptional cases this may be required, but this will be clearly stated in the NEWS file and in the release announcement.

Migrate pre-1.4 zone fetchers

OpenDNSSEC version 1.4 introduced DNS adapters. With the introduction of DNS adapters, OpenDNSSEC is able to read unsigned zones directly from AXFR or IXFR, and to output signed AXFR and IXFRs. Version 1.3 also understood incoming, unsigned AXFRs, thanks to the zone fetcher process. The zone fetcher had its own configuration file, zonefetch.xml. With the introduction of the DNS adapters, a zone fetcher is not needed anymore and is removed in version 1.4. Version 1.4 also provides IXFR and outgoing zone transfers, and requires more configuration options. A new configuration file, addns.xml, is required to configure the DNS adapters.

If you upgrade OpenDNSSEC from 1.3 or lower to 1.4 or higher, and you used the zone fetcher, you will have to migrate the configuration. This page explains how you do that.

Changes in conf.xml

In 1.3 and earlier, the zone fetcher configuration filename had to be specified in conf.xml in the element. In version 1.4, this element must be removed.

In 1.3 and earlier, the zonefetch.xml file contains an element that defines which interface and port the system must bind to in order to listen for NOTIFY messages. For example, to let the zone fetcher listen on the IPv4 address 192.0.2.100 on port 53, you would have configured the zone fetcher like this:

...
192.0.2.100
53

With OpenDNSSEC 1.4, the signer can listen for more than NOTIFY messages. It also accepts zone transfer requests and 'regular queries' such as SOA, DNSKEY, and so on. The listener therefore becomes more general, and the configuration now goes in conf.xml, under the element:

...

192.0.2.100
53

Instead of the IPv4-specific element, the element name is made more general. There is an additional element to indicate that this describes an interface and to support multiple listening interfaces. The configuration no longer needs different elements for IPv4 and IPv6, so for an IPv6 address you would use the same element. The port element remains unchanged.

From zonefetch.xml to addns.xml

In 1.3 and earlier, all the zone fetcher configuration (except the listener part described above) is encapsulated within a single top-level element. In 1.4, the DNS adapter configuration is encapsulated in a different top-level element. The TSIG key part is unchanged and can be copied straight across.

Because the zone fetcher was only able to do inbound zone transfers, the transfer request element was listed directly under the top-level element. The DNS adapter configuration covers both inbound and outbound zone transfers, so the transfer request should now be encapsulated within the element for inbound transfers. Again, suppose you had the following configuration in zonefetch.xml:

...
192.0.2.100
53
secret.example.com
...

You would have to translate that into the following configuration in addns.xml:

secret.example.com
hmac-sha256
sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ=

192.0.2.100
53
secret.example.com
...
...

The IPv4-specific element is again renamed to the IP-version-independent address element. The port and key elements remain unchanged. The three elements are encapsulated into one element per remote source, so that multiple remote zone transfer sources can be configured.

That's it! In the DNS adapter configuration you can now also configure from which sources you allow NOTIFY messages and you can configure outbound zone transfers. For more information on that, see the documentation on addns.xml.
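As an added example (not from the OpenDNSSEC project or this page), a Python check a practitioner could run over the migrated files before restarting the signer: it verifies that the old zone fetcher reference is gone from conf.xml, that a listener interface exists, and that every inbound remote in addns.xml references a defined TSIG key whose secret is valid base64 and at least as long as the digest of its HMAC algorithm. The element names used (ZoneFetchFile, Signer/Listener/Interface, Adapter/DNS/TSIG, Inbound/RequestTransfer/Remote) are assumed from the OpenDNSSEC 1.4 sample configuration files, since this page's rendering lost them; the sample XML is constructed inline from the values shown on the page.

```python
import base64
import xml.etree.ElementTree as ET

# HMAC digest size in bytes per TSIG algorithm; a shorter secret undercuts it.
DIGEST_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sha256": 32,
                "hmac-sha384": 48, "hmac-sha512": 64}
# Constructed samples with the page's values; element names are assumed from
# the OpenDNSSEC 1.4 sample conf.xml and addns.xml, not taken from this page.
CONF_XML = """<Configuration><Signer><Listener>
  <Interface><Address>192.0.2.100</Address><Port>53</Port></Interface>
</Listener></Signer></Configuration>"""
ADDNS_XML = """<Adapter><DNS>
  <TSIG><Name>secret.example.com</Name><Algorithm>hmac-sha256</Algorithm>
    <Secret>sw0nMPCswVbes1tmQTm1pcMmpNRK+oGMYN+qKNR/BwQ=</Secret></TSIG>
  <Inbound><RequestTransfer><Remote><Address>192.0.2.100</Address>
    <Port>53</Port><Key>secret.example.com</Key></Remote></RequestTransfer></Inbound>
</DNS></Adapter>"""

def check_conf(conf_xml):
    """Return problems found in a migrated conf.xml (empty list means OK)."""
    root, problems = ET.fromstring(conf_xml), []
    if root.find(".//ZoneFetchFile") is not None:  # pre-1.4 element, must go
        problems.append("conf.xml still references the removed zone fetcher")
    if not root.findall("./Signer/Listener/Interface"):
        problems.append("no Signer/Listener/Interface configured")
    return problems

def check_addns(addns_xml):
    """Return problems found in addns.xml: weak secrets, dangling key refs."""
    root, problems, keys = ET.fromstring(addns_xml), [], set()
    for tsig in root.findall("./DNS/TSIG"):
        name, alg = tsig.findtext("Name", ""), tsig.findtext("Algorithm", "").lower()
        keys.add(name)
        try:  # binascii.Error is a ValueError subclass
            raw = base64.b64decode(tsig.findtext("Secret", ""), validate=True)
        except ValueError:
            problems.append(f"TSIG {name}: secret is not valid base64")
            continue
        want = DIGEST_BYTES.get(alg)
        if want is None:
            problems.append(f"TSIG {name}: unsupported algorithm {alg}")
        elif len(raw) < want:
            problems.append(f"TSIG {name}: {len(raw)}-byte secret shorter than {alg} digest")
    for remote in root.findall("./DNS/Inbound/RequestTransfer/Remote"):
        addr, key = remote.findtext("Address"), remote.findtext("Key")
        if key is None:
            problems.append(f"remote {addr}: transfers are not TSIG-signed")
        elif key not in keys:
            problems.append(f"remote {addr}: key {key} is not defined in any TSIG")
    return problems
```

Run both checks on the real files after the migration; an empty list from each is the expected result, and anything else names the element to revisit.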
