Bind 9.9.0B1 Inline-Signing Question
McConville, Kevin
kmcconville at albany.edu
Thu Nov 17 16:55:15 UTC 2011
First off, thank you to all who responded/helped in my previous post - this list is a wonderful community. The inline-signing is now working... sort of.
We edit the static zone, adding a resource record (of any type), increment the serial, and then do an rndc reload. However, BIND is still looking at the previous DNSSEC-signed file - it's not picking up the new records.
Another strange thing is that, using the auto-dnssec maintain option, it is still creating a journal file:
-rw-rw-r-- 1 named root 2250 Nov 17 11:29 ualbanytest.org.db
-rw------- 1 named named 9969 Nov 16 12:04 ualbanytest.org.db.signed
-rw------- 1 named named 13095 Nov 16 11:52 ualbanytest.org.db.signed.jnl
If I do an rndc stop, remove the .signed and .signed.jnl files, and restart named, the new resource records are picked up. But that defeats the point of inline-signing.
Below is info from our named.conf and our log file (we are running it in a chroot as user named):
>>>>>>
options {
    directory "/conf";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    dump-file "/var/run/named.db";
    version "[secured]";
    dnssec-enable yes;
    sig-validity-interval 10;
    dnssec-loadkeys-interval 10;
    empty-zones-enable no;
};

# DNSSEC Zone
zone "ualbanytest.org" {
    type master;
    file "ualbanytest.org.db";
    auto-dnssec maintain;
    inline-signing yes;
    key-directory "/conf";
    serial-update-method increment;
};
>>>>>>>>>
17-Nov-2011 11:29:56.865 general: info: received control channel command 'reload'
17-Nov-2011 11:29:56.865 general: info: loading configuration from '/etc/named.conf'
17-Nov-2011 11:29:56.866 general: info: using default UDP/IPv4 port range: [1024, 65535]
17-Nov-2011 11:29:56.866 general: info: using default UDP/IPv6 port range: [1024, 65535]
17-Nov-2011 11:29:56.867 general: info: sizing zone task pool based on 4 zones
17-Nov-2011 11:29:56.869 general: info: zone ualbanytest.org/IN (signed): (master) removed
17-Nov-2011 11:29:56.869 general: info: reloading configuration succeeded
17-Nov-2011 11:29:56.869 general: info: reloading zones succeeded
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011111701
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011111507 (DNSSEC signed)
17-Nov-2011 11:29:56.871 general: notice: all zones loaded
17-Nov-2011 11:29:56.871 general: notice: running
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (signed): reconfiguring zone keys
17-Nov-2011 11:29:56.872 general: info: zone ualbanytest.org/IN (signed): next key event: 17-Nov-2011 11:39:56.872
17-Nov-2011 11:29:56.872 notify: info: zone ualbanytest.org/IN (signed): sending notifies (serial 2011111507)
>>>>>>>
I'm probably missing something, but this list has really been very helpful. Any ideas or suggestions are greatly appreciated.
Thanks,
-Kevin
Kevin McConville
University at Albany
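The symptom in the post is visible in the two "loaded serial" log lines: the unsigned (raw) instance of the zone loaded serial 2011111701 after the reload, while the signed instance still reports 2011111507 and that is the serial being sent in the notifies. The script below is an added example, not from the original post or from ISC. It parses named log lines for the unsigned and signed "loaded serial" events of an inline-signed zone and flags the case where the signed copy is behind the raw zone, plus a small helper that extracts the SOA serial from a raw zone file so the number in the file can be checked against what named logged. The two log lines are quoted from the post; the sample zone file text is constructed for the example, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): check whether an inline-signed
# zone's signed copy kept up with the raw zone after a reload, using the
# "loaded serial" lines named writes to its log.

# The two "loaded serial" lines quoted in the post above.
SAMPLE_LOG='17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011111701
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011111507 (DNSSEC signed)'

# Constructed raw zone file for the example (not the poster's actual file).
SAMPLE_ZONE='$TTL 3600
@   IN  SOA ns1.ualbanytest.org. hostmaster.ualbanytest.org. (
            2011111701  ; serial
            3600 900 604800 86400 )
    IN  NS  ns1.ualbanytest.org.
ns1 IN  A   192.0.2.1'

# loaded_serial LOG ZONE VARIANT
# Prints the most recent "loaded serial" logged for ZONE's "unsigned" or
# "signed" instance; prints nothing if no such line exists.
loaded_serial() {
    printf '%s\n' "$1" |
        sed -n "s/.*zone $2\/IN ($3): loaded serial \([0-9][0-9]*\).*/\1/p" |
        tail -n 1
}

# soa_serial ZONE_TEXT
# Prints the SOA serial from raw zone file text. Comments are stripped and
# the multi-line parenthesised SOA is flattened, then the third token after
# "SOA" (mname, rname, serial) is taken.
soa_serial() {
    printf '%s\n' "$1" |
        sed 's/;.*//' |
        tr '\n()' '   ' |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); exit } }'
}

# compare_serials LOG ZONE
# Prints "ok <serial>" when the signed copy is at or ahead of the raw zone,
# "lagging <raw> <signed>" when the signed copy is behind it (the post's
# situation), or "missing" when one of the two instances was not logged.
# Returns non-zero for the last two so it can drive a post-reload check.
compare_serials() {
    raw=$(loaded_serial "$1" "$2" unsigned)
    signed=$(loaded_serial "$1" "$2" signed)
    if [ -z "$raw" ] || [ -z "$signed" ]; then
        echo missing
        return 1
    fi
    # Plain integer comparison: RFC 1982 serial wraparound is not modelled,
    # which is fine for YYYYMMDDnn-style serials like the ones in the post.
    if [ "$signed" -lt "$raw" ]; then
        echo "lagging $raw $signed"
        return 1
    fi
    echo "ok $signed"
}

# Demo: the raw file's serial matches what the unsigned instance loaded, but
# the signed copy was not rebuilt, so it is still serving the older serial.
echo "serial in raw zone file: $(soa_serial "$SAMPLE_ZONE")"
if ! compare_serials "$SAMPLE_LOG" ualbanytest.org; then
    echo "raw zone changed but the signed copy was not rebuilt" >&2
fi
```

In practice you would feed the script the tail of named's log after `rndc reload` and compare against the serial in the file you just edited; a "lagging" result reproduces exactly the gap the post describes, where the notifies go out with the old signed serial.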