moving DNSSEC to a hidden master

David Newman dnewman at networktest.com
Sun Oct 13 19:03:44 UTC 2013 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/13/13 1:34 AM, Alan Clegg wrote:
> 
> On Oct 12, 2013, at 7:59 PM, Alan Clegg <alan at clegg.com> wrote:
> 
>> 
>> On Oct 11, 2013, at 10:54 PM, David Newman
>> <dnewman at networktest.com> wrote:
>> 
>>> 4. "Check that the new server is working and you can update the
>>> zone by using nsupdate."
>>> 
>>> This is where things fall apart. I run 'rndc freeze' and
>>> increment the zone file's serial number (or make any other
>>> change), and then run 'rndc thaw' and 'rndc reload'.
>>> 
>>> There's no change in serial number, and there's no error
>>> reported in the logs.
>>> 
>>> What am I missing?
>> 
>> What log messages are you getting from named?

Sorry for not posting these earlier. Here's the log entry, with the
zone name redacted:

('rndc reload' after initial axfr and then becoming master)

Oct 13 11:50:27 uci named[62826]: using built-in root key for view
external-in
Oct 13 11:50:27 uci named[62826]: the working directory is not writable
Oct 13 11:50:27 uci named[62826]: zone example.org/IN/external-in
(signed): receive_secure_serial: unchanged
Oct 13 11:50:28 uci named[62826]: all zones loaded
Oct 13 11:50:28 uci named[62826]: running

('rndc reload' after incrementing serial number in zone file)

Oct 13 11:51:22 uci named[62826]: using built-in root key for view
internal-in
Oct 13 11:51:22 uci named[62826]: using built-in root key for view
external-in
Oct 13 11:51:22 uci named[62826]: the working directory is not writable
Oct 13 11:51:22 uci named[62826]: all zones loaded
Oct 13 11:51:23 uci named[62826]: running


> What is the "zone" entry in your named.conf that relates to the
> zone in question?

Here are the logging, options, and zone parts of named.conf:

options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        transfer-format many-answers;
        max-transfer-time-in 60;
        masterfile-format text;
	    allow-query { trusted; };
        allow-query-cache { trusted; };
        allow-transfer { external-xfer; internal-xfer; };
        version none;
        // DNSSEC stuff
        dnssec-enable yes;
        managed-keys-directory "managed-keys";
        dnssec-validation auto;

	..

};

logging {

	channel "default_syslog" {
		// Send most of the named messages to syslog.
		syslog local2;
		severity debug 1;
	};

	channel audit_log {
		// Send the security related messages to a separate file.
		file "/var/log/named.log" versions 7 size 1m;
		severity debug 1;
		print-time yes;
	};

	category default { default_syslog; };
	category general { default_syslog; };
	category security { audit_log; default_syslog; };
	category config { default_syslog; };
	category resolver { audit_log; };
	category xfer-in { audit_log; };
	category xfer-out { audit_log; };
	category notify { audit_log; };
	category client { audit_log; };
	category network { audit_log; };
	category update { audit_log; };
	category queries { audit_log; };
	category lame-servers { audit_log; };

};

view "external" in {

..

	zone "example.com" in {
		type master;
 		file "dynamic/example.org/example.org.db";
		allow-query { any; };
		allow-transfer { external-xfer; };
		notify yes;
		key-directory "managed-keys/example.org";
		inline-signing yes;
		auto-dnssec maintain;
	};

};



>> 
>> I would strongly recommend forgetting all about "freeze the zone
>> and edit" as a method of updating... move completely to dynamic
>> zones if at all possible.

I've been resisting this, mostly because I have a lot of static zones
and I'm lazy. I know ISC has been moving toward dynamic zones, but are
they really required to run DNSSEC?

> 
> And yes, I noticed that you say there are no errors in the logs...
> there may be no "errors", but if BIND isn't logging anything, I'm
> extremely curious as to what your logging stanza has in it.
> 
> If it's not logging, turn some on (or up) so that we can help you
> figure out the problem.  In worst case, strip out any keying
> material and just post your entire config file.
> 
> At this point, we are all shooting in the dark.

Hope these entries help. Thanks in advance for more troubleshooting
clues...I'm sure this is easy, and I'm just missing some basic config
issue.

dn

> 
> AlanC
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJa7pAACgkQyPxGVjntI4IuhACg10jF/MHLLlXKt3fLxXWndZNm
p0sAoMUIvcSGMai5Q9mPrQPof4FuBkUR
=uQs/
-----END PGP SIGNATURE-----

More information about the bind-users mailing list