Converting an inline-signed zone to unsigned

Chris Thompson cet1 at cam.ac.uk
Thu Mar 6 17:45:00 UTC 2014


On Feb 19 2014, Alan Clegg wrote:

>On 2/19/14, 8:59 PM, Chris Thompson wrote:
>> What is the right way ... or maybe I should be asking IS there a right
>> way ... to change a zone that has been signed by inline signing (i.e. with
>> "inline-signing yes; auto-dnssec maintain;" in its zone statement) to
>> unsigned?
>> 
>> When I change the zone statement to remove the inline signing part, and
>> update the SOA serial in the zone file for good measure, and then do
>> either "rndc reload" or "rndc reconfig", I get messages like
>> 
>> named[22954]: general: error: zone playground.test/IN:
>>   journal rollforward failed: journal out of sync with zone
>> named[22954]: general: error: zone playground.test/IN:
>>   not loaded due to errors.
>> 
>> and the zone goes into SERVFAIL state.
>> 
>> The only way I found out of this was to remove the [zone-file].signed
>> and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig".
>> Surely there must be something better than that?
>> 
>
>Have you tried setting "dnssec-secure-to-insecure" then setting all of
>the keys to deleted?

Thanks - I have now tried that (set the deletion date to "now" with
dnssec-settime), and it does work. You end up with a [zone-file].signed
which is not actually signed being served, but being maintained from
[zone-file] in an incremental way.

I suppose this is indeed the way to go with the flow of inline signing.
You don't even have to have any keys for the zone in the key directory
initially. It's the transition between having "inline-signing yes" and
"inline-signing no" in the zone definition that seems to expose rough
edge cases. 

I still have to investigate the problem that Graham Clinch reported,
and see whether that might be a show-stopper for the application of
inline signing that I have in mind.

More generally: it's a pity that there isn't any real documentation
of inline signing in the ARM, just the examples in ISC's KB articles.
Some clearer explanation of which options "inline-signing yes" is
(in)compatible with would be helpful. For example, it obviously turns
on some sort of moral equivalent of "ixfr-from-differences yes" on
the unsigned version of the zone, but would turning inline signing
on (or off) work better if this were specified explicitly? And the
examples have "auto-dnssec maintain", but would "auto-dnssec allow"
work?

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
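
The secure-to-insecure transition described in this message, written out as an added example (not from the original post or from ISC's documentation); the key directory path and the key file name are hypothetical placeholders:

```conf
// Zone statement during the transition to unsigned. The zone stays
// inline-signed while the keys are retired, so named keeps maintaining
// playground.test.signed incrementally from the unsigned source file.
zone "playground.test" {
    type master;
    file "playground.test";                // unsigned source zone, edited by hand
    key-directory "/var/named/keys";       // assumed location of the K* files
    inline-signing yes;
    auto-dnssec maintain;
    dnssec-secure-to-insecure yes;         // allow named to drop the last key and go unsigned
};

// Retire every key for the zone by setting its deletion date to "now",
// then tell named to re-read the key directory (one dnssec-settime run per key):
//
//   dnssec-settime -K /var/named/keys -D now Kplayground.test.+008+NNNNN   # NNNNN: placeholder key id
//   rndc loadkeys playground.test
//   rndc signing -list playground.test    # confirm no signing operations remain
//
// Only remove "inline-signing yes;" afterwards, once the parent's DS record
// is gone and its TTL has expired; otherwise validating resolvers will treat
// the now-unsigned answers as bogus until the DS disappears from caches.
```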