dnssec update
Graham Clinch
g.clinch at lancaster.ac.uk
Wed Mar 11 09:17:08 UTC 2015
> I configure bind to serve "example.com" domain with
>
> 1. dnssec-enable yes;
> 2. auto-dnssec maintain;
> 3. inline-signing yes;
> 4. allow-update{localhost;};
>
> BIND can do fully automatic DNSSEC signing on example.com, but what if I
> want to modify a record in the example.com zone in the zone file directly,
> without using nsupdate for the dynamic zone?
>
> How can I force BIND to read from the modified zone file and sign it
> immediately, as with manual signing in an older version?
The same as without any dnssec at all - edit the zonefile (including
increasing the serial number), and call 'rndc reload example.com'. The
signed version of the zone will be updated as required - existing
signatures that are still valid won't be replaced (unless they expire
soon, etc.).
However, the 'allow-update' stanza makes me wonder whether you're mixing
dynamic updates with manual zonefile changes - I'm not sure whether
inline-signing can support a mixture of dynamic and manual
modifications. If you do need to support this mixed style, Tony Finch
has a script that will generate nsupdate-style change commands from the
difference between two manual zonefiles:
http://dotat.at/prog/nsdiff/
If you used this, you wouldn't enable inline-signing at all, since all
changes would be dynamic.
Graham
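The procedure in the reply (edit the zonefile, raise the SOA serial, tell named to reload, then confirm the served zone carries signatures) as a small POSIX shell helper. This is an added example, not code from the thread or from ISC; it assumes the zone file keeps its SOA serial on a line tagged with a `; serial` comment, as in the constructed sample zone the script writes, and that `named-checkzone`, `rndc` and `dig` are on the PATH of the host running named.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumption: the SOA serial
# sits on its own line followed by a "; serial" comment.
set -eu

# Write a constructed sample zone file to the given path, for trying the
# helpers without touching a real zone.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2015031001 ; serial
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; minimum
    IN NS  ns1.example.com.
ns1 IN A   192.0.2.1
www IN A   192.0.2.10
EOF
}

# Print the current SOA serial (first field of the "; serial" line).
get_serial() {
    awk '/;[[:space:]]*serial/ { print $1; exit }' "$1"
}

# Rewrite the zone file with the serial increased by one and print the new
# value. Only the first "; serial" line is touched; the rest is copied as-is.
bump_serial() {
    zonefile=$1
    old=$(get_serial "$zonefile")
    new=$((old + 1))
    tmp="$zonefile.tmp"
    awk -v old="$old" -v new="$new" '
        !done && /;[[:space:]]*serial/ { sub(old, new); done = 1 }
        { print }' "$zonefile" > "$tmp"
    mv "$tmp" "$zonefile"
    echo "$new"
}

# Bump the serial, syntax-check the file, and ask the running named to
# re-read it. With inline-signing, named re-signs only what the change
# requires, as the reply describes.
publish_change() {
    zone=$1
    zonefile=$2
    serial=$(bump_serial "$zonefile")
    named-checkzone "$zone" "$zonefile" >/dev/null
    rndc reload "$zone"
    echo "reloaded $zone, file serial now $serial"
}

# Confirm the reloaded zone is answered with signatures. Succeeds when the
# SOA answer from the server carries an RRSIG.
check_signed() {
    zone=$1
    server=${2:-127.0.0.1}
    dig +dnssec +noall +answer @"$server" "$zone" SOA | grep -q RRSIG
}

# Usage: ./publish.sh publish example.com /var/named/db.example.com
if [ "${1:-}" = "publish" ]; then
    publish_change "$2" "$3"
    check_signed "$2" && echo "$2 served with RRSIGs"
fi
```

The check looks for an RRSIG rather than comparing serials because, with inline-signing, named keeps its own serial for the signed copy it serves, which is normally higher than the one in the unsigned file; the file serial only needs to go up so that named notices the edit.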