dnssec update

Graham Clinch g.clinch at lancaster.ac.uk
Wed Mar 11 09:17:08 UTC 2015


> I configure BIND to serve the "example.com" domain with
> 
> 1.       dnssec-enable yes;
> 2.       auto-dnssec maintain;
> 3.       inline-signing yes;
> 4.       allow-update{localhost;};
> 
> BIND can do fully automatic DNSSEC signing on example.com, but I want to
> modify a record in the example.com zone's file directly without
> using nsupdate for the dynamic zone.
> 
> How can I force BIND to read from the modified zone's file and sign it
> immediately, like manual signing in an older version?

The same as without any DNSSEC at all - edit the zonefile (including
increasing the serial number), and call 'rndc reload example.com'.  The
signed version of the zone will be updated as required - existing
signatures that are still valid won't be replaced (unless they expire
soon, etc.).

However, the 'allow-update' stanza makes me wonder whether you're mixing
dynamic updates with manual zonefile changes - I'm not sure whether
inline-signing can support a mixture of dynamic and manual
modifications.  If you do need to support this mixed style, Tony Finch
has a script that will generate nsupdate-style change commands from the
difference between two manual zonefiles:

http://dotat.at/prog/nsdiff/

If you used this, you wouldn't enable inline-signing at all, since all
changes would be dynamic.

Graham
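The manual workflow from the reply above, as an added example that is not part of the original thread: bump the SOA serial of a zone file and then hand the zone to the running named with 'rndc reload example.com'. The helper functions, the serial policy (today's YYYYMMDD00 if that is larger than the current serial, otherwise current+1) and the sample zone file are constructed for illustration; the script assumes the SOA record sits on a single line, and it only calls rndc when the binary is actually present.

```shell
#!/bin/sh
# Added example, not code from the original bind-users thread.
# Assumes: one SOA record on a single line; serial policy is
# max(today's YYYYMMDD00, old + 1). Zone data below is constructed.
set -eu

# Print the serial of the first single-line SOA record in a zone file.
soa_serial() {
    awk '
        /[ \t]SOA[ \t]/ && !done {
            for (i = 1; i <= NF; i++) if ($i == "SOA") { print $(i + 3); done = 1; break }
        }' "$1"
}

# Rewrite the SOA serial in place and print the new value. BIND only picks
# up a reloaded zone file if the serial went up, so this is the step that
# must not be forgotten. (Field reassignment in awk collapses the SOA
# line's whitespace to single spaces; harmless for named.)
bump_serial() {
    file=$1
    today=$(date +%Y%m%d)00
    awk -v today="$today" '
        /[ \t]SOA[ \t]/ && !done {
            for (i = 1; i <= NF; i++) if ($i == "SOA") {
                old = $(i + 3) + 0
                $(i + 3) = (today + 0 > old) ? today : old + 1
                done = 1; break
            }
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    soa_serial "$file"
}

# Ask the running named to re-read the zone. With inline-signing the signed
# copy is regenerated from it; still-valid signatures are kept.
reload_zone() {
    rndc reload "$1"
}

# Constructed sample zone file (not a real zone).
ZONEFILE=${TMPDIR:-/tmp}/example.com.zone.$$
cat > "$ZONEFILE" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. 2015031101 3600 900 1209600 300
@   IN NS  ns1.example.com.
ns1 IN A   192.0.2.1
www IN A   192.0.2.10
EOF

echo "serial before: $(soa_serial "$ZONEFILE")"
# The manual edit: append a record the way you would in an editor.
printf 'mail IN A   192.0.2.25\n' >> "$ZONEFILE"
echo "serial after:  $(bump_serial "$ZONEFILE")"

if command -v rndc >/dev/null 2>&1; then
    reload_zone example.com
else
    echo "rndc not found; skipping 'rndc reload example.com'"
fi
rm -f "$ZONEFILE"
```

If bump_serial is run twice on the same day the second call adds one rather than going backwards, which is the property that matters: a serial that does not increase leaves named serving the old zone after the reload.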

