Followup: BIND 9.10.6-P1 dnssec update zone A record

Kim Culhan w8hdkim at gmail.com
Thu Mar 29 22:24:27 UTC 2018


On Thu, Mar 29, 2018 at 5:17 PM, Douglas C. Stephens <stephens at ameslab.gov> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Kim,
>
> I run BIND 9.11 so this might or might not translate down to BIND 9.10.
>
> When this happens to me, I run "rndc zonestatus <zonename>" on it.
> Then I look for the "serial:" and "signed serial:" values.
>

Running rndc zonestatus <zonename>

FWIW returns serial: and signed serial: which are not the same and are from
1 day ago.

> Normally, you would be correct in only needing to increment the
> unsigned SOA serial to at least +1 larger than the "serial:" value
> shown by the above output.  Sometimes, however, to make BIND load the
> update, I need to increase the SOA serial in the unsigned zone file to
> be higher than the SOA serial signed zone file.  Then run "rndc reload
> <zonename>".
>
> Another thing to check is whether you're actually checking the zone
> serial of a slave instead of at the master BIND doing the signing.  If
> so, are they higher than the signed zone serial at your master?
>

ATM there are 2 masters, I'm working on 1 now.


>
> Also, something that looks odd to me compared with my live running
> config is your "file" line.  Does that "domain.com.signed" filespec
> actually point to the BIND-maintained .signed file, or does it mean
> something else?  If the latter, then I would guess you have a
> "domain.com.signed.signed" file alongside it which is the one
> maintained by BIND.
>

Yes, this is true: domain.com.signed.signed

>
> I'm also using "auto-dnssec maintain" and "inline-signing yes", but my
> zone "file" points to my unsigned zone file, while the .signed version
> (and its .signed.jnl) is wholly created and maintained by BIND.


I have those files but I don't know how to get BIND to maintain them.

That appears to be the problem.

This helps, I'm not sure where to go from here though.

I've googled this for hours and keep thinking the solution is just another
google away but just now I'm not so sure.

> Hope this helps.


This helps and thanks for replying to my post.

-kim


> On 3/29/2018 3:15 PM, Kim Culhan wrote:
> > Some additional info here, from named.conf, dnssec config:
> >
> > options {
> >     directory "/var/named";
> >     [lines omitted]
> >     dnssec-validation auto;
> >     managed-keys-directory "/var/named/keys";
> >
> > From the zone section:
> >
> >     file "domain.com.signed";
> >     key-directory "/var/named/keys/domain.com";
> >     auto-dnssec maintain;
> >     inline-signing yes;
> >
> > Zone file is in /var/named
> >
> > Sorry did not include this in the original post.
> >
> > thanks -kim
> >
> > _______________________________________________ Please visit
> > https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> > from this list
> >
> > bind-users mailing list bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> >
>
> - --
> Douglas C. Stephens             | Network Systems Analyst
> Enterprise Information Services | Phone: (515) 294-6102
> Ames Laboratory, US DOE         | Email: stephens at ameslab.gov
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.17 (MingW32)
>
> iEYEARECAAYFAlq9V+MACgkQ46phdn656QQGdgCfdyHd1QaeNvrF1v2p+yXqdqtE
> pisAoIQPCgKPMKUJpP/mCLITTgP43+1P
> =D7S2
> -----END PGP SIGNATURE-----
>
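The two checks Douglas describes above (compare "serial:" with "signed serial:" from `rndc zonestatus`, and make sure the zone's "file" is the unsigned zone rather than the .signed file) can be scripted. The following is an added example written for this thread; it is not code from the list, from Kim, from Douglas, or from ISC. The zonestatus output, the zone name "domain.com" and the unsigned file name "domain.com.db" are constructed for the example, and the function names are hypothetical. Only the two serial lines are parsed, so the other zonestatus lines are just illustrative.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC). Automates the checks described
# above: (1) derive, from `rndc zonestatus` output, an unsigned SOA serial that is
# higher than BOTH "serial:" and "signed serial:", so `rndc reload` will pick it up;
# (2) reject a zone stanza whose "file" already ends in ".signed" while
# inline-signing is on, which is what yields domain.com.signed.signed.

# Constructed sample of `rndc zonestatus domain.com` output (only the two
# serial lines are parsed; the rest is illustrative).
ZONESTATUS_SAMPLE='name: domain.com
type: master
files: domain.com.db
serial: 2018032801
signed serial: 2018032805
secure: yes
inline signing: yes
key maintenance: automatic'

# Constructed stanza mirroring the one in the thread: "file" names the .signed file.
BAD_STANZA='zone "domain.com" {
    type master;
    file "domain.com.signed";
    key-directory "/var/named/keys/domain.com";
    auto-dnssec maintain;
    inline-signing yes;
};'

# Corrected form: "file" is the unsigned zone (assumed name domain.com.db);
# named then creates and maintains domain.com.db.signed and domain.com.db.signed.jnl.
GOOD_STANZA='zone "domain.com" {
    type master;
    file "domain.com.db";
    key-directory "/var/named/keys/domain.com";
    auto-dnssec maintain;
    inline-signing yes;
};'

# Read zonestatus output on stdin and print the serial to put in the unsigned
# zone file: one more than the larger of "serial:" and "signed serial:".
# Exits 1 if either line is missing, so a wrong zone name is not silently "fixed".
next_unsigned_serial() {
    awk '
        $1 == "serial:"                   { unsigned = $2 }
        $1 == "signed" && $2 == "serial:" { signed = $3 }
        END {
            if (unsigned == "" || signed == "") {
                print "serial lines not found in zonestatus output" > "/dev/stderr"
                exit 1
            }
            max = (signed + 0 > unsigned + 0) ? signed + 0 : unsigned + 0
            printf "%.0f\n", max + 1   # %.0f: avoids 32-bit %d overflow in some awks
        }'
}

# Check one zone stanza (passed as a single string). Returns 0 if "file" is an
# unsigned zone, 1 if inline-signing is on and "file" already ends in ".signed",
# 2 if no file statement is present.
check_zone_stanza() {
    stanza=$1
    file=$(printf '%s\n' "$stanza" | sed -n 's/.*file "\([^"]*\)".*/\1/p' | head -n 1)
    case $stanza in
        *"inline-signing yes"*) inline=yes ;;
        *)                      inline=no  ;;
    esac
    if [ -z "$file" ]; then
        echo "no file statement found" >&2
        return 2
    fi
    if [ "$inline" = yes ] && [ "${file%.signed}" != "$file" ]; then
        echo "BAD: file \"$file\" already ends in .signed; named will maintain \"$file.signed\""
        return 1
    fi
    echo "OK: file \"$file\" is the unsigned zone; named will maintain \"$file.signed\""
    return 0
}

# Demo: `sh thisscript.sh --demo`
case "${1-}" in
    --demo)
        printf '%s\n' "$ZONESTATUS_SAMPLE" | next_unsigned_serial
        check_zone_stanza "$BAD_STANZA" || true
        check_zone_stanza "$GOOD_STANZA"
        ;;
esac
```

On a live master the first function is fed with `rndc zonestatus domain.com | next_unsigned_serial`; the printed value goes into the SOA of the unsigned zone file, followed by `rndc reload domain.com`. Run the check on the master that does the signing, not on a slave, since a slave's serial reflects what it last transferred rather than what the signer is working from.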