Dynamic update of signed zone issues
Jonathan Petersson
jpetersson at garnser.se
Sat Feb 2 11:47:44 UTC 2008
Hi.
I'm currently trying to figure out how to get dynamic updates of a
signed zone to work. So far I've done the following:
dnssec-keygen -a rsasha1 -b 1024 -n zone example.com
dnssec-keygen -k -a rsasha1 -b 1024 -n zone example.com
cat Kexample.com.*.key >> example.com.db
dnssec-signzone -t -g -o example.com example.com.db Kexample.com.+005.59358.private
Added this to named.conf
zone "example.com" IN {
    type master;
    file "data/example.com.db.signed";
    update-policy {
        grant example.com. subdomain example.com any;
    };
};
Now when running nsupdate:
nsupdate -d -v -k Kexample.com.+005+12345.private
server 123.123.123.123
zone example.com
update delete test.example.com. A
update add test.example.com. 3600 A 231.231.231.231
show
send
show
Everything seems fine from the nsupdate standpoint, but when looking at a
zone transfer the following data appears:
test.example.com. 3600 IN NSEC www.example.com. A NSEC
test.example.com. 3600 IN A 123.123.123.123
I.e. RRSIG is missing.
If I re-sign the signed zone and restart the bind server it all appears
right, but then you kinda lose the point of dynamic DNS.
Please advise on what I'm missing.
PS. Works fine with removing...
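The symptom above (an RRset present in the transfer with no covering RRSIG) is easy to miss by eye in a large zone. The following is an added example, not part of the original post or of BIND: a small Python check that reads the text form of a zone transfer as `dig axfr` prints it, groups records by owner and type, and lists the RRsets that no RRSIG covers. The sample transfer embedded in it is constructed to mirror the post's `test.example.com.` records.

```python
"""Report RRsets in a zone-transfer dump that have no covering RRSIG.

Added example; not code from the original post or from BIND. It parses
dig-style presentation lines ("owner ttl IN type rdata...") and compares the
set of (owner, type) pairs present with the set that RRSIG records cover.
"""
from collections import namedtuple

RR = namedtuple("RR", "owner ttl rtype rdata")

# Constructed sample of what `dig axfr example.com @server` might print after
# a dynamic update that was accepted but never signed (the post's symptom).
SAMPLE_AXFR = """\
example.com.        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2008020201 3600 900 604800 3600
example.com.        3600 IN RRSIG SOA 5 2 3600 20080303000000 20080201000000 59358 example.com. AAAA...
example.com.        3600 IN NS    ns1.example.com.
example.com.        3600 IN RRSIG NS 5 2 3600 20080303000000 20080201000000 59358 example.com. AAAA...
test.example.com.   3600 IN NSEC  www.example.com. A NSEC
test.example.com.   3600 IN A     123.123.123.123
www.example.com.    3600 IN A     123.123.123.124
www.example.com.    3600 IN RRSIG A 5 3 3600 20080303000000 20080201000000 59358 example.com. AAAA...
"""


def parse_rrs(text):
    """Yield RR tuples from presentation-format lines; skip comments/blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # Expect: owner ttl class type rdata...; only class IN is handled here.
        if len(fields) < 4 or fields[2] != "IN":
            continue
        yield RR(fields[0], fields[1], fields[3], fields[4:])


def unsigned_rrsets(text):
    """Return sorted (owner, type) pairs that appear with no covering RRSIG."""
    present = set()
    covered = set()
    for rr in parse_rrs(text):
        if rr.rtype == "RRSIG":
            # The first rdata field of an RRSIG is the type it covers.
            covered.add((rr.owner, rr.rdata[0]))
        else:
            present.add((rr.owner, rr.rtype))
    return sorted(present - covered)


if __name__ == "__main__":
    for owner, rtype in unsigned_rrsets(SAMPLE_AXFR):
        print(f"unsigned RRset: {owner} {rtype}")
```

Run it against a real dump by replacing `SAMPLE_AXFR` with the output of `dig axfr` saved to a file. Delegation NS records and glue below a zone cut are expected to appear unsigned, so filter those out before treating a hit as a re-signing failure; anything else the check lists is what a validating resolver will reject.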