Dynamic update of signed zone issues
Mark Andrews
Mark_Andrews at isc.org
Sat Feb 2 13:32:01 UTC 2008
> Hi.
>
> I'm currently trying to figure out how to get dynamic updates of a
> signed zone to work. So far I've done the following:
>
> dnssec-keygen -a rsasha1 -b 1024 -n zone example.com
> dnssec-keygen -k -a rsasha1 -b 1024 -n zone example.com
> cat Kexample.com.*.key >> example.com.db
> dnssec-signzone -t -g -o example.com example.com.db Kexample.com.+005.59358.private
>
> Added this to named.conf
> zone "example.com" IN {
>     type master;
>     file "data/example.com.db.signed";
>     update-policy {
>         grant example.com. subdomain example.com any;
>     };
> };
>
> Now when running nsupdate:
>
> nsupdate -d -v -k Kexample.com.+005+12345.private
> server 123.123.123.123
> zone example.com
> update delete test.example.com. A
> update add test.example.com. 3600 A 231.231.231.231
> show
> send
> show
>
> Everything seems fine from the nsupdate standpoint, but when looking at a
> zone transfer the following data appears:
>
> test.example.com. 3600 IN NSEC www.example.com. A NSEC
> test.example.com. 3600 IN A 123.123.123.123
>
> I.e. RRSIG is missing.
>
> If I re-sign the signed zone and restart the bind server it all appears
> right, but then you kinda lose the point of dynamic DNS.
>
> Please advise on what I'm missing.
>
> PS. Works fine with removing...
Did you tell named where to find the private key? By default
named looks in the working directory.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
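An added check, not part of the thread, that turns the symptom described above (an NSEC present but no RRSIG after a dynamic update) into something you can test for routinely: it reads zone transfer text and lists every owner/type pair that has no covering RRSIG. The sample input below is constructed to mirror the quoted AXFR output; on a live server, feed it the output of `dig @127.0.0.1 example.com AXFR` instead.

```shell
#!/bin/sh
# Added example (not from the original thread). Given the text of a zone
# transfer, print each owner/type pair that no RRSIG covers. After a
# dynamic update on a signed zone, this output should be empty; a record
# that named could not sign (e.g. because it could not find the private
# key) shows up here.

# Constructed sample modelled on the AXFR output quoted in the question:
# the dynamically added A record at test.example.com. has an NSEC but no
# RRSIG for either the A or the NSEC RRset. Signature data is a placeholder.
SAMPLE_AXFR='example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2008020201 3600 900 604800 300
example.com. 3600 IN RRSIG SOA 5 2 3600 20080303000000 20080201000000 12345 example.com. AAAA
www.example.com. 3600 IN A 123.123.123.124
www.example.com. 3600 IN RRSIG A 5 3 3600 20080303000000 20080201000000 12345 example.com. AAAA
test.example.com. 3600 IN NSEC www.example.com. A NSEC
test.example.com. 3600 IN A 123.123.123.123'

# find_unsigned ZONE_TEXT
# Fields in dig/AXFR presentation format: owner TTL class type rdata...
# For an RRSIG the first rdata field ($5) is the type it covers.
find_unsigned() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^;/ || NF < 5 { next }                 # skip comments/blank lines
        $4 == "RRSIG"       { signed[$1 " " $5] = 1; next }
                            { seen[$1 " " $4] = 1 }  # every non-RRSIG RRset
        END {
            for (k in seen) if (!(k in signed)) print k
        }' | LC_ALL=C sort
}

find_unsigned "$SAMPLE_AXFR"
```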