Upgrading from 9.6 to 9.7
Timothe Litt
litt at acm.org
Tue Sep 7 01:42:44 UTC 2010
Thanks - a couple of clarifying questions.
From: Mark Andrews [mailto:marka at isc.org]
Sent: Monday, September 06, 2010 19:57
To: Timothe Litt
Cc: bind-users at isc.org
Subject: Re: Upgrading from 9.6 to 9.7
In message <A312010A27F14658B095B6523E39B920 at sb.litts.net>, "Timothe Litt" writes:
> I've been running 9.6-ESV-R1 and 9.6.1-P3 with
> "-DALLOW_INSECURE_TO_SECURE -DALLOW_SECURE_TO_INSECURE" serving DNSSEC
> zones on several servers - all Linux, some FC13, others on ARM embedded
> systems.
>> -DALLOW_INSECURE_TO_SECURE is always allowed.
>> -DALLOW_SECURE_TO_INSECURE is a named.conf option
>> dnssec-secure-to-insecure <boolean>;
> Is there any documentation for what I need to do to convert from this
> interim dnssec auto-signing mechanism to the 9.7.1-P2 release?
>> Just allow key changes to become stable, then remove the
>> sig-signing-type records.
These are the TYPE 65534 records? E.g. dig axfr reports these:
example.com. 0 IN TYPE65534 \# 5 0797800001
How can I tell that key changes are 'stable'? (The only changes going on at
present are the automagic re-signing (sig-validity-interval 8 2;) plus DHCP updates.)
Will nsupdate allow me to delete these? (All the zones are, of course, dynamic.)
The ARM (p 24) seems to indicate that BIND 9.7 still uses them - are you
saying that I need to delete them under the old version before starting the new?
This would be a bit tricky, since as long as the master is up, DHCP and other
DDNS updates will arrive at unpredictable times - and of course that triggers
re-signing. If the master is down, I guess I could AXFR from one of the slaves
to get a consistent copy. But if I restart the master with those files (dozens
of them), I'd have to delete the journals - would state then be lost? Or do the
slaves have everything required?
> Are there interoperability issues between these versions?
>> No.
So would you suggest upgrading the slaves before the master, or the master first?
And I can use my existing key-directory (ies - 1/view) and zone/journal files -
no changes required?
> To make life more interesting, I not only want to update all my
> servers, but also must move the master server to a new host - with
> selinux (fedora core 13).
>
> Is there any 'getting started' presentation (esp for DNSEC) on 9.7?
> There was a "DNSSEC in (a few) minutes" presentation for bind, but I
> haven't seen an update for 97. The ARM is great reference, but not
> easy to decipher for upgrade situations...
>> Read up on "rndc sign" and "auto-dnssec". 9.7 also introduced "managed-keys"
>> for setting up trusted keys which are using RFC 5011 management techniques.
I'm looking forward to these - once I understand how they work and how to get
them to do the most magic for me... And how to get the rest into my web GUI &
cron - e.g. I want to end up with a button that says "roll key for this zone",
with all the delays and key generation and adds and removes just happening...
> (I'd be happy to move this to dnssec-deployment if the consensus is
> that it belongs there.)
>
> Thanks.
>
> ---------------------------------------------------------
> This communication may not represent my employer's views, if any, on
> the matters discussed.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
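The question above of how to tell that key changes are "stable" comes down to reading the TYPE65534 private-type records that the thread quotes. The following is an added example, not code from the thread or from ISC: it decodes the generic `\# <len> <hex>` RDATA that dig prints for such records. The 5-byte layout assumed here (algorithm, 2-byte key tag, removal flag, complete flag) is the one documented for BIND's signing-status private type; the second sample record, showing a key removal still in progress, is constructed for illustration.

```python
"""Decode BIND signing-status (TYPE65534) records from `dig axfr` output.

Added example; the RDATA layout is assumed to be BIND's documented
private-type format: algorithm(1) key-tag(2, big-endian) removal(1) complete(1).
"""
import re
import sys
from dataclasses import dataclass

# Generic-RDATA form that dig prints for a type it has no presentation format for:
#   example.com. 0 IN TYPE65534 \# 5 0797800001
RECORD_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+TYPE65534\s+\\#\s+"
    r"(?P<len>\d+)\s+(?P<hex>[0-9A-Fa-f\s]+)$"
)


@dataclass(frozen=True)
class SigningStatus:
    name: str
    algorithm: int
    keyid: int
    removing: bool   # removal flag: signatures by this key are being stripped
    complete: bool   # complete flag: that add/remove pass has finished


def parse_status_record(line):
    """Return a SigningStatus for a TYPE65534 line, or None for any other record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rdata = bytes.fromhex(re.sub(r"\s+", "", m.group("hex")))
    if len(rdata) != int(m.group("len")) or len(rdata) != 5:
        raise ValueError("unexpected TYPE65534 RDATA in: %r" % line)
    return SigningStatus(
        name=m.group("name"),
        algorithm=rdata[0],
        keyid=int.from_bytes(rdata[1:3], "big"),
        removing=bool(rdata[3]),
        complete=bool(rdata[4]),
    )


def signing_statuses(lines):
    """All TYPE65534 records found in an AXFR dump (other records are ignored)."""
    return [s for s in map(parse_status_record, lines) if s is not None]


def pending_key_changes(lines):
    """Statuses whose complete flag is still clear, i.e. signing work in progress.

    An empty result means every recorded key change has finished; that is the
    point at which the status records themselves can be cleaned up.
    """
    return [s for s in signing_statuses(lines) if not s.complete]


# Constructed sample AXFR fragment: the record quoted in the thread (algorithm 7,
# key tag 38784, signing complete) plus a hypothetical removal still running.
SAMPLE_AXFR = """\
example.com. 86400 IN SOA ns1.example.com. hostmaster.example.com. 2010090701 7200 3600 1209600 3600
example.com. 0 IN TYPE65534 \\# 5 0797800001
example.com. 0 IN TYPE65534 \\# 5 0712340100
"""

if __name__ == "__main__":
    # Usage: dig @master example.com axfr | python3 signing_status.py
    src = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_AXFR.splitlines()
    for s in signing_statuses(src):
        state = ("removal" if s.removing else "signing") + (" complete" if s.complete else " IN PROGRESS")
        print("%s alg=%d keyid=%d: %s" % (s.name, s.algorithm, s.keyid, state))
    sys.exit(1 if pending_key_changes(src) else 0)
```

Pipe a zone transfer from the master into the script; a non-zero exit means at least one key add or removal has not yet been marked complete, so the zone is not yet in the "stable" state the reply describes. Run against the record quoted above, the decoder reports algorithm 7, key tag 38784, removal flag clear and complete flag set.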