Bind 9.9.0b2 inline signing...

Spain, Dr. Jeffry A. spainj at countryday.net
Tue Nov 22 19:34:46 UTC 2011


Kevin: I did something similar, using nsupdate to modify the unsigned zone instead of a manual edit. The myzone.db, myzone.db.jnl, myzone.db.signed, and myzone.db.signed.jnl files all get updated appropriately. "rndc reload" is not necessary. It is interesting to note that the serial number in the signed zone gets incremented more than the serial number in the unsigned zone. A dig request for the SOA record returns the serial number from the signed zone.

To allow for this I have the following in my configuration file:

zone "myzone" {
                type master;
                file "/var/lib/bind/myzone/myzone.db";
                key-directory "/var/lib/bind/myzone";
                update-policy local;
                auto-dnssec maintain;
                inline-signing yes;
};

I'll give it a try with a manual edit and let you know. Jeff.

From: bind-users-bounces+spainj=countryday.net at lists.isc.org [mailto:bind-users-bounces+spainj=countryday.net at lists.isc.org] On Behalf Of McConville, Kevin
Sent: Tuesday, November 22, 2011 11:58 AM
To: bind-users at lists.isc.org
Subject: Bind 9.9.0b2 inline signing...

I have opened up a Bug ticket with ISC on this - #26676, but I just wanted to make sure that I'm not doing anything "wrong" that may be causing the issue.

Has anyone been able to get inline-signing to work on a static master zone using an authoritative server?

When we manually change the Master static zone file - ualbanytest.org - the signed and signed.jnl files are not getting an update - as shown by the time/date stamps below (just using rndc reload).

-rw-rw-r-- 1 named root   1077 Nov 22 11:22 ualbanytest.org
-rw------- 1 named named  9415 Nov 22 11:14 ualbanytest.org.signed
-rw------- 1 named named 12041 Nov 22 11:02 ualbanytest.org.signed.jnl

The log shows the correct serial for the unsigned zone, but then pulls the wrong signed file.
>>>>>>>
22-Nov-2011 11:25:28.314 general: info: received control channel command 'reload'
22-Nov-2011 11:25:28.314 general: info: loading configuration from '/etc/named.conf'
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv4 port range: [1024, 65535]
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv6 port range: [1024, 65535]
22-Nov-2011 11:25:28.316 general: info: sizing zone task pool based on 4 zones
22-Nov-2011 11:25:28.318 general: info: zone ualbanytest.org/IN (signed): (master) removed
22-Nov-2011 11:25:28.318 general: info: reloading configuration succeeded
22-Nov-2011 11:25:28.318 general: info: reloading zones succeeded
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011112201
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011112114 (DNSSEC signed)
22-Nov-2011 11:25:28.320 general: notice: all zones loaded
22-Nov-2011 11:25:28.320 general: notice: running
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): reconfiguring zone keys
22-Nov-2011 11:25:28.321 general: info: zone ualbanytest.org/IN (signed): next key event: 22-Nov-2011 11:35:28.321
22-Nov-2011 11:25:28.321 notify: info: zone ualbanytest.org/IN (signed): sending notifies (serial 2011112114)
>>>>>>>

From Named.conf:

>>>>>>>>>>>>>>>>>>>>>>>>
options {
        directory       "/conf";
        pid-file        "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file       "/var/run/named.db";
        version         "[secured]";
        dnssec-enable yes;
        sig-validity-interval 10;
        dnssec-loadkeys-interval 10;
        empty-zones-enable no;
};

# DNSSEC Zone
zone "ualbanytest.org" {
     type master;
     file "ualbanytest.org";
     auto-dnssec maintain;
     inline-signing yes;
     key-directory "/conf";
     serial-update-method increment;
};

>>>>>>>>>>>>>>>>>>>>>

Has anyone gotten this to work on an authoritative (meaning that I am missing something) or is it a "real" bug? I just don't want to be claiming it's a "bug" if it's something that I messed up or fat fingered :)

Thank you all in advance.

Thanks,

-Kevin


Kevin McConville

University at Albany
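An added shell example (not code from either poster or from ISC) covering both halves of this thread: Jeff's way of feeding changes to the raw zone through `nsupdate -l` under `update-policy local` / `inline-signing yes`, and a check that reads the `loaded serial` lines named logs for the `(unsigned)` and `(signed)` views of a zone and flags the situation in Kevin's log, where the raw zone loaded serial 2011112201 but the signed copy still carried 2011112114. The zone name `myzone`, the record `www.myzone.` and the "healthy" log pair are constructed for the example; the lagging pair is copied from Kevin's post.

```shell
#!/bin/sh
# Added example for this thread; not code from either poster or from ISC.
# Assumes the layout Jeff describes (raw zone edited via `nsupdate -l`,
# "inline-signing yes") and named's "loaded serial N" log wording as in
# Kevin's post. Zone/record names and the healthy log pair are constructed.

# Emit an nsupdate batch that replaces one record in the raw (unsigned) zone.
# Usage: make_update_batch myzone www.myzone. 300 A 192.0.2.10 | nsupdate -l
make_update_batch() {
    printf 'zone %s\n' "$1"
    printf 'update delete %s %s\n' "$2" "$4"
    printf 'update add %s %s %s %s\n' "$2" "$3" "$4" "$5"
    printf 'send\n'
}

# Pull the serial named logged for one view of a zone out of log text.
# $1 = log text, $2 = zone name, $3 = "unsigned" or "signed"
logged_serial() {
    printf '%s\n' "$1" | awk -v z="$2" -v v="$3" '
        index($0, "zone " z "/IN (" v "): loaded serial") {
            for (i = 1; i <= NF; i++) if ($i == "serial") { print $(i + 1); exit }
        }'
}

# Serial field from `dig +short SOA <zone>` output (mname rname serial ...),
# i.e. what resolvers see, which Jeff notes is the signed zone's serial.
soa_serial_from_dig() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $3; exit }'
}

# Compare the two serials named loaded for a zone.
# Returns 0 when the signed copy is at or past the raw zone, 1 when it lags
# (Kevin's symptom: the edit reached the raw zone but the signed copy was not
# regenerated), 2 when either serial is missing from the log.
check_inline_serials() {
    raw=$(logged_serial "$1" "$2" unsigned)
    sec=$(logged_serial "$1" "$2" signed)
    if [ -z "$raw" ] || [ -z "$sec" ]; then
        echo "no unsigned/signed serial pair for $2 in log"; return 2
    fi
    if [ "$sec" -ge "$raw" ]; then
        echo "ok: signed $sec >= unsigned $raw"; return 0
    fi
    echo "LAG: signed $sec < unsigned $raw (signed copy not refreshed)"; return 1
}

# Two lines copied from Kevin's log (lagging) and a constructed healthy pair.
SAMPLE_LOG_LAGGING='22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011112201
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011112114 (DNSSEC signed)'
SAMPLE_LOG_OK='22-Nov-2011 12:00:00.000 general: info: zone myzone/IN (unsigned): loaded serial 2011112202
22-Nov-2011 12:00:00.000 general: info: zone myzone/IN (signed): loaded serial 2011112210 (DNSSEC signed)'

check_inline_serials "$SAMPLE_LOG_LAGGING" ualbanytest.org || true
check_inline_serials "$SAMPLE_LOG_OK" myzone || true
```

The comparison in `check_inline_serials` is a plain integer compare, which is fine for date-based serials like the ones in this thread; DNS serials formally use RFC 1982 serial arithmetic and wrap at 2^32, so a zone using small or wrapping serials needs that comparison instead. To run the check against a live server, feed it the relevant lines from named's log after `rndc reload` and compare with `soa_serial_from_dig "$(dig +short SOA myzone)"`.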

