inline-signing

Tony Finch dot at dotat.at
Fri Sep 30 13:27:39 UTC 2011


I have been playing with the new inline signing feature.

Documentation bug: the inline-signing option is not mentioned in the
syntax for slave zones.

I have not been able to get master inline signing working. Firstly, it
fails to create the signed copy of the zone automatically. If I create it
manually with dnssec-signzone, it fails to update the signed zone when I
edit the master file and tell it to reload.

I have successfully got inline signing working for a slave zone.

Starting with the following configuration:

	zone chiark.net {
		type slave;
		masters { 212.13.197.229; };
		file "/zd/chiark.net/master";
	};

I ran these commands:

	dnssec-keygen chiark.net
	dnssec-keygen -f KSK chiark.net

And added the following to the configuration:

	key-directory "/zd/chiark.net";
	auto-dnssec maintain;
	inline-signing yes;

Note that without "auto-dnssec maintain", named creates two copies of the
zone, "master" and "master.signed", but does not actually sign the zone :-)

Then I ran `rndc reload` and named crashed:

30-Sep-2011 14:15:52.541 general: info: received control channel command 'reload'
30-Sep-2011 14:15:52.541 general: info: loading configuration from '/etc/named.conf'
30-Sep-2011 14:15:52.542 general: warning: statistics-channels specified but not effective due to missing XML library
30-Sep-2011 14:15:52.542 general: info: using default UDP/IPv4 port range: [49152, 65535]
30-Sep-2011 14:15:52.542 general: info: using default UDP/IPv6 port range: [49152, 65535]
30-Sep-2011 14:15:52.543 general: info: sizing zone task pool based on 69 zones
30-Sep-2011 14:15:52.543 general: critical: zone.c:1130: REQUIRE(zone->type == dns_zone_none || zone->type == type) failed, back trace
30-Sep-2011 14:15:52.544 general: critical: #0 0x413f1b in assertion_failed()+0x4b
30-Sep-2011 14:15:52.544 general: critical: #1 0x5795aa in isc_assertion_failed()+0xa
30-Sep-2011 14:15:52.544 general: critical: #2 0x550c4e in dns_zone_settype()+0x12e
30-Sep-2011 14:15:52.544 general: critical: #3 0x4432f9 in ns_zone_configure()+0x219
30-Sep-2011 14:15:52.544 general: critical: #4 0x4253fd in configure_zone()+0x84d
30-Sep-2011 14:15:52.544 general: critical: #5 0x42ae70 in configure_view()+0x610
30-Sep-2011 14:15:52.544 general: critical: #6 0x43232c in load_configuration()+0x1aac
30-Sep-2011 14:15:52.544 general: critical: #7 0x43378e in loadconfig()+0x5e
30-Sep-2011 14:15:52.544 general: critical: #8 0x433c56 in reload()+0x16
30-Sep-2011 14:15:52.544 general: critical: #9 0x433df2 in ns_server_reloadcommand()+0x102
30-Sep-2011 14:15:52.544 general: critical: #10 0x40d9b2 in ns_control_docommand()+0xf2
30-Sep-2011 14:15:52.544 general: critical: #11 0x410c71 in control_recvmessage()+0x3c1
30-Sep-2011 14:15:52.544 general: critical: #12 0x593f55 in run()+0x285
30-Sep-2011 14:15:52.544 general: critical: #13 0x800bfb511 in _fini()+0x8006542d9
30-Sep-2011 14:15:52.544 general: critical: #14 0x0 in ??
30-Sep-2011 14:15:52.544 general: critical: exiting (due to assertion failure)

After I restarted it, it fetched and signed the zone as expected.

30-Sep-2011 14:21:29.562 general: info: zone chiark.net/IN (unsigned): Transfer started.
30-Sep-2011 14:21:29.567 xfer-in: info: transfer of 'chiark.net/IN (unsigned)' from 212.13.197.229#53: connected using 131.111.11.130#26910
30-Sep-2011 14:21:29.576 general: info: zone chiark.net/IN (unsigned): transferred serial 11
30-Sep-2011 14:21:29.576 general: info: zone chiark.net/IN (signed): loaded serial 11
30-Sep-2011 14:21:29.576 general: info: zone chiark.net/IN (signed): reconfiguring zone keys
30-Sep-2011 14:21:29.582 xfer-in: info: transfer of 'chiark.net/IN (unsigned)' from 212.13.197.229#53: Transfer completed: 1 messages, 14 records, 401 bytes, 0.015 secs (26733 bytes/sec)
30-Sep-2011 14:21:29.583 general: info: zone chiark.net/IN (signed): next key event: 30-Sep-2011 15:21:29.583
30-Sep-2011 14:21:29.583 notify: info: zone chiark.net/IN (signed): sending notifies (serial 12)
30-Sep-2011 14:21:34.577 notify: info: zone chiark.net/IN (signed): sending notifies (serial 15)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Faeroes, South-east Iceland: Southerly or southwesterly 5 to 7, occasionally
gale 8 in Southeast Iceland. Rough or very rough. Rain then showers. Moderate
or good, occasionally poor at first.


