bind 9.9 & inline-signing issue..
Mark Elkins
mje at posix.co.za
Sun Jan 29 21:37:14 UTC 2012
I agree with you. I took your example and installed bind 9.9.0b2.
I also updated my 'soa' in the unsigned...
I am getting the following in my log...
Jan 29...: zone test1.co.za/IN (unsigned): loaded serial 2012012901
Jan 29...: zone test1.co.za/IN (signed): loaded serial 2011110105
(DNSSEC signed)
Also, I couldn't quite figure out how to make this an NSEC3-signed zone from
inception, so I stuck (by 'hand')....
IN NSEC3PARAM 1 0 5 B9A3F38D
into my unsigned zone. The "signed" zone seems to be NSEC though....
I also see...
$TTL 0 ; 0 seconds
TYPE65534 \# 5 ( 08467D0001 )
TYPE65534 \# 5 ( 0896730001 )
appearing on a secondary for this zone. What is it?
(Yes - an unknown data type - the secondary is running bind 9.8)
Next: an 'rndc sync' didn't tidy up the zones .jnl file (much to my
disappointment)
Lastly - how does one 'view' the 'raw' format of a zone file?
I think a few examples would have helped in the documentation?
On Sun, 2012-01-29 at 11:20 -0500, Howard Leadmon wrote:
> Well after the various discussion a short while back, I decided to give
> the inline-signing a run, and after setup I must say it did appear to do
> what I expected. Of course anything that went that easy had to have a
> snag, and it did, and at the moment I am wondering what I have missed so
> figured I would post and see if anyone had any suggestions.
>
> After setting up a zone with DNSSEC using inline-signing, I have run into
> the issue where if I do anything that updates the unsigned file that is
> input into BIND, that it never seems to update the signed data it generated.
>
> As an example, I had serial number of 2012012701 in the test zone file, and
> when I started named up it happily created the signed zone. So then I went
> in and changed this serial to 2012012801, and performed an 'rndc reload' and
> nothing, it saw the updated unsigned zone, but never kicked off an event to
> resign the signed data it was dishing out when asked, so the changes were
> not available. I then went and did a full restart on named, thinking maybe
> a hard restart would make it sign, but no luck, in fact it sees the zones,
> that the serial numbers are different, but never re-signs the served zone.
>
> Looking at my log I see:
>
>
> named[8422]: zone leadmon.org/IN/internal (unsigned): loaded serial
> 2012012802
> named[8422]: zone leadmon.org/IN/internal (signed): loaded serial 2012012708
> (DNSSEC signed)
> named[8422]: zone leadmon.org/IN/internal (signed): receive_secure_serial:
> unchanged
> named[8422]: zone leadmon.org/IN/internal (signed): reconfiguring zone keys
> named[8422]: zone leadmon.org/IN/internal (signed): next key event:
> 29-Jan-2012 11:53:54.971
> named[8422]: zone leadmon.org/IN/internal (signed): sending notifies (serial
> 2012012708)
>
>
> So it is seeing that the signed and unsigned zones have different serials,
> but it's sure not picking up that I have made a change to the unsigned file,
> and that it needs to resign the zone it's serving.
>
> As to my config over here, I have the following in the zone:
>
> zone "leadmon.org" {
> type master;
> file "master/leadmon.org/db.leadmon.org-internal";
> key-directory "keys";
> allow-transfer {
> primary_servers;
> };
> auto-dnssec maintain;
> inline-signing yes;
> };
>
>
> Have I missed any additional commands I need to make this play correctly,
> or is something broken here that I have run into?
>
>
>
> ---
> Howard Leadmon
>
>
>
--
. . ___. .__ Posix Systems - (South) Africa
/| /| / /__ mje at posix.co.za - Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS Tel: +27 12 807 0590 Cell: +27 82 601 0496
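As an added example (not part of this thread, nor BIND's own code), a small Python script covering two of the questions above: it flags, from named log lines like those quoted, an inline-signed zone whose signed copy loaded with an older serial than its unsigned source, and it decodes the TYPE65534 records, which are the private-type records BIND keeps to track signing state. The log lines are constructed; the 5-octet layout (algorithm, key id, removed flag, complete flag) and the algorithm-name table are assumptions taken from BIND's lib/dns/private.c and the IANA DNSSEC algorithm registry.

```python
import re

# Constructed sample log lines, modelled on the ones quoted in the thread.
SAMPLE_LOG = """\
Jan 29 21:30:01 ns1 named[8422]: zone test1.co.za/IN (unsigned): loaded serial 2012012901
Jan 29 21:30:01 ns1 named[8422]: zone test1.co.za/IN (signed): loaded serial 2011110105 (DNSSEC signed)
Jan 29 21:30:02 ns1 named[8422]: zone test1.co.za/IN (signed): receive_secure_serial: unchanged
"""

LOADED_RE = re.compile(r"zone (\S+) \((unsigned|signed)\): loaded serial (\d+)")


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial comparison: True when a is 'newer' than b (wrap-around safe)."""
    return 0 < (a - b) % 2**32 < 2**31


def signed_lag(log: str) -> dict:
    """Return {zone: (unsigned_serial, signed_serial)} for zones whose inline-signed
    copy loaded with an older serial than the unsigned source, i.e. the served
    signed zone has not picked up the edited unsigned file."""
    serials = {}
    for line in log.splitlines():
        m = LOADED_RE.search(line)
        if m:
            serials.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return {z: (s["unsigned"], s["signed"]) for z, s in serials.items()
            if "unsigned" in s and "signed" in s and serial_gt(s["unsigned"], s["signed"])}


# DNSSEC algorithm numbers (IANA registry), only for readable output.
ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256"}


def decode_signing_state(rfc3597_hex: str) -> dict:
    """Decode the hex payload of one BIND private-type record (TYPE65534 by default),
    e.g. the '08467D0001' inside '\\# 5 ( 08467D0001 )'. Layout assumed from BIND's
    lib/dns/private.c: algorithm (1 octet), key id (2), removed flag (1), complete flag (1)."""
    raw = bytes.fromhex(rfc3597_hex.replace(" ", ""))
    if len(raw) != 5:
        raise ValueError("signing-state record payload must be 5 octets")
    alg, keyid, removed, complete = raw[0], int.from_bytes(raw[1:3], "big"), raw[3], raw[4]
    return {"algorithm": ALGORITHMS.get(alg, str(alg)), "keyid": keyid,
            "removed": bool(removed), "complete": bool(complete)}


if __name__ == "__main__":
    for zone, (u, s) in signed_lag(SAMPLE_LOG).items():
        print(f"{zone}: signed copy at serial {s} lags unsigned serial {u}")
    for payload in ("08467D0001", "0896730001"):
        print(payload, decode_signing_state(payload))
```

Run against the two records quoted above, the decoder reports a completed signing pass with RSASHA256 keys 18045 and 38515, which is what `rndc signing -list` would show for the same zone.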