bind 9.9 & inline-signing issue..

Mark Elkins mje at posix.co.za
Sun Jan 29 21:37:14 UTC 2012


I agree with you. I took your example and installed bind 9.9.0b2.
I also updated my 'soa' in the unsigned...

Am getting the following in my log...
Jan 29...: zone test1.co.za/IN (unsigned): loaded serial 2012012901
Jan 29...: zone test1.co.za/IN (signed): loaded serial 2011110105
(DNSSEC signed)

Also couldn't quite figure out how to make this an NSEC3-signed zone from
inception, so stuck (by 'hand')....
IN	NSEC3PARAM 1 0 5 B9A3F38D
into my unsigned zone. The "signed" zone seems to be NSEC though....

I also see...
$TTL 0  ; 0 seconds
                        TYPE65534 \# 5 ( 08467D0001 )
                        TYPE65534 \# 5 ( 0896730001 )
appearing on a secondary for this zone. What is it?
(Yes - an unknown data type - the secondary is running bind 9.8)

Next: an 'rndc sync' didn't tidy up the zones .jnl file (much to my
disappointment)
Lastly - how does one 'view' the 'raw' format of a zone file?

I think a few examples would have helped in the documentation?

On Sun, 2012-01-29 at 11:20 -0500, Howard Leadmon wrote:
> Well after the various discussion a short while back, I decided to give
> the inline-signing a run, and after setup I must say it did appear to do
> what I expected.   Of course anything that went that easy had to have a
> snag, and it did, and at the moment I am wondering what I have missed so
> figured I would post and see if anyone had any suggestions.
> 
>  After setting up a zone with DNSSEC using inline-signing, I have run into
> the issue where, if I do anything that updates the unsigned file that is
> input into BIND, it never seems to update the signed data it generated.
> 
>  As an example, I had serial number of 2012012701 in the test zone file, and
> when I started named up it happily created the signed zone.   So then I went
> in and changed this serial to 2012012801, and performed an 'rndc reload' and
> nothing, it saw the updated unsigned zone, but never kicked off an event to
> resign the signed data it was dishing out when asked, so the changes were
> not available.   I then went and did a full restart on named, thinking maybe
> a hard restart would make it sign, but no luck, in fact it sees the zones,
> that the serial numbers are different, but never re-signs the served zone.
> 
>  Looking at my log I see:
> 
> 
> named[8422]: zone leadmon.org/IN/internal (unsigned): loaded serial
> 2012012802
> named[8422]: zone leadmon.org/IN/internal (signed): loaded serial 2012012708
> (DNSSEC signed)
> named[8422]: zone leadmon.org/IN/internal (signed): receive_secure_serial:
> unchanged
> named[8422]: zone leadmon.org/IN/internal (signed): reconfiguring zone keys
> named[8422]: zone leadmon.org/IN/internal (signed): next key event:
> 29-Jan-2012 11:53:54.971
> named[8422]: zone leadmon.org/IN/internal (signed): sending notifies (serial
> 2012012708)
> 
> 
>  So it is seeing that the signed and unsigned zones have different serials,
> but it's sure not picking up that I have made a change to the unsigned file,
> and that it needs to resign the zone it's serving.   
> 
>  As to my config over here, I have the following in the zone:
> 
> zone "leadmon.org" {
>         type master;
>         file "master/leadmon.org/db.leadmon.org-internal";
>         key-directory "keys";
>         allow-transfer { 
>                 primary_servers;
>         };
>         auto-dnssec maintain;
>         inline-signing yes;
> };
> 
> 
>  Have I missed any additional commands I need to make this play correctly,
> or is something broken here that I have run into?
> 
> 
> 
> ---
> Howard Leadmon 
> 
> 
> 

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
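The TYPE65534 records asked about above are BIND's private-type zone-signing state records, which the 9.8 secondary can only show in RFC 3597 generic syntax because it does not know the type. The decoder below is an added example (not from this thread or from ISC); it assumes the layout the BIND ARM documents for these records (algorithm, key id, removing flag, complete flag, or a leading zero byte followed by NSEC3PARAM rdata for NSEC3 chain state) and the default private type 65534; the NSEC3 sample record is constructed from the NSEC3PARAM quoted in the message.

```python
import re

ALGORITHMS = {5: "RSASHA1", 7: "NSEC3RSASHA1", 8: "RSASHA256",  # IANA DNSSEC algorithm numbers
              10: "RSASHA512", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}

def parse_rfc3597(line):
    """Return (rrtype, rdata) from an RFC 3597 record like 'TYPE65534 \\# 5 ( 08467D0001 )'."""
    m = re.search(r"TYPE(\d+)\s+\\#\s+(\d+)\s*\(?\s*([0-9A-Fa-f\s]*?)\s*\)?\s*$", line)
    if not m:
        raise ValueError("not an RFC 3597 generic record: %r" % line)
    rrtype, length = int(m.group(1)), int(m.group(2))
    data = bytes.fromhex("".join(m.group(3).split()))
    if len(data) != length:
        raise ValueError("declared length %d but %d bytes present" % (length, len(data)))
    return rrtype, data

def decode_private(data):
    """Decode BIND signing state: 0x00 + NSEC3PARAM rdata, or alg(1) keyid(2) removing(1) complete(1)."""
    if len(data) >= 6 and data[0] == 0:
        saltlen = data[5]
        return {"kind": "nsec3chain", "hash": data[1], "flags": data[2],
                "iterations": int.from_bytes(data[3:5], "big"),
                "salt": data[6:6 + saltlen].hex().upper() or "-"}
    if len(data) != 5 or data[0] == 0:
        raise ValueError("unrecognised private rdata: %s" % data.hex())
    alg, keyid = data[0], int.from_bytes(data[1:3], "big")
    return {"kind": "signing", "algorithm": ALGORITHMS.get(alg, str(alg)),
            "keyid": keyid, "removing": bool(data[3]), "complete": bool(data[4])}

def describe(line):
    """One-line explanation of a TYPE65534 record as it appears in a signed zone dump."""
    rrtype, data = parse_rfc3597(line)
    if rrtype != 65534:
        raise ValueError("TYPE%d is not BIND's default private type" % rrtype)
    rec = decode_private(data)
    if rec["kind"] == "nsec3chain":
        # The flags byte mixes RFC 5155 opt-out with BIND-internal bits, so it is shown raw.
        return "NSEC3 chain state: hash=%d iterations=%d salt=%s flags=0x%02X" % (
            rec["hash"], rec["iterations"], rec["salt"], rec["flags"])
    state = "removing signatures" if rec["removing"] else "signing"
    if rec["complete"]:
        state += " complete"
    return "%s: key %d/%s" % (state, rec["keyid"], rec["algorithm"])

if __name__ == "__main__":
    # The two records quoted in the post, plus a constructed NSEC3 chain record (hash 1, 5 iterations, salt B9A3F38D).
    for rr in (r"TYPE65534 \# 5 ( 08467D0001 )", r"TYPE65534 \# 5 ( 0896730001 )",
               r"TYPE65534 \# 10 ( 000100000504B9A3F38D )"):
        print(rr, "->", describe(rr))
```

For the question about viewing a raw-format zone file: named-compilezone -f raw -F text -o - <zonename> <file> converts the raw file to text on stdout, and any TYPE65534 lines in that output can be fed to describe().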
