bind 9.9 & inline-signing issue..

Spain, Dr. Jeffry A. spainj at countryday.net
Mon Jan 30 03:23:32 UTC 2012


> After setting up a zone with DNSSEC using inline-signing, I have run into the issue where if I do anything that updates the unsigned file that is input into BIND, that it never seems to update the signed data it generated.

> As an example, I had serial number of 2012012701 in the test zone file, and when I started named up it happily created the signed zone. So then I went in and changed this serial to 2012012801, and performed an 'rndc reload' and nothing, it saw the updated unsigned zone, but never kicked off an event to resign the signed data it was dishing out when asked, so the changes were not available.

I have been using inline signing successfully, but am using a different method to make changes to the unsigned data. My zone configuration contains "update-policy local;" and I have been using "nsupdate -l" to make changes to the unsigned zone. Nsupdate automatically increments the serial number on the SOA record in the unsigned zone. The signed zone typically has a different and higher serial number due to signing activity that occurs automatically, e.g. resigning a record with an expired signature.

With regard to "rndc reload" not working for you, see https://lists.isc.org/pipermail/bind-users/2011-November/085739.html. Per that message, try "rndc reload leadmon.org". Also verify that the UID under which the named process is running is the owner of the various zone data and journal files.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
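The workflow described in the reply above (update-policy local, nsupdate -l, per-zone rndc reload, and the serial and ownership checks), as an added sh example that is not part of the original message or of BIND itself. The zone name example.test and the file name example.test.db are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes BIND 9.9 with a zone stanza
# like the one below and that named created its local session key at the
# default path, so "nsupdate -l" can authenticate. Zone name is hypothetical.
#
#   zone "example.test" {
#       type master;
#       file "example.test.db";     # unsigned input zone that nsupdate modifies
#       inline-signing yes;
#       auto-dnssec maintain;
#       update-policy local;        # grants the local session key update rights
#   };

# Build an nsupdate batch for one record. nsupdate bumps the SOA serial of the
# unsigned zone itself, so the batch never touches the SOA record.
build_nsupdate_batch() {
    zone=$1; name=$2; ttl=$3; type=$4; rdata=$5
    printf 'zone %s\nupdate delete %s %s\nupdate add %s %s %s %s\nsend\n' \
        "$zone" "$name" "$type" "$name" "$ttl" "$type" "$rdata"
}

# Apply the change through the running server, then reload that one zone by
# name (a bare "rndc reload" was the step the original poster found ineffective).
apply_change() {
    build_nsupdate_batch "$@" | nsupdate -l && rndc reload "$1"
}

# The signed zone normally carries a higher serial than the unsigned file
# because of automatic re-signing; a served serial below the file's serial
# means the change never reached the signed data.
serial_ok() {
    [ "$2" -ge "$1" ]
}

# Compare the unsigned file's serial (canonical dump, SOA serial is field 7)
# with the serial named is serving for the signed zone.
verify_serials() {
    zone=$1; unsigned_file=$2
    file_serial=$(named-checkzone -D "$zone" "$unsigned_file" | awk '$4=="SOA"{print $7}')
    served_serial=$(dig +short @127.0.0.1 "$zone" SOA | awk '{print $3}')
    serial_ok "$file_serial" "$served_serial"
}

# Per the reply: the named process user must own the zone and journal files.
# Linux procps/coreutils assumed.
owned_by_named() {
    [ "$(stat -c %U "$1")" = "$(ps -o user= -C named | head -n 1)" ]
}
```

Typical use: `apply_change example.test www.example.test 300 A 192.0.2.10`, then `verify_serials example.test /var/named/example.test.db` and `owned_by_named /var/named/example.test.db.jnl` (paths are assumptions).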



