bind 9.9 & inline-signing issue..

Mark Elkins mje at posix.co.za
Mon Jan 30 07:41:45 UTC 2012


Slept on this.
This morning 8+ hours later, no change.
Added a completely new record to the (unsigned) zone, updated the SOA
Serial and ran 'rndc reload':

Jan 30 09...: received control channel command 'reload'
Jan 30 09...: loading configuration from '/etc/bind/named.conf'
...
Jan 30 09...: zone test1.co.za/IN (signed): (master) removed
Jan 30 09...: reloading configuration succeeded
Jan 30 09...: reloading zones succeeded
Jan 30 09...: zone test1.co.za/IN (unsigned): loaded serial 2012013001
Jan 30 09...: zone test1.co.za/IN (signed): loaded serial 2011110105 (DNSSEC signed)
Jan 30 09...: all zones loaded
Jan 30 09...: running

So still broken in my opinion.

Also - I miss the creation of the "dsset-test.co.za." file :-(

I have been using the file/directory format of...
.../pri/domain.com/db.domain.com and then sticking everything associated
with that domain in that directory. Used this for over a year now and it
works well for me (organised clutter).


On Sun, 2012-01-29 at 23:37 +0200, Mark Elkins wrote:
> I agree with you. I took your example and installed bind 9.9.0b2
> I also updated my 'soa' in the unsigned...
> 
> Am getting the following in my log...
> Jan 29...: zone test1.co.za/IN (unsigned): loaded serial 2012012901
> Jan 29...: zone test1.co.za/IN (signed): loaded serial 2011110105 (DNSSEC signed)
> 
> Also couldn't quite figure out how to make this an NSEC3 signed zone from
> inception so stuck (by 'hand')....
> IN	NSEC3PARAM 1 0 5 B9A3F38D
> into my unsigned zone. The "signed" zone seems to be NSEC though....
> 
> I also see...
> $TTL 0  ; 0 seconds
>                         TYPE65534 \# 5 ( 08467D0001 )
>                         TYPE65534 \# 5 ( 0896730001 )
> appearing on a secondary for this zone. What is it?
> (Yes - an unknown data type - the secondary is running bind 9.8)
> 
> Next: an 'rndc sync' didn't tidy up the zones .jnl file (much to my
> disappointment)
> Lastly - how does one 'view' the 'raw' format of a zone file?
> 
> I think a few examples would have helped in the documentation?
> 
> On Sun, 2012-01-29 at 11:20 -0500, Howard Leadmon wrote:
> > Well, after the various discussions a short while back, I decided to give
> > the inline-signing a run, and after setup I must say it did appear to do
> > what I expected.   Of course anything that went that easy had to have a
> > snag, and it did, and at the moment I am wondering what I have missed, so I
> > figured I would post and see if anyone had any suggestions.
> > 
> >  After setting up a zone with DNSSEC using inline-signing, I have run into
> > the issue where if I do anything that updates the unsigned file that is
> > input into BIND, it never seems to update the signed data it generated.
> > 
> >  As an example, I had a serial number of 2012012701 in the test zone file, and
> > when I started named up it happily created the signed zone.   So then I went
> > in and changed this serial to 2012012801 and performed an 'rndc reload', and
> > nothing: it saw the updated unsigned zone, but never kicked off an event to
> > resign the signed data it was dishing out when asked, so the changes were
> > not available.   I then went and did a full restart on named, thinking maybe
> > a hard restart would make it sign, but no luck; in fact it sees the zones,
> > and that the serial numbers are different, but never re-signs the served zone.
> > 
> >  Looking at my log I see:
> > 
> > 
> > named[8422]: zone leadmon.org/IN/internal (unsigned): loaded serial 2012012802
> > named[8422]: zone leadmon.org/IN/internal (signed): loaded serial 2012012708 (DNSSEC signed)
> > named[8422]: zone leadmon.org/IN/internal (signed): receive_secure_serial: unchanged
> > named[8422]: zone leadmon.org/IN/internal (signed): reconfiguring zone keys
> > named[8422]: zone leadmon.org/IN/internal (signed): next key event: 29-Jan-2012 11:53:54.971
> > named[8422]: zone leadmon.org/IN/internal (signed): sending notifies (serial 2012012708)
> > 
> > 
> >  So it is seeing that the signed and unsigned zones have different serials,
> > but it's sure not picking up that I have made a change to the unsigned file,
> > and that it needs to resign the zone it's serving.   
> > 
> >  As to my config over here, I have the following in the zone:
> > 
> > zone "leadmon.org" {
> >         type master;
> >         file "master/leadmon.org/db.leadmon.org-internal";
> >         key-directory "keys";
> >         allow-transfer { 
> >                 primary_servers;
> >         };
> >         auto-dnssec maintain;
> >         inline-signing yes;
> > };
> > 
> > 
> >  Have I missed any additional commands I need to make this play correctly,
> > or is something broken here that I have run into?
> > 
> > 
> > 
> > ---
> > Howard Leadmon 
> > 
> > 
> > 
> > _______________________________________________
> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> > 
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> 

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
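
The symptom both posters describe is visible in the named log alone: the "(unsigned)" zone loads with a newer serial than the "(signed)" zone, and the signed serial never catches up. The script below is an added example, not code from either poster or from ISC; it scans named log lines and reports every inline-signed zone whose served (signed) serial is behind the unsigned source. The log lines embedded in it are constructed, modelled on the ones quoted in the thread with the mail-client line wraps removed; the hostname ns1, the timestamps and the example.net zone are made up.

```shell
#!/bin/sh
# Added example: find inline-signed zones whose served (signed) serial lags the
# unsigned source zone, from named log lines. Sample log is constructed
# (hostname, timestamps and example.net are invented); the serials mirror the
# thread's quoted log lines.

SAMPLE_LOG='Jan 30 09:01:02 ns1 named[8422]: zone test1.co.za/IN (unsigned): loaded serial 2012013001
Jan 30 09:01:02 ns1 named[8422]: zone test1.co.za/IN (signed): loaded serial 2011110105 (DNSSEC signed)
Jan 30 09:01:03 ns1 named[8422]: zone leadmon.org/IN/internal (unsigned): loaded serial 2012012802
Jan 30 09:01:03 ns1 named[8422]: zone leadmon.org/IN/internal (signed): loaded serial 2012012708 (DNSSEC signed)
Jan 30 09:01:03 ns1 named[8422]: zone leadmon.org/IN/internal (signed): receive_secure_serial: unchanged
Jan 30 09:01:04 ns1 named[8422]: zone example.net/IN (unsigned): loaded serial 2012013001
Jan 30 09:01:04 ns1 named[8422]: zone example.net/IN (signed): loaded serial 2012013001 (DNSSEC signed)'

# lagging_zones: read named log lines on stdin and print one line per zone
# (keeping the "/IN/view" suffix exactly as named logs it) whose most recent
# "(signed): loaded serial" is numerically below its most recent
# "(unsigned): loaded serial", as:
#   <zone> <unsigned serial> <signed serial>
# Plain numeric comparison is enough for date-based serials; this does not
# implement RFC 1982 wrap-around arithmetic. Lines such as
# "(signed): (master) removed" or "receive_secure_serial: unchanged" are
# ignored because they do not carry "loaded serial".
lagging_zones() {
  awk '
    {
      for (i = 1; i + 5 <= NF; i++) {
        if ($i == "zone" && $(i+3) == "loaded" && $(i+4) == "serial") {
          if ($(i+2) == "(unsigned):") src[$(i+1)]    = $(i+5)
          if ($(i+2) == "(signed):")   served[$(i+1)] = $(i+5)
        }
      }
    }
    END {
      for (z in src)
        if ((z in served) && served[z] + 0 < src[z] + 0)
          print z, src[z], served[z]
    }
  ' | sort
}

# Stand-alone run over the constructed sample. On a real server feed it the
# named log instead, e.g.:  grep "named\[" /var/log/syslog | lagging_zones
printf '%s\n' "$SAMPLE_LOG" | lagging_zones
```

Run against the sample it lists test1.co.za/IN and leadmon.org/IN/internal and stays silent for example.net, whose signed serial already matches. An empty result after an `rndc reload` means the signed zone has picked up the change; a zone that keeps appearing has the problem the thread describes. To read the signed zone itself, which named keeps in raw format, convert it with `named-compilezone -f raw -F text -o - <zone> <file>.signed`.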
