bind 9.9 & inline-signing issue..

Spain, Dr. Jeffry A. spainj at countryday.net
Tue Jan 31 01:53:55 UTC 2012


> I suspect that something was wrong with the unsigned zone, 'rndc reload' failed to catch the problem, and so the zone got itself into a weird state. The exact circumstance in which I've seen this happen involved a failure to update the SOA serial, but there may be other triggers for it as well. Having 'rndc reload' behave correctly *should* prevent this sort of problem from repeating itself in the future.

In my scenario, where inline signing is in operation and I am using nsupdate to modify the unsigned zone files, the serial numbers of the unsigned zones are always incremented by nsupdate. According to your description this would prevent the zone file "weird state" issue, and indeed I have never seen a problem with my signed zones being properly updated.

> Our current plan is to roll a BIND 9.9.0rc2 release that includes this fix; it should be available by tomorrow.  We'd love it if as many people as possible tested this, particularly the inline-signing features.  If you're participating in this thread we'd like your input.  The target date for final release is quite soon, so the more testing we can get in the next few days, the better.

I can install bind 9.9.0rc2 tomorrow and test with both nsupdate and rndc reload. I would also like to test DNSSEC automatic key rollover with inline signing again. I imagine this will be fixed in rc2, given the success of the patch you provided earlier. My next ZSK activation date is 3/10/2012 with inactivation of the previous key on 3/11 and deletion on 4/15. I will move those dates up 5 weeks on one of the zones in the hope of getting test results sooner, although ultimately the timing depends on individual signature expiration dates.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
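An added example, not from the post above and not part of BIND or ISC's tooling: a small Python checker for the ZSK pre-publish rollover schedule the post describes, including the effect of pulling every date forward by five weeks. The Activate, Inactive and Delete dates are the ones given in the post; the new key's Publish date, the zone's largest TTL and the signature validity interval (set to BIND's default sig-validity-interval of 30 days) are assumptions for illustration.

```python
# Added example (not from the original post, BIND or ISC): a checker for
# ZSK pre-publish rollover timing of the kind the post describes.
from datetime import date, timedelta

# Assumed zone parameters.
MAX_TTL = timedelta(days=1)          # assumed largest TTL in the zone
SIG_VALIDITY = timedelta(days=30)    # assumed sig-validity-interval (BIND's default)

# Timing metadata of the kind `dnssec-settime -p all <keyfile>` reports,
# transcribed as dates. The post gives the Activate, Inactive and Delete
# dates; the new key's Publish date is an assumption.
OLD_ZSK = {"inactive": date(2012, 3, 11), "delete": date(2012, 4, 15)}
NEW_ZSK = {"publish": date(2012, 2, 9), "activate": date(2012, 3, 10)}

def check_zsk_rollover(old, new, max_ttl=MAX_TTL, sig_validity=SIG_VALIDITY):
    """Return a list of problems with a pre-publish ZSK rollover schedule.

    An empty list means the schedule is sound under the assumed parameters.
    """
    problems = []
    # 1. The new DNSKEY must be in every cache before it signs anything,
    #    so Publish must precede Activate by at least the zone's largest TTL.
    if new["activate"] - new["publish"] < max_ttl:
        problems.append("new key activates before its DNSKEY can have reached all caches")
    # 2. The old key must keep signing until the new one has taken over;
    #    going inactive first would leave records without a valid signature.
    if old["inactive"] < new["activate"]:
        problems.append("old key goes inactive before the new key is active")
    # 3. Signatures the old key made stay valid for up to sig_validity after
    #    its last signing run, so its DNSKEY must remain published until then.
    #    Deleting it earlier makes those signatures unverifiable.
    if old["delete"] - old["inactive"] < sig_validity:
        problems.append("old key deleted before its last signatures can have expired")
    return problems

def shift_schedule(key, delta):
    """Move every date in a key's schedule by delta (negative = earlier)."""
    return {event: when + delta for event, when in key.items()}

def demo():
    """Run the checker on the post's dates, on the same dates five weeks
    earlier, and on a deliberately hasty deletion; return all results."""
    five_weeks = timedelta(weeks=5)
    early_old = shift_schedule(OLD_ZSK, -five_weeks)
    early_new = shift_schedule(NEW_ZSK, -five_weeks)
    # Shortening only the deletion gap is the mistake the checker should catch.
    hasty_old = dict(OLD_ZSK, delete=date(2012, 3, 20))
    return {
        "as_scheduled": check_zsk_rollover(OLD_ZSK, NEW_ZSK),
        "five_weeks_earlier": check_zsk_rollover(early_old, early_new),
        "early_old": early_old,
        "early_new": early_new,
        "hasty_delete": check_zsk_rollover(hasty_old, NEW_ZSK),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result if result else 'ok'}")
```

Moving the whole schedule forward leaves every gap unchanged, so the shifted dates pass the same checks as the original ones; only shortening the gap between the old key's Inactive and Delete dates below the signature validity interval is flagged, which is the dependency on signature expiration the post mentions.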
