DNSSEC and slaves error
Mark Andrews
marka at isc.org
Wed Mar 7 13:35:50 UTC 2012
In message <CAMD-=VK+-sbgeMDnOmKf2Sebb=sD=+WAkFeFTK-RF73wnOAuEQ at mail.gmail.com>, Nick Edwards writes:
> I am an old hand at bind, but - DNSSEC Newbie alert :->
>
> I am after clarification on how slaves handle DNSSEC.
>
> I have two slaves, both were stale, like since Feb 9 ! One I directly
> control, the second, I do not, so I can not provide details on how
> that one is configured, but given it is a reputable provider, I assume
> setup is as good or better than mine.
>
> The zone was resigned 3 weeks ago as 30 days, but one week ago I
> resigned it again as about 3 months using: dnssec-signzone -a -e
> +15724800 -K keys/ -N INCREMENT guilty_domain.here

You should have fed dnssec-signzone the old signed zone, not the unsigned zone.

dnssec-signzone -f guilty_domain.here.signed .... -N INCREMENT guilty_domain.here.signed

> After all this time, still no change on slaves, I had to edit the zone
> (inserted a dummy TXT entry) then resign the zone, and then they
> both picked up changes.
>
> Shouldn't they detect the change from the increment and update? I
> checked my controlled slave and it was stale RRSIGs until I altered
> the actual zone, then RRSIG updated.
>
> my controlled servers:
> Linux Slackware (x2)
> Bind 9.9.0
>
> uncontrolled server Bind 9.9.0, RedHat (release unknown)
>
> /options master
> dnssec-enable yes;
> dnssec-validation yes;
>
> zone
> type master;
> allow-transfer { lan; slavedns; };
> file "xxxxxx.org.signed";
> allow-query { any; };
> allow-update { none; };
>
> /options slave
> dnssec-enable yes;
>
> zone
> type slave;
> masters { x.x.x.x; };
> file "xxxxxx.org";
> allow-query { any; };
>
>
> Am I doing something wrong?
>
> thanks
> Nik
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
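
The following is an added example, not part of the original message or of BIND. It shows why re-signing from the unsigned zone with -N INCREMENT leaves slaves stale while re-signing from the signed zone does not, assuming the unsigned file's serial was left unchanged between signings. The serials are constructed and the function names are hypothetical.

```python
# Added example: constructed serials; function names are hypothetical.
MOD = 1 << 32   # SOA serials are 32-bit and compared with RFC 1982 arithmetic
HALF = 1 << 31


def parse_soa_serial(dig_short_line):
    """Serial from one line of `dig +short SOA <zone> @<server>` output:
    mname rname serial refresh retry expire minimum."""
    fields = dig_short_line.split()
    if len(fields) != 7:
        raise ValueError("not a SOA answer: %r" % dig_short_line)
    return int(fields[2])


def serial_newer(master, slave):
    """True if `master` is ahead of `slave` under RFC 1982, i.e. the slave
    will request a transfer. Equal serials (or a 2**31 gap) mean no transfer."""
    return 0 < (master - slave) % MOD < HALF


def sign_increment(input_serial):
    """Serial written by `dnssec-signzone -N INCREMENT`: input serial plus one."""
    return (input_serial + 1) % MOD


def resign(input_zone_serial, slave_serial):
    """Return (new master serial, whether the slave would transfer)."""
    new_serial = sign_increment(input_zone_serial)
    return new_serial, serial_newer(new_serial, slave_serial)


if __name__ == "__main__":
    # Constructed SOA answers; the unsigned file was never edited between signings.
    unsigned = parse_soa_serial("ns1.example. host.example. 2012020901 3600 900 604800 3600")
    slave = parse_soa_serial("ns1.example. host.example. 2012020902 3600 900 604800 3600")
    print("re-sign from unsigned zone:", resign(unsigned, slave))   # same serial again
    print("re-sign from signed zone:  ", resign(slave, slave))      # serial moves forward
    print("wrap-around:", resign(MOD - 1, MOD - 1))                 # 4294967295 -> 0
```

Comparing the serial reported by the master and by each slave after every re-sign catches this condition before the RRSIGs on the slaves expire.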