DNSSEC and slaves error

Mark Andrews marka at isc.org
Wed Mar 7 13:35:50 UTC 2012


In message <CAMD-=VK+-sbgeMDnOmKf2Sebb=sD=+WAkFeFTK-RF73wnOAuEQ at mail.gmail.com>, Nick Edwards writes:
> I am an old hand at bind, but -  DNSSEC Newbie alert :->
> 
> I am after clarification on how slaves handle DNSSEC.
> 
> I have two slaves, both were stale, like since Feb 9! One I directly
> control, the second, I do not, so I cannot provide details on how
> that one is configured, but given it is a reputable provider, I assume
> setup is as good or better than mine.
> 
> The zone was resigned 3 weeks ago as 30 days, but one week ago I
> resigned it again as about 3 months using:    dnssec-signzone -a -e
> +15724800 -K keys/ -N INCREMENT guilty_domain.here

You should have fed dnssec-signzone the old signed zone, not the unsigned zone.

dnssec-signzone -f guilty_domain.here.signed .... -N INCREMENT guilty_domain.here.signed
 
> After all this time, still no change on slaves, I had to edit the zone
> (inserted a dummy TXT entry) then resign the zone, and then they
> both picked up changes.
> 
> Shouldn't they detect the change from the increment and update? I
> checked my controlled slave and it was stale RRSIGs until I altered
> the actual zone, then RRSIG updated.
> 
> my controlled servers:
> Linux Slackware (x2)
> Bind 9.9.0
> 
> uncontrolled server Bind 9.9.0,  RedHat (release unknown)
> 
> /options master
>         dnssec-enable yes;
>         dnssec-validation yes;
> 
> zone
>         type master;
>         allow-transfer { lan; slavedns; };
>         file "xxxxxx.org.signed";
>         allow-query { any; };
>         allow-update { none; };
> 
> /options slave
>         dnssec-enable yes;
> 
> zone
>       type slave;
>       masters { x.x.x.x; };
>       file "xxxxxx.org";
>       allow-query { any; };
> 
> 
> Am I doing something wrong?
> 
> thanks
> Nik
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
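
Added example (not part of the original thread and not BIND code): a Python sketch of why re-signing from the unsigned file with -N INCREMENT can leave secondaries on old RRSIGs, and how to spot it from SOA serials and RRSIG expiry times. The serials, dates and RRSIG rdata are constructed, `signzone_increment` is a simplified model of the option, and it assumes the unsigned file's serial was not edited between signings.

```python
from datetime import datetime

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if 32-bit serial a is newer than b."""
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000

def signzone_increment(input_serial: int) -> int:
    """Simplified model of -N INCREMENT: serial of the *input file* plus one."""
    return (input_serial + 1) & 0xFFFFFFFF

def rrsig_expiry(rdata: str) -> datetime:
    """Expiration is the 5th field of RRSIG rdata in presentation format."""
    return datetime.strptime(rdata.split()[4], "%Y%m%d%H%M%S")

def secondary_status(p_serial, p_rrsig, s_serial, s_rrsig) -> str:
    """Classify a secondary from SOA serial and SOA RRSIG seen on each server."""
    if serial_gt(p_serial, s_serial):
        return "will transfer on next refresh/NOTIFY"
    if rrsig_expiry(p_rrsig) > rrsig_expiry(s_rrsig):
        return "STALE: primary was re-signed without a newer serial"
    return "in sync"

# Constructed values for illustration only.
UNSIGNED_SERIAL = 2012020900
first_signed = signzone_increment(UNSIGNED_SERIAL)       # first signing
resigned_unsigned = signzone_increment(UNSIGNED_SERIAL)  # unsigned file fed in again
resigned_signed = signzone_increment(first_signed)       # .signed file fed back in

# SOA RRSIG rdata: the secondary holds the first signing, the primary the new one.
OLD_RRSIG = "SOA 8 2 3600 20120310000000 20120209000000 12345 example.org. c2lnbmF0dXJl"
NEW_RRSIG = "SOA 8 2 3600 20120830000000 20120229000000 12345 example.org. c2lnbmF0dXJl"

if __name__ == "__main__":
    for label, primary in [("re-signed from unsigned file", resigned_unsigned),
                           ("re-signed from signed file", resigned_signed)]:
        status = secondary_status(primary, NEW_RRSIG, first_signed, OLD_RRSIG)
        print(f"{label}: primary serial {primary} -> {status}")
```

On live servers the serial and the RRSIG rdata would come from querying the primary and each secondary for the zone's SOA with DNSSEC records requested.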


