moving DNSSEC to a hidden master

David Newman dnewman at networktest.com
Fri Oct 4 00:12:43 UTC 2013


Thanks all for your responses.

On 10/1/13 6:42 PM, Mark Andrews wrote:
> As Alan said copy the .key and .private files over.
> 
> Disable updating on the old master.
> 
> Transfer the zone contents by setting up as a slave
> using "masterfile-format text"; or by using dig.
> This will give you the most up to date version of the
> zone.
> 
> 	dig axfr zone +onesoa @oldmaster
> 
> Check that the new server is working 

Converting the new secondary to a new master worked. But incrementing
the zone's serial number did not, producing an error after 'rndc reload'
like this:

Oct  3 16:00:29 host named[35249]: malformed transaction:
dynamic/mydomain.com/mydomain.com.db.jnl last serial 2013092701 !=
transaction first serial 2013092700

> and you can update
> the zone by using nsupdate.

Although the zone file lives under dynamic/mydomain.com so DNSSEC
updates can happen, I don't have dynamic updates configured, so nsupdate
won't work. This arrangement -- with static zone files under the dynamic
directory -- worked OK on the old master. Permissions are the same on both.

This thread suggested the journal issue was separate views pointing to
the same zone file:

https://lists.isc.org/pipermail/bind-users/2008-June/070807.html

Indeed I had pointers to the same zone file in separate views, but
removing them and restarting named did not clear the issue. Now I have
the zone in just one view, and still can't manually increment the serial
number without that journal complaint.

Thanks in advance for clues on resolving the journal version issue.

dn

> 
> Convert the old master server into a slave.
> 
> Update the other slaves to talk to a new master.
> 

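As an added illustration (not part of the original post or of BIND), the following parses the "malformed transaction" line quoted above, so an operator scanning syslog can pull out the journal path and the two serials that named says do not chain. The sample log line is the one from the post, re-wrapped as the mail client did; the `.jnl`-to-zone-file mapping follows BIND's naming convention of appending `.jnl` to the zone file path.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Matches named's journal error. The message may be wrapped by a mail client
# or syslog, so whitespace is collapsed before matching.
_PATTERN = re.compile(
    r"named\[(?P<pid>\d+)\]: malformed transaction:\s*"
    r"(?P<journal>\S+) last serial (?P<last>\d+) !=\s*"
    r"transaction first serial (?P<first>\d+)"
)


@dataclass
class JournalMismatch:
    pid: int
    journal: str
    last_serial: int    # serial the journal's previous transaction ended at
    first_serial: int   # serial the next transaction claims to start from

    @property
    def zone_file(self) -> str:
        # BIND derives the journal name by appending ".jnl" to the zone file.
        return self.journal[:-4] if self.journal.endswith(".jnl") else self.journal

    @property
    def serial_gap(self) -> int:
        # In a consistent journal this is 0; any other value means the
        # transactions no longer chain (e.g. two writers sharing one journal).
        return self.last_serial - self.first_serial


def parse_journal_error(line: str) -> Optional[JournalMismatch]:
    """Return a JournalMismatch if `line` is named's 'malformed transaction' message."""
    m = _PATTERN.search(" ".join(line.split()))
    if not m:
        return None
    return JournalMismatch(int(m["pid"]), m["journal"], int(m["last"]), int(m["first"]))


# Constructed sample: the log line from the post, wrapped across three lines.
SAMPLE = """Oct  3 16:00:29 host named[35249]: malformed transaction:
dynamic/mydomain.com/mydomain.com.db.jnl last serial 2013092701 !=
transaction first serial 2013092700"""

if __name__ == "__main__":
    hit = parse_journal_error(SAMPLE)
    if hit:
        print(f"{hit.journal} (zone file {hit.zone_file}): journal ends at "
              f"{hit.last_serial}, next transaction starts at {hit.first_serial}, "
              f"gap {hit.serial_gap}")
```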