Converting an inline-signed zone to unsigned
Chris Thompson
cet1 at cam.ac.uk
Wed Feb 19 17:59:07 UTC 2014

What is the right way ... or maybe I should be asking IS there a right
way ... to change a zone that has been signed by inline signing (i.e. with
"inline-signing yes; auto-dnssec maintain;" in its zone statement) to unsigned?

When I change the zone statement to remove the inline signing part, and
update the SOA serial in the zone file for good measure, and then do
either "rndc reload" or "rndc reconfig", I get messages like

    named[22954]: general: error: zone playground.test/IN: journal rollforward failed: journal out of sync with zone
    named[22954]: general: error: zone playground.test/IN: not loaded due to errors.

and the zone goes into SERVFAIL state.

The only way I found out of this was to remove the [zone-file].signed
and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig".
Surely there must be something better than that?

--
Chris Thompson
Email: cet1 at cam.ac.uk