DNSSEC and upgrading/restoring

David Newman dnewman at networktest.com
Thu Jan 30 23:57:56 UTC 2014



On 1/28/14 3:49 AM, Alan Clegg wrote:
> 
> On Jan 27, 2014, at 7:32 PM, David Newman <dnewman at networktest.com>
> wrote:
> 
>> Asking again, in a different and more generic form: When
>> rebuilding a bind 9.9.4 server running DNSSEC with auto maintain,
>> are there any steps I need to take beyond just backing up
>> /var/named/etc/namedb (this is on FreeBSD) and restoring?
>> 
>> This server is authoritative and primary, and has slaves for
>> multiple domains.
>> 
>> I'm concerned about keeping keys, serial numbers, and any other
>> dynamic info in sync.
> 
> Should be no problem what-so-ever.
> 
> Just stop the old server, do the backup, restore it where your new
> system expects it then start the new one.  A brief outage of your
> master should be no issue if your slaves are working correctly.
> 
> Do make sure that the new version is built with the same options as
> the old one if you are replicating the file system locations of the
> data.  8-)

Thanks. This mostly worked fine.

The only gotchas:

1. On a NanoBSD box, named did not start because it couldn't write to
the old named.log file. Deleting the existing named.log cleared that
issue. I think this may be a NanoBSD-specific issue.

2. For five domains, the log contains signature-has-expired warnings.

In all five cases, these are for NSEC3PARAM records.

Is any action needed on my part, for example manually doing NSEC3
signing of these zones?

Thanks again!

dn
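
A check that could follow a restore like the one described above, as an added example that is not part of the original message or of BIND: it parses RRSIG records in presentation format (for instance saved `dig` output) and reports which covered types, such as NSEC3PARAM, have passed their expiration time. The zone name, key tag, timestamps and signature strings are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample records in RRSIG presentation format (RFC 4034).
# example.com, key tag 12345 and the signature strings are placeholders.
SAMPLE = """\
example.com. 0 IN RRSIG NSEC3PARAM 8 2 0 20140115000000 20131216000000 12345 example.com. c2lnMQ==
example.com. 3600 IN RRSIG SOA 8 2 3600 20140301000000 20140130000000 12345 example.com. c2lnMg==
example.com. 3600 IN RRSIG NS 8 2 3600 ( 20140301000000 20140130000000 12345 example.com. c2lnMw== )
; a comment line, ignored
example.com. 3600 IN NS ns1.example.com.
"""

def parse_time(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def rrsig_status(zone_text, now):
    """Return (owner, type_covered, expiration, state) for each RRSIG line."""
    results = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0]  # drop comments
        fields = [f for f in line.split() if f not in ("(", ")")]
        if "RRSIG" not in fields:
            continue
        # RDATA order: covered, alg, labels, orig TTL, expiration, inception, tag, signer, sig
        rdata = fields[fields.index("RRSIG") + 1:]
        if len(rdata) < 8 or not (rdata[4].isdigit() and rdata[5].isdigit()):
            continue  # not a complete single-line RRSIG (e.g. an NSEC type bitmap)
        expiration, inception = parse_time(rdata[4]), parse_time(rdata[5])
        if now > expiration:
            state = "expired"
        elif now < inception:
            state = "not-yet-valid"
        else:
            state = "valid"
        results.append((fields[0], rdata[0], expiration, state))
    return results

def expired_types(zone_text, now):
    """Covered types whose signature expiration is already in the past."""
    return [r[1] for r in rrsig_status(zone_text, now) if r[3] == "expired"]

if __name__ == "__main__":
    for owner, covered, exp, state in rrsig_status(SAMPLE, datetime.now(timezone.utc)):
        print(f"{owner} {covered:<11} expires {exp:%Y-%m-%d %H:%M:%S}Z {state}")
```
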



