DNSSEC and upgrading/restoring
David Newman
dnewman at networktest.com
Thu Jan 30 23:57:56 UTC 2014
On 1/28/14 3:49 AM, Alan Clegg wrote:
>
> On Jan 27, 2014, at 7:32 PM, David Newman <dnewman at networktest.com>
> wrote:
>
>> Asking again, in a different and more generic form: When
>> rebuilding a bind 9.9.4 server running DNSSEC with auto maintain,
>> are there any steps I need to take beyond just backing up
>> /var/named/etc/namedb (this is on FreeBSD) and restoring?
>>
>> This server is authoritative and primary, and has slaves for
>> multiple domains.
>>
>> I'm concerned about keeping keys, serial numbers, and any other
>> dynamic info in sync.
>
> Should be problem what-so-ever.
>
> Just stop the old server, do the backup, restore it where your new
> system expects it then start the new one. A brief outage of your
> master should be no issue if your slaves are working correctly.
>
> Do make sure that the new version is built with the same options as
> the old one if you are replicating the file system locations of the
> data. 8-)

Thanks. This mostly worked fine.

The only gotchas:

1. On a NanoBSD box, named did not start because it couldn't write to
the old named.log file. Deleting the existing named.log cleared that
issue. I think this may be a NanoBSD-specific issue.

2. For five domains, the log contains signature-has-expired warnings.
In all five cases, these are for NSEC3PARAM records.

Is any action needed on my part, for example manually doing NSEC3
signing of these zones?

Thanks again!

dn
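
Added example, not part of the original message: one way to check which RRSIGs in a restored zone are outside their validity window, by parsing records in dig/zone-file presentation format. The zone name, key tag, signature data and timestamps in the sample are constructed placeholders, and the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample records (placeholders, not values from the post).
# The NSEC line is there because its type bitmap also contains "RRSIG".
SAMPLE = """\
example.com. 0 IN RRSIG NSEC3PARAM 8 2 0 20140115101500 20131216101500 12345 example.com. AbCd==
example.com. 3600 IN RRSIG SOA 8 2 3600 20140301101500 20140130101500 12345 example.com. EfGh==
example.com. 3600 IN NSEC a.example.com. NS SOA RRSIG NSEC DNSKEY
"""

def parse_rrsig_time(field):
    """RFC 4034 3.2: YYYYMMDDHHmmSS (UTC), or decimal seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def rrsig_status(text, now):
    """Return (owner, covered_type, state, expiration) for each RRSIG record."""
    results = []
    for line in text.splitlines():
        f = line.split()
        if "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        # The record type follows owner, optional TTL and optional class,
        # so a later "RRSIG" token (NSEC type bitmap) is not a signature.
        if i > 3 or len(f) < i + 9:
            continue
        # RDATA order: covered, algorithm, labels, original TTL,
        # expiration, inception, key tag, signer, signature.
        covered = f[i + 1]
        expiration = parse_rrsig_time(f[i + 5])
        inception = parse_rrsig_time(f[i + 6])
        if now > expiration:
            state = "expired"
        elif now < inception:
            state = "not-yet-valid"
        else:
            state = "valid"
        results.append((f[0], covered, state, expiration))
    return results

if __name__ == "__main__":
    # In practice, feed in saved dig output and use datetime.now(timezone.utc).
    now = datetime(2014, 1, 30, 23, 57, 56, tzinfo=timezone.utc)
    for owner, covered, state, exp in rrsig_status(SAMPLE, now):
        print(f"{owner} RRSIG({covered}) {state}, expires {exp:%Y-%m-%d %H:%M:%S}Z")
```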
More information about the bind-users
mailing list