DNSSEC and upgrading/restoring
David Newman
dnewman at networktest.com
Fri Jan 31 23:23:51 UTC 2014
On 1/31/14 10:35 AM, Tony Finch wrote:
> David Newman <dnewman at networktest.com> wrote:
>>
>> What action, if any, is needed?
>
> Does rndc sign <zone> make it wake up?
Alas, no. There are a bunch of successful IXFR messages to slave servers
but the dates in that NSEC3PARAM RRSIG did not change.
> Is there anything in the logs
> reporting problems, e.g. inability to read the key files?
For these five zones, the only warnings are that the signature has expired.
The log has errors for other zones saying the serial number is
unchanged. Here's an example:
30-Jan-2014 15:25:46.490 general: error: zone
networktest.com/IN/internal (signed): receive_secure_serial: unchanged
But I think this is unrelated to the zones with stale NSEC3PARAM RRSIGs.
dn
More information about the bind-users
mailing list