DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL

Aleks Ostapenko aleks.ostapenko.post at gmail.com
Mon Aug 29 09:09:23 UTC 2016


2016-08-25 17:16 GMT+07:00 Tony Finch <dot at dotat.at>:

> Aleks Ostapenko <aleks.ostapenko.post at gmail.com> wrote:
> >
> > Then I made `rndc freeze <zone_file_name>`. But after this command the
> > signed zone file (`<zone_file_name>.signed`) still remains
> > in raw format (not text-readable), so I can read it via the
> > `named-compilezone` utility, but unfortunately I can't change it.
>
> Ah, I should have checked that more thoroughly, sorry - I wasn't sure if
> the signed zone followed the unsigned master file format or did something
> else...
>
> You can use `named-compilezone` to convert from raw to text, edit the
> text, then convert back to raw. e.g.
>
> $ named-compilezone -f raw -F text -o myzone.text myzone myzone.signed
> $ vi myzone.text
> $ named-compilezone -f text -F raw -o myzone.signed myzone myzone.text
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
> Northwest Fitzroy, Sole: Variable becoming southwesterly 3 or 4, occasionally
> 5 later. Moderate. Showers. Good.
>


Unfortunately, after

1. rndc freeze myzone
2. named-compilezone -f raw -F text -o myzone.text myzone myzone.signed
    change the TTL on DNSKEY and RRSIG DNSKEY in myzone.text
    named-compilezone -f text -F raw -o myzone.signed myzone myzone.text
3. rndc thaw myzone

the TTLs of the DNSKEY and RRSIG DNSKEY records still have the old values in the
signed zone (checked via `dig` locally).
`rndc sync myzone` and `rndc reload` didn't help (`rndc reload myzone`
failed because myzone is a dynamic zone).


Kind regards,
Aleks Ostapenko
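As an added example (not code from this thread or from BIND), a small Python helper for the edit step in the procedure above: it rewrites the TTL of the DNSKEY and RRSIG DNSKEY records in the text zone written by `named-compilezone -f raw -F text`, and reports each record's previous effective TTL alongside the RRSIG's Original TTL field, which is part of the signed data and therefore changes only when the zone is re-signed. The zone text is a constructed sample and `rewrite_dnssec_ttl` is a hypothetical helper name.

```python
import re

CLASS_RE = re.compile(r"^(IN|CH|HS|CLASS\d+)$", re.I)   # optional class column

def rewrite_dnssec_ttl(zone_text, new_ttl):
    """Set the TTL of every DNSKEY and RRSIG DNSKEY record in a text zone file as
    written by `named-compilezone -F text` ($TTL directives, omitted owner, omitted
    TTL, records continued inside parentheses). Returns (new_text, report) with
    report = [(type, old_effective_ttl, rrsig_original_ttl_or_None), ...].
    Assumes ';' and parentheses never occur inside quoted strings."""
    out, report, default_ttl, depth = [], [], None, 0
    for line in zone_text.splitlines():
        body, sep, comment = line.partition(";")
        toks, inside = body.split(), depth > 0        # inside: continuation of ( ... )
        depth += body.count("(") - body.count(")")
        if inside or not toks or toks[0].startswith("$"):
            if toks and toks[0].upper() == "$TTL":
                default_ttl = int(toks[1])
            out.append(line)
            continue
        owner = 0 if line[0].isspace() else 1          # indented line = owner omitted
        pos, ttl_pos = owner, None
        while pos < len(toks) and (toks[pos].isdigit() or CLASS_RE.match(toks[pos])):
            ttl_pos = pos if toks[pos].isdigit() else ttl_pos
            pos += 1
        rtype, rdata = (toks[pos].upper() if pos < len(toks) else ""), toks[pos + 1:]
        is_sig = rtype == "RRSIG" and len(rdata) > 3 and rdata[0].upper() == "DNSKEY"
        if rtype != "DNSKEY" and not is_sig:
            out.append(line)
            continue
        old_ttl = int(toks[ttl_pos]) if ttl_pos is not None else default_ttl
        # RRSIG rdata[3] is the Original TTL; it is signed, so only re-signing changes it.
        report.append((rtype, old_ttl, int(rdata[3]) if is_sig else None))
        if ttl_pos is not None:
            toks[ttl_pos] = str(new_ttl)
        else:
            toks.insert(owner, str(new_ttl))           # add an explicit TTL column
        indent = line[:len(line) - len(line.lstrip())] if owner == 0 else ""
        out.append(indent + " ".join(toks) + (" " + sep + comment if sep else ""))
    return "\n".join(out) + "\n", report

# Constructed sample in the layout named-compilezone -F text writes (not a real zone).
SAMPLE_ZONE = """\
$TTL 3600   ; 1 hour
myzone.         IN NS   ns1.myzone.
                DNSKEY  256 3 8 (
                        AwEAAconstructedZSK== ) ; ZSK; alg = RSASHA256; key id = 12345
                3600 RRSIG  DNSKEY 8 1 3600 20160928000000 (
                        20160829000000 12345 myzone. constructedSig== )
"""
```

Feed the rewritten text back through `named-compilezone -f text -F raw`; validators clamp an RRset's TTL to the RRSIG Original TTL, so raising the DNSKEY TTL above that value needs re-signing rather than a TTL edit.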