Automatic DNSSEC signing workflow
dramaley
daniel.ramaley at drake.edu
Fri Jul 1 18:13:29 UTC 2016
Hello. I'm running Bind 9.9.4 (the default that comes with RHEL 7). I'm
trying to figure out a workflow for doing DNS updates with auto-dnssec
turned on. When I have to update a zone file, I do so by editing the zone
file and incrementing the serial number, then restarting Bind.
Unfortunately, Bind doesn't pick up the changes. I suspect the reason is
because with automatic signing, Bind increments the serial number on its own
in the .signed version of the zone, and that the signed zone file will
already have a higher serial than the file i had just edited. Is there a
better workflow for doing DNS updates? Or would it be easier just to turn
off auto-dnssec and go back to manually signing my zones?
My zone file configuration looks like this:
zone "example.com" {
type master;
file "external/example.com.zone";
auto-dnssec maintain;
inline-signing yes;
update-policy local;
key-directory "/etc/named/keys";
};
Thanks in advance!
--
View this message in context: http://bind-users-forum.2342410.n4.nabble.com/Automatic-DNSSEC-signing-workflow-tp2333.html
Sent from the Bind-Users forum mailing list archive at Nabble.com.
More information about the bind-users
mailing list