Automatic DNSSEC signing workflow

Bob Harold rharolde at umich.edu
Fri Jul 1 20:58:40 UTC 2016


On Fri, Jul 1, 2016 at 2:13 PM, dramaley <daniel.ramaley at drake.edu> wrote:

> Hello. I'm running Bind 9.9.4 (the default that comes with RHEL 7). I'm
> trying to figure out a workflow for doing DNS updates with auto-dnssec
> turned on. When I have to update a zone file, I do so by editing the zone
> file and incrementing the serial number, then restarting Bind.
> Unfortunately, Bind doesn't pick up the changes. I suspect the reason is
> because with automatic signing, Bind increments the serial number on its
> own in the .signed version of the zone, and that the signed zone file will
> already have a higher serial than the file I had just edited. Is there a
> better workflow for doing DNS updates? Or would it be easier just to turn
> off auto-dnssec and go back to manually signing my zones?
>
> My zone file configuration looks like this:
>     zone "example.com" {
>         type master;
>         file "external/example.com.zone";
>         auto-dnssec maintain;
>         inline-signing yes;
>         update-policy local;
>         key-directory "/etc/named/keys";
>     };
>
> Thanks in advance!
>
I am not using DNSSEC yet, but I would say try updating using nsupdate
instead of editing the file.

-- 
Bob Harold
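
The nsupdate route suggested in the reply above, as an added example that is not part of the original thread. It assumes the quoted zone configuration (update-policy local, inline-signing yes); the record name, TTL, address and the script name update.sh are constructed sample values.

```shell
#!/bin/sh
# Added example: change a record in an inline-signed zone with a dynamic
# update instead of editing the zone file and restarting named.
# ZONE matches the quoted config; 192.0.2.10 is a documentation address.
ZONE="example.com"

# Print an nsupdate batch that replaces the A record set for one name.
# No SOA line is needed: named increments the serial itself on a dynamic
# update and re-signs the zone because auto-dnssec/inline-signing are on.
build_update() {
    name="$1"; ttl="$2"; addr="$3"
    case "$name" in
        *."$ZONE") ;;   # name must be below the zone apex
        *) echo "name $name is outside $ZONE" >&2; return 1 ;;
    esac
    printf 'zone %s\n' "$ZONE"
    printf 'update delete %s A\n' "$name"
    printf 'update add %s %s A %s\n' "$name" "$ttl" "$addr"
    printf 'send\n'
}

# Send the batch to the local named. "nsupdate -l" talks to localhost and
# authenticates with the session key that named generates when a master
# zone uses "update-policy local", so it must run on the server itself.
apply_update() {
    batch=$(build_update "$@") || return 1
    printf '%s\n' "$batch" | nsupdate -l
}

# Ask the local server for the record with DNSSEC data; an RRSIG line in
# the answer shows the signed copy of the zone picked up the change.
verify_update() {
    dig +dnssec +noall +answer @127.0.0.1 "$1" A
}

# Usage: sh update.sh apply www.example.com 300 192.0.2.10
if [ "${1:-}" = "apply" ]; then
    shift
    apply_update "$@" && verify_update "$1"
fi
```

Once a zone is maintained this way, the zone file on disk is no longer the authoritative copy of recent changes, so mixing hand edits with dynamic updates brings back the serial mismatch described in the question.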