Automatic DNSSEC signing workflow

[Tony Finch]

Tony Finch <dot at dotat.at> wrote:

> dramaley <daniel.ramaley at drake.edu> wrote:
>
> > Hello. I'm running Bind 9.9.4 (the default that comes with RHEL 7). I'm
> > trying to figure out a workflow for doing DNS updates with auto-dnssec
> > turned on. When I have to update a zone file, I do so by editing the zone
> > file and incrementing the serial number, then restarting Bind.
> > Unfortunately, Bind doesn't pick up the changes.
>
> Does it work better if you run `rndc reload` or equivalent (e.g. service
> bind reload)?

Oh, I just noticed you have an "update-policy local" clause in your domain
configuration.

This means that named owns the unsigned master file as well as the signed
version, so you should not edit the unsigned version without co-ordinating
with named. i.e. you need to use `rndc freeze` and `rndc thaw` before and
sfter editing the zone.

Or, if you are not using nsupdate, you can just remove the `update-policy`
clause.

In most cases it is best to either use `nsupdate` exclusively, or directly
edit the master file, but not a mixture of the two. If you are using
`nsupdate` then there is no need for inline-signing.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Trafalgar: Cyclonic 4 or 5 in far southeast, otherwise northerly 5 or 6,
occasionally 7 in north. Moderate or rough, occasionally slight in far
southeast. Fog patches in southeast. Moderate or good, occasionally very poor
in southeast.