dnssec (re)signing and journaling

Edwardo Garcia wdgarc88 at gmail.com
Fri Dec 14 01:02:23 UTC 2018


I have answered my own question: yes, it does, thank you! (after removing
the xxxx.signed in named.conf, otherwise auto-signing produces xxxx.signed.signed
:-)

Thank you Mark!

On Fri, Dec 14, 2018 at 10:50 AM Edwardo Garcia <wdgarc88 at gmail.com> wrote:

> That seems simpler than what we once tried, OK we add that now. Thanks.
>
> And if we need to modify the zone file itself to make a change, will rndc
> reload do all this, or do we need to run
> dnssec-signzone -a -e +secondshere -K keys/ -N INCREMENT xxxxxxx.com
> and freeze/thaw, etc., like for a new zone?
>
> On Fri, Dec 14, 2018 at 10:42 AM Mark Andrews <marka at isc.org> wrote:
>
>> auto-dnssec maintain;
>>
>> > On 14 Dec 2018, at 11:39 am, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
>> >
>> >
>> > zone "xxxxxxxx.com" {
>> >         type master;
>> >         allow-transfer { sysops; slaves; };
>> >         file "xxxxxxxxxx.signed";
>> >         allow-query { any; };
>> >         allow-update { key "corp"; };
>> > };
>> >
>> > This is what we use now, so we are doing it by dynamic update, yes?
>> >
>> > And now we just need to have named do automatic (re)signing?
>> > Last time we tried, we kept killing our domain, so Google failed us. Do
>> you know of a valid reference URL that is clear? That would be good.
>> > Thanks
>> >
>> > On Fri, Dec 14, 2018 at 10:24 AM Mark Andrews <marka at isc.org> wrote:
>> > The best way is to configure your zone for dynamic updates and let named
>> > automatically re-sign the zone as needed.
>> >
>> > > On 14 Dec 2018, at 11:13 am, Edwardo Garcia <wdgarc88 at gmail.com>
>> wrote:
>> > >
>> > > Hi,
>> > > What is the best practice for signing/re-signing zones with a journal?
>> > >
>> > > We manually re-sign our domain and use journaling; re-signing is a
>> PIA.
>> > > If we forget to thaw, the zone bails and stays unloaded because of a
>> journal roll-forward error, which brings up the question why? Since the
>> resolution to this is to stop named, remove the journal file and restart,
>> could named and rndc not be smarter in these instances? Or at the very
>> least, reload the zone from the file so at least it does not take
>> unsuspecting people off air.
>> > >
>> > > So, the way we (try to remember to) do it is:
>> > > (modify zonefile if need)
>> > > rndc freeze
>> > > dnssec-signzone  -options
>> > > rndc thaw
>> > >
>> > > Or is there a better way? It is the freeze/thaw we keep forgetting :-!
>> > >
>> >
>> > --
>> > Mark Andrews, ISC
>> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> > PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>> >
>>
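Added example (not from this thread, and not ISC's own documentation): the zone statement from the original question next to the same zone converted to the setup Mark describes, with the change Edwardo found necessary (pointing "file" at the unsigned zone rather than the dnssec-signzone output). "example.com", the ACL names "sysops" and "slaves", the TSIG key name "corp" and the "zones/" and "keys/" paths are placeholders.

```conf
// BEFORE: named serves the output of dnssec-signzone. Every change needs
// rndc freeze, dnssec-signzone, rndc thaw, and a forgotten thaw leaves the
// zone unloaded after a journal roll-forward error.
zone "example.com" {
    type master;
    file "zones/example.com.signed";     // written by dnssec-signzone
    allow-transfer { sysops; slaves; };
    allow-query { any; };
    allow-update { key "corp"; };
};

// AFTER: "file" names the unsigned zone (per the thread, leaving the .signed
// name in place made named produce a .signed.signed file), the zone stays
// dynamic via allow-update, and named re-signs it from the keys in
// key-directory instead of an operator running dnssec-signzone.
zone "example.com" {
    type master;
    file "zones/example.com";            // unsigned source; named maintains the RRSIGs itself
    key-directory "keys";                // placeholder: directory holding the dnssec-keygen K*.key / K*.private files
    auto-dnssec maintain;                // named loads keys on their timing metadata and re-signs as signatures age
    allow-transfer { sysops; slaves; };
    allow-query { any; };
    allow-update { key "corp"; };        // changes arrive as dynamic updates, so no freeze/thaw for routine edits
};
```

With the second form, record changes are submitted as dynamic updates (for example with nsupdate authenticated by the "corp" key); named signs the new RRsets as it applies them and records them in the zone's journal, which is what removes the freeze/thaw step from routine changes. Because the zone is still dynamic, the journal remains authoritative over the file, so the operational rule from the original problem does not change: hand-editing the file without freezing the zone first is still the way to end up with a journal roll-forward error.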