Followup: BIND 9.10.6-P1 dnssec update zone A record

Kim Culhan w8hdkim at gmail.com
Fri Mar 30 13:14:28 UTC 2018


Removed the signing files: domain.com.* and re-ran the signing process with
named not running.
With a new 'domain.com.signed' file created by the signing process and in
the named.conf zone section:
file "domain.com.signed";
Started named and everything appears to be working fine.

https://dnssec-debugger.verisignlabs.com
Showing all green indicators!

Not all green at first, reloaded the browser and now all Ok again.

Thanks muchly,
-kim

On Thu, Mar 29, 2018 at 6:24 PM, Kim Culhan <w8hdkim at gmail.com> wrote:

>
> On Thu, Mar 29, 2018 at 5:17 PM, Douglas C. Stephens <stephens at ameslab.gov> wrote:
>
>>
>> Kim,
>>
>> I run BIND 9.11 so this might or might not translate down to BIND 9.10.
>>
>> When this happens to me, I run "rndc zonestatus <zonename>" on it.
>> Then I look for the "serial:" and "signed serial:" values.
>>
>
> Running rndc zonestatus <zonename>
>
> FWIW returns serial: and signed serial: which are not the same and are from
> 1 day ago.
>
>> Normally, you would be correct in only needing to increment the
>> unsigned SOA serial to at least +1 larger than the "serial:" value
>> shown by the above output.  Sometimes, however, to make BIND load the
>> update, I need to increase the SOA serial in the unsigned zone file to
>> be higher than the SOA serial signed zone file.  Then run "rndc reload
>> <zonename>".
>>
>> Another thing to check is whether you're actually checking the zone
>> serial of a slave instead of at the master BIND doing the signing.  If
>> so, are they higher than the signed zone serial at your master?
>>
>
> ATM there are 2 masters, I'm working on 1 now.
>
>
>>
>> Also, something that looks odd to me compared with my live running
>> config is your "file" line.  Does that "domain.com.signed" filespec
>> actually point to the BIND-maintained .signed file, or does it means
>> something else?  If the latter, then I would guess you have a
>> "domain.com.signed.signed" file alongside it which is the one
>> maintained by BIND.
>>
>
> Yes, this is true:   domain.com.signed.signed
>
>>
>> I'm also using "auto-dnssec maintain" and "inline-signing yes", but my
>> zone "file" points to my unsigned zone file, while the .signed version
>> (and its .signed.jnl) is wholly created and maintained by BIND.
>
>
> I have those files but I don't know how to get BIND to maintain them.
>
> That appears to be the problem.
>
> This helps, I'm not sure where to go from here though.
>
> I've googled this for hours and keep thinking the solution is just another
> google away but just now I'm not so sure.
>
>>
>>
>> Hope this helps.
>
>
> This helps and thanks for replying to my post.
>
> -kim
>
>
>> On 3/29/2018 3:15 PM, Kim Culhan wrote:
>> > Some additional info here, from named.conf, dnssec config:
>> >
>> > options { directory "/var/named"; [lines omitted] dnssec-validation
>> > auto; managed-keys-directory "/var/named/keys";
>> >
>> > From the zone section;
>> >
>> > file "domain.com.signed"; key-directory "/var/named/keys/domain.com";
>> > auto-dnssec maintain; inline-signing yes;
>> >
>> > Zone file is in /var/named
>> >
>> > Sorry did not include this in the original post.
>> >
>> > thanks -kim
>> >
>> > _______________________________________________ Please visit
>> > https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>> > from this list
>> >
>> > bind-users mailing list bind-users at lists.isc.org
>> > https://lists.isc.org/mailman/listinfo/bind-users
>> >
>>
>> - --
>> Douglas C. Stephens             | Network Systems Analyst
>> Enterprise Information Services | Phone: (515) 294-6102
>> Ames Laboratory, US DOE         | Email: stephens at ameslab.gov
>
>
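The serial comparison Douglas describes above ("serial:" versus "signed serial:" from `rndc zonestatus`), as an added example that is not part of this thread: it parses that output, here a constructed sample, and reports the SOA serial the unsigned zone file must be raised to before `rndc reload <zone>` will pick up an edit. The function names and the sample text are this example's own; the two field labels are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compare "serial:" (unsigned zone) with
# "signed serial:" (the BIND-maintained .signed copy) from rndc zonestatus output.

# Constructed sample of zonestatus output; the serials differ, as in the post.
SAMPLE_ZONESTATUS='name: domain.com
type: master
files: domain.com
serial: 2018032901
signed serial: 2018032903
secure: yes
inline signing: yes'

# Print the numeric value of the first "<label>: N" line read from stdin.
# $1 is the label, e.g. "serial" or "signed serial".
zs_field() {
    sed -n "s/^$1: *\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Smallest SOA serial that is larger than both the unsigned ($1) and signed ($2) serial.
required_serial() {
    if [ "$1" -gt "$2" ]; then echo $(( $1 + 1 )); else echo $(( $2 + 1 )); fi
}

# Read zonestatus text on stdin. Return 0 when the unsigned serial is already
# ahead of the signed one, 1 (printing the serial to set) when it is not,
# 2 when either field is missing.
check_zone_serials() {
    text=$(cat)
    unsigned=$(printf '%s\n' "$text" | zs_field serial)
    signed=$(printf '%s\n' "$text" | zs_field 'signed serial')
    if [ -z "$unsigned" ] || [ -z "$signed" ]; then
        echo "serial lines not found in zonestatus output" >&2
        return 2
    fi
    if [ "$unsigned" -gt "$signed" ]; then
        echo "ok: unsigned serial $unsigned is ahead of signed serial $signed"
        return 0
    fi
    echo "set the unsigned SOA serial to $(required_serial "$unsigned" "$signed")" \
         "(now $unsigned, signed $signed), then run: rndc reload <zone>"
    return 1
}

# On a live master: rndc zonestatus domain.com | check_zone_serials
# Stand-alone run uses the constructed sample above.
printf '%s\n' "$SAMPLE_ZONESTATUS" | check_zone_serials || :
```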