Freeze/thaw and signed zone files
Grant Taylor
gtaylor at tnetconsulting.net
Fri Feb 22 03:43:55 UTC 2019
On 2/21/19 6:28 PM, @lbutlr wrote:
> rndc reload did not recreate (or at least update the time stamp) on the
> .signed file.
Hum. Maybe it's something different about how you're doing DNSSEC than
I am.
I have BIND managing DNSSEC for me via "auto-dnssec maintain;". So I
don't get .signed files.
I was just able to do the following:
rndc freeze $ZONE
rndc sync -clean $ZONE
$EDITOR $ZONEFILE
rndc thaw $ZONE
rndc sign $ZONE
I did have to manually do the "rndc sign" for DNSViz to be happy with
the new test entry. I don't know if that's expected or not.
> But at no point do I get the new subdomains I added to the zone added
> to the zone.signed
The new record showed up exactly as expected.
Granted, I only added an A record and didn't create a new sub-domain.
> I’ll try sync clean and see if I get further.
>
> Nope, now the .signed file isn’t touched at all after the zone file
> is edited.
>
> zone "example.com" { type master; file "master/example.com.signed";
> update-policy local; auto-dnssec maintain; };
I don't have .signed files.
> So I am still with a zone file that contains two subdomains that are
> not represented in the .signed zone file, so do not load and nothing
> that I do seems to be able to recreate the .signed file with the correct
> information.
Does your actual zone file have the DNSSEC records in it? That's where
mine are. I don't have a separate unsigned zone file.
> Is the original random key that was generated at the time of signing
> kept somewhere? NSEC3 seems to contain a 16 character hex string that
> recurs throughout the file.
I believe so. Do you have a "managed-keys-directory" entry in your
named.conf file? (I do. My .key and .private files are in the
specified directory.)
--
Grant. . . .
unix || die
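The freeze / sync -clean / edit / thaw / sign cycle Grant lists above, with the checks an operator would want before thawing, as an added example that is not part of the thread or of BIND's own tooling. It assumes a dynamic zone kept signed with "auto-dnssec maintain;" (Grant's setup), and the RNDC, CHECKZONE and EDITOR variables are assumptions you override for your system (RNDC="echo rndc" gives a dry run). The sample zone file and the two dummy DNSSEC lines are constructed for offline use and carry no real key or signature data.

```shell
#!/bin/sh
# Added example (not from the thread or ISC): a guarded version of the
# freeze / sync -clean / edit / thaw / sign cycle for a dynamic zone kept
# signed by "auto-dnssec maintain;". Tool paths are assumptions; override
# RNDC="echo rndc" to dry-run.
RNDC=${RNDC:-rndc}
CHECKZONE=${CHECKZONE:-named-checkzone}
EDITOR=${EDITOR:-vi}

# Print the SOA serial of a zone file (handles the usual multi-line,
# parenthesised SOA with comments).
zone_serial() {
  awk '
    { sub(/;.*/, ""); gsub(/[()]/, " ") }            # strip comments and parens
    !insoa { for (i = 1; i <= NF; i++)
               if (toupper($i) == "SOA") { insoa = 1; start = i + 1; break } }
    insoa  { for (i = (start ? start : 1); i <= NF; i++) tok[++n] = $i
             start = 0
             if (n >= 3) { print tok[3]; exit }       # mname rname SERIAL ...
           }
  ' "$1"
}

# RFC 1982 serial arithmetic: true when NEW is newer than OLD, wrap-around aware.
serial_newer() {  # serial_newer NEW OLD
  d=$(( ($1 - $2 + 4294967296) % 4294967296 ))
  [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# Count DNSSEC record lines in a zone file. With auto-dnssec maintain on a
# dynamic zone the signatures live in this file after rndc sync; with
# inline-signing they live in the separate .signed file and this prints 0.
count_dnssec_records() {
  grep -Ec '[[:space:]](DNSKEY|RRSIG|NSEC|NSEC3|NSEC3PARAM|CDS|CDNSKEY)[[:space:]]' "$1" || true
}

edit_frozen_zone() {  # edit_frozen_zone ZONE ZONEFILE
  zone=$1 zonefile=$2
  $RNDC freeze "$zone" || return 1          # suspend dynamic updates
  $RNDC sync -clean "$zone" || return 1     # fold the journal into the file, drop .jnl
  old=$(zone_serial "$zonefile")
  "$EDITOR" "$zonefile"
  new=$(zone_serial "$zonefile")
  if ! serial_newer "$new" "$old"; then
    echo "serial not incremented ($old -> $new); zone left frozen, fix and re-run" >&2
    return 1
  fi
  if ! "$CHECKZONE" "$zone" "$zonefile" >/dev/null; then
    echo "named-checkzone rejected $zonefile; zone left frozen, fix and re-run" >&2
    return 1
  fi
  $RNDC thaw "$zone" || return 1             # reload the edited file, re-enable updates
  $RNDC sign "$zone"                         # sign the new records now (as in the thread)
}

# Confirm the server hands out a signature for a name: an RRSIG in the answer.
verify_signed() {  # verify_signed SERVER NAME TYPE
  dig +dnssec +norecurse @"$1" "$2" "$3" | grep -q 'RRSIG'
}

# Constructed sample zone for offline use; "signed" appends two dummy DNSSEC lines.
write_sample_zone() {  # write_sample_zone FILE [signed]
  cat > "$1" <<'EOF'
$ORIGIN example.test.
$TTL 3600
@       IN SOA ns1.example.test. hostmaster.example.test. (
            2019022101 ; serial
            7200 3600 1209600 3600 )
        IN NS  ns1.example.test.
ns1     IN A   192.0.2.53
www     IN A   192.0.2.80
EOF
  [ "$2" = signed ] && cat >> "$1" <<'EOF'
@       IN DNSKEY 257 3 13 PLACEHOLDERKEYDATA==        ; dummy, not a real key
@       IN RRSIG  SOA 13 2 3600 20190324000000 20190222000000 12345 example.test. PLACEHOLDERSIG==
EOF
  return 0
}
```

Typical use is `edit_frozen_zone example.com /var/named/master/example.com` followed by `verify_signed 127.0.0.1 newname.example.com A`, which is the same check DNSViz performed for Grant's new record. The serial comparison is a conservative precaution so that secondaries pick up the edit; the count_dnssec_records helper answers Grant's question about whether the signatures are in the zone file itself or in a separate .signed file.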
More information about the bind-users mailing list