Freeze/thaw and signed zone files

@lbutlr kremels at kreme.com
Fri Feb 22 14:40:24 UTC 2019 

On 21 Feb 2019, at 20:43, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> 
> On 2/21/19 6:28 PM, @lbutlr wrote:
>> rndc reload did not recreate (or at least update the time stamp) on the .signed file.
> 
> Hum.  Maybe it's something different about how you're doing DNSSEC than I am.
> 
> I have BIND managing DNSSEC for me via "auto-dnssec maintain;".  So I don't get .signed files.

the .signed files were created when I first signed the zones with dnssec-signzone which is what gave me the dsset file containing the information I needed to add DNSSEC to my domain's registrar.

dnssec-signzone -3 $(head -c 1000 /dev/random | shasum | cut -b 1-16) -A -N INCREMENT -o ZONE -t ZONEFILE

I was assuming, perhaps wrongly, that these ,signed files continue to be required, as they were placed alongside the regular zone files.

> I was just able to do the following:
> 
> rndc freeze $ZONE
> rndc sync -clean $ZONE
> $EDITOR $ZONEFILE
> rndc thaw $ZONE
> rndc sign $ZONE
> 
> I did have to manually do the "rndc sign" for DNSViz to be happy with the new test entry.  I don't know if that's expected or not.

Overnight, many of my zones have new zone.signed.jnl files

> Does your actual zone file have the DNSSEC records in it?  That's where mine are.  I don't have a separate unsigned zone file.

I have three files for each zone:

example.com (less than 2K, unsigned, no DNSSEC info, contains $INCLUDE lines at the end for the two public keys.

example.com.signed (12K, All the DNSSEC info)

example.com.signed.jnl (Created by bind, about double the size of .signed and a binary file) This file is updated when I issue the rind sign ZONE command.

> I believe so.  Do you have a "managed-keys-directory" entry in your named.conf file?  (I do.  My .key and .private files are in the specified directory.)

My private files are in that directory, I have the public ones in both the directory and the master/ directory Which is what seems to be needed (probably because of the include statement).

In named.conf I have


zone "example.com" { type master; file "master/example.com.signed"; update-policy local; auto-dnssec maintain; };


-- 
"Alas, earwax."

More information about the bind-users mailing list