Freeze/thaw and signed zone files
Tony Finch
dot at dotat.at
Fri Feb 22 19:12:49 UTC 2019
@lbutlr via bind-users <bind-users at lists.isc.org> wrote:
> On 22 Feb 2019, at 09:54, Tony Finch <dot at dotat.at> wrote:
> > You might want a config like
> >
> > zone "example.com" {
> > type master;
> > file "master/example.com";
>
> Not example.com.signed?
No, in inline-signing mode the zone you interact with is the unsigned
version; the signed version belongs entirely to `named` and you don't
touch it.
> > Alternatively, with your current config you can update the zone using
> > https://dotat.at/prog/nsdiff/ like this:
> >
> > nsdiff example.com master/example.com | nsupdate -l
>
> Where the second one of those is my example.com.signed file?
No, the unsigned file, as I said. `nsdiff` works out the differences
between the current live version of example.com (which it fetches by AXFR)
and the new version (on disk in `master/example.com`) and produces a
script for `nsupdate` that will make the live (signed) version match. Your
config says the live version is in `master/example.com.signed`.
It works in a similar way to inline-signing mode, except you have more
control over how changes propagate from the unsigned version to the signed
one.
> Is nsdiff a separate package? It’s not on my FreeBSD 11.2 system with Bind 9.12
Get it from the link above, if you want :-)
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Portland, Plymouth, Biscay, East Fitzroy: Southeasterly 4 or 5, occasionally 6
in Plymouth and Fitzroy, becoming variable 3 or 4 later. Moderate or rough,
occasionally very rough except in Portland. Fair, but rain in Fitzroy. Good,
occasionally poor.
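The `nsdiff example.com master/example.com | nsupdate -l` pipeline discussed above, shown as an added toy in Python. This is example code written for this page, not nsdiff itself or anything from the thread: it parses a constructed AXFR of the signed live zone and a constructed unsigned master file, skips the record types the signer maintains (so the diff does not try to strip the live zone of its signatures), and emits the `update delete` / `update add` / `send` script that `nsupdate -l` would consume. The skipped-type list, the sample zones and the decision to leave the SOA serial to named's automatic increment on dynamic update are all assumptions of this toy; the real nsdiff handles SOA serials, `$TTL`/`$ORIGIN`, multi-line records and many options that this one does not.

```python
"""Toy re-implementation of the nsdiff idea: live (signed) zone vs. unsigned
master file -> nsupdate script. Illustrative only; not the real nsdiff."""
from __future__ import annotations

# Record types the DNSSEC signer (named in inline-signing mode, or whatever
# signs the live zone) maintains itself. They exist in the signed live zone
# but never in the unsigned master file, so they must be excluded from the
# comparison or the diff would delete every signature. This list is an
# assumption of the toy, not nsdiff's exact behaviour.
SIGNER_MAINTAINED = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}

RR = tuple[str, str, str, str, str]  # owner, ttl, class, type, rdata


def parse_zone(text: str) -> set[RR]:
    """Parse a simplified zone listing: one fully qualified RR per line in
    'owner ttl class type rdata' form. '$' directives and ';' comments are
    skipped. The SOA is skipped too: on a dynamic update named bumps the
    serial itself, so the toy does not diff it (the real nsdiff does more)."""
    rrs: set[RR] = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):
            continue
        owner, ttl, klass, rtype, rdata = line.split(None, 4)
        rtype = rtype.upper()
        if rtype == "SOA" or rtype in SIGNER_MAINTAINED:
            continue
        rrs.add((owner.lower(), ttl, klass.upper(), rtype, rdata))
    return rrs


def nsupdate_script(live: set[RR], wanted: set[RR], zone: str) -> str:
    """Emit the nsupdate commands that turn `live` into `wanted`.
    Deletes come first so a changed record is replaced, not duplicated."""
    lines = [f"zone {zone}"]
    for rr in sorted(live - wanted):
        lines.append("update delete " + " ".join(rr))
    for rr in sorted(wanted - live):
        lines.append("update add " + " ".join(rr))
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed sample: roughly what an AXFR of the signed live zone returns.
# The RRSIG/NSEC rdata are placeholders, not real signatures.
LIVE_AXFR = """
$ORIGIN example.com.
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2019022201 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 13 2 3600 20190308000000 20190222000000 12345 example.com. PLACEHOLDERSIG==
www.example.com. 300 IN A 192.0.2.10
old.example.com. 300 IN A 192.0.2.99
example.com. 3600 IN NSEC old.example.com. NS SOA RRSIG NSEC DNSKEY
"""

# Constructed sample: the unsigned master/example.com file after an edit
# (www moved to a new address, the old host removed).
WANTED_FILE = """
$ORIGIN example.com.
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2019022202 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.11
"""


def demo() -> str:
    """Run the toy over the constructed samples and return the script that
    would be piped into `nsupdate -l`."""
    return nsupdate_script(parse_zone(LIVE_AXFR), parse_zone(WANTED_FILE), "example.com")


if __name__ == "__main__":
    print(demo(), end="")
```

Running the block prints a four-command script: two `update delete` lines (the old host and the stale `www` address), one `update add` line for the new `www` address, then `send`. Nothing about the RRSIG or NSEC records appears, which is the property that matters when the live zone is the signed one and the file on disk is not.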