ISC BIND 9.12.3-P1 Question re: DNSSEC Zone Signing

Mark Andrews marka at isc.org
Tue Mar 19 00:17:16 UTC 2019



> On 19 Mar 2019, at 10:59 am, LeBlanc, Daniel James <daniel.leblanc at bellaliant.ca> wrote:
> 
> Thanks Mark for your quick response.
> 
> On page 29 of the Bv9-12-3-P1ARM I had seen the following, which is why I thought that I "needed" to have one of those statements:
> 
> 
> "Using the auto-dnssec option requires the zone to be configured to allow dynamic updates, by adding an allow-update or update-policy statement to the zone configuration. If this has not been done, the configuration will fail."


Which applies to master zones w/o "inline-signing yes;".  If I'm remembering history correctly auto-dnssec
existed well before inline-signing and that description wasn't updated.

> I was looking to do fully automatic signing using auto-dnssec maintain;.  If that is not possible I could still live with an rndc-based approach if required.

named will maintain the zone.  Switching between NSEC and NSEC3 requires rndc as you
don't directly manipulate the zone content with dynamic updates.  Rolling the keys
is done with dnssec-settime and dnssec-keygen or dnssec-keymgr.

> I will try this out in the morning.
> 
> Thanks again!
> 
> Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada
> 
> -----Original Message-----
> From: Mark Andrews [mailto:marka at isc.org] 
> Sent: March-18-19 8:40 PM
> To: LeBlanc, Daniel James
> Cc: bind-users at lists.isc.org
> Subject: Re: ISC BIND 9.12.3-P1 Question re: DNSSEC Zone Signing
> 
> You don’t need update-policy local.  In inline-signing mode named maintains its own copy
> of the zone with the DNSSEC records in addition to the copy from upstream.  DNSSEC is
> controlled by rndc.
> 
>> On 19 Mar 2019, at 10:33 am, LeBlanc, Daniel James <daniel.leblanc at bellaliant.ca> wrote:
>> 
>> Hello All.
>> 
>> I have a pair of ISC BIND 9.12.3-P1 servers that are configured as slaves to a pair of Hidden Master servers.  The Hidden Masters are a proprietary product and unfortunately when used to sign the zones, the SOA records are not populated as expected.  As a result, I was looking into signing the zones within ISC BIND instead.  Reviewed the literature, came up with a plan and the required configuration changes.  However, things are not proceeding as I had hoped…
>> 
>> If I include required statements within the zone options BIND complained that update-policy local is not permitted in a zone of type slave (and failed to start):
>> 
>>                key-directory "keys/externals/{{ zone.zonename }}";
>>                inline-signing yes;
>>                auto-dnssec maintain;
>>                update-policy local;
>> 
>> So I switched it out for the allow-update { localhost; };, and BIND complained that allow-update is not permitted in a zone of type slave (and failed to start).
>> 
>> So I changed my zone type from slave to master (recall that these BIND instances are intended to be slaved off of the Hidden Masters), and BIND complained that masters statements were not permitted in zones of type master (meaning that updates would not be accepted).
>> 
>> Is there a way for me to sign the zones on the slave servers, even though I intend to provision content into those same zones on the proprietary Hidden Masters?
>> 
>> Thanks.
>> 
>> Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada
>> 
> 
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
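The zone stanza Mark's answer implies, written out as an added example (not configuration from the thread or from ISC): a type slave zone that keeps its transferred copy unsigned and lets named maintain a separate signed copy, with no update-policy or allow-update. The zone name, master addresses, file paths and algorithm are assumed placeholders.

```conf
// Added example: secondary zone signed locally with inline-signing.
// Zone name, master addresses and paths are constructed placeholders.
zone "example.com" {
    type slave;                               // still a secondary of the hidden masters
    masters { 192.0.2.10; 192.0.2.11; };      // constructed hidden-master addresses
    file "slaves/example.com.db";             // unsigned copy transferred from upstream

    // named keeps the DNSSEC records in its own copy (example.com.db.signed)
    // and serves that; the transferred copy is never modified, so no dynamic
    // update permission is needed.
    inline-signing yes;
    auto-dnssec maintain;                     // sign with keys found in key-directory,
                                              // following their timing metadata
    key-directory "keys/externals/example.com";

    // Deliberately absent: update-policy / allow-update. Both are rejected in
    // a type slave zone and inline-signing does not require them.
};

// Key and signing operations are done out of band, as Mark describes:
//   dnssec-keygen -K keys/externals/example.com -a ECDSAP256SHA256 -f KSK example.com
//   dnssec-keygen -K keys/externals/example.com -a ECDSAP256SHA256 example.com
//   rndc loadkeys example.com            # pick up new/retimed keys without a restart
//   rndc signing -list example.com       # check signing state of the zone
//   rndc signing -nsec3param 1 0 10 - example.com   # switch to NSEC3 (unsalted)
//   rndc signing -nsec3param none example.com       # back to NSEC
```

Check the result with `named-checkconf` before reload; the signed copy and its journal appear beside the slave file as `.signed` and `.signed.jnl`.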


