DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL
Andreas Meyer
a.meyer at nimmini.de
Tue Aug 23 13:28:38 UTC 2016
Tony Finch <dot at dotat.at> wrote on 23.08.16 at 10:45:15:
> Aleks Ostapenko <aleks.ostapenko.post at gmail.com> wrote:
>
> > As for second variant - unfortunately I don't know how to edit manually TTL
> > in the signed (not raw) master file.
>
> (1) Use `rndc freeze` which makes `named` rewrite the zone file with all
> pending changes from the journal, and makes it stop making further changes
> to the zone.
>
> (2) The signed zone file will normally be in standard text format, so you
> can just run the editor of your choice on the file. Change the TTLs of all
> the DNSKEY records and the RRSIG DNSKEY to what you want.
>
> (3) Run `rndc thaw` to make `named` reload the zone and permit it to make
> changes.
This is the most important information for re-signing a zone so that a
change is noticed in a signed zone, and it is missing in
https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html
It took me hours to find out:
rndc freeze domain.de
edit domain.de
rndc reload domain.de
rndc thaw domain.de
Greetings
Andreas
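
Step (2) of the quoted procedure, as an added example that is not part of the original messages: a shell function that rewrites only the TTL column of DNSKEY and RRSIG DNSKEY records in a text-format zone file. It assumes one record per line with an explicit owner name and numeric TTL; the function name, the ZONEFILE placeholder and the sample zone are constructed for illustration.

```shell
#!/bin/sh
# Added example: set the TTL of DNSKEY and RRSIG(DNSKEY) records in zone text.
# Assumed record layout (one per line): owner TTL [IN] TYPE rdata...
# Reads the zone on stdin, writes the edited zone to stdout.
# Exit status: 0 = records changed, 1 = nothing matched, 2 = bad TTL argument.
#
# Intended use between the freeze and thaw steps from the thread
# (ZONEFILE is a placeholder for the signed zone file's path):
#   rndc freeze domain.de
#   set_dnskey_ttl 86400 < ZONEFILE > ZONEFILE.new && mv ZONEFILE.new ZONEFILE
#   rndc thaw domain.de
set_dnskey_ttl() {
    case "$1" in
        ''|*[!0-9]*) echo "usage: set_dnskey_ttl SECONDS" >&2; return 2 ;;
    esac
    awk -v ttl="$1" '
        # Pass through blank lines, comments, $directives and lines
        # without an owner name (that layout is not handled here).
        /^$/ || /^[ \t;$]/ { print; next }
        # Field 2 must be the numeric TTL; anything else is left alone.
        $2 !~ /^[0-9]+$/ { print; next }
        {
            t = ($3 == "IN") ? 4 : 3        # the class field is optional
            if ($t == "DNSKEY" || ($t == "RRSIG" && $(t + 1) == "DNSKEY")) {
                # Replace only the TTL column and keep the original spacing.
                # The original-TTL field inside the RRSIG RDATA is not touched.
                match($0, /^[^ \t]+[ \t]+/)
                head = substr($0, 1, RLENGTH)
                rest = substr($0, RLENGTH + 1)
                sub(/^[0-9]+/, ttl, rest)
                $0 = head rest
                n++
            }
            print
        }
        END { exit (n > 0 ? 0 : 1) }
    '
}

# Constructed sample zone (key and signature data are placeholders).
SAMPLE_ZONE='domain.de. 3600 IN SOA ns1.domain.de. hostmaster.domain.de. 2016082301 7200 3600 1209600 3600
domain.de. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEY
domain.de. 3600 IN RRSIG DNSKEY 8 2 3600 20160922000000 20160823000000 12345 domain.de. PLACEHOLDERSIG
www.domain.de. 3600 IN A 192.0.2.10
www.domain.de. 3600 IN RRSIG A 8 3 3600 20160922000000 20160823000000 54321 domain.de. PLACEHOLDERSIG'

printf '%s\n' "$SAMPLE_ZONE" | set_dnskey_ttl 86400
```

A non-zero exit status means no DNSKEY or RRSIG DNSKEY line matched the assumed layout, so the file should not be swapped in before `rndc thaw`.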