> I didn't like the fact that the unsigned serial (which I manage) was lower 
> than that of the signed zone. Making it bigger than the signed zones version 
> appears to have gotten the zones back in sync - however the slave is still 
> not getting any Notifies (and has not yet caught up).

With "inline-signing yes;" and "auto-dnssec maintain;" in place, the SOA serial 
number of the signed zone will always be ahead of the unsigned zone. BIND 9 
periodically carries out signing and key maintenance activities, and in the 
process automatically increments the SOA serial number of the signed zone.

When you manually edit the unsigned zone, you can set the SOA serial number to 
any value larger than the previous value, including incrementing by one, and 
everything should work. BIND 9 tracks the SOA serial numbers of the unsigned 
and signed versions of the zone separately.

Note that you can also use nsupdate to edit the unsigned zone, and nsupdate 
will automatically increment the unsigned zone's SOA serial number for you.

> I also expect that in the future, any 'magic bind key-signing' may also 
> de-sync my unsigned zone's concept of the current SOA Serial as well. 

> It's the apparent lack of NOTIFYs that's really bugging me. I did modify the 
> secondary zone config in named.conf and added "masterfile-format text;" - 
> which saves the zone in nice, easy to debug, ASCII. 
> Is the NOTIFY from 'Inline-signing' zones currently broken?

This has been working for me, but with some different configuration settings. 
Because my DNS servers are behind an IPv4 NAT firewall, I have not been relying 
on BIND 9's default notification scheme. The name server addresses in the zone 
files are external IPv4 addresses not reachable from inside the firewall. 
Instead I have configured "notify explicit;" and "also-notify { ... };" to 
control the notification process. This issue also affects the addresses in 
"allow-transfer { ... };" and "masters { ... };" statements.

Did you happen to look at your syslog (cat /var/log/syslog | grep named)? It is 
possible that your slaves are not receiving notifies, or are not able to do 
zone transfers, or both.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
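The arrangement described above (hidden primary behind NAT using "notify explicit;" and "also-notify", secondary storing the received zone as text), written out as a named.conf example; this is an added illustration, not the poster's own configuration, and the zone name, file paths and 192.0.2.x addresses are placeholders.

```conf
// ---- Primary (inline-signing master behind an IPv4 NAT) ----
options {
    // Do not NOTIFY the NS addresses listed in the zone: those are external
    // addresses that are not reachable from inside the NAT. Only the
    // also-notify targets below receive NOTIFY messages.
    notify explicit;
};

zone "example.com" {
    type master;
    // Unsigned zone file, edited by hand (or via nsupdate). Its SOA serial
    // is managed by the administrator and tracked separately from the
    // serial of the signed version that BIND maintains.
    file "/etc/bind/zones/example.com.db";
    key-directory "/etc/bind/keys";
    inline-signing yes;
    auto-dnssec maintain;
    // Internal (pre-NAT) addresses of the secondary for NOTIFY and AXFR/IXFR.
    also-notify { 192.0.2.2; };
    allow-transfer { 192.0.2.2; };
};

// ---- Secondary ----
zone "example.com" {
    type slave;
    file "/var/cache/bind/example.com.db";
    // Internal address of the primary, not its external NAT address.
    masters { 192.0.2.1; };
    // Store the received signed zone as readable text for debugging.
    masterfile-format text;
};
```

After reloading both servers, the syslog check from the reply (grep named /var/log/syslog on each host) shows whether the primary is sending notifies to 192.0.2.2 and whether the secondary's transfers from 192.0.2.1 succeed.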


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users