On Feb 19 2014, Alan Clegg wrote:
On 2/19/14, 8:59 PM, Chris Thompson wrote:
What is the right way ... or maybe I should be asking IS there a right
way ... to change a zone that has been signed by inline signing (i.e. with
"inline-signing yes; auto-dnssec maintain;" in it zone statement) to
unsigned?
When I change the zone statement to remove the inline signing part, and
update the SOA serial in the zone file for good measure, and then do
either "rndc reload" or "rndc reconfig", I get messages like
named[22954]: general: error: zone playground.test/IN:
journal rollforward failed: journal out of sync with zone
named[22954]: general: error: zone playground.test/IN:
not loaded due to errors.
and the zone goes into SERVFAIL state.
The only way I found out of this was to remove the [zone-file].signed
and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig".
Surely there must be something better than that?
Have you tried setting "dnssec-secure-to-insecure" then setting all of
the keys to deleted?
Thanks - I have now tried that (set the deletion date to "now" with
dnssec-settime), and it does work. You end up with a [zone-file].signed
which is not actually signed being served, but being maintained from
[zone-file] in an incremental way.
I suppose this is indeed the way to go with the flow of inline signing.
You don't even have to have any keys for the zone in the key directory
initially. It's the transition between having "inline-signing yes" and
"inline-signing no" in the zone definition that seems to expose rough
edge cases.
I still have to investigate the problem that Graham Clinch reported,
and see whether that might be a show-stopper for the application of
inline signing that I have in mind.
More generally: it's a pity that there isn't any real documentation
of inline signing in the ARM, just the examples in ISC's KB articles.
Some clearer explanation of which options "inline-signing yes" is
(in)compatible with would be helpful. For example, it obviously turns
on some sort of moral equivalent of "ixfr-from-differences yes" on
the unsigned version of the zone, but would turning inline signing
on (or off) work better if this were specified explicitly? And the
examples have "auto-dnssec maintain", but would "auto-dnssec allow"
work?
--
Chris Thompson
Email: c...@cam.ac.uk
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
