Isn’t auto-dnssec maintain; (which we have enabled) supposed to effectively do the same thing as rndc sign zone?
Mathew Eis
Northern Arizona University
Information Technology Services

-----Original Message-----
From: Mark Andrews <ma...@isc.org>
Date: Thursday, February 25, 2016 at 5:14 PM
To: Mathew Eis <mathew....@nau.edu>
Cc: "bind-users@lists.isc.org" <bind-us...@isc.org>
Subject: Re: force re-sign of individual host record?

>
> "rndc sign zone [class [view]]" should do it.
>
>In message <b9599b05-145f-4111-9e5b-032c6466d...@nau.edu>, Mathew Ian Eis writes:
>> Hi BIND,
>>
>> Anyone know if there is a good way to force named to resign a single host
>> record? (e.g. without generating new ZSKs, etc.?)
>>
>> An ntp glitch recently caused our master nameserver to jump many hours
>> into the future, whereupon it began issuing invalid (to the world) RRSIGs
>> with an inception time many hours into the future.
>>
>> After correcting the server time, named's signature rollover algorithm
>> didn't pick up on the fact that there were invalid RRSIGs (even after
>> restarting the named process), so we were left with manually repairing
>> them.
>>
>> We ended up modifying the TTLs (thus forcing named to update the RRSIGs),
>> and then restoring the TTLs to their previous state.
>>
>> It seems like there should be a better way; was that the "best" approach?
>> ( Even better, it seems like named could automagically correct for this
>> particular problem if we can put it on the wishlist ;-) )
>>
>> Thoughts?
>>
>> Thanks in advance,
>>
>> Mathew Eis
>> Northern Arizona University
>> Information Technology Services
>>
>
>--
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
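
An added example, not part of the thread above and not ISC's code: a small check that reads RRSIG records in the text layout `dig +dnssec` prints and reports signatures whose inception time is still in the future (the failure described in the original message) or which have expired. The function names, the sample records and the `skew` tolerance parameter are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `dig +dnssec` prints; names, key tag and
# signature blobs are made up for this example.
SAMPLE = """\
host1.example.edu. 3600 IN RRSIG A 8 3 3600 20160326120000 20160225110000 12345 example.edu. AAAA
host2.example.edu. 3600 IN RRSIG A 8 3 3600 20160327050000 20160226040000 12345 example.edu. BBBB
host3.example.edu. 3600 IN RRSIG A 8 3 3600 20160220000000 20160121000000 12345 example.edu. CCCC
host3.example.edu. 3600 IN A 192.0.2.10
"""


def _ts(field):
    """Parse the YYYYMMDDHHmmSS form used for RRSIG times (always UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsigs(text, now=None, skew=timedelta(0)):
    """Return (owner, covered_type, status) for signatures invalid at `now`.

    `skew` is the clock tolerance granted to the signer (assumption: none by
    default, so any future inception time is reported).
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels origttl expiration inception tag signer sig
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue  # not an RRSIG record
        # In presentation format the expiration field comes BEFORE inception.
        expiration, inception = _ts(f[8]), _ts(f[9])
        if inception - skew > now:
            findings.append((f[0], f[4], "not-yet-valid"))
        elif expiration + skew < now:
            findings.append((f[0], f[4], "expired"))
    return findings


if __name__ == "__main__":
    for owner, rtype, status in check_rrsigs(SAMPLE):
        print(owner, rtype, status)
```

Run against the authoritative server's answers after a clock correction, this lists the records that still carry signatures a validator with correct time would reject.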