I recently switched from external signing of my zone to use of BIND 9.9 inline signing. While things went fairly smoothly on the master server, my slave ended up with a bunch of spurious DNSKEY records that came from my previous keys (I generated new keys when I went to inline signing).
The extra DNSKEY records were not present in the zone file of the master server, so I reinitiated a zone transfer and this did not help. I checked the signed zone file on the master with named-checkzone and only the desired DNSKEY records were there. Eventually I tried shutting down the slave server, deleting the zone file (and .jnl file that was also there) and restarting and all was good after that.

Hypothesis: The .jnl file was the culprit; I don't know what's there, but it sounds like the intent is to allow incremental updates of zone files. Following the "fix", there is no longer a .jnl file there. I'm not sure where it came from in the first place.

Master is running 9.9.5-9+deb8u6-Debian <id:f9b8a50e>
Slave is running 9.8.4-rpz2+rl005.12-P1
(both obtained from Debian distribution)

Is this a known problem?

-Jim

bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users
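
To confirm the symptom described in the post (DNSKEY records served by the slave that the master does not have), the DNSKEY answers of both servers can be compared. The following is an added example, not part of the original post: the sample answers, the 4-byte placeholder keys and the algorithm numbers are constructed, and the key tag follows RFC 4034, Appendix B.

```python
import base64

# Constructed sample answers in the form printed by
#   dig +short DNSKEY <zone> @<server>
# The key material is a 4-byte placeholder, not a real key, and the
# algorithm numbers are assumptions chosen for the illustration.
MASTER_ANSWER = """\
257 3 8 AQIDBA==
256 3 8 BQYHCA==
"""
SLAVE_ANSWER = """\
257 3 8 AQIDBA==
256 3 8 BQYHCA==
257 3 5 CQoLDA==
256 3 5 DQ4PEA==
"""

def parse_dnskeys(text):
    """Parse DNSKEY rdata lines into a set of (flags, protocol, alg, key)."""
    keys = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith(";"):
            continue  # blank line, comment, or not DNSKEY rdata
        flags, protocol, alg = (int(f) for f in fields[:3])
        # dig may split long base64 keys into several space-separated chunks
        keys.add((flags, protocol, alg, base64.b64decode("".join(fields[3:]))))
    return keys

def key_tag(flags, protocol, alg, key):
    """Key tag as defined in RFC 4034, Appendix B (not valid for algorithm 1)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + key
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def describe(key):
    role = "KSK" if key[0] & 1 else "ZSK"  # SEP bit set => key-signing key
    return f"{role} alg={key[2]} tag={key_tag(*key)}"

def compare(master_text, slave_text):
    """Report DNSKEYs present on only one of the two servers."""
    master, slave = parse_dnskeys(master_text), parse_dnskeys(slave_text)
    return {
        "only_on_slave": sorted(describe(k) for k in slave - master),
        "only_on_master": sorted(describe(k) for k in master - slave),
    }

if __name__ == "__main__":
    for side, keys in compare(MASTER_ANSWER, SLAVE_ANSWER).items():
        print(side, keys)
```

The reported tag is the same number BIND uses in its `K<zone>+<alg>+<tag>` key file names, which helps match a leftover record to a retired key.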

