Re: DNSSEC and upgrading/restoring
On 2/2/14 5:39 AM, Tony Finch wrote:
> David Newman <dnew...@networktest.com> wrote:
>> On 1/31/14 10:35 AM, Tony Finch wrote:
>>> David Newman <dnew...@networktest.com> wrote:
>>>> What action, if any, is needed?
>>> Does rndc sign zone make it wake up?
>> Alas, no. There are a bunch of successful IXFR messages to slave servers
>> but the dates in that NSEC3PARAM RRSIG did not change.
> Not good. I would try deleting and re-adding the NSEC3PARAM records. Slow
> if the zones are big but at least it should fix the problem.

Bingo. That cleared the issue.

This may have been unrelated to the system upgrade. It's possible the stale NSEC3 records were there for a while, and I just hadn't noticed.

Thanks very much for the troubleshooting clues.

dn

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
Re: DNSSEC and upgrading/restoring
David Newman <dnew...@networktest.com> wrote:
> On 1/31/14 10:35 AM, Tony Finch wrote:
>> David Newman <dnew...@networktest.com> wrote:
>>> What action, if any, is needed?
>> Does rndc sign zone make it wake up?
> Alas, no. There are a bunch of successful IXFR messages to slave servers
> but the dates in that NSEC3PARAM RRSIG did not change.

Not good. I would try deleting and re-adding the NSEC3PARAM records. Slow if the zones are big but at least it should fix the problem.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
Re: DNSSEC and upgrading/restoring
David Newman <dnew...@networktest.com> wrote:
> 2. For five domains, the log contains signature-has-expired warnings. In
> all five cases, these are for NSEC3PARAM records. Is any action needed on
> my part, for example manually doing NSEC3 signing of these zones?

See if named has already re-signed them - check that the first date in the RRSIG is in the future.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
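The check Tony describes, and the remediation he suggests two messages later, as an added example (not code from anyone in this thread). In RRSIG presentation format the two timestamps are ordered expiration first, then inception (RFC 4034 section 3.2), so "the first date" is the expiration, and a fixed-width YYYYMMDDHHMMSS UTC timestamp can be compared directly. The first function classifies every RRSIG in dig's single-line output against a given "now"; the second emits the rndc commands that drop and re-add NSEC3PARAM on an inline-signing zone, which is what the thread's zones use. The zone name, salt, key tag and records below are constructed sample data; `rndc signing -nsec3param` is my choice of mechanism for the delete/re-add, not something Tony specified.

```shell
#!/bin/sh
# Added example, not from the bind-users thread.
# In practice feed it real data:
#   dig +dnssec +noall +answer example.com NSEC3PARAM | rrsig_status "$(date -u +%Y%m%d%H%M%S)"
# Assumes dig's default one-record-per-line output (not +multiline).

# Constructed sample: an NSEC3PARAM whose RRSIG expired in 2013, and a fresh SOA RRSIG.
SAMPLE='example.com. 3600 IN NSEC3PARAM 1 0 10 ABCDEF1234567890
example.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20130901000000 20130802000000 12345 example.com. AAAA
example.com. 3600 IN RRSIG SOA 8 2 3600 20140228000000 20140129000000 12345 example.com. BBBB'

# rrsig_status NOW  (records on stdin)
# Prints "owner type-covered status" for every RRSIG, where status is
# valid, expired, or not-yet-valid relative to NOW (YYYYMMDDHHMMSS, UTC).
rrsig_status() {
  awk -v now="$1" '
    $4 == "RRSIG" {
      # fields: owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
      expire = $9; incept = $10
      if (now < incept)       s = "not-yet-valid"
      else if (now >= expire) s = "expired"
      else                    s = "valid"
      print $1, $5, s
    }'
}

# nsec3param_refresh ZONE  (records on stdin)
# Emits the two rndc commands that remove and then re-add the NSEC3PARAM
# found in the input, reusing its hash algorithm, flags, iterations and salt.
# Run the first, wait for "rndc signing -list ZONE" to settle, then the second.
nsec3param_refresh() {
  awk -v zone="$1" '
    $4 == "NSEC3PARAM" {
      printf "rndc signing -nsec3param none %s\n", zone
      printf "rndc signing -nsec3param %s %s %s %s %s\n", $5, $6, $7, $8, zone
    }'
}

# Demo on the constructed sample, evaluated as of 2014-01-31 12:00 UTC.
printf '%s\n' "$SAMPLE" | rrsig_status 20140131120000
printf '%s\n' "$SAMPLE" | nsec3param_refresh example.com
```

A signature that is merely expired is not the same as one that named has re-signed but the slaves have not yet picked up; compare the output against each slave (`dig @slave ...`) before touching NSEC3PARAM, since the fix rebuilds the whole NSEC3 chain and is slow on large zones.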
Re: DNSSEC and upgrading/restoring
On 1/31/14 3:10 AM, Tony Finch wrote:
>> 2. For five domains, the log contains signature-has-expired warnings. In
>> all five cases, these are for NSEC3PARAM records. Is any action needed on
>> my part, for example manually doing NSEC3 signing of these zones?
> See if named has already re-signed them - check that the first date in
> the RRSIG is in the future.

So far (~18 hours) named has not re-signed them. In all five cases the first date in the RRSIG is in the past, from 2013.

What action, if any, is needed?

Thanks!

dn
Re: DNSSEC and upgrading/restoring
David Newman <dnew...@networktest.com> wrote:
> What action, if any, is needed?

Does rndc sign zone make it wake up?

Is there anything in the logs reporting problems, e.g. inability to read the key files?

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Re: DNSSEC and upgrading/restoring
On 1/31/14 10:35 AM, Tony Finch wrote:
> David Newman <dnew...@networktest.com> wrote:
>> What action, if any, is needed?
> Does rndc sign zone make it wake up?

Alas, no. There are a bunch of successful IXFR messages to slave servers but the dates in that NSEC3PARAM RRSIG did not change.

> Is there anything in the logs reporting problems, e.g. inability to read
> the key files?

For these five zones, the only warnings are that the signature has expired.

The log has errors for other zones saying the serial number is unchanged. Here's an example:

30-Jan-2014 15:25:46.490 general: error: zone networktest.com/IN/internal (signed): receive_secure_serial: unchanged

But I think this is unrelated to the zones with stale NSEC3PARAM RRSIGs.

dn
Re: DNSSEC and upgrading/restoring
On 1/28/14 3:49 AM, Alan Clegg wrote:
> On Jan 27, 2014, at 7:32 PM, David Newman <dnew...@networktest.com> wrote:
>> Asking again, in a different and more generic form:
>>
>> When rebuilding a bind 9.9.4 server running DNSSEC with auto maintain, are
>> there any steps I need to take beyond just backing up /var/named/etc/namedb
>> (this is on FreeBSD) and restoring?
>>
>> This server is authoritative and primary, and has slaves for multiple
>> domains. I'm concerned about keeping keys, serial numbers, and any other
>> dynamic info in sync.
>
> Should be no problem what-so-ever. Just stop the old server, do the backup,
> restore it where your new system expects it then start the new one. A brief
> outage of your master should be no issue if your slaves are working
> correctly.
>
> Do make sure that the new version is built with the same options as the old
> one if you are replicating the file system locations of the data.
>
> 8-)

Thanks. This mostly worked fine. The only gotchas:

1. On a NanoBSD box, named did not start because it couldn't write to the old named.log file. Deleting the existing named.log cleared that issue. I think this may be a NanoBSD-specific issue.

2. For five domains, the log contains signature-has-expired warnings. In all five cases, these are for NSEC3PARAM records. Is any action needed on my part, for example manually doing NSEC3 signing of these zones?

Thanks again!

dn
Re: DNSSEC and upgrading/restoring
On Jan 27, 2014, at 7:32 PM, David Newman <dnew...@networktest.com> wrote:
> Asking again, in a different and more generic form:
>
> When rebuilding a bind 9.9.4 server running DNSSEC with auto maintain, are
> there any steps I need to take beyond just backing up /var/named/etc/namedb
> (this is on FreeBSD) and restoring?
>
> This server is authoritative and primary, and has slaves for multiple
> domains. I'm concerned about keeping keys, serial numbers, and any other
> dynamic info in sync.

Should be no problem what-so-ever. Just stop the old server, do the backup, restore it where your new system expects it then start the new one. A brief outage of your master should be no issue if your slaves are working correctly.

Do make sure that the new version is built with the same options as the old one if you are replicating the file system locations of the data.

8-)
AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com
Re: DNSSEC and upgrading/restoring
> Asking again, in a different and more generic form:
>
> When rebuilding a bind 9.9.4 server running DNSSEC with auto maintain, are
> there any steps I need to take beyond just backing up /var/named/etc/namedb
> (this is on FreeBSD) and restoring?
>
> This server is authoritative and primary, and has slaves for multiple
> domains. I'm concerned about keeping keys, serial numbers, and any other
> dynamic info in sync.
>
> Thanks!
>
> dn

This may not apply to FreeBSD, but you should backup the main named.conf if it is in some other directory than /var/named/etc/namedb. On my system (Solaris) named.conf and a key file for managed keys for the root are in /etc.

Tom Schulz
Applied Dynamics Intl.
sch...@adi.com
Re: DNSSEC and upgrading/restoring
Asking again, in a different and more generic form:

When rebuilding a bind 9.9.4 server running DNSSEC with auto maintain, are there any steps I need to take beyond just backing up /var/named/etc/namedb (this is on FreeBSD) and restoring?

This server is authoritative and primary, and has slaves for multiple domains. I'm concerned about keeping keys, serial numbers, and any other dynamic info in sync.

Thanks!

dn

On 1/23/14 10:16 AM, David Newman wrote:
> Are there any recommended practices/config changes needed when upgrading
> or restoring a bind 9.9.4 server using DNSSEC inline signing and auto
> maintain?
>
> Asking specifically about upgrading a server running on NanoBSD, but this
> question is really about upgrading or restoring any DNSSEC server with
> inline signing and auto maintain enabled.
>
> Is this as easy as copying everything from /var/named to the NanoBSD build
> machine and going from there? Or is something else required?
>
> Thanks!
>
> dn