After setting up a zone with DNSSEC using inline-signing, I have run into
the issue where if I do anything that updates the unsigned file that is
input into BIND, that it never seems to update the signed data it generated.
I've previously [1] received the Gold Star for suggesting ;-)
On 01/30/2012 00:46, Jan-Piet Mens wrote:
After setting up a zone with DNSSEC using inline-signing, I have run into
the issue where if I do anything that updates the unsigned file that is
input into BIND, that it never seems to update the signed data it generated.
I've previously [1]
---
Howard Leadmon
-----Original Message-----
From: Jan-Piet Mens [mailto:jpm...@gmail.com] On Behalf Of Jan-Piet Mens
Sent: Monday, January 30, 2012 3:47 AM
To: Howard Leadmon
Cc: bind-users@lists.isc.org
Subject: Re: bind 9.9 inline-signing issue..
After setting up a zone with DNSSEC
-----Original Message-----
From: bind-users-bounces+howard=leadmon@lists.isc.org [mailto:bind-users-bounces+howard=leadmon@lists.isc.org] On Behalf Of Howard Leadmon
Sent: Monday, January 30, 2012 4:14 AM
To: 'Jan-Piet Mens'
Cc: bind-users@lists.isc.org
Subject: RE: bind 9.9 inline-signing issue..
OK, call
That said, instead of using 'rndc reload leadmon.org', I actually have to
use 'rndc reload leadmon.org IN external', or internal as the case may be to
separate the zone I am reloading.
Not here, in spite of multiple views; BIND 9.9.0rc1
-JP
-----Original Message-----
From: Jan-Piet Mens [mailto:jpm...@gmail.com] On Behalf Of Jan-Piet Mens
Sent: Monday, January 30, 2012 5:19 AM
To: Howard Leadmon
Cc: bind-users@lists.isc.org
Subject: Re: bind 9.9 inline-signing issue..
That said, instead of using 'rndc reload leadmon.org
On 1/30/2012 5:28 AM, Howard Leadmon wrote:
Jan 30 05:23:26 minbari named[30332]: zone leadmon.org/IN/external (unsigned): loaded serial 2012012901
Jan 30 05:23:26 minbari named[30332]: zone leadmon.org/IN/external (signed): serial 2012012901 (unsigned 2012012901)
Jan 30 05:23:26 minbari
Mark Elkins m...@posix.co.za wrote:
I also see...
$TTL 0 ; 0 seconds
TYPE65534 \# 5 ( 08467D0001 )
TYPE65534 \# 5 ( 0896730001 )
appearing on a secondary for this zone. What is it?
(Yes - an unknown data type - the secondary is running bind
On 1/30/2012 11:59 AM, Mark Elkins wrote:
Lastly - how does one 'view' the 'raw' format of a zone file?
Use named-compilezone
Guess that kind of makes some obscure logical sense. Works though
I do think that 'named-compilezone' should be able to work out the
format of the 'input' file
Alan Clegg a...@clegg.com wrote:
Just be sure to watch for the extra SOA record. :)
Or use dig axfr +onesoa ...
Tony.
--
f.anthony.n.finch d...@dotat.at http://dotat.at/
South-east Iceland: Southerly 5 to 7, occasionally gale 8, but variable 4 at
first and later in west. Very rough,
=leadmon@lists.isc.org] On Behalf Of Alan Clegg
Sent: Monday, January 30, 2012 8:00 AM
To: bind-users@lists.isc.org
Subject: Re: bind 9.9 inline-signing issue..
On 1/30/2012 5:28 AM, Howard Leadmon wrote:
Jan 30 05:23:26 minbari named[30332]: zone leadmon.org/IN/external
(unsigned
@lists.isc.org
Subject: Re: bind 9.9 inline-signing issue..
As stated in a prior message, just the signed zone is not being updated
when I make an update to the unsigned zone file. The earlier posting
suggesting that I do a rndc reload zone does indeed cause the signed
zones to update, but you
As you mentioned, even a hard restart of the named process would not cause
a resign of the zone, and not that I did it the last time around, but for
sure removing the journal files and .signed zone file would cause named to
update from the unsigned file and then the signed data would be
I suspect that something was wrong with the unsigned zone, 'rndc reload'
failed to catch the problem, and so the zone got itself into a weird state.
The exact circumstance in which I've seen this happen involved a failure to
update the SOA serial, but there may be other triggers for it as
I can install bind 9.9.0rc2 tomorrow and test with both nsupdate and rndc
reload. I would also like to test DNSSEC automatic key rollover with
inline signing again. I imagine this will be fixed in rc2, given the
success of the patch you provided earlier. My next ZSK activation date is
Well after the various discussion a short while back, I decided to give
the inline-signing a run, and after setup I must say it did appear to do
what I expected. Of course anything that went that easy had to have a
snag, and it did, and at the moment I am wondering what I have missed so
I agree with you. I took your example and installed bind 9.9.0b2
I also updated my 'soa' in the unsigned...
Am getting the following in my log...
Jan 29...: zone test1.co.za/IN (unsigned): loaded serial 2012012901
Jan 29...: zone test1.co.za/IN (signed): loaded serial 200105 (DNSSEC signed)
After setting up a zone with DNSSEC using inline-signing, I have run into the
issue where if I do anything that updates the unsigned file that is input
into BIND, that it never seems to update the signed data it generated.
As an example, I had serial number of 2012012701 in the test zone
Slept on this.
This morning 8+ hours later, no change.
Added a completely new record to the (unsigned) zone, updated the SOA
Serial and ran 'rndc reload':
Jan 30 09...: received control channel command 'reload'
Jan 30 09...: loading configuration from '/etc/bind/named.conf'
...
Jan 30 09...: zone