Bind 9.9.x inline signing
mje at posix.co.za
Sun Jun 3 16:01:27 UTC 2012
Eventually got down to some experimenting again.
These are observations - which may help others.
I followed example 1 of Evan Hunt's
(I'm using BIND 9.9.1)
I did change the name of the zone and didn't bother with
"allow-transfer" - using the default behaviour of BIND instead (using
the NS records in the zone instead)
I first created the zone and got it working as normal between two
machines (on the same LAN, etc). This works fine: add a record to the
first zone, bump the SOA serial, rndc reload, and the slave gets the
I then went through the example and added automatic DNSSEC.
The Slave no longer seems to get NOTIFY - I had to stop, remove the
saved slaves file, and restart the slave to force the transfer.
Initially, making a change to the unsigned zone works.
(Edit unsigned, add data, bump SOA by one, save, rndc reload)
Log: 03-Jun-2012 17:23:35.941 general: info: zone yellowbutton.co.za/IN
(signed): serial 2012060307 (unsigned 2012060304)
I didn't like the fact that the unsigned serial (which I manage) was
lower than that of the signed zone. Making it bigger than the signed
zone's version appears to have gotten the zones back in sync - however
the slave is still not getting any NOTIFYs (and has not yet caught up).
I also expect that in the future, any 'magic bind key-signing' may also
de-sync my unsigned zone's concept of the current SOA Serial as well.
It's the apparent lack of NOTIFYs that's really bugging me. I did modify
the secondary zone config in named.conf and added
"masterfile-format text;" - which saves the zone in nice, easy to debug,
Is the NOTIFY from 'Inline-signing' zones currently broken?
Posix Systems - (South) Africa
mje at posix.co.za - Mark J Elkins, Cisco CCIE
Tel: +27 12 807 0590 Cell: +27 82 601 0496
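A small check for the symptom described in the post (the signed serial on the primary running ahead of what the secondary holds), added here as an example and not part of the original message. It assumes dig(1) is available for the live query; the SOA lines used for the self-test are constructed, and the server addresses are placeholders.

```shell
#!/bin/sh
# Added example: compare the SOA serial a primary and a secondary return for
# an inline-signed zone, so a missing NOTIFY / stalled transfer shows up as a
# serial gap rather than being guessed from logs.

ZONE="${ZONE:-yellowbutton.co.za}"          # zone name from the post
PRIMARY="${PRIMARY:-192.0.2.1}"             # placeholder (documentation range)
SECONDARY="${SECONDARY:-192.0.2.2}"         # placeholder (documentation range)

# soa_serial: print the serial (third rdata field) from one "dig +short SOA" line,
# e.g. "ns1.example. hostmaster.example. 2012060307 3600 900 604800 86400"
soa_serial() {
    set -- $1                                # intentional word splitting on whitespace
    printf '%s\n' "$3"
}

# serial_status: classify the secondary relative to the primary by plain numeric
# comparison (adequate for date-based serials like 2012060307; RFC 1982 wraparound
# is not handled here)
serial_status() {
    p="$1"; s="$2"
    if   [ "$p" -eq "$s" ]; then echo in-sync
    elif [ "$p" -gt "$s" ]; then echo secondary-behind
    else                         echo secondary-ahead
    fi
}

# query_serial: fetch the serial a given server answers for $ZONE (needs dig)
query_serial() {
    dig +short @"$1" "$ZONE" SOA | head -n 1 | {
        read -r line
        soa_serial "$line"
    }
}

# Live use: report the two serials and whether the secondary has caught up.
# Note that an inline-signed primary answers with the *signed* serial, which is
# also what the secondary transfers, so the unsigned file's serial is irrelevant here.
check_zone() {
    p=$(query_serial "$PRIMARY")
    s=$(query_serial "$SECONDARY")
    printf '%s primary=%s secondary=%s %s\n' "$ZONE" "$p" "$s" "$(serial_status "$p" "$s")"
}
```

Run `check_zone` after an rndc reload on the primary; a persistent `secondary-behind` while the signed serial climbs is the NOTIFY/transfer problem the post describes, separate from the unsigned-file serial.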