Bind 9.9.x inline signing

Mark Elkins mje at posix.co.za
Fri Jun 8 12:43:58 UTC 2012


Some updates:

Eventually got VirtualBox to behave and now have two virtual instances
of Gentoo/BIND on my box. Now I have a cleaner test environment.

Rebuilt Evan's demo and it's now working well. Running BIND 9.9.1 and
'haveged' on both machines. I have modified my 'signer' script so if the
zone type is 'Auto', I just manage the Keys and BIND does the rest. The
script also checks the SOA of the signed zone and brings the unsigned
zone up to the same Serial Number. Seems to be keeping in sync now.

Some other 'changes' I've made: I create keys with SHA256 rather than
SHA1, thus my 'dnssec-keygen' invocation looks like:
        dnssec-keygen -a RSASHA256 -b 1024
        dnssec-keygen -fk -a RSASHA256 -b 2048

So I have a beautiful NSEC managed zone - on to test with NSEC3!


On Sun, 2012-06-03 at 18:01 +0200, Mark Elkins wrote:
> Eventually got down to some experimenting again.
> These are observations - which may help others.
> 
> I followed example 1 of Evan Hunt's
> https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html
> (I'm using bind 9.9.1)
> 
> I did change the name of the zone and didn't bother with
> "allow-transfer" - using the default behaviour of BIND instead (using
> the NS records in the zone instead)
> 
> I first created the zone and got it working as normal between two
> machines (on the same LAN, etc). This works fine: add a record to the
> first zone, bump the SOA Serial, rndc reload, and the slave gets the
> update notify.
> 
> I then went through the example and added automatic DNSSEC.
> 
> The Slave no longer seems to get NOTIFY - I had to stop, remove the
> saved slaves file, and restart the slave to force the transfer.
> 
> Initially, making a change to the unsigned zone works.
> (Edit unsigned, add data, bump SOA by one, save, rndc reload)
> Log:  03-Jun-2012 17:23:35.941 general: info: zone yellowbutton.co.za/IN
> (signed): serial 2012060307 (unsigned 2012060304)
> 
> I didn't like the fact that the unsigned serial (which I manage) was
> lower than that of the signed zone. Making it bigger than the signed
> zone's version appears to have gotten the zones back in sync - however
> the slave is still not getting any Notifies (and has not yet caught up).
> I also expect that in the future, any 'magic bind key-signing' may also
> de-sync my unsigned zone's concept of the current SOA Serial as well.
> 
> It's the apparent lack of NOTIFYs that's really bugging me. I did modify
> the secondary zone config in named.conf and added
> "masterfile-format text;" - which saves the zone in nice, easy to debug,
> ASCII.
> Is the NOTIFY from 'Inline-signing' zones currently broken?
> 

-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
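The serial-sync step Mark describes (reading the SOA serial BIND serves for the signed zone and raising the unsigned zone file's serial to match) as an added example; this is not his 'signer' script. It assumes a hypothetical zone name and file path, and that the unsigned zone file keeps the serial on its own line tagged with a "; serial" comment, as in the usual multi-line SOA layout.

```shell
#!/bin/sh
# Added example, not the poster's script. Keeps the unsigned zone's SOA
# serial at or above the serial the inline signer published for the
# signed zone, so a later manual bump cannot go "backwards".
ZONE="${ZONE:-example.test}"                    # hypothetical zone name
UNSIGNED="${UNSIGNED:-/var/named/$ZONE.db}"     # hypothetical file path

# Serial currently served for the (signed) zone by the local master.
# dig +short SOA prints: mname rname serial refresh retry expire minimum
signed_serial() {
    dig +short @127.0.0.1 "$1" SOA | awk '{print $3}'
}

# Serial recorded in the unsigned zone file: first number on the line
# that carries the "; serial" comment.
file_serial() {
    awk '/; *serial/ {print $1; exit}' "$1"
}

# Raise the file's serial to $2 when it is lower; print the serial in
# effect afterwards. Returns 1 if no serial line was found.
sync_serial() {
    file="$1"; target="$2"
    cur=$(file_serial "$file")
    [ -n "$cur" ] || return 1
    if [ "$cur" -lt "$target" ]; then
        # Replace only the first digit run on the serial line.
        awk -v s="$target" '!done && /; *serial/ {sub(/[0-9]+/, s); done=1} {print}' \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
        echo "$target"
    else
        echo "$cur"
    fi
}

# Run the sync only when invoked as "script.sh sync"; sourcing or
# testing the file leaves the filesystem untouched.
case "${1:-}" in
    sync)
        s=$(signed_serial "$ZONE")
        [ -n "$s" ] || { echo "no SOA answer for $ZONE" >&2; exit 1; }
        echo "unsigned $ZONE now at serial $(sync_serial "$UNSIGNED" "$s")"
        ;;
esac
```

After the file is updated, an `rndc reload` of the unsigned zone is still needed for BIND to pick up the new serial.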