dnssec updated zone data is not live ??

Chris Thompson cet1 at cam.ac.uk
Fri Dec 18 13:03:02 UTC 2009


On Dec 18 2009, Alan Clegg wrote:

>Niobos wrote:
>> On 17 Dec 2009, at 20:50, Kevin Darcy wrote:
>>> Cat'ing the zone file is no longer reliable once you've enabled a
>>> zone for Dynamic Update. There might be updates in the log file
>>> which haven't been committed to the actual zone file yet. That's
>>> why I recommended that you use an AXFR of the zone to check for
>>> changes recently made.
>> 
>> Or do an "rndc freeze example.net". This will stop dynamic updates to
>> the zone and commit the logfile to the zonefile. Be sure to do an
>> "rndc unfreeze example.net" when you're done to reenable dynamic
>> updates. 
>
>"rndc thaw [zone]" is the documented way to resume dynamic updates.
>
>I'd also recommend getting acquainted with "named-journalprint" 
>(formerly just "journalprint") which will allow you to see the deltas 
>that have been made to a given zone without taking that zone into 
>"frozen" state.

There is also the -j option of named-checkzone (combined with writing
out a clean version with -D & -o), but unfortunately that only works
if the journal is named using the default "add .jnl to the zone file
name" convention.

Altogether, using AXFR is the thing to get used to using in this
context. (If you disable zone transfers generally, at least allow
them on the loopback interface.) Then start using "masterfile-format
raw", and forget about thinking of zone files as something human
readable ...

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
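One way to turn the AXFR check discussed in this thread into a before/after diff, as an added example that is not from the thread or from BIND itself: it parses the output of `dig @127.0.0.1 example.net AXFR +noall +answer` (a transfer over the loopback interface, which the post suggests allowing) and reports which records were added or removed, so the live zone can be compared without cat'ing a zone file that may lag its journal. The two snapshots embedded below are constructed sample output, not captured from a real server.

```python
import subprocess

def parse_axfr(text):
    """Turn 'dig +noall +answer' output into a set of (owner, class, type,
    rdata) tuples.  TTLs are dropped so a TTL-only change is not reported;
    the SOA that AXFR repeats at the end collapses into the set."""
    rrs = set()
    for line in text.splitlines():
        line = line.strip()                     # skip blank lines
        if not line:
            continue
        fields = line.split(None, 4)            # owner ttl class type rdata
        if len(fields) < 5:
            continue
        owner, _ttl, rclass, rtype, rdata = fields
        rrs.add((owner.lower(), rclass, rtype, ' '.join(rdata.split())))
    return rrs

def zone_delta(before, after):
    """Return (added, removed): records only in 'after' / only in 'before'."""
    old, new = parse_axfr(before), parse_axfr(after)
    return new - old, old - new

def fetch_axfr(zone, server='127.0.0.1'):
    """Pull the live zone over loopback (allow-transfer must permit it)."""
    cmd = ['dig', '@' + server, zone, 'AXFR', '+noall', '+answer']
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

# Constructed snapshots (not real dig output): a dynamic update bumped the
# serial, added www and changed the address of mail.
BEFORE = """\
example.net.      3600 IN SOA ns1.example.net. hostmaster.example.net. 2009121801 7200 3600 1209600 3600
example.net.      3600 IN NS  ns1.example.net.
mail.example.net.  300 IN A   192.0.2.10
"""
AFTER = """\
example.net.      3600 IN SOA ns1.example.net. hostmaster.example.net. 2009121802 7200 3600 1209600 3600
example.net.      3600 IN NS  ns1.example.net.
mail.example.net.  300 IN A   192.0.2.11
www.example.net.   300 IN A   192.0.2.20
"""

if __name__ == '__main__':
    added, removed = zone_delta(BEFORE, AFTER)
    for rr in sorted(removed):
        print('-', *rr)
    for rr in sorted(added):
        print('+', *rr)
```

Against a live server, replace the embedded snapshots with two calls to `fetch_axfr('example.net')` taken before and after the change you want to verify.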



