9.9.0b1 inline-signing questions

Spain, Dr. Jeffry A. spainj at countryday.net
Fri Nov 18 18:35:07 UTC 2011


I am testing bind 9.9.0b1 compiled on Ubuntu Oneiric x64 (nstest.jaspain.net). I configured a zone as follows:

zone "jaspain.net" {
	type master;
	file "/var/lib/bind/jaspain.net/jaspain.net.db";
	key-directory "/var/lib/bind/jaspain.net";
	update-policy local;
	auto-dnssec maintain;
	inline-signing yes;
};

On initial startup, bind created jaspain.net.db.signed and jaspain.net.db.signed.jnl. Looking at the latter with named-journalprint, the entries appear to be consistent with the zone signing process. I used nsupdate -l to create a new A record, and that succeeded. The file jaspain.net.db.jnl was created in the process. I attempted to freeze the zone using "rndc freeze jaspain.net", and this resulted in the error message "rndc: 'freeze' failed: not dynamic". "rndc thaw jaspain.net" yielded no messages, but added a syslog entry that it was successful. The freeze failure is contrary to what I would have expected. Are "update-policy local;" and "inline-signing yes;" incompatible?

The serial numbers in the SOA records in the various zone-related files are different, but I believe they are consistent. In jaspain.net.db, the SOA serial number was originally 2011111501. Looking at jaspain.net.db.signed.jnl, the SOA serial number got updated to 2011111504 as a result of the initial signing process. Following the record addition with nsupdate, the SOA serial number in jaspain.net.db.jnl was updated to 2011111502. Twelve minutes later bind rewrote jaspain.net.db with this same serial number and the added A record. Immediately after the nsupdate, jaspain.net.db.signed.jnl showed the signing activity for the new A record and an update of the SOA serial number to 2011111505. This is the serial number that is returned by a dig of the SOA record. The named-journalprint output for both jaspain.net.db.jnl and jaspain.net.db.signed.jnl starts with the line BITWS=2011111502. What does that mean?

Fourteen minutes after the nsupdate, bind rewrote jaspain.net.db.signed. Is there a utility akin to named-journalprint that would display the contents of jaspain.net.db.signed in human-readable form?

Thanks for providing this interesting new feature, which I hope to understand more fully.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
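The post observes that the unsigned zone file, its journal, and the inline-signed copy that named actually serves all carry different SOA serials (2011111502 in the unsigned file versus 2011111505 returned by dig). The following is an added example, not code from the original post or from BIND: it extracts the serial from the unsigned zone file text and from a `dig <zone> SOA +short` answer, then compares the two with RFC 1982 serial-number arithmetic, which is how resolvers and secondaries decide whether a serial is "newer". The zone text and dig output embedded below are constructed to mirror the serials in the post; the zone contents (ns1, hostmaster, 192.0.2.1) are assumptions.

```python
"""Sanity-check SOA serials across an inline-signed BIND zone.

Added example (not from the post or from BIND). Parses the SOA serial out of
the unsigned zone file and out of `dig SOA +short` output, and checks with
RFC 1982 serial arithmetic that the served (signed) serial is newer than the
unsigned source. Sample data is constructed; only the serials come from the post.
"""
import re

# Constructed sample: the unsigned zone file after nsupdate bumped the serial
# to 2011111502. Uses the common parenthesised multi-line SOA layout.
UNSIGNED_ZONE = """\
$ORIGIN jaspain.net.
$TTL 3600
@   IN SOA ns1.jaspain.net. hostmaster.jaspain.net. (
        2011111502 ; serial
        3600       ; refresh
        900        ; retry
        1209600    ; expire
        300 )      ; minimum
    IN NS  ns1.jaspain.net.
ns1 IN A   192.0.2.1
"""

# Constructed sample: `dig @localhost jaspain.net SOA +short` answered from
# the inline-signed copy, which named serves with its own, higher serial.
DIG_SOA_SHORT = (
    "ns1.jaspain.net. hostmaster.jaspain.net. 2011111505 3600 900 1209600 300\n"
)

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def strip_comments(text: str) -> str:
    """Drop ';' comments from zone file text (quoted strings not handled)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def zone_file_serial(text: str) -> int:
    """Return the SOA serial from zone file text.

    Parenthesised multi-line RDATA is collapsed onto one line first, so both
    the one-line and the multi-line SOA layouts are accepted.
    """
    flat = strip_comments(text)
    flat = re.sub(r"\(([^)]*)\)",
                  lambda m: " " + m.group(1).replace("\n", " ") + " ", flat)
    m = re.search(r"\bSOA\s+\S+\s+\S+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+", flat)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))


def dig_short_serial(output: str) -> int:
    """Return the serial from `dig <zone> SOA +short` output (one answer)."""
    fields = output.split()
    if len(fields) != 7:
        raise ValueError("unexpected dig +short SOA output: %r" % output)
    return int(fields[2])  # MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is greater than b under RFC 1982 arithmetic.

    Plain integer comparison breaks once a serial wraps past 2^32 - 1.
    RFC 1982: a > b iff (a - b) mod 2^32 lies in (0, 2^31). Equal serials
    and the undefined 2^31 difference both yield False.
    """
    diff = (a - b) % SERIAL_MOD
    return 0 < diff < SERIAL_HALF


def check_inline_serials(unsigned_zone: str, dig_output: str) -> dict:
    """Compare the unsigned file's serial with the served (signed) serial."""
    unsigned = zone_file_serial(unsigned_zone)
    served = dig_short_serial(dig_output)
    return {
        "unsigned": unsigned,
        "served": served,
        # The signed copy is the one clients and secondaries see; its serial
        # should have been bumped past the unsigned source by the re-signing.
        "served_is_newer": serial_gt(served, unsigned),
    }


if __name__ == "__main__":
    print(check_inline_serials(UNSIGNED_ZONE, DIG_SOA_SHORT))
```

Against the constructed data this reports unsigned 2011111502, served 2011111505, served_is_newer True. On a live server, replace the two constants with the real zone file contents and the output of `dig @nstest.jaspain.net jaspain.net SOA +short`; the RFC 1982 comparison matters for date-based serials like these only if they are ever reset, but it is the check secondaries actually perform.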
