bind 9.9 & inline-signing issue..

Evan Hunt each at isc.org
Mon Jan 30 23:20:58 UTC 2012


> As stated in a prior message, just the signed zone is not being updated,
> when I make an update to the unsigned zone file.  The earlier posting
> suggesting that I do a "rndc reload <zone>" does indeed cause the signed
> zones to update, but you must specify the zone, just doing a "rndc reload"
> to reload everything results in no update being performed on the signed
> zone, and even a hard restart of the named process doesn't cause an update.

I haven't been able to reproduce this bug in exactly the way you described
it, but I found something that sounds similar enough that it's likely to be
related:  named can, under some circumstances, lose sync between the
signed and unsigned zone databases if you forget to update the SOA serial
number when you change the zone file.  Normally that doesn't happen, but
once it does, the server can't recover without help.

I'll send you a patch later that prevents this particular scenario from
reoccurring.  It may turn out that there are other ways to get the server
into this broken state, though.  I believe these steps will cause the
server to recover:

    - sync and remove the journal files:
        $ rndc sync -clean leadmon.org in external
        $ rndc sync -clean leadmon.org in internal
    - increase the SOA serial number in the unsigned zone files
    - restart the server

When you restart, it will detect that the serial numbers in the unsigned
zone files have changed, but it won't find any journal files to replay, so
it will force the signed and unsigned databases to sync up to one another
directly; it should remain sane after that.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
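The three recovery steps from the message above, as an added shell script that is not part of the original post. It assumes rndc can reach the local named, that the unsigned zone files use standard master-file syntax (SOA on one line or spread over several with parentheses), and a restart command you adapt to your init system via RESTART_CMD (default `systemctl restart named`, an assumption).

```shell
# Constructed recovery helper for an inline-signing zone whose signed/unsigned
# databases lost sync after a zone file change without a serial bump.
set -eu

# soa_serial get|bump FILE: print the SOA serial, or print FILE with the serial
# incremented by one. The serial is the first numeric token after MNAME/RNAME.
soa_serial() {
    awk -v mode="$1" '
        found { if (mode == "bump") print; next }
        {
            line = $0; sub(/;.*/, "", line)               # ignore comments
            n = split(line, f, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                if (f[i] == "") continue
                if (!seen) { if (f[i] == "SOA") { seen = 1; skip = 2 }; continue }
                if (f[i] == "(") continue
                if (skip > 0) { skip--; continue }        # MNAME, RNAME
                if (f[i] !~ /^[0-9]+$/) exit 1            # malformed SOA
                found = 1
                if (mode == "get") { print f[i]; exit }
                new = sprintf("%.0f", f[i] + 1)
                # rewrite just this token (digit-bounded), keeping the layout
                if (match($0, "(^|[^0-9.])" f[i] "([^0-9.]|$)")) {
                    seg = substr($0, RSTART, RLENGTH); sub(f[i], new, seg)
                    $0 = substr($0, 1, RSTART - 1) seg substr($0, RSTART + RLENGTH)
                }
                break
            }
            if (mode == "bump") print
        }
        END { if (!found) exit 1 }                        # no SOA serial found
    ' "$2"
}
# bump_soa_serial FILE: rewrite FILE in place (cat keeps its mode and owner).
bump_soa_serial() {
    tmp=$(mktemp)
    soa_serial bump "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}
# recover_inline_zone ZONE CLASS VIEW=UNSIGNED_FILE...: one pair per view.
recover_inline_zone() {
    zone=$1; class=$2; shift 2
    for pair in "$@"; do                                  # 1. flush and drop journals
        rndc sync -clean "$zone" "$class" "${pair%%=*}"
    done
    for pair in "$@"; do                                  # 2. bump unsigned serials
        bump_soa_serial "${pair#*=}"
    done
    sh -c "${RESTART_CMD:-systemctl restart named}"       # 3. restart (assumed command)
}
```

For the zone in the thread this would be invoked as `recover_inline_zone leadmon.org in external=/path/to/external/leadmon.org internal=/path/to/internal/leadmon.org` (paths are placeholders).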