bind 9.9.0rc2 inline signing tests

Spain, Dr. Jeffry A. spainj at countryday.net
Tue Jan 31 16:36:59 UTC 2012


I compiled and installed bind 9.9.0 rc2 on Ubuntu Oneiric x64. The zone jaspain.net used for testing was configured as a master zone with update-policy local, auto-dnssec maintain, and inline-signing yes. I tested by making changes to the unsigned zone, and used named-checkzone to output the unsigned and signed zone files before and after each change.

1. In the first test I used nsupdate -l to add an A record to the unsigned zone. Nsupdate added the record and incremented the serial number of the unsigned zone. The signed zone was updated appropriately including a serial number increment, resignature of the SOA, addition of the new A record, signing of the new A record, and addition/modification/signing of NSEC records. This is consistent with the results with bind 9.9.0rc1.

2. Prior to the second test, in an attempt to get rid of the journal files, I issued the command "rndc sync -clear jaspain.net". This generated an error "rndc: 'sync' failed: unknown class/type". I found that "rndc sync" and "rndc sync jaspain.net" both worked, so I think rndc just doesn't recognize the -clear parameter as described in the rndc usage message. With the journal files still present, I decided to use "rndc freeze jaspain.net" prior to the next test.

3. With the zone frozen, I manually edited the unsigned zone file, and my only change was to increment the SOA serial number. I then issued the command "rndc reload". In the interest of saving time, I issued "rndc sync" to merge the journal file into the signed zone file. The unsigned zone file was unchanged after the reload. The signed zone file had its serial number incremented and the SOA record was resigned. I believe this demonstrates that the issue described in the thread "bind 9.9 & inline-signing issue.." for bind 9.9.0rc1 has been fixed in rc2.

4. Finally, with regard to ZSK rollover testing, my zone jaspain.us has several RRSIGs that will be expiring on February 8. Currently ZSKs 30795 and 55158 are published, and 55158 is active. I am altering the metadata so that ZSK 30795 goes active on February 1, and 55158 goes inactive on February 2. By February 9, it should be apparent whether or not the inline-signing-related key rollover problem, for which you previously sent me an rc1 patch, has stayed fixed in rc2.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
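The post's tests 1 and 3 both come down to comparing a named-checkzone dump of the signed zone before and after a change: did the serial advance, was the SOA re-signed, did the new record get an RRSIG and an NSEC, and did anything disappear. The script below automates that comparison. It is an added example for this thread, not code from BIND or from the original post. It reads the one-record-per-line format that `named-checkzone -o -` writes; the two embedded zone dumps are constructed samples (key tag 55158 is taken from the post, but the signature dates and base64 signature data are placeholders, and the zone content is invented for illustration).

```python
"""Diff two zone dumps written by `named-checkzone -o -` and report what an
inline-signing update changed.  Added example for this thread, not code from
BIND or from the original post.  BEFORE_SIGNED/AFTER_SIGNED are constructed
samples with placeholder RRSIG data, not real signatures."""
from collections import defaultdict

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}


def parse_zone(text):
    """Map (owner, type) -> set of rdata strings.  named-checkzone writes one RR
    per line as: owner TTL class type rdata...  Directives and comments are
    skipped; owner names are lower-cased so case changes do not show as diffs."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if len(fields) < 5:
            continue
        owner, _ttl, _cls, rtype = fields[:4]
        rrsets[(owner.lower(), rtype.upper())].add(" ".join(fields[4:]))
    return rrsets


def soa_serial(rrsets, origin):
    """Serial is the third SOA rdata field (MNAME RNAME SERIAL REFRESH ...)."""
    rdatas = rrsets.get((origin, "SOA"), set())
    if len(rdatas) != 1:
        raise ValueError("expected one SOA at %s, found %d" % (origin, len(rdatas)))
    return int(next(iter(rdatas)).split()[2])


def rrsig_covered_types(rrsets, owner):
    """Types covered by RRSIGs at owner (type covered is the first RRSIG field)."""
    return {r.split()[0].upper() for r in rrsets.get((owner, "RRSIG"), ())}


def rrset_diff(old, new):
    """Rdata present in `new` but not in `old`, keyed by (owner, type)."""
    return {k: v - old.get(k, set()) for k, v in new.items() if v - old.get(k, set())}


def compare(before_text, after_text, origin):
    """Report serial movement, added/removed RRs, whether the SOA was re-signed,
    and every added non-DNSSEC rrset that lacks a covering RRSIG or an NSEC."""
    before, after = parse_zone(before_text), parse_zone(after_text)
    added, removed = rrset_diff(before, after), rrset_diff(after, before)
    unsigned = []
    for owner, rtype in added:
        if rtype in DNSSEC_TYPES:
            continue
        if rtype not in rrsig_covered_types(after, owner) or (owner, "NSEC") not in after:
            unsigned.append((owner, rtype))
    new_soa_sigs = [r for r in added.get((origin, "RRSIG"), ()) if r.split()[0].upper() == "SOA"]
    s_before, s_after = soa_serial(before, origin), soa_serial(after, origin)
    return {
        "serial_before": s_before,
        "serial_after": s_after,
        "serial_advanced": s_after > s_before,  # plain compare; RFC 1982 wraparound not handled
        "soa_resigned": bool(new_soa_sigs),
        "added": added,
        "removed": removed,
        "unsigned": sorted(unsigned),
    }


# Constructed sample: signed zone before nsupdate -l added host2 (placeholder RRSIG data).
BEFORE_SIGNED = """
jaspain.net. 3600 IN SOA ns1.example.net. hostmaster.jaspain.net. 2012013101 3600 900 1209600 300
jaspain.net. 3600 IN RRSIG SOA 8 2 3600 20120301000000 20120131000000 55158 jaspain.net. c29hLXNpZy0x
jaspain.net. 3600 IN NS ns1.example.net.
jaspain.net. 3600 IN RRSIG NS 8 2 3600 20120301000000 20120131000000 55158 jaspain.net. bnMtc2ln
jaspain.net. 300 IN NSEC host1.jaspain.net. NS SOA RRSIG NSEC
jaspain.net. 300 IN RRSIG NSEC 8 2 300 20120301000000 20120131000000 55158 jaspain.net. bnNlYy1hcGV4
host1.jaspain.net. 3600 IN A 192.0.2.10
host1.jaspain.net. 3600 IN RRSIG A 8 3 3600 20120301000000 20120131000000 55158 jaspain.net. aG9zdDEtYQ==
host1.jaspain.net. 300 IN NSEC jaspain.net. A RRSIG NSEC
host1.jaspain.net. 300 IN RRSIG NSEC 8 3 300 20120301000000 20120131000000 55158 jaspain.net. aG9zdDEtbnNlYw==
"""

# Constructed sample: the same zone after inline signing picked up the new A record.
AFTER_SIGNED = """
jaspain.net. 3600 IN SOA ns1.example.net. hostmaster.jaspain.net. 2012013102 3600 900 1209600 300
jaspain.net. 3600 IN RRSIG SOA 8 2 3600 20120301000000 20120131163000 55158 jaspain.net. c29hLXNpZy0y
jaspain.net. 3600 IN NS ns1.example.net.
jaspain.net. 3600 IN RRSIG NS 8 2 3600 20120301000000 20120131000000 55158 jaspain.net. bnMtc2ln
jaspain.net. 300 IN NSEC host1.jaspain.net. NS SOA RRSIG NSEC
jaspain.net. 300 IN RRSIG NSEC 8 2 300 20120301000000 20120131000000 55158 jaspain.net. bnNlYy1hcGV4
host1.jaspain.net. 3600 IN A 192.0.2.10
host1.jaspain.net. 3600 IN RRSIG A 8 3 3600 20120301000000 20120131000000 55158 jaspain.net. aG9zdDEtYQ==
host1.jaspain.net. 300 IN NSEC host2.jaspain.net. A RRSIG NSEC
host1.jaspain.net. 300 IN RRSIG NSEC 8 3 300 20120301000000 20120131163000 55158 jaspain.net. aG9zdDEtbnNlYzI=
host2.jaspain.net. 3600 IN A 192.0.2.20
host2.jaspain.net. 3600 IN RRSIG A 8 3 3600 20120301000000 20120131163000 55158 jaspain.net. aG9zdDItYQ==
host2.jaspain.net. 300 IN NSEC jaspain.net. A RRSIG NSEC
host2.jaspain.net. 300 IN RRSIG NSEC 8 3 300 20120301000000 20120131163000 55158 jaspain.net. aG9zdDItbnNlYw==
"""

if __name__ == "__main__":
    report = compare(BEFORE_SIGNED, AFTER_SIGNED, "jaspain.net.")
    for key in ("serial_before", "serial_after", "serial_advanced", "soa_resigned", "unsigned"):
        print(key, report[key])
    for key, rdatas in sorted(report["added"].items()):
        print("added", key, sorted(rdatas))
```

To produce real inputs, dump the signed zone with `named-checkzone -D -o - jaspain.net jaspain.net.db.signed` before and after the change and feed the two files to `compare()`. An empty `unsigned` list plus `serial_advanced` and `soa_resigned` both true is the outcome the post reports for tests 1 and 3; an unchanged serial after `rndc reload` is the rc1 symptom test 3 was looking for, and a new record appearing in `added` but also in `unsigned` means the signer has not caught up yet.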




More information about the bind-users mailing list