Bind 9.9.x inline signing

Spain, Dr. Jeffry A. spainj at
Mon Jun 4 01:17:22 UTC 2012

> I didn't like the fact that the unsigned serial (which I manage) was lower than that of the signed zone. Making it bigger than the signed zone's version appears to have gotten the zones back in sync - however the slave is still not getting any Notifies (and has not yet caught up).

With "inline-signing yes;" and "auto-dnssec maintain;" in place, the SOA serial number of the signed zone will always be ahead of the unsigned zone. BIND 9 periodically carries out signing and key maintenance activities, and in the process automatically increments the SOA serial number of the signed zone.

When you manually edit the unsigned zone, you can set the SOA serial number to any value larger than the previous value, including incrementing by one, and everything should work. BIND 9 tracks the SOA serial numbers of the unsigned and signed versions of the zone separately.

Note that you can also use nsupdate to edit the unsigned zone, and nsupdate will automatically increment the unsigned zone's SOA serial number for you.

> I also expect that in the future, any 'magic bind key-signing' may also de-sync my unsigned zone's concept of the current SOA Serial as well. 

> It's the apparent lack of NOTIFYs that's really bugging me. I did modify the secondary zone config in named.conf and added "masterfile-format text;" - which saves the zone in nice, easy-to-debug ASCII.
> Is the NOTIFY from 'Inline-signing' zones currently broken?

This has been working for me, but with some different configuration settings. Because my DNS servers are behind an IPv4 NAT firewall, I have not been relying on BIND 9's default notification scheme. The name server addresses in the zone files are external IPv4 addresses not reachable from inside the firewall. Instead I have configured "notify explicit;" and "also-notify { ... };" to control the notification process. This issue also affects the addresses in "allow-transfer { ... };" and "masters { ... };" statements.

Did you happen to look at your syslog (cat /var/log/syslog | grep named)? It is possible that your slaves are not receiving notifies, or are not able to do zone transfers, or both.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
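The configuration described in this reply, plus the "is the slave actually behind?" check, as an added shell example. It is not code from the original post or from ISC's BIND; the zone name example.net, the 192.0.2.x addresses, the key name xfer-key, the file paths and the use of "update-policy local;" (so that "nsupdate -l" can edit the unsigned zone) are all assumptions. The serial comparison follows RFC 1982 serial-number arithmetic, which is how a slave decides whether a NOTIFY or refresh should trigger a transfer.

```shell
#!/bin/sh
# Added example for this thread (not from the original post or from ISC).
# 1. named_conf_fragment: master/slave zone statements with inline signing,
#    explicit NOTIFY to an internal address (NAT case), and a text slave file.
# 2. serial_gt / sync_status: RFC 1982 comparison of SOA serials, including
#    32-bit wraparound, so a lower-looking serial is judged the way named does.
# 3. nsupdate_add: let named bump the unsigned zone's serial for you.

# Assumed placeholders, not values from the thread.
ZONE=example.net
MASTER_IP=192.0.2.1        # internal address of the master, reachable by the slave
SLAVE_IP=192.0.2.2         # internal address of the slave, reachable by the master
TSIG_KEY=xfer-key          # a TSIG key defined elsewhere in named.conf

# With NAT in between, "notify explicit" plus "also-notify" sends NOTIFY to the
# internal address instead of the unreachable external NS addresses in the zone.
named_conf_fragment() {
cat <<EOF
// master
zone "$ZONE" {
    type master;
    file "/var/named/$ZONE.db";          // unsigned zone; signed copy is kept in $ZONE.db.signed
    inline-signing yes;
    auto-dnssec maintain;
    key-directory "/var/named/keys";
    update-policy local;                 // assumption: allows "nsupdate -l" to edit the unsigned zone
    notify explicit;
    also-notify { $SLAVE_IP; };
    allow-transfer { key $TSIG_KEY; };
};

// slave
zone "$ZONE" {
    type slave;
    file "/var/named/slaves/$ZONE.db";
    masterfile-format text;              // readable copy of the signed zone
    masters { $MASTER_IP key $TSIG_KEY; };
};
EOF
}

# soa_serial "<dig +short SOA output>": the serial is the third field.
soa_serial() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# serial_gt A B: true when A is newer than B in RFC 1982 serial space.
# (A - B) mod 2^32 must lie strictly between 0 and 2^31; thus 5 beats 4294967295.
serial_gt() {
    d=$(( ($1 - $2) & 4294967295 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# sync_status MASTER_SERIAL SLAVE_SERIAL -> in-sync | slave-behind | slave-ahead
# "slave-ahead" also covers the undefined case where the two differ by exactly 2^31.
sync_status() {
    if [ "$1" -eq "$2" ]; then echo in-sync
    elif serial_gt "$1" "$2"; then echo slave-behind
    else echo slave-ahead
    fi
}

# Live check: compare what master and slave actually serve for the signed zone.
check_live() {
    m=$(soa_serial "$(dig +short @"$MASTER_IP" "$ZONE" SOA)")
    s=$(soa_serial "$(dig +short @"$SLAVE_IP" "$ZONE" SOA)")
    echo "master=$m slave=$s status=$(sync_status "$m" "$s")"
}

# nsupdate_add NAME ADDRESS: add an A record to the unsigned zone; named
# increments the unsigned serial itself and re-signs, bumping the signed
# zone's own serial, so the two are expected to differ afterwards.
nsupdate_add() {
    nsupdate -l <<EOF
zone $ZONE
update add $1.$ZONE 3600 A $2
send
EOF
}

case "${1:-}" in
    conf) named_conf_fragment ;;
    live) check_live ;;
    add)  nsupdate_add "$2" "$3" ;;
esac
```

Run with `conf` to print the fragment, `live` on a host that can reach both servers to compare serials, or `add www 192.0.2.10` on the master to exercise nsupdate. An unsigned-file serial below the signed serial is normal under inline signing; what matters is that the slave's serial is not behind the master's signed serial.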

More information about the bind-users mailing list