DNSSEC and slaves error

Nick Edwards nick.z.edwards at gmail.com
Wed Mar 7 13:03:58 UTC 2012

I am an old hand at bind, but -  DNSSEC Newbie alert :->

I am after clarification on how slaves handle DNSSEC.

I have two slaves, both were stale, like since Feb 9 ! One I directly
control, the second, I do not, so I can not provide details on how
that one is configured, but given it is a reputable provider, I assume
setup is as good or better than mine.

The zone was resigned 3 weeks ago as 30 days, but one week ago I
resigned it again as about 3 months using:    dnssec-signzone -a -e
+15724800 -K keys/ -N INCREMENT guilty_domain.here

After all this time, still no change on slaves, I had to edit the zone
(inserted a dummy TXT entry)   then resign the zone, and then  they
both picked up changes.

Shouldn't they detect the change from the increment  and update? I
checked my controlled slave and it was stale RRSIGs until I altered
the actual zone, then RRSIG updated.

my controlled servers:
Linux Slackware (x2)
Bind 9.9.0

uncontrolled server Bind 9.9.0,  RedHat (release unknown)

/options master
        dnssec-enable yes;
        dnssec-validation yes;

        type master;
        allow-transfer { lan; slavedns; };
        file "xxxxxx.org.signed";
        allow-query { any; };
        allow-update { none; };

/options slave
        dnssec-enable yes;

      type slave;
      masters { x.x.x.x; };
      file "xxxxxx.org";
      allow-query { any; };

Am I doing something wrong?


More information about the bind-users mailing list