DNSSEC and slaves error
Nick Edwards
nick.z.edwards at gmail.com
Wed Mar 7 13:03:58 UTC 2012
I am an old hand at BIND, but - DNSSEC Newbie alert :->
I am after clarification on how slaves handle DNSSEC.
I have two slaves, both were stale, like since Feb 9! One I directly
control, the second, I do not, so I cannot provide details on how
that one is configured, but given it is a reputable provider, I assume
setup is as good or better than mine.
The zone was re-signed 3 weeks ago as 30 days, but one week ago I
re-signed it again as about 3 months using: dnssec-signzone -a -e
+15724800 -K keys/ -N INCREMENT guilty_domain.here
After all this time, still no change on slaves, I had to edit the zone
(inserted a dummy TXT entry) then re-sign the zone, and then they
both picked up changes.
Shouldn't they detect the change from the increment and update? I
checked my controlled slave and it had stale RRSIGs until I altered
the actual zone, then RRSIG updated.
My controlled servers:
Linux Slackware (x2)
BIND 9.9.0
Uncontrolled server: BIND 9.9.0, RedHat (release unknown)
/options master
dnssec-enable yes;
dnssec-validation yes;
zone
type master;
allow-transfer { lan; slavedns; };
file "xxxxxx.org.signed";
allow-query { any; };
allow-update { none; };
/options slave
dnssec-enable yes;
zone
type slave;
masters { x.x.x.x; };
file "xxxxxx.org";
allow-query { any; };
Am I doing something wrong?
thanks
Nik
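
Added example, not part of the original post: a Python check for the symptom described above, comparing the SOA serial and the SOA RRSIG expiration served by a master and a slave. The record lines are constructed sample data in dig answer format; the zone name, serials, dates and the 7-day threshold are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample answers in dig presentation format (not real data).
MASTER = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2012030701 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20120905130000 20120307120000 12345 example.org. c2FtcGxl
"""
SLAVE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2012020901 7200 3600 1209600 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20120310130000 20120209120000 12345 example.org. c2FtcGxl
"""

def parse(answer):
    """Return (SOA serial, expiration of the RRSIG covering SOA)."""
    serial = expires = None
    for line in answer.splitlines():
        f = line.split()
        if len(f) >= 11 and f[2:4] == ["IN", "SOA"]:
            serial = int(f[6])  # owner ttl IN SOA mname rname serial ...
        elif len(f) >= 13 and f[2:5] == ["IN", "RRSIG", "SOA"]:
            # rdata: covered alg labels origttl expiration inception tag signer sig
            expires = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if serial is None or expires is None:
        raise ValueError("answer lacks the SOA record or its RRSIG")
    return serial, expires

def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True if serial a is newer than b."""
    return a != b and (a - b) % 2**32 < 2**31

def check(master, slave, now, min_days=7):
    """List reasons the slave's copy looks stale relative to the master."""
    (m_serial, m_exp), (s_serial, s_exp) = parse(master), parse(slave)
    findings = []
    if serial_newer(m_serial, s_serial):
        findings.append(f"slave serial {s_serial} is behind master {m_serial}")
    elif m_serial == s_serial and m_exp != s_exp:
        findings.append("serials match but SOA signatures differ")
    if (s_exp - now).days < min_days:
        findings.append(f"slave SOA RRSIG expires {s_exp:%Y-%m-%d %H:%M} UTC")
    return findings

if __name__ == "__main__":
    now = datetime(2012, 3, 7, 13, 3, 58, tzinfo=timezone.utc)
    for finding in check(MASTER, SLAVE, now):
        print("WARN:", finding)
```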
More information about the bind-users
mailing list