moving DNSSEC to a hidden master

David Newman dnewman at
Fri Oct 4 00:12:43 UTC 2013

Thanks all for your responses.

On 10/1/13 6:42 PM, Mark Andrews wrote:
> As Alan said copy the .key and .private files over.
> Disable updating on the old master.
> Transfer the zone contents by setting up as a slave
> using "masterfile-format text"; or by using dig.
> This will give you the most up to date version of the
> zone.
> 	dig axfr zone +onesoa @oldmaster
> Check that the new server is working 

Converting the new secondary to a new master worked. But incrementing
the zone's serial number did not, producing an error after 'rndc reload'
like this:

Oct  3 16:00:29 host named[35249]: malformed transaction:
dynamic/ last serial 2013092701 !=
transaction first serial 2013092700

> and you can update
> the zone by using nsupdate.

Although the zone file lives under dynamic/ so DNSSEC
updates can happen, I don't have dynamic updates configured, so nsupdate
won't work. This arrangement -- with static zone files under the dynamic
directory -- worked OK on the old master. Permissions are the same on both.

This thread suggested the journal issue was separate views pointing to
the same zone file:

Indeed I had pointers to the same zone file in separate views, but
removing them and restarting named did not clear the issue. Now I have
the zone in just one view, and still can't manually increment the serial
number without that journal complaint.

Thanks in advance for clues on resolving the journal version issue.


> Convert the old master server into a slave.
> Update the other slaves to talk to a new master.
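The transfer-and-check steps Mark lists above, written out as an added shell example that is not part of this thread; the zone name, old master, zone file path and the sample AXFR text are placeholders or constructed, and `dig`/`named-checkzone` are the BIND 9 tools the thread already assumes.

```shell
#!/bin/sh
# Added example (not from the thread): pull the zone from the old master the way
# Mark describes (dig axfr +onesoa), verify the copy, and confirm the serial really
# moved forward before promoting the new server. ZONE, OLDMASTER and the zone
# file path below are placeholders; the sample AXFR text is constructed.

# Print the SOA serial from dig-style (one record per line) zone text on stdin.
# Fields: owner TTL IN SOA mname rname serial refresh retry expire minimum.
soa_serial() {
    awk '$4 == "SOA" { print $7; exit }'
}

# Count SOA records on stdin; a "+onesoa" transfer must contain exactly one.
soa_count() {
    awk '$4 == "SOA" { n++ } END { print n + 0 }'
}

# RFC 1982 serial arithmetic: succeed if NEW ($2) is later than OLD ($1),
# correctly even across the 32-bit wraparound.
serial_newer() {
    d=$(( ($2 - $1) % 4294967296 ))
    if [ "$d" -lt 0 ]; then d=$(( d + 4294967296 )); fi
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# Transfer ZONE from MASTER into OUT, refusing a copy that has the wrong SOA
# count, fails named-checkzone, or does not advance past PREV (the serial the
# new server already holds). Prints the new serial on success.
fetch_zone() {
    zone=$1 master=$2 out=$3 prev=$4
    dig axfr "$zone" +onesoa "@$master" > "$out.tmp" || return 1
    [ "$(soa_count < "$out.tmp")" -eq 1 ] || { echo "SOA count != 1" >&2; return 1; }
    new=$(soa_serial < "$out.tmp")
    serial_newer "$prev" "$new" || { echo "serial $new not newer than $prev" >&2; return 1; }
    named-checkzone -q "$zone" "$out.tmp" || return 1
    # A journal beside the file (left over, or written by BIND's own DNSSEC
    # maintenance) will not match a hand-edited file; BIND's documented way to
    # edit such a zone is "rndc freeze ZONE", edit, then "rndc thaw ZONE".
    if [ -e "$out.jnl" ]; then echo "warning: $out.jnl exists; freeze/thaw before editing" >&2; fi
    mv "$out.tmp" "$out" && echo "$new"
}

# Constructed sample of what "dig axfr ZONE +onesoa" prints (comment lines omitted).
SAMPLE_AXFR='example.net.	3600	IN	SOA	ns1.example.net. hostmaster.example.net. 2013092701 7200 3600 1209600 3600
example.net.	3600	IN	NS	ns1.example.net.
ns1.example.net.	3600	IN	A	192.0.2.1'

# Usage (placeholder names):
#   fetch_zone example.net oldmaster.example.net /var/named/dynamic/example.net.db 2013092700
```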

