moving DNSSEC to a hidden master
dnewman at networktest.com
Fri Oct 4 00:12:43 UTC 2013
Thanks all for your responses.
On 10/1/13 6:42 PM, Mark Andrews wrote:
> As Alan said copy the .key and .private files over.
> Disable updating on the old master.
> Transfer the zone contents by setting up as a slave
> using "masterfile-format text"; or by using dig.
> This will give you the most up to date version of the
> dig axfr zone +onesoa @oldmaster
> Check that the new server is working
Converting the new secondary to a new master worked. But incrementing
the zone's serial number did not, producing an error after 'rndc reload':

Oct 3 16:00:29 host named: malformed transaction:
dynamic/mydomain.com/mydomain.com.db.jnl last serial 2013092701 !=
transaction first serial 2013092700
> and you can update
> the zone by using nsupdate.
Although the zone file lives under dynamic/mydomain.com so DNSSEC
updates can happen, I don't have dynamic updates configured, so nsupdate
won't work. This arrangement -- with static zone files under the dynamic
directory -- worked OK on the old master. Permissions are the same on both.
This thread suggested the journal issue was separate views pointing to
the same zone file:
Indeed I had pointers to the same zone file in separate views, but
removing them and restarting named did not clear the issue. Now I have
the zone in just one view, and still can't manually increment the serial
number without that journal complaint.
Thanks in advance for clues on resolving the journal version issue.
> Convert the old master server into a slave.
> Update the other slaves to talk to a new master.