moving DNSSEC to a hidden master

Sten Carlsen stenc at
Fri Oct 4 00:27:29 UTC 2013

This works for me and is the standard method:

rndc freeze
update serial
rndc thaw

Rndc freeze merges the .jnl files into the zone files and stops dynamic
updates. Thaw allows dynamic updates to resume.

On 04/10/13 02.12, David Newman wrote:
> Thanks all for your responses.
> On 10/1/13 6:42 PM, Mark Andrews wrote:
>> As Alan said copy the .key and .private files over.
>> Disable updating on the old master.
>> Transfer the zone contents by setting up as a slave
>> using "masterfile-format text"; or by using dig.
>> This will give you the most up to date version of the
>> zone.
>> 	dig axfr zone +onesoa @oldmaster
>> Check that the new server is working 
> Converting the new secondary to a new master worked. But incrementing
> the zone's serial number did not, producing an error after 'rndc reload'
> like this:
> Oct  3 16:00:29 host named[35249]: malformed transaction:
> dynamic/ last serial 2013092701 !=
> transaction first serial 2013092700
>> and you can update
>> the zone by using nsupdate.
> Although the zone file lives under dynamic/ so DNSSEC
> updates can happen, I don't have dynamic updates configured, so nsupdate
> won't work. This arrangement -- with static zone files under the dynamic
> directory -- worked OK on the old master. Permissions are the same on both.
> This thread suggested the journal issue was separate views pointing to
> the same zone file:
> Indeed I had pointers to the same zone file in separate views, but
> removing them and restarting named did not clear the issue. Now I have
> the zone in just one view, and still can't manually increment the serial
> number without that journal complaint.
> Thanks in advance for clues on resolving the journal version issue.
> dn
>> Convert the old master server into a slave.
>> Update the other slaves to talk to a new master.

Best regards

Sten Carlsen

No improvements come from shouting:
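
The freeze / edit / thaw sequence from the reply above, as an added shell example that is not part of the original message. The zone name, file path and function names are placeholders, and the SOA parsing assumes a zone file in standard master-file text format.

```shell
#!/bin/sh
# Added example, not from the thread. Zone name and file path are placeholders.
# Usage: bump_frozen_zone example.com /path/to/dynamic/example.com.db

# next_serial OLD [TODAY]: next YYYYMMDDnn serial, always greater than OLD.
next_serial() {
    base="${2:-$(date -u +%Y%m%d)}00"
    if [ "$1" -lt "$base" ]; then echo "$base"; else echo $(($1 + 1)); fi
}

# soa_serial FILE [NEW]: print the SOA serial; with NEW, print the whole file
# with the serial replaced. Handles one-line and parenthesised SOA records.
soa_serial() {
    awk -v new="$2" '
    !done {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^;/) break                 # comment runs to end of line
            if ($i == "SOA") { want = 3; continue }
            if (!want || $i == "(") continue
            if (--want == 0) {                   # mname, rname, then serial
                done = 1
                if (new == "") { print $i; exit }
                lead = $0; sub(/[^ \t].*/, "", lead)   # keep indentation
                $i = new; $0 = lead $0
                break
            }
        }
    }
    new != "" { print }' "$1"
}

# bump_frozen_zone ZONE FILE: freeze, raise the serial in the file, thaw.
bump_frozen_zone() {
    zone=$1 file=$2 rc=1
    rndc freeze "$zone" || return 1    # journal merged into file, updates off
    old=$(soa_serial "$file")
    if [ -n "$old" ] && new=$(next_serial "$old") &&
       soa_serial "$file" "$new" > "$file.tmp"; then
        # Overwrite in place so the file keeps the owner and mode named needs.
        cat "$file.tmp" > "$file" && rc=0
    fi
    rm -f "$file.tmp"
    rndc thaw "$zone" || return 1      # always thaw, even if the edit failed
    [ "$rc" -eq 0 ] && echo "$zone: serial $old -> $new"
}
```

Editing the file only between freeze and thaw keeps the serial on disk and the journal in step, which is the mismatch the "malformed transaction" log line in the quoted message reports.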

