moving DNSSEC to a hidden master

David Newman dnewman at networktest.com
Fri Oct 4 17:23:05 UTC 2013


On 10/3/13 5:27 PM, Sten Carlsen wrote:
> This works for me and is the standard method:
> 
> rndc freeze
> update serial
> rndc thaw

Bingo. Thanks!

dn

> 
> Rndc freeze merges the .jnl files into the zone files and stops dynamic
> updates. Thaw allows dynamic updates to resume.
> 
> On 04/10/13 02.12, David Newman wrote:
>> Thanks all for your responses.
>>
>> On 10/1/13 6:42 PM, Mark Andrews wrote:
>>> As Alan said copy the .key and .private files over.
>>>
>>> Disable updating on the old master.
>>>
>>> Transfer the zone contents by setting up as a slave
>>> using "masterfile-format text"; or by using dig.
>>> This will give you the most up to date version of the
>>> zone.
>>>
>>> 	dig axfr zone +onesoa @oldmaster
>>>
>>> Check that the new server is working 
>> Converting the new secondary to a new master worked. But incrementing
>> the zone's serial number did not, producing an error after 'rndc reload'
>> like this:
>>
>> Oct  3 16:00:29 host named[35249]: malformed transaction:
>> dynamic/mydomain.com/mydomain.com.db.jnl last serial 2013092701 !=
>> transaction first serial 2013092700
>>
>>> and you can update
>>> the zone by using nsupdate.
>> Although the zone file lives under dynamic/mydomain.com so DNSSEC
>> updates can happen, I don't have dynamic updates configured, so nsupdate
>> won't work. This arrangement -- with static zone files under the dynamic
>> directory -- worked OK on the old master. Permissions are the same on both.
>>
>> This thread suggested the journal issue was separate views pointing to
>> the same zone file:
>>
>> https://lists.isc.org/pipermail/bind-users/2008-June/070807.html
>>
>> Indeed I had pointers to the same zone file in separate views, but
>> removing them and restarting named did not clear the issue. Now I have
>> the zone in just one view, and still can't manually increment the serial
>> number without that journal complaint.
>>
>> Thanks in advance for clues on resolving the journal version issue.
>>
>> dn
>>
>>> Convert the old master server into a slave.
>>>
>>> Update the other slaves to talk to a new master.
>>>
> 
> -- 
> Best regards
> 
> Sten Carlsen
> 
> No improvements come from shouting:
> 
>        "MALE BOVINE MANURE!!!" 
> 
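The freeze / bump serial / thaw sequence Sten describes, as an added example that is not code from the thread or from ISC. It assumes (none of this is stated in the thread) that the zone uses YYYYMMDDnn serials, that rndc is configured for the local named, and that named-checkzone is on PATH; the zone file contents in the test are constructed. The journal error David saw ("last serial X != transaction first serial Y") is what you get when the file is edited while the .jnl is live; freezing first merges the journal into the file so the edit and the journal agree, and thawing reloads the file and re-enables dynamic updates (including DNSSEC maintenance).

```shell
#!/bin/sh
# Added example: bump the SOA serial of a zone that named keeps a journal for.
# Assumptions (not from the thread): YYYYMMDDnn serials, rndc configured,
# named-checkzone available. Only bump_zone touches named; the helpers are pure
# text processing so they can be exercised without a running server.
set -u

# soa_serial FILE: print the SOA serial. After the "SOA" token the next three
# tokens (ignoring parentheses and ";" comments) are MNAME, RNAME and the serial,
# whether the record is on one line or several.
soa_serial() {
    awk '
        { line = $0; sub(/;.*/, "", line); nf = split(line, tok, /[ \t]+/) }
        {
            for (i = 1; i <= nf; i++) {
                if (tok[i] == "") continue
                if (!insoa) { if (tok[i] == "SOA") insoa = 1; continue }
                if (tok[i] == "(" || tok[i] == ")") continue
                if (++n == 3) { print tok[i]; found = 1; exit }
            }
        }
        END { if (!found) exit 1 }' "$1"
}

# next_serial CURRENT [TODAY]: today's date with nn=00 if CURRENT predates it,
# otherwise CURRENT+1. Serials only ever go up; a lower serial would make the
# slaves ignore the transfer.
next_serial() {
    cur=$1
    today=${2:-$(date -u +%Y%m%d)}
    case $cur in
        ''|*[!0-9]*) echo "next_serial: bad serial '$cur'" >&2; return 1 ;;
    esac
    base=$((today * 100))
    if [ "$cur" -lt "$base" ]; then echo "$base"; else echo $((cur + 1)); fi
}

# bump_serial FILE OLD NEW: replace the first OLD after "SOA", preserving the
# file's whitespace and comments. Leaves a FILE.bak copy for rollback.
bump_serial() {
    file=$1 old=$2 new=$3
    cp "$file" "$file.bak" || return 1
    awk -v old="$old" -v new="$new" '
        !done && /SOA/ { insoa = 1 }
        insoa && !done {
            p = index($0, old)
            if (p > 0) {
                $0 = substr($0, 1, p - 1) new substr($0, p + length(old))
                done = 1
            }
        }
        { print }' "$file.bak" > "$file"
}

# bump_zone ZONE FILE: the sequence from the thread. freeze merges the .jnl into
# FILE and blocks dynamic updates; thaw reloads FILE from disk and resumes them.
# Editing FILE without the freeze is what produces the "malformed transaction"
# complaint, because the journal no longer matches the file it was written for.
bump_zone() {
    zone=$1 file=$2
    rndc freeze "$zone" || return 1
    old=$(soa_serial "$file") || { rndc thaw "$zone"; return 1; }
    new=$(next_serial "$old") || { rndc thaw "$zone"; return 1; }
    if bump_serial "$file" "$old" "$new" && named-checkzone -q "$zone" "$file"; then
        echo "$zone: serial $old -> $new"
    else
        echo "$zone: edit failed, restoring $file.bak" >&2
        cp "$file.bak" "$file"
    fi
    rndc thaw "$zone"   # always thaw, otherwise dynamic updates stay blocked
}

# Usage (zone name and path are placeholders):
#   bump_zone mydomain.com /var/named/dynamic/mydomain.com/mydomain.com.db
```

Note that the thaw is unconditional: a zone left frozen keeps accepting nothing from nsupdate or the DNSSEC signer, which on a hidden master silently stops re-signing. With views, pass the view as the third rndc argument (rndc freeze zone IN view), and keep each zone file in exactly one view, as the 2008 thread David cites recommends.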