moving DNSSEC to a hidden master
Alan Clegg
alan at clegg.com
Sun Oct 13 08:34:30 UTC 2013
On Oct 12, 2013, at 7:59 PM, Alan Clegg <alan at clegg.com> wrote:
>
> On Oct 11, 2013, at 10:54 PM, David Newman <dnewman at networktest.com> wrote:
>
>> 4. "Check that the new server is working and you can update
>> the zone by using nsupdate."
>>
>> This is where things fall apart. I run 'rndc freeze' and increment the
>> zone file's serial number (or make any other change), and then run 'rndc
>> thaw' and 'rndc reload'.
>>
>> There's no change in serial number, and there's no error reported in the
>> logs.
>>
>> What am I missing?
>
> What log messages are you getting from named? What is the "zone" entry in your named.conf that relates to the zone in question?
>
> I would strongly recommend forgetting all about "freeze the zone and edit" as a method of updating... move completely to dynamic zones if at all possible.
And yes, I noticed that you say there are no errors in the logs... there may be no "errors", but if BIND isn't logging anything, I'm extremely curious as to what your logging stanza has in it.
If it's not logging, turn some on (or up) so that we can help you figure out the problem. In worst case, strip out any keying material and just post your entire config file.
At this point, we are all shooting in the dark.
AlanC
--
Alan Clegg | +1-919-355-8851 | alan at clegg.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20131013/9ef4f1f5/attachment.bin>
More information about the bind-users
mailing list