moving DNSSEC to a hidden master

Alan Clegg alan at
Sun Oct 13 08:34:30 UTC 2013

On Oct 12, 2013, at 7:59 PM, Alan Clegg <alan at> wrote:

> On Oct 11, 2013, at 10:54 PM, David Newman <dnewman at> wrote:
>> 4. "Check that the new server is working and you can update
>> the zone by using nsupdate."
>> This is where things fall apart. I run 'rndc freeze' and increment the
>> zone file's serial number (or make any other change), and then run 'rndc
>> thaw' and 'rndc reload'.
>> There's no change in serial number, and there's no error reported in the
>> logs.
>> What am I missing?
> What log messages are you getting from named?  What is the "zone" entry in your named.conf that relates to the zone in question?
> I would strongly recommend forgetting all about "freeze the zone and edit" as a method of updating... move completely to dynamic zones if at all possible.

And yes, I noticed that you say there are no errors in the logs... there may be no "errors", but if BIND isn't logging anything, I'm extremely curious as to what your logging stanza has in it.

If it's not logging, turn some on (or up) so that we can help you figure out the problem.  In the worst case, strip out any keying material and just post your entire config file.

At this point, we are all shooting in the dark.

Alan Clegg | +1-919-355-8851 | alan at
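
Stripping keying material before posting a config, as suggested in the message above, can be scripted. The following is an added example, not part of the original message: a Python script that blanks every `secret` value in named.conf text and lists `include`d files, which may hold keys and need their own review. The sample config, key names and paths are constructed.

```python
import re

# Matches `secret <value>;` with a quoted or bare value, across line breaks.
# Errs toward over-redaction: commented-out secrets are blanked as well.
SECRET_RE = re.compile(r'(\bsecret\s+)("[^"]*"|[^\s;]+)(\s*;)', re.IGNORECASE)
# `include "path";` pulls in other files (often key files) that are not shown.
INCLUDE_RE = re.compile(r'\binclude\s+"([^"]+)"\s*;')


def redact_named_conf(text):
    """Return (redacted_text, secrets_replaced, included_paths)."""
    redacted, count = SECRET_RE.subn(r'\1"REDACTED"\3', text)
    includes = INCLUDE_RE.findall(text)
    return redacted, count, includes


# Constructed sample: names, paths and secrets are made up for illustration.
SAMPLE = '''\
key "rndc-key" {
    algorithm hmac-sha256;
    secret "c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==";
};
include "/etc/bind/ddns.key";
logging {
    channel update_log { file "update.log"; severity info; };
};
zone "example.com" {
    type master;
    file "example.com.db";
    // secret "commented-out-old-key";
    allow-update { key "ddns-key"; };
};
'''

if __name__ == "__main__":
    cleaned, n, included = redact_named_conf(SAMPLE)
    print(cleaned)
    print(f"# {n} secret value(s) redacted")
    for path in included:
        # Included files are not expanded here; check them before sharing.
        print(f"# review before posting: {path}")
```

Key names are left in place so that `allow-update` and similar references in the posted config remain readable.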