moving DNSSEC to a hidden master

Alan Clegg alan at
Mon Oct 14 17:43:45 UTC 2013

On Oct 13, 2013, at 9:03 PM, David Newman <dnewman at> wrote:

> >>> This is where things fall apart. I run 'rndc freeze' and
> >>> increment the zone file's serial number (or make any other
> >>> change), and then run 'rndc thaw' and 'rndc reload'.

So, I'm going to jump back a bit here.... If the configuration that you posted is what is actually running, you should get the following when you try to "rndc freeze":

root at server00:/etc/namedb# rndc freeze
rndc: 'freeze' failed: not dynamic
root at server00:/etc/namedb# 

With the associated logging:

14-Oct-2013 17:36:00.310 received control channel command 'freeze'

You have views... is the definition of the internal one different from the external one (which you posted)?

So, I re-created your zone with the following zone entry:

zone "" in {
        type master;
        file "master/";
        allow-query { any; };
        allow-transfer { any; };
        notify yes;
        key-directory "keys/";
        inline-signing yes;
        auto-dnssec maintain;
};

This zone isn't dynamic based on what you have posted.

It also works fine when I make changes (no "freeze"/"thaw" needed):

== Commands typed ==
root at server00:/etc/namedb# ls
bind.keys  keys  master  named.conf  rndc.key
root at server00:/etc/namedb# cd master
root at server00:/etc/namedb/master# ls
root at server00:/etc/namedb/master# vi
root at server00:/etc/namedb/master# rndc reload
zone reload queued
root at server00:/etc/namedb/master# 

== Logging produced ==
14-Oct-2013 17:39:26.565 received control channel command 'reload'
14-Oct-2013 17:39:26.571 zone (unsigned): loaded serial 2
14-Oct-2013 17:39:26.571 zone (signed): serial 4 (unsigned 2)

And for those of you that have taken the DNS and BIND class, yes, I'm really using the very same lab environment that you used in class to test things... it works!

Alan Clegg | +1-919-355-8851 | alan at
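An added example, not Alan's code or anything from the BIND project, that turns the point of the post into a check: it parses zone stanzas in the shape of the one above (the zone and file names are placeholders, since the post left them blank; a second, dynamic zone is constructed for contrast), decides whether the zone accepts DNS UPDATE and therefore whether "rndc freeze" applies or an edit plus "rndc reload" is the right workflow, and then reads constructed named log lines in the "(signed): serial N (unsigned M)" form shown above to confirm the signed copy picked up the new serial. The one-statement-per-line parsing and the log line layout are assumptions.

```python
import re

# Constructed sample named.conf fragment (placeholder names; the post left the
# zone and file names blank): the static inline-signed stanza from the post,
# plus a dynamic zone for contrast.
SAMPLE_NAMED_CONF = """
zone "static.example" in {
        type master;
        file "master/static.example";
        allow-query { any; };
        allow-transfer { any; };
        notify yes;
        key-directory "keys/";
        inline-signing yes;
        auto-dnssec maintain;
};

zone "dynamic.example" in {
        type master;
        file "master/dynamic.example";
        update-policy { grant ddns-key zonesub ANY; };
        key-directory "keys/";
        inline-signing yes;
        auto-dnssec maintain;
};
"""

# Constructed log lines in the shape of the post's "(signed): serial N (unsigned M)"
# output; the zone name position is assumed.
SAMPLE_LOG = """
14-Oct-2013 17:39:26.565 received control channel command 'reload'
14-Oct-2013 17:39:26.571 zone static.example/IN (unsigned): loaded serial 2
14-Oct-2013 17:39:26.571 zone static.example/IN (signed): serial 4 (unsigned 2)
14-Oct-2013 17:40:01.000 zone stale.example/IN (signed): serial 3 (unsigned 5)
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
SERIAL_RE = re.compile(r'zone (\S+) \(signed\): serial (\d+) \(unsigned (\d+)\)')


def parse_zones(conf):
    """Map each zone name to the set of statement keywords in its stanza.

    One statement per line is assumed, as in the post's stanza; nested option
    blocks such as "allow-query { any; };" contribute only their leading keyword.
    """
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        keywords = set()
        for line in body.splitlines():
            line = line.strip()
            if line:
                keywords.add(line.split()[0])
        zones[name] = keywords
    return zones


def is_dynamic(keywords):
    """A zone is dynamic (and so freezable) only if it accepts DNS UPDATE."""
    return "allow-update" in keywords or "update-policy" in keywords


def edit_procedure(keywords):
    """Hand-edit workflow for the zone; 'rndc freeze' on a static zone fails with 'not dynamic'."""
    if is_dynamic(keywords):
        return "rndc freeze; edit zone file; rndc thaw"
    return "edit zone file; rndc reload"


def check_inline_serials(log_text):
    """Return {zone: (signed_serial, unsigned_serial, ok)} from named's log.

    The signed copy is what gets served and transferred, so after a reload its
    serial should be at least as high as the one loaded from the unsigned file.
    """
    result = {}
    for m in SERIAL_RE.finditer(log_text):
        zone, signed, unsigned = m.group(1), int(m.group(2)), int(m.group(3))
        result[zone] = (signed, unsigned, signed >= unsigned)
    return result


if __name__ == "__main__":
    for zone, kw in parse_zones(SAMPLE_NAMED_CONF).items():
        print(f"{zone}: dynamic={is_dynamic(kw)} -> {edit_procedure(kw)}")
    for zone, (s, u, ok) in check_inline_serials(SAMPLE_LOG).items():
        print(f"{zone}: signed {s} unsigned {u} {'OK' if ok else 'STALE'}")
```

Run it against a copy of your own named.conf and named log to see which zones actually need freeze/thaw; for the stanza in the post it reports the edit-and-reload path, matching the "not dynamic" error Alan shows.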