moving DNSSEC to a hidden master

Alan Clegg alan at clegg.com
Mon Oct 14 17:43:45 UTC 2013


On Oct 13, 2013, at 9:03 PM, David Newman <dnewman at networktest.com> wrote:

> >>> This is where things fall apart. I run 'rndc freeze' and
> >>> increment the zone file's serial number (or make any other
> >>> change), and then run 'rndc thaw' and 'rndc reload'.

So, I'm going to jump back a bit here.... If the configuration that you posted is what is actually running, you should get the following when you try to "rndc freeze":

root at server00:/etc/namedb# rndc freeze example.com
rndc: 'freeze' failed: not dynamic
root at server00:/etc/namedb# 

With the associated logging:

14-Oct-2013 17:36:00.310 received control channel command 'freeze example.com'

You have views... is the definition of the internal one different from the external one (which you posted)?

So, I re-created your zone with the following zone entry:

zone "example.com" in {
        type master;
        file "master/example.com";
        allow-query { any; };
        allow-transfer { any; };
        notify yes;
        key-directory "keys/";
        inline-signing yes;
        auto-dnssec maintain;
};

This zone isn't dynamic based on what you have posted.

It also works fine when I make changes (no "freeze"/"thaw" needed):

== Commands typed ==
root at server00:/etc/namedb# ls
bind.keys  keys  master  named.conf  rndc.key
root at server00:/etc/namedb# cd master
root at server00:/etc/namedb/master# ls
example.com  example.com.jbk  example.com.signed  example.com.signed.jnl
root at server00:/etc/namedb/master# vi example.com
root at server00:/etc/namedb/master# rndc reload example.com
zone reload queued
root at server00:/etc/namedb/master# 

== Logging produced ==
14-Oct-2013 17:39:26.565 received control channel command 'reload example.com'
14-Oct-2013 17:39:26.571 zone example.com/IN (unsigned): loaded serial 2
14-Oct-2013 17:39:26.571 zone example.com/IN (signed): serial 4 (unsigned 2)

And for those of you that have taken the DNS and BIND class, yes, I'm really using the very same lab environment that you used in class to test things... it works!

AlanC
-- 
Alan Clegg | +1-919-355-8851 | alan at clegg.com
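The distinction Alan draws (the posted zone is inline-signed but not dynamic, so "rndc freeze" reports "not dynamic" and a plain "rndc reload" is the right way to push a hand edit) is easiest to see with the two zone styles side by side. The following named.conf fragment is an added example, not Alan's or David's configuration: the zone names, the "secondaries" ACL, the 192.0.2.x addresses and the key directory are placeholders, and the hardened allow-query/allow-transfer lists are an assumption about what a hidden master should look like rather than something the thread states.

```conf
// Added example (not from the original post). Two ways to run a DNSSEC-signed
// zone on a BIND 9 hidden master; the style decides whether rndc freeze/thaw
// apply at all. Addresses and ACL names below are placeholders.

// Assumed public secondaries of the hidden master; must be defined before use.
acl secondaries { 192.0.2.10; 192.0.2.11; };

// 1. Inline-signing on a static zone (the shape reproduced in the post).
//    The unsigned file is the operator's source of truth; named keeps the
//    signed copy in "master/example.com.signed" plus a journal and maintains
//    the signed serial on its own ("serial 4 (unsigned 2)" in the log).
//    Procedure: edit master/example.com, bump the SOA serial,
//    then "rndc reload example.com". "rndc freeze example.com" fails here
//    with "not dynamic", because the zone has no allow-update/update-policy.
zone "example.com" in {
        type master;
        file "master/example.com";
        allow-query { localhost; secondaries; };   // hidden master: not for the public
        allow-transfer { secondaries; };           // assumption: narrower than { any; }
        also-notify { 192.0.2.10; 192.0.2.11; };
        notify explicit;
        key-directory "keys/";
        inline-signing yes;
        auto-dnssec maintain;
};

// 2. Dynamic zone (update-policy present). Changes normally arrive via nsupdate
//    and go to the journal. To hand-edit the zone file you must
//    "rndc freeze example.org", edit, then "rndc thaw example.org"; thaw itself
//    reloads the zone, so no separate "rndc reload" is needed. auto-dnssec
//    maintain signs in place; inline-signing is not required for this style.
zone "example.org" in {
        type master;
        file "master/example.org";
        allow-query { localhost; secondaries; };
        allow-transfer { secondaries; };
        also-notify { 192.0.2.10; 192.0.2.11; };
        notify explicit;
        key-directory "keys/";
        update-policy local;        // accepts updates signed with the local-ddns key
        auto-dnssec maintain;
};
```

Before trusting either procedure, run "named-checkconf" on the file and, as Alan's transcript shows, watch the log for the "(unsigned): loaded serial N" and "(signed): serial M (unsigned N)" pair after a reload; if the unsigned serial in the log does not match what you just wrote, the wrong zone (for example one inside another view) was reloaded.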