Converting an inline-signed zone to unsigned
Alan Clegg
alan at clegg.com
Wed Feb 19 18:58:01 UTC 2014
On 2/19/14, 8:59 PM, Chris Thompson wrote:
> What is the right way ... or maybe I should be asking IS there a right
> way ... to change a zone that has been signed by inline signing (i.e. with
> "inline-signing yes; auto-dnssec maintain;" in its zone statement) to
> unsigned?
>
> When I change the zone statement to remove the inline signing part, and
> update the SOA serial in the zone file for good measure, and then do
> either "rndc reload" or "rndc reconfig", I get messages like
>
> named[22954]: general: error: zone playground.test/IN:
> journal rollforward failed: journal out of sync with zone
> named[22954]: general: error: zone playground.test/IN:
> not loaded due to errors.
>
> and the zone goes into SERVFAIL state.
>
> The only way I found out of this was to remove the [zone-file].signed
> and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig".
> Surely there must be something better than that?
>
Have you tried setting "dnssec-secure-to-insecure" then setting all of
the keys to deleted?
AlanC
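The two log lines quoted in the question are the signal an operator wants to catch before clients start seeing SERVFAIL. The following is an added example, not code from this thread: a small Python log check (function names and the sample syslog lines are my own, modelled on the excerpt above) that pairs the "journal out of sync" error with the "not loaded due to errors" line and reports the zones that are now failing to load.

```python
import re
from collections import defaultdict

# Matches the zone-scoped error lines named writes, in the shape shown in the
# post; any leading syslog timestamp/host prefix is ignored by the search.
ZONE_ERR = re.compile(
    r"named\[\d+\]: general: error: zone (?P<zone>\S+)/(?P<cls>\w+): (?P<msg>.+)$"
)

JOURNAL_OUT_OF_SYNC = "journal rollforward failed: journal out of sync with zone"
NOT_LOADED = "not loaded due to errors"


def parse_zone_errors(lines):
    """Return {zone: [error messages]} for every zone-scoped named error line."""
    errors = defaultdict(list)
    for line in lines:
        m = ZONE_ERR.search(line.rstrip())
        if m:
            errors[m.group("zone")].append(m.group("msg"))
    return dict(errors)


def zones_with_stale_journal(lines):
    """Zones that failed to load because a stale .jnl blocked the reload.

    Both messages must be present for a zone: the rollforward failure alone
    is the cause, the 'not loaded' line confirms named refused the zone, so
    it is answering SERVFAIL until the journal is dealt with.
    """
    errors = parse_zone_errors(lines)
    return sorted(
        zone for zone, msgs in errors.items()
        if JOURNAL_OUT_OF_SYNC in msgs and NOT_LOADED in msgs
    )


# Constructed sample log lines (hypothetical host/timestamp), one zone failing
# exactly as in the post and one healthy zone for contrast.
SAMPLE_LOG = [
    "Feb 19 20:45:10 ns1 named[22954]: general: error: zone playground.test/IN: "
    "journal rollforward failed: journal out of sync with zone",
    "Feb 19 20:45:10 ns1 named[22954]: general: error: zone playground.test/IN: "
    "not loaded due to errors",
    "Feb 19 20:45:10 ns1 named[22954]: general: info: zone example.test/IN: "
    "loaded serial 2014021901",
]

if __name__ == "__main__":
    for zone in zones_with_stale_journal(SAMPLE_LOG):
        print(f"{zone}: stale journal blocked the reload; zone is serving SERVFAIL")
```

Run it against `journalctl -u named` or the BIND log file to get the list of zones whose journal needs attention after a config change.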