Spurious DNSKEY records on slave

Jim Fenton fenton at bluepopcorn.net
Thu Aug 18 17:29:03 UTC 2016


I recently switched from external signing of my zone to use of BIND 9.9
inline signing. While things went fairly smoothly on the master server,
my slave ended up with a bunch of spurious DNSKEY records that came from
my previous keys (I generated new keys when I went to inline signing).

The extra DNSKEY records were not present in the zone file of the master
server, so I reinitiated a zone transfer and this did not help. I
checked the signed zone file on the master with named-checkzone and only
the desired DNSKEY records were there.

Eventually I tried shutting down the slave server, deleting the zone
file (and .jnl file that was also there) and restarting and all was good
after that.

Hypothesis: The .jnl file was the culprit; I don't know what's there,
but it sounds like the intent is to allow incremental updates of zone
files. Following the "fix", there is no longer a .jnl file there. I'm
not sure where it came from in the first place.

Master is running 9.9.5-9+deb8u6-Debian <id:f9b8a50e>

Slave is running 9.8.4-rpz2+rl005.12-P1

(both obtained from Debian distribution)

Is this a known problem?

-Jim




More information about the bind-users mailing list