DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing the zone's TTL

Andreas Meyer a.meyer at nimmini.de
Tue Aug 23 13:28:38 UTC 2016


Tony Finch <dot at dotat.at> wrote on 23.08.16 at 10:45:15:

> Aleks Ostapenko <aleks.ostapenko.post at gmail.com> wrote:
> 
> > As for second variant - unfortunately I don't know how to edit manually TTL
> > in the signed (not raw) master file.  
> 
> (1) Use `rndc freeze` which makes `named` rewrite the zone file with all
> pending changes from the journal, and makes it stop making further changes
> to the zone.
> 
> (2) The signed zone file will normally be in standard text format, so you
> can just run the editor of your choice on the file. Change the TTLs of all
> the DNSKEY records and the RRSIG DNSKEY to what you want.
> 
> (3) Run `rndc thaw` to make `named` reload the zone and permit it to make
> changes.

This is the most important information for re-signing a zone so that a
change is noticed in a signed zone, and it is missing in
https://deepthought.isc.org/article/AA-00711/0/In-line-Signing-With-NSEC3-in-BIND-9.9-A-Walk-through.html

It took me hours to find out:

rndc freeze domain.de
edit domain.de
rndc reload domain.de
rndc thaw domain.de

Greetings

  Andreas
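The freeze/edit/thaw sequence from this thread, with the manual edit replaced by an awk filter that touches only the TTL field of DNSKEY and RRSIG DNSKEY records. This is an added example, not code from the thread or from ISC; it assumes the signed zone file is in text form as named writes it after `rndc freeze` (explicit numeric TTL and class on every record), and the zone name and file path in `change_dnskey_ttl` are placeholders chosen by the caller.

```shell
#!/bin/sh
# Added example: the "edit" step of freeze/edit/thaw done as a filter, so only
# the TTLs of DNSKEY and RRSIG DNSKEY records change and nothing else is touched.

# rewrite_dnskey_ttl NEWTTL  (zone text on stdin, rewritten zone on stdout)
rewrite_dnskey_ttl() {
    awk -v ttl="$1" '
    {
        # A record line looks like "[owner] <ttl> IN DNSKEY ..." or
        # "[owner] <ttl> IN RRSIG DNSKEY ...". The owner may be omitted (line
        # starts with whitespace); prepending a space lets one pattern cover
        # both and keeps digits inside an owner (ns123.domain.de.) unmatched.
        line = " " $0
        if (match(line, /[ \t][0-9]+[ \t]+IN[ \t]+(DNSKEY|RRSIG[ \t]+DNSKEY)[ \t]/)) {
            head = substr(line, 1, RSTART)      # up to and including the space before the TTL
            rest = substr(line, RSTART + 1)     # starts with the TTL digits
            sub(/^[0-9]+/, ttl, rest)
            line = head rest
        }
        print substr(line, 2)                   # drop the prepended space; leading tabs survive
    }'
}

# The Original TTL inside the RRSIG rdata (the third number after "RRSIG DNSKEY")
# is signed data and is deliberately left alone: validators cap the effective TTL
# at it, so the new value is fully honoured once named has produced a fresh
# RRSIG over the DNSKEY RRset with the new TTL.

# change_dnskey_ttl ZONE FILE NEWTTL -- the sequence reported in the thread
# (freeze, edit, reload, thaw); FILE is the signed zone file named writes.
change_dnskey_ttl() {
    zone=$1; file=$2; new_ttl=$3
    rndc freeze "$zone" || return 1
    cp "$file" "$file.bak" &&
    rewrite_dnskey_ttl "$new_ttl" < "$file.bak" > "$file" || { rndc thaw "$zone"; return 1; }
    rndc reload "$zone"
    rndc thaw "$zone"
}
```

Example call: `change_dnskey_ttl domain.de /path/to/domain.de.signed 3600` (zone name and path are placeholders).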