force re-sign of individual host record?

Mathew Ian Eis Mathew.Eis at nau.edu
Thu Feb 25 23:45:56 UTC 2016


Hi BIND,

Anyone know if there is a good way to force named to re-sign a single host record? (e.g. without generating new ZSKs, etc.?)

An ntp glitch recently caused our master nameserver to jump many hours into the future, whereupon it began issuing invalid (to the world) RRSIGs with an inception time many hours into the future.

After correcting the server time, named's signature rollover algorithm didn’t pick up on the fact that there were invalid RRSIGs (even after restarting the named process), so we were left with manually repairing them.

We ended up modifying the TTLs (thus forcing named to update the RRSIGs), and then restoring the TTLs to their previous state.

It seems like there should be a better way… was that the "best" approach? ( Even better, it seems like named could automagically correct for this particular problem – if we can put it on the wishlist ;-)  )

Thoughts?

Thanks in advance,

Mathew Eis
Northern Arizona University
Information Technology Services
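The failure mode described in this post (a master that signed with an inception time hours in the future, which validators reject as not-yet-valid) can be caught by auditing RRSIG validity windows against a trusted clock before the signatures reach the world. The following is an added example, not code from the poster or from BIND; it assumes dig-style RRSIG presentation format (type covered, algorithm, labels, original TTL, expiration, inception in YYYYMMDDHHmmSS UTC, key tag, signer, signature), a constructed sample of three records, and a five-minute skew tolerance chosen for illustration.

```python
# Audit RRSIG records for validity windows a validator would reject.
from datetime import datetime, timedelta, timezone

# Constructed sample: the "current" time after the server clock was corrected.
NOW = datetime(2016, 2, 25, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample RRSIGs (signature fields shortened to a placeholder).
SAMPLE_RRSIGS = [
    "www.example.com. 3600 IN RRSIG A 8 3 3600 20160326200000 20160225200000 12345 example.com. AAAA",
    "mail.example.com. 3600 IN RRSIG A 8 3 3600 20160326110000 20160225110000 12345 example.com. AAAA",
    "old.example.com. 3600 IN RRSIG A 8 3 3600 20160220110000 20160121110000 12345 example.com. AAAA",
]

def parse_sig_time(text):
    """RRSIG expiration/inception use YYYYMMDDHHmmSS in UTC (RFC 4034 3.2)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsig(line, now, skew=timedelta(minutes=5)):
    """Return (owner, type_covered, status) for one RRSIG in presentation format.

    status is "future-inception" (validators treat it as not yet valid),
    "expired", or "ok". The skew is an assumed tolerance, not a protocol value.
    """
    fields = line.split()
    # Locate the RRSIG token so records with or without TTL/class still parse.
    i = fields.index("RRSIG")
    owner, type_covered = fields[0], fields[i + 1]
    expiration = parse_sig_time(fields[i + 5])
    inception = parse_sig_time(fields[i + 6])
    if inception > now + skew:
        status = "future-inception"
    elif expiration < now - skew:
        status = "expired"
    else:
        status = "ok"
    return owner, type_covered, status

def find_bad_signatures(lines, now):
    """Return only the RRSIGs a validator would reject at time `now`."""
    results = (check_rrsig(line, now) for line in lines if line.strip())
    return [r for r in results if r[2] != "ok"]

if __name__ == "__main__":
    for owner, type_covered, status in find_bad_signatures(SAMPLE_RRSIGS, NOW):
        print(f"{owner} RRSIG({type_covered}): {status}")
```

Running this against a zone transfer or a `dig +dnssec` capture of the affected names shows which records still carry signatures that need to be regenerated.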
