force re-sign of individual host record?

Mark Andrews marka at isc.org
Fri Feb 26 00:14:52 UTC 2016


	"rndc sign zone [class [view]]" should do it.

In message <B9599B05-145F-4111-9E5B-032C6466D764 at nau.edu>, Mathew Ian Eis writes:
> Hi BIND,
>
> Anyone know if there is a good way to force named to resign a single host
> record? (e.g. without generating new ZSKs, etc.?)
>
> An ntp glitch recently caused our master nameserver to jump many hours
> into the future, whereupon it began issuing invalid (to the world) RRSIGs
> with an inception time many hours into the future.
>
> After correcting the server time, named's signature rollover algorithm
> didn't pick up on the fact that there were invalid RRSIGs (even after
> restarting the named process), so we were left with manually repairing
> them.
>
> We ended up modifying the TTLs (thus forcing named to update the RRSIGs),
> and then restoring the TTLs to their previous state.
>
> It seems like there should be a better way; was that the "best" approach?
> (Even better, it seems like named could automagically correct for this
> particular problem, if we can put it on the wishlist ;-) )
>
> Thoughts?
>
> Thanks in advance,
>
> Mathew Eis
> Northern Arizona University
> Information Technology Services
>

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
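As an added example, not part of this thread or of BIND itself: a small Python check that reads RRSIG records in zone-file presentation format (the form dig or a zone dump prints them in) and flags the condition Mathew describes, signatures whose inception time is still in the future or whose expiration has already passed, which named's rollover logic did not catch on its own. The sample records, the reference clock and the five-minute skew allowance are constructed assumptions; the signature data is a placeholder. Names the check reports are the ones to re-sign with the `rndc sign zone` command Mark gives.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, not real zone data. Each RRSIG line has the fields
#   owner TTL class RRSIG type-covered algorithm labels original-TTL
#   expiration inception key-tag signer signature
# Times are YYYYMMDDHHmmSS in UTC, as in a zone file.
SAMPLE_RRSIGS = """\
; constructed sample, not real zone data
www.example.net.  3600 IN A     192.0.2.10
www.example.net.  3600 IN RRSIG A 8 3 3600 20160326000000 20160225000000 12345 example.net. PLACEHOLDERSIG==
mail.example.net. 3600 IN RRSIG A 8 3 3600 20160327180000 20160226180000 12345 example.net. PLACEHOLDERSIG==
old.example.net.  3600 IN RRSIG A 8 3 3600 20160201000000 20160101000000 12345 example.net. PLACEHOLDERSIG==
"""

# Reference clock for the check (assumed); in practice use datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2016, 2, 26, 0, 14, 52, tzinfo=timezone.utc)


def parse_rrsig_time(field: str) -> datetime:
    """RRSIG expiration/inception field in YYYYMMDDHHmmSS form (always UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsigs(zone_text: str, now: datetime,
                 skew: timedelta = timedelta(minutes=5)):
    """Classify every RRSIG in zone_text against the window a validating
    resolver applies: inception <= now <= expiration, with a small skew
    allowance for ordinary clock drift. Returns one dict per RRSIG, in
    file order."""
    findings = []
    for line in zone_text.splitlines():
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue  # not an RRSIG record (or truncated line)
        owner, covered = fields[0], fields[4]
        expiration = parse_rrsig_time(fields[8])
        inception = parse_rrsig_time(fields[9])
        if inception > now + skew:
            status = "future-inception"  # signed while the server clock was ahead
        elif expiration < now - skew:
            status = "expired"
        else:
            status = "ok"
        findings.append({"owner": owner, "covered": covered,
                         "inception": inception, "expiration": expiration,
                         "status": status})
    return findings


def names_needing_resign(findings):
    """Owner names whose signatures a validating resolver would reject."""
    return sorted({f["owner"] for f in findings if f["status"] != "ok"})


if __name__ == "__main__":
    results = check_rrsigs(SAMPLE_RRSIGS, REFERENCE_NOW)
    for f in results:
        print(f"{f['owner']:20} {f['covered']:6} {f['status']}")
    print("re-sign:", names_needing_resign(results))
```

Run against a real zone by piping a dump of the signed zone into `check_rrsigs` with `datetime.now(timezone.utc)`; a non-empty result after an NTP correction is the signal that a re-sign is needed, rather than waiting for the scheduled rollover.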

