force re-sign of individual host record?

Mathew Ian Eis Mathew.Eis at nau.edu
Fri Feb 26 00:30:09 UTC 2016


Isn’t auto-dnssec maintain; (which we have enabled) supposed to effectively do the same thing as rndc sign zone?

Mathew Eis
Northern Arizona University
Information Technology Services
-----Original Message-----
From: Mark Andrews <marka at isc.org>
Date: Thursday, February 25, 2016 at 5:14 PM
To: Mathew Eis <Mathew.Eis at nau.edu>
Cc: "bind-users at lists.isc.org" <bind-users at isc.org>
Subject: Re: force re-sign of individual host record?

>
>	"rndc sign zone [class [view]]" should do it.
>
>In message <B9599B05-145F-4111-9E5B-032C6466D764 at nau.edu>, Mathew Ian Eis writes:
>> Hi BIND,
>>
>> Anyone know if there is a good way to force named to resign a single host
>> record? (e.g. without generating new ZSKs, etc.?)
>>
>> An ntp glitch recently caused our master nameserver to jump many hours
>> into the future, whereupon it began issuing invalid (to the world) RRSIGs
>> with an inception time many hours into the future.
>>
>> After correcting the server time, named's signature rollover algorithm
>> didn't pick up on the fact that there were invalid RRSIGs (even after
>> restarting the named process), so we were left with manually repairing
>> them.
>>
>> We ended up modifying the TTLs (thus forcing named to update the RRSIGs),
>> and then restoring the TTLs to their previous state.
>>
>> It seems like there should be a better way; was that the "best" approach?
>> (Even better, it seems like named could automagically correct for this
>> particular problem, if we can put it on the wishlist ;-) )
>>
>> Thoughts?
>>
>> Thanks in advance,
>>
>> Mathew Eis
>> Northern Arizona University
>> Information Technology Services
>>
>
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
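As an added example, not part of this thread and not code from BIND: a small Python script that does the check the original poster wished named would do on its own, walking the RRSIGs of a zone and flagging those a validator would reject at the current clock, either because the inception time is still in the future (the clock-jump case above) or because they have already expired. It assumes RRSIG records in zone-file presentation format with an explicit owner name on each line; the sample records, the placeholder signature fields and the fixed `NOW` timestamp are constructed for the example.

```python
"""Flag RRSIG records whose validity window does not cover the current time.

Added example, not from the bind-users thread or from BIND. Parses RRSIG
records in zone-file presentation format and reports which ones would
fail validation at a given clock time.
"""
from datetime import datetime, timezone

# Constructed sample RRSIGs in zone-file presentation format. The base64
# signature fields are placeholders, not real signatures.
SAMPLE_RRSIGS = """\
www.example.net.  3600 IN RRSIG A    8 3 3600 20160325000000 20160225000000 12345 example.net. c2lnMQ==
mail.example.net. 3600 IN RRSIG A    8 3 3600 20160326071500 20160226071500 12345 example.net. c2lnMg==
old.example.net.  3600 IN RRSIG AAAA 8 3 3600 20160220000000 20160121000000 12345 example.net. c2lnMw==
"""

# Clock at which the check runs; fixed here so the example is reproducible.
# In practice use datetime.now(timezone.utc).
NOW = datetime(2016, 2, 26, 0, 30, 9, tzinfo=timezone.utc)


def parse_rrsig_time(field):
    """RFC 4034 presentation format allows YYYYMMDDHHmmSS (UTC) or plain
    seconds since the epoch; accept both."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line):
    """Return a dict for one RRSIG line, or None if the line is not an RRSIG.

    Assumes each line carries its owner name (no '@' or blank-owner shorthand).
    """
    tokens = line.split(";", 1)[0].split()  # drop trailing comments
    if "RRSIG" not in tokens:
        return None
    i = tokens.index("RRSIG")
    # After the RRSIG type: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, signature (>= 1 token).
    if len(tokens) < i + 10:
        return None
    return {
        "owner": tokens[0],
        "type_covered": tokens[i + 1],
        "expiration": parse_rrsig_time(tokens[i + 5]),
        "inception": parse_rrsig_time(tokens[i + 6]),
        "key_tag": int(tokens[i + 7]),
        "signer": tokens[i + 8],
    }


def rrsig_status(rec, now=None):
    """A validator accepts an RRSIG only while inception <= now <= expiration."""
    now = now or datetime.now(timezone.utc)
    if now < rec["inception"]:
        return "not-yet-valid"
    if now > rec["expiration"]:
        return "expired"
    return "valid"


def find_bad_signatures(zone_text, now=None):
    """List (owner, type covered, status) for every RRSIG failing at `now`."""
    bad = []
    for line in zone_text.splitlines():
        rec = parse_rrsig(line)
        if rec is None:
            continue
        status = rrsig_status(rec, now)
        if status != "valid":
            bad.append((rec["owner"], rec["type_covered"], status))
    return bad


if __name__ == "__main__":
    # The mail.example.net RRSIG has an inception about seven hours ahead of
    # NOW, the situation the thread describes after the ntp glitch.
    for owner, rtype, status in find_bad_signatures(SAMPLE_RRSIGS, NOW):
        print(f"{status:14s} {owner} {rtype}")
```

Feed it the signed zone file (or the output of `dig +dnssec` queries) after correcting the server clock; every record it reports is one the world is currently rejecting and needs to be re-signed, for which the thread above points at `rndc sign zone` rather than the TTL-bump workaround. Note that the check compares against the local clock, so it is only meaningful once that clock is known to be correct again.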

