force re-sign of individual host record?

Mark Andrews marka at isc.org
Fri Feb 26 03:43:11 UTC 2016


In message <1DB356BF-50CF-4B99-B996-27A1A0984185 at nau.edu>, Mathew Ian Eis writes:
> Isn't auto-dnssec maintain; (which we have enabled) supposed to
> effectively do the same thing as rndc sign zone?

auto-dnssec maintain assumes a sane clock.

"rndc sign zone" forces the zone to be fully re-signed now irrespective
of when the records are due for re-signing.

> Mathew Eis
> Northern Arizona University
> Information Technology Services
>
> -----Original Message-----
> From: Mark Andrews <marka at isc.org>
> Date: Thursday, February 25, 2016 at 5:14 PM
> To: Mathew Eis <Mathew.Eis at nau.edu>
> Cc: "bind-users at lists.isc.org" <bind-users at isc.org>
> Subject: Re: force re-sign of individual host record?
>
> >
> >	"rndc sign zone class view" should do it.
> >
> >In message <B9599B05-145F-4111-9E5B-032C6466D764 at nau.edu>, Mathew Ian Eis writes:
> >> Hi BIND,
> >>
> >> Anyone know if there is a good way to force named to resign a single host
> >> record? (e.g. without generating new ZSKs, etc.?)
> >>
> >> An ntp glitch recently caused our master nameserver to jump many hours
> >> into the future, whereupon it began issuing invalid (to the world) RRSIGs
> >> with an inception time many hours into the future.
> >>
> >> After correcting the server time, named's signature rollover algorithm
> >> didn't pick up on the fact that there were invalid RRSIGs (even after
> >> restarting the named process), so we were left with manually repairing
> >> them.
> >>
> >> We ended up modifying the TTLs (thus forcing named to update the RRSIGs),
> >> and then restoring the TTLs to their previous state.
> >>
> >> It seems like there should be a better way. Was that the "best" approach?
> >> (Even better, it seems like named could automagically correct for this
> >> particular problem, if we can put it on the wishlist ;-) )
> >>
> >> Thoughts?
> >>
> >> Thanks in advance,
> >>
> >> Mathew Eis
> >> Northern Arizona University
> >> Information Technology Services
> >>
> >
> >--
> >Mark Andrews, ISC
> >1 Seymour St., Dundas Valley, NSW 2117, Australia
> >PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
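The failure mode in this thread (a signer whose clock jumped forward, leaving RRSIGs whose inception time is still in the future once the clock is fixed) is easy to detect from the outside: compare each RRSIG's inception and expiration fields against the current time, the same test a validator applies. The following checker is an added example for this thread, not code from ISC or from the posters. It parses RRSIG lines in presentation format (as printed by `dig +dnssec` or found in a signed zone file) and reports the ones a validator would reject. The sample answer section, names, key tag and signature data are constructed for the example; only the record layout follows RFC 4034.

```python
import sys
from datetime import datetime, timezone

# Constructed sample resembling the answer section of `dig +dnssec`; the
# owner names, key tag and signature bytes are made up for this example.
# The first RRSIG has an inception time later than the reference "now"
# used in the checks below, which is what a server whose clock had jumped
# forward would have produced; the last one has already expired.
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
host.example.  3600 IN A     192.0.2.10
host.example.  3600 IN RRSIG A 8 2 3600 20160325230000 20160226230000 12345 example. dGVzdA==
www.example.   3600 IN A     192.0.2.11
www.example.   3600 IN RRSIG A 8 2 3600 20160325230000 20160225230000 12345 example. dGVzdA==
mail.example.  3600 IN A     192.0.2.12
mail.example.  3600 IN RRSIG A 8 2 3600 20160201000000 20160102000000 12345 example. dGVzdA==
"""


def parse_sig_time(field):
    """RRSIG presentation format writes times as YYYYMMDDHHmmSS in UTC (RFC 4034 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return one dict per RRSIG line found in dig output or zone-file text."""
    sigs = []
    for line in text.splitlines():
        if not line or line.startswith(";"):
            continue  # skip dig's comment lines
        f = line.split()
        # Field order after the class: RRSIG, type covered, algorithm, labels,
        # original TTL, expiration, inception, key tag, signer name, signature.
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        sigs.append({
            "owner": f[0],
            "type_covered": f[4],
            "expiration": parse_sig_time(f[8]),
            "inception": parse_sig_time(f[9]),
            "keytag": int(f[10]),
            "signer": f[11],
        })
    return sigs


def find_bad_rrsigs(text, now):
    """Flag signatures a validator would reject at time `now` (RFC 4035 5.3.1):
    the validation time must be no earlier than inception and no later than
    expiration. Returns a list of (owner, type_covered, reason) tuples."""
    bad = []
    for s in parse_rrsigs(text):
        if now < s["inception"]:
            bad.append((s["owner"], s["type_covered"], "inception in the future"))
        elif now > s["expiration"]:
            bad.append((s["owner"], s["type_covered"], "expired"))
    return bad


if __name__ == "__main__":
    # Usage: dig +dnssec +noall +answer host.example. A | python3 rrsig_check.py
    # With no piped input, the constructed sample above is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ANSWER
    for owner, rtype, reason in find_bad_rrsigs(text, datetime.now(timezone.utc)):
        print(f"{owner} {rtype}: {reason}")
```

Run it from a host whose clock is trusted (not the signer whose clock was wrong), since the check is only as good as the `now` it compares against. Any record it reports is one that "rndc sign zone" on the master, as Mark describes above, would re-sign immediately rather than waiting for the scheduled re-sign.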

