force re-sign of individual host record?

Catalin Leanca catalinl at rotld.ro
Fri Feb 26 12:58:58 UTC 2016


Are you sure about that?
Because after the "rndc sign zone" command only the SOA and DNSKEY RRSIGs are refreshed.


In message <1DB356BF-50CF-4B99-B996-27A1A0984185 at nau.edu>, Mathew Ian Eis writes:
> Isn't auto-dnssec maintain; (which we have enabled) supposed to
> effectively do the same thing as rndc sign zone?
auto-dnssec maintain assumes a sane clock.

"rndc sign zone" forces the zone to be fully re-signed now irrespective
of when the records are due for re-signing.

> Mathew Eis
> Northern Arizona University
> Information Technology Services
>
> -----Original Message-----
> From: Mark Andrews <marka at isc.org>
> Date: Thursday, February 25, 2016 at 5:14 PM
> To: Mathew Eis <Mathew.Eis at nau.edu>
> Cc: "bind-users at lists.isc.org" <bind-users at isc.org>
> Subject: Re: force re-sign of individual host record?
>
> >
> > "rndc sign zone class view" should do it.
> >
> > In message <B9599B05-145F-4111-9E5B-032C6466D764 at nau.edu>, Mathew Ian Eis writes:
> >> Hi BIND,
> >>
> >> Anyone know if there is a good way to force named to resign a single host
> >> record? (e.g. without generating new ZSKs, etc.?)
> >>
> >> An ntp glitch recently caused our master nameserver to jump many hours
> >> into the future, whereupon it began issuing invalid (to the world) RRSIGs
> >> with an inception time many hours into the future.
> >>
> >> After correcting the server time, named's signature rollover algorithm
> >> didn't pick up on the fact that there were invalid RRSIGs (even after
> >> restarting the named process), so we were left with manually repairing
> >> them.
> >>
> >> We ended up modifying the TTLs (thus forcing named to update the RRSIGs),
> >> and then restoring the TTLs to their previous state.
> >>
> >> It seems like there should be a better way. Was that the "best" approach?
> >> ( Even better, it seems like named could automagically correct for this
> >> particular problem if we can put it on the wishlist ;-) )
> >>
> >> Thoughts?
> >>
> >> Thanks in advance,
> >>
> >> Mathew Eis
> >> Northern Arizona University
> >> Information Technology Services
> >>
> >
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

*Catalin LEANCA*
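Added example, not part of this thread and not BIND's own tooling: a small Python check that reads RRSIG records in presentation format (as printed by `dig +dnssec` or found in a signed zone file) and flags signatures whose inception is still in the future or whose expiration has passed, which is exactly the condition the clock jump in the original message produced and that named did not detect on its own. The sample records and the function names are constructed for the example.

```python
from datetime import datetime, timezone

# Constructed sample RRSIGs in presentation format:
# owner TTL IN RRSIG type alg labels origTTL expiration inception keytag signer sig
# Imagine the check runs at 2016-02-26 13:00 UTC: the second record was
# produced by a server whose clock had jumped ten hours ahead.
SAMPLE_RRSIGS = """\
www.example.com.  3600 IN RRSIG A   8 3 3600 20160325120000 20160226120000 12345 example.com. c2lnbmF0dXJl
mail.example.com. 3600 IN RRSIG A   8 3 3600 20160326030000 20160226230000 12345 example.com. c2lnbmF0dXJl
example.com.      3600 IN RRSIG SOA 8 2 3600 20160215000000 20160116000000 12345 example.com. c2lnbmF0dXJl
"""


def parse_rrsig_time(field):
    """RRSIG times are YYYYMMDDHHMMSS in UTC or, alternatively, seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def classify_rrsig(line, now):
    """Return (owner, covered_type, status) for one RRSIG line, or None if it is not one."""
    fields = line.split()
    if len(fields) < 12 or fields[3] != "RRSIG":
        return None
    owner, covered = fields[0], fields[4]
    expiration = parse_rrsig_time(fields[8])
    inception = parse_rrsig_time(fields[9])
    if inception > now:
        status = "future-inception"   # validators will reject this signature right now
    elif expiration <= now:
        status = "expired"
    else:
        status = "ok"
    return owner, covered, status


def find_bad_rrsigs(text, now):
    """List every RRSIG in `text` that is not valid at the instant `now`."""
    bad = []
    for line in text.splitlines():
        result = classify_rrsig(line, now)
        if result and result[2] != "ok":
            bad.append(result)
    return bad


if __name__ == "__main__":
    import sys
    data = SAMPLE_RRSIGS if sys.stdin.isatty() else sys.stdin.read()
    for owner, covered, status in find_bad_rrsigs(data, datetime.now(timezone.utc)):
        print(f"{status}: {owner} RRSIG({covered})")
```

Run it against `dig +dnssec +multi` output or a signed zone file on stdin; any "future-inception" hit after a clock correction marks a record that still needs re-signing.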



