dnssec (re)signing and journaling

Edwardo Garcia wdgarc88 at gmail.com
Fri Dec 14 00:39:26 UTC 2018


zone "xxxxxxxx.com" {
        type master;
        allow-transfer { sysops; slaves; };
        file "xxxxxxxxxx.signed";
        allow-query { any; };
        allow-update { key "corp"; };
};

This is what we use now, so we are doing dynamic updates, yes?

And now we just need to have named do automatic (re)signing?
Last time we tried, we kept killing our domain, so Google fails us. Do you
know of a valid reference URL that is clear? That would be good.
Thanks

On Fri, Dec 14, 2018 at 10:24 AM Mark Andrews <marka at isc.org> wrote:

> The best way is to configure your zone for dynamic updates and let named
> automatically resign the zone as needed.
>
> > On 14 Dec 2018, at 11:13 am, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> >
> > Hi,
> > What is the best practice for signing/re-signing zones with journal?
> >
> > We manually resign our domain, and use journaling; resigning is a PIA.
> > If we forget to thaw, the zone bails and stays unloaded because of a journal
> > roll forward error, which brings the question: why? Since the resolution to this
> > is to stop named, remove the journal file and restart, could named and rndc not be
> > smarter in these instances? Or at the very least, reload the zone from file so at
> > least it does not take unsuspecting people off air.
> >
> > So, the way we (try to remember to) do it is:
> > (modify zonefile if needed)
> > rndc freeze
> > dnssec-signzone  -options
> > rndc thaw
> >
> > Or is there a better way? It is the freeze/thaw we keep forgetting :-!
> >
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
>
>
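
The setup recommended in the reply above, applied to the zone stanza from this thread, as an added example that is not part of the original messages. It assumes a BIND 9 release of the thread's era (later releases replace auto-dnssec with dnssec-policy), that the zone's signing keys already exist from dnssec-keygen, and a hypothetical key directory path.

```conf
# Added example, not from the original thread.
zone "xxxxxxxx.com" {
        type master;
        allow-transfer { sysops; slaves; };
        file "xxxxxxxxxx.signed";
        allow-query { any; };
        allow-update { key "corp"; };   # zone is already dynamic

        # Before: no signing options in the stanza, so RRSIGs were only
        # refreshed when someone ran rndc freeze / dnssec-signzone / rndc thaw.

        # After: named signs updates and re-signs records before their
        # signatures expire.
        key-directory "/etc/bind/keys"; # assumed path; must hold the zone's
                                        # K*.key and K*.private files,
                                        # readable by the named user
        auto-dnssec maintain;
};
```

With this in place, changes go in through nsupdate with the "corp" key and named signs them, so the freeze/sign/thaw cycle is no longer part of routine edits.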