dnssec (re)signing and journaling

Mark Andrews marka at isc.org
Fri Dec 14 01:16:06 UTC 2018


inline-signing is optional.  It all depends on how you want to maintain the zone.

I prefer doing all the changes over nsupdate.  Not editing the master file by hand
removes a set of operator errors.

Mark

> On 14 Dec 2018, at 12:07 pm, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> 
> Yes, I did. 
>        key-directory "keys/";
>        inline-signing yes;       <----- is this not required ?
>        auto-dnssec maintain;
> 
> 
> On Fri, Dec 14, 2018 at 11:05 AM Mark Andrews <marka at isc.org> wrote:
> Sounds like you added inline-signing yes;
> 
> > On 14 Dec 2018, at 12:02 pm, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> > 
> > I have answered my own question, yes it does, thank you! (after removing the xxxx.signed in named.conf, else auto signing does xxxx.signed.signed  :-)
> > 
> > Thank you Mark!    
> > 
> > On Fri, Dec 14, 2018 at 10:50 AM Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> > That seems simpler than what we once tried, OK we add that now. Thanks.
> > 
> > And if we need to modify the zone file itself to make a change, rndc reload will do all this or do we need to
> > dnssec-signzone -a -e +secondshere -K keys/ -N INCREMENT xxxxxxx.com  freeze/thaw? etc like for new zone?
> > 
> > On Fri, Dec 14, 2018 at 10:42 AM Mark Andrews <marka at isc.org> wrote:
> > auto-dnssec maintain;
> > 
> > > On 14 Dec 2018, at 11:39 am, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> > > 
> > > 
> > > zone "xxxxxxxx.com" {
> > >         type master;
> > >         allow-transfer { sysops; slaves; };
> > >         file "xxxxxxxxxx.signed";
> > >         allow-query { any; };
> > >         allow-update { key "corp"; };
> > > };
> > >   
> > > This is what we use now, so by dynamic update we are doing yes?
> > > 
> > > And now we need just have named do automatic (re)signing? 
> > > Last time we tried, we kept killing our domain so Google failed us; do you know of a valid reference URL that is clear? That would be good.
> > > Thanks
> > > 
> > > On Fri, Dec 14, 2018 at 10:24 AM Mark Andrews <marka at isc.org> wrote:
> > > The best way is to configure your zone for dynamic updates and let named
> > > automatically resign the zone as needed.
> > > 
> > > > On 14 Dec 2018, at 11:13 am, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> > > > 
> > > > Hi,
> > > > What is the best practice for signing/re-signing zones with journal?
> > > > 
> > > > We manually resign our domain, and use journaling; resigning is a PIA.
> > > > If we forget to thaw, the zone bails and stays unloaded because of a journal roll-forward error, which brings the question why? Since the resolution to this is to stop named, remove the journal file and restart, could named and rndc not be smarter in these instances? Or at the very least, reload the zone from file so at least it does not take unsuspecting people off air.
> > > > 
> > > > So, the way we (try to remember to) do it is:
> > > > (modify zonefile if need)
> > > > rndc freeze
> > > > dnssec-signzone  -options
> > > > rndc thaw
> > > > 
> > > > or is there a better way? it is the freeze/thaw we keep forgetting :-!
> > > > 
> > > 
> > > -- 
> > > Mark Andrews, ISC
> > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> > > 
> > 
> 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
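As an added example (not part of this thread and not ISC's own code), here is the workflow Mark recommends put into a small shell script: a zone stanza that lets named keep the zone signed by itself (`auto-dnssec maintain;` plus `allow-update`), and an nsupdate batch that changes a record without any `rndc freeze`/`dnssec-signzone`/`rndc thaw` step. The zone name `example.com`, the server address, the key file path `/etc/bind/keys/corp.key` and the sample record are all assumptions made for the example; the TSIG key name `corp` is taken from the stanza quoted earlier in the thread.

```shell
#!/bin/sh
# Added example for the bind-users thread above; not ISC code.
# Assumptions: zone example.com, named listening on 127.0.0.1,
# TSIG key "corp" stored in /etc/bind/keys/corp.key (hypothetical path).

ZONE="example.com"
SERVER="127.0.0.1"
KEYFILE="/etc/bind/keys/corp.key"

# Zone stanza matching the recommendation in the thread: the zone accepts
# dynamic updates and named re-signs whatever changes, so the operator never
# runs dnssec-signzone by hand. inline-signing is optional here; if it is
# enabled, named writes "<file>.signed" itself, so "file" must name the
# unsigned master file (the ".signed.signed" problem mentioned above).
zone_stanza() {
  cat <<EOF
zone "$ZONE" {
    type master;
    file "$ZONE.db";
    key-directory "keys/";
    auto-dnssec maintain;
    allow-update { key "corp"; };
    allow-transfer { key "corp"; };
};
EOF
}

# Build an nsupdate batch that replaces one RRset.
# $1 = owner name, $2 = TTL, $3 = RR type, $4 = rdata
build_update() {
  printf 'server %s\nzone %s\nupdate delete %s %s\nupdate add %s %s %s %s\nsend\n' \
    "$SERVER" "$ZONE" "$1" "$3" "$1" "$2" "$3" "$4"
}

# Send the batch to named with the TSIG key. If nsupdate is not installed
# (e.g. when reading this offline) the batch is printed instead of applied.
apply_update() {
  batch=$(build_update "$@")
  if command -v nsupdate >/dev/null 2>&1; then
    printf '%s\n' "$batch" | nsupdate -k "$KEYFILE"
  else
    printf '%s\n' "$batch"
  fi
}

# Usage (constructed sample record):
#   apply_update www.example.com 300 A 192.0.2.10
# Afterwards, check that named re-signed the RRset:
#   dig @127.0.0.1 www.example.com A +dnssec +multi
```

After an update, `dig ... +dnssec` should show a fresh RRSIG over the changed RRset and `rndc signing -list example.com` shows the keys named is using; no journal removal or restart is involved because the change went through the journal the normal way. Note that `auto-dnssec` is the mechanism current in BIND 9.11, the version in use when this thread was written; newer BIND releases replace it with `dnssec-policy`, but the nsupdate side of the workflow is unchanged.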


