dnssec (re)signing and journaling

Edwardo Garcia wdgarc88 at gmail.com
Fri Dec 14 01:18:30 UTC 2018


Ok, thanks.

On Fri, Dec 14, 2018 at 11:16 AM Mark Andrews <marka at isc.org> wrote:

> inline-signing is optional.  It all depends on how you want to maintain
> the zone.
>
> I prefer doing all the changes over nsupdate.  Not editing the master file
> by hand removes a set of operator errors.
>
> Mark
>
> > On 14 Dec 2018, at 12:07 pm, Edwardo Garcia <wdgarc88 at gmail.com> wrote:
> >
> > Yes, I did.
> >        key-directory "keys/";
> >        inline-signing yes;       <----- is this not required ?
> >         auto-dnssec maintain;
> >
> >
> > On Fri, Dec 14, 2018 at 11:05 AM Mark Andrews <marka at isc.org> wrote:
> > Sounds like you added inline-signing yes;
> >
> > > On 14 Dec 2018, at 12:02 pm, Edwardo Garcia <wdgarc88 at gmail.com>
> wrote:
> > >
> > > I have answered my own Question, yes it does, thank you! (after
> > > removing the xxxx.signed in named.conf, else auto signing does
> > > xxxx.signed.signed  :-)
> > >
> > > Thank you Mark!
> > >
> > > On Fri, Dec 14, 2018 at 10:50 AM Edwardo Garcia <wdgarc88 at gmail.com>
> wrote:
> > > That seems simpler than what we once tried; OK, we will add that now. Thanks.
> > >
> > > And if we need to modify the zone file itself to make a change, will rndc
> > > reload do all this, or do we need to run
> > > dnssec-signzone -a -e +secondshere -K keys/ -N INCREMENT xxxxxxx.com
> > > and freeze/thaw etc. like for a new zone?
> > >
> > > On Fri, Dec 14, 2018 at 10:42 AM Mark Andrews <marka at isc.org> wrote:
> > > auto-dnssec maintain;
> > >
> > > > On 14 Dec 2018, at 11:39 am, Edwardo Garcia <wdgarc88 at gmail.com>
> wrote:
> > > >
> > > >
> > > > zone "xxxxxxxx.com" {
> > > >         type master;
> > > >         allow-transfer { sysops; slaves; };
> > > >         file "xxxxxxxxxx.signed";
> > > >         allow-query { any; };
> > > >         allow-update { key "corp"; };
> > > > };
> > > >
> > > > This is what we use now, so we are doing dynamic updates, yes?
> > > >
> > > > And now we just need to have named do automatic (re)signing?
> > > > Last time we tried, we kept killing our domain so Google failed us; do
> > > > you know of a valid reference URL that is clear? That would be good.
> > > > Thanks
> > > >
> > > > On Fri, Dec 14, 2018 at 10:24 AM Mark Andrews <marka at isc.org> wrote:
> > > > The best way is to configure your zone for dynamic updates and let named
> > > > automatically resign the zone as needed.
> > > >
> > > > > On 14 Dec 2018, at 11:13 am, Edwardo Garcia <wdgarc88 at gmail.com>
> wrote:
> > > > >
> > > > > Hi,
> > > > > What is the best practice for signing/re-signing zones with a
> > > > > journal?
> > > > >
> > > > > We manually resign our domain and use journaling; resigning is a PIA.
> > > > > If we forget to thaw, the zone bails and stays unloaded because of a
> > > > > journal roll-forward error, which brings up the question why? Since the
> > > > > resolution to this is to stop named, remove the journal file and restart,
> > > > > could named and rndc not be smarter in these instances? Or at the very
> > > > > least, reload the zone from file so at least it does not take unsuspecting
> > > > > people off air.
> > > > >
> > > > > So, the way we (try to remember to) do it is:
> > > > > (modify zonefile if need)
> > > > > rndc freeze
> > > > > dnssec-signzone  -options
> > > > > rndc thaw
> > > > >
> > > > > or is there a better way? it is the freeze/thaw we keep forgetting :-!
> > > > >
> > > >
> > > > --
> > > > Mark Andrews, ISC
> > > > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > > > PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> > > >
>
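As an added example that is not part of this thread and not ISC's code: a small POSIX sh wrapper for the two ways of changing a zone that named signs itself. The zone name example.com, the server address 127.0.0.1, the key file path /etc/bind/corp.key and the script name dnssec-change.sh are assumptions; the named.conf stanza in the comment follows what the thread converged on, with the file pointed at the unsigned master (the xxxx.signed.signed symptom above comes from pointing it at the already-signed file).

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC. It assumes a zone that
# named signs itself, i.e. a named.conf stanza along the lines of the one the
# thread converged on (zone name, key name and paths are placeholders):
#
#   zone "example.com" {
#       type master;
#       file "example.com.db";          # the UNSIGNED master file, not *.signed
#       key-directory "keys/";
#       auto-dnssec maintain;
#       inline-signing yes;             # optional
#       allow-update { key "corp"; };
#   };
set -eu

ZONE="${ZONE:-example.com}"                         # placeholder zone
SERVER="${SERVER:-127.0.0.1}"                       # assumed: named listens locally
TSIG_KEYFILE="${TSIG_KEYFILE:-/etc/bind/corp.key}"  # assumed path for key "corp"

# Preferred path: send the change as a dynamic update over TSIG. named writes
# it to the journal and re-signs the affected names on its own; there is no
# freeze, no dnssec-signzone and no thaw to forget.
add_txt_record() {
    name=$1
    value=$2
    nsupdate -k "$TSIG_KEYFILE" <<EOF
server $SERVER
zone $ZONE
update add $name.$ZONE. 300 IN TXT "$value"
send
EOF
}

# Fallback for the rare case where the master file must be edited by hand on
# a dynamic zone. The thaw is issued from an EXIT trap inside a subshell, so it
# runs whether the edit command succeeds, fails or is interrupted; that is the
# "forgot to thaw, journal roll-forward error, zone stays unloaded" failure
# mode from the thread. The edit command's exit status is preserved.
edit_frozen() {
    (
        rndc freeze "$ZONE"
        trap 'rc=$?; rndc thaw "$ZONE"; exit $rc' EXIT
        "$@"
    )
}

# Usage (script name is an assumption):
#   ZONE=example.com ./dnssec-change.sh add-txt _probe "hello"
#   ZONE=example.com ./dnssec-change.sh edit vi /var/named/example.com.db
case "${1:-}" in
    add-txt) add_txt_record "$2" "$3" ;;
    edit)    shift; edit_frozen "$@" ;;
    *)       : ;;   # no arguments: only define the functions
esac
```

The subshell plus EXIT trap is the whole point of edit_frozen: once `rndc freeze` has run, the thaw no longer depends on the operator remembering it, so the zone cannot be left frozen with a stale journal. Under the nsupdate path no freeze is needed at all, which is why the thread recommends it.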