Followup: BIND 9.10.6-P1 dnssec update zone A record

Douglas C. Stephens stephens at ameslab.gov
Thu Mar 29 21:17:23 UTC 2018



Kim,

I run BIND 9.11 so this might or might not translate down to BIND 9.10.

When this happens to me, I run "rndc zonestatus <zonename>" on it.
Then I look for the "serial:" and "signed serial:" values.

Normally, you would be correct in only needing to increment the
unsigned SOA serial to at least +1 larger than the "serial:" value
shown by the above output.  Sometimes, however, to make BIND load the
update, I need to increase the SOA serial in the unsigned zone file to
be higher than the SOA serial of the signed zone file.  Then run "rndc
reload <zonename>".

Another thing to check is whether you're actually checking the zone
serial of a slave instead of at the master BIND doing the signing.  If
so, are they higher than the signed zone serial at your master?

Also, something that looks odd to me compared with my live running
config is your "file" line.  Does that "domain.com.signed" filespec
actually point to the BIND-maintained .signed file, or does it mean
something else?  If the latter, then I would guess you have a
"domain.com.signed.signed" file alongside it which is the one
maintained by BIND.

I'm also using "auto-dnssec maintain" and "inline-signing yes", but my
zone "file" points to my unsigned zone file, while the .signed version
(and its .signed.jnl) is wholly created and maintained by BIND.

Hope this helps.


On 3/29/2018 3:15 PM, Kim Culhan wrote:
> Some additional info here, from named.conf, dnssec config:
> 
> options { directory "/var/named"; [lines omitted] dnssec-validation
> auto; managed-keys-directory "/var/named/keys";
> 
> From the zone section;
> 
> file "domain.com.signed"; key-directory "/var/named/keys/domain.com";
> auto-dnssec maintain; inline-signing yes;
> 
> Zone file is in /var/named
> 
> Sorry did not include this in the original post.
> 
> thanks -kim

-- 
Douglas C. Stephens		| Network Systems Analyst
Enterprise Information Services | Phone: (515) 294-6102
Ames Laboratory, US DOE         | Email: stephens at ameslab.gov
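An added helper, not part of this thread, that applies the serial rule from the reply above to "rndc zonestatus" output and flags the "domain.com.signed.signed" situation; the sample status text is constructed, and its field layout is an assumption modelled on BIND 9.11 (only "serial:" and "signed serial:" are used).

```shell
#!/bin/sh
# Constructed sample of "rndc zonestatus <zone>" output (field layout
# assumed from BIND 9.11; only the two serial lines matter here).
SAMPLE_STATUS='name: example.com
type: master
files: example.com
serial: 2018032901
signed serial: 2018032905
secure: yes
inline signing: yes
key maintenance: automatic'

# Print the numeric value of field $1 ("serial" or "signed serial")
# from zonestatus text on stdin. The ^ anchor keeps "serial:" from
# also matching the "signed serial:" line.
serial_field() {
    sed -n "s/^$1: *\([0-9][0-9]*\)\$/\1/p" | head -n 1
}

# Print the SOA serial to put in the unsigned zone file before
# "rndc reload <zone>": one more than the larger of the loaded serial
# and the signed serial, so named cannot treat the reload as stale.
recommend_serial() {
    unsigned=$(printf '%s\n' "$1" | serial_field serial)
    signed=$(printf '%s\n' "$1" | serial_field 'signed serial')
    [ -n "$unsigned" ] && [ -n "$signed" ] || return 1
    if [ "$unsigned" -gt "$signed" ]; then
        echo $((unsigned + 1))
    else
        echo $((signed + 1))
    fi
}

# Return 1 when the zone "file" value ($2, relative to the named
# "directory" $1) already ends in .signed and a further .signed sibling
# exists: named is then maintaining that sibling, not the file you edit.
check_signed_file() {
    case $2 in
        *.signed) [ -e "$1/$2.signed" ] && return 1 ;;
    esac
    return 0
}

recommend_serial "$SAMPLE_STATUS"   # prints 2018032906
```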

