Bind9 forward/reverse zones with multiple TSIG keys

ObNox obnox3 at gmail.com
Fri Feb 1 15:31:09 UTC 2019


On 29/01/2019 17:26, Grant Taylor via bind-users wrote:

Sorry for the late replies, I'm drowning with all the stuff I have to do 
and running late on every project.

>> For that to work, I need to make sure every separated component works 
>> as expected when configured separately.
> 
> Ah, yes.  The joys / perils of testing discrete units individually and 
> then start plugging them together like Legos and making sure that things 
> still work.

I always use this method. It's way slower but I end up having a better 
understanding of each component and I know why it works (instead of 
being surprised it works :))

> I'm wondering if you're being bitten by something that got me years ago 
> when I first started messing with dynamic zones that allowed updates.
> 
> In short, when dynamic updates are enabled, BIND will make changes to a 
> journal file (which I think is binary).  You have to "freeze" and 
> "flush" the zone to be able to make it to the text file.

Indeed you nailed it! The minute I activate the "allow-update { key XXX; 
};" statement, "rndc reload" does not reload the zones even if the 
contents were updated the proper way.

I have to "freeze" + "thaw" to see them properly (re)loaded!

> So I'm guessing that your change wasn't detected because you 
> transitioned to dynamic updates ~> journal file at the same time (or 
> apparently) before BIND loaded the new zone.  Thus the journal ~> BIND 
> was using the old version of the zone file.

The journal data, at this point, must be memory-only because no journal 
file is written upon "rndc reload" after the dynamic updates transition.

> I've found that I do most of my zone administration via nsupdate on the 
> DNS server using the local key & socket.

I'll be using nsupdate only in the future but you know, the "test each 
component first" strategy bites you in the ass. In this case, it looked 
like some bug was triggered where in reality, there was nothing...

> If BIND did do what I'm thinking, then your edits were functionally 
> lost.  (Technically they may still be in the text file.)

Good catch, Bind did what you were thinking, you wizard :)

> Good luck.

I don't need luck, I need people who know! And that's what I had, so 
thank you :)

-- 
ObNox
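The freeze / edit / thaw workflow the thread settles on, as an added example that is not code from the list post: it assumes rndc and named-checkzone are on PATH (overridable through RNDC and CHECKZONE), that the caller supplies the zone name, file path and an edit command, and that the edit command bumps the SOA serial itself.

```shell
#!/bin/sh
# Added example, not from the thread: hand-edit a zone that has
# allow-update enabled without the edit being lost to the journal.
# Assumes rndc and named-checkzone on PATH (override with RNDC / CHECKZONE)
# and that EDIT_CMD bumps the SOA serial in the file it edits.
set -eu
RNDC=${RNDC:-rndc}
CHECKZONE=${CHECKZONE:-named-checkzone}

# edit_dynamic_zone ZONE FILE EDIT_CMD [ARGS...]
#   rndc freeze ZONE  : BIND writes the journal into FILE and refuses
#                       dynamic updates until the zone is thawed
#   EDIT_CMD ... FILE : the caller's edit of the text file
#   named-checkzone   : reject a broken file before BIND loads it
#   rndc thaw ZONE    : BIND reloads FILE and accepts updates again
# The thaw is unconditional, so a failed edit never leaves the zone
# frozen; a rejected edit is restored from the backup copy first.
# Returns 0 on success, 1 if EDIT_CMD failed, 2 if the zone check failed.
edit_dynamic_zone() {
    zone=$1; file=$2; shift 2
    cp "$file" "$file.bak"
    "$RNDC" freeze "$zone"
    status=0
    if ! "$@" "$file"; then
        status=1
    elif ! "$CHECKZONE" -q "$zone" "$file"; then
        status=2
    fi
    [ "$status" -eq 0 ] || cp "$file.bak" "$file"
    "$RNDC" thaw "$zone"
    return "$status"
}
```

Call it as `edit_dynamic_zone example.test /var/named/example.test.db your_edit_function` (constructed names); a plain `rndc reload` in place of the thaw would show exactly the symptom described above.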

