Freeze/thaw and signed zone files

Grant Taylor gtaylor at tnetconsulting.net
Thu Feb 21 20:41:11 UTC 2019


On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
> I edited a zone file after issuing a rndc freeze command, added two new 
> sub zones, changed the serial number, saved the file, and then did an 
> rndc thaw.

I don't see an "rndc flush <zone>" in there.

Which means that BIND likely still has the journal of the zone.  And 
BIND prefers the journal over the actual textual representation of the zone.

> zone serial (2019020105) unchanged. zone may fail to transfer to slaves.
> 
> which is the previous serial number.

I would expect this if you edited the zone file and the journal file 
wasn't flushed.

> So, I tried to move the .signed file aside, thinking maybe thaw might 
> recreate it, but no, it complains the file doesn’t exist, so I put 
> it back.

I don't think this is related to DNSSEC.

> Is it possible for me to edit the zone file (as in with vim) and have 
> bind update, or do I have to do everything through nsupdate and never 
> access the zone files directly?

Yes, it is certainly possible to edit zone files outside of BIND's control.

rndc freeze $ZONE
rndc flush $ZONE
$EDITOR $ZONE
rndc thaw $ZONE

I don't recall if reloading or thawing will automatically re-sign the 
zone or if you need to also explicitly "rndc sign $ZONE".

> At this point, how do I get the zone updated?

Use the method above, or some sort of dynamic update.

> If I try to dig for the new subdomains that are in the zone, they do 
> not resolve, and all the information in DNS is the information that was 
> there on 21090201.

That sounds like the old contents of the zone which are still in the 
journal file.

> I am currently updating to bind912-9.12.3P1_3 to see if anything changes.

I don't think changing the BIND version will change anything.



-- 
Grant. . . .
unix || die
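
The "zone serial (2019020105) unchanged" warning quoted in the message above can be caught before thawing by comparing the serial in the edited file with the one the server still answers with. The script below is an added example, not part of the original thread or of BIND; the function names, example.test and the sample zone are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-thaw check that a hand-edited zone file carries a newer
# SOA serial than the one the server still answers with.

# Print the SOA serial found in master file $1. Comments are dropped and
# parentheses ignored, so single-line and multi-line SOA records both work.
zone_file_serial() {
    sed 's/;.*//' "$1" | tr '()' '  ' | tr -s ' \t\n' '\n\n\n' |
        awk 'found && ++n == 3 { print; exit }   # after SOA: mname rname serial
             toupper($0) == "SOA" { found = 1 }'
}

# RFC 1982 serial arithmetic: succeed when $1 is newer than $2 modulo 2^32.
serial_gt() {
    diff=$(( ($1 - $2) & 4294967295 ))
    [ "$diff" -ne 0 ] && [ "$diff" -lt 2147483648 ]
}

# Succeed when the serial in file $1 is newer than the served serial $2.
# On a live server $2 could come from (assumed zone and address):
#   dig +short SOA example.test @127.0.0.1 | awk '{print $3}'
serial_bumped() {
    new=$(zone_file_serial "$1")
    [ -n "$new" ] && serial_gt "$new" "$2"
}

# Constructed sample zone; the serial is the one quoted in the warning.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
$TTL 3600
@ IN SOA ns1.example.test. hostmaster.example.test. (
        2019020105 ; serial, not bumped after the edit
        7200 3600 1209600 3600 )
@   IN NS ns1.example.test.
new IN A  192.0.2.10
EOF

if serial_bumped "$sample" 2019020105; then
    echo "file serial is newer than the served one"
else
    echo "serial $(zone_file_serial "$sample") is not newer than the served one"
fi
```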
