Freeze/thaw and signed zone files
kremels at kreme.com
Thu Feb 21 21:03:50 UTC 2019
> On 21 Feb 2019, at 13:41, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
>> I edited a zone file after issuing a rndc freeze command, added two new sub zones, changed the serial number, saved the file, and then did an rndc thaw.
> I don't see an "rndc flush <zone>" in there.
OK, but rndc flush example.com results in:
rndc: 'flush' failed: not found
> rndc freeze $ZONE
> rndc flush $ZONE
> $EDITOR $ZONE
> rndc thaw $ZONE
Other than the flush, that is what I did.
> I don't recall if reloading or thawing will automatically re-sign the zone or if you need to also explicitly "rndc sign $ZONE".
Sign recreates the .jnl file, but doesn’t touch the .signed file.
Doing the following recreated the .signed file, but still didn’t add the new subdomains.
Freeze, flush, edit, thaw,
Then service named stop, service named start.
Had a previous subdomain gallery and it is listed in both the zone file and the signed file
gallery CNAME www
gallery CNAME www
Added a new sub zone, cam
cam CNAME www
This matches up with the results from dig. So, now I do have a .signed file that has the serial number updated to match the zone file, but still doesn’t contain the new sub zones.
So, I did the whole dance again. Freeze, flush, edit (change serial, add another subdomain, thaw, stop/start). Nothing. But the time stamp on the .signed file changes.
And I misspoke earlier, the serial number in the signed file’s SOA didn’t change, but the serial numbers/dates in the RRSIG did update.
This wasn't a proper land. The sky was blue, not flaming with all the
colours of the aurora. And time was passing. To a creature not born
subject to time, it was a sensation not unakin to falling. --Lords and
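
An added example, not part of the original message or of BIND: a small Python check for the symptom described above. It lists owner names that are in the edited zone file but absent from the signed copy, and reports both SOA serials. It assumes both files are in text master-file form (a .signed file stored in raw format has to be converted to text first); the function names, the zone data and the RRSIG value are constructed for illustration.

```python
import re
CLASS_OR_TTL = re.compile(r"^(IN|\d+[smhdw]?)$", re.I)

def parse_zone(text, origin):
    """Return (SOA serial, set of absolute owner names) from master-file text."""
    origin = origin.rstrip(".").lower() + "."
    text = re.sub(r";[^\n]*", "", text)  # drop comments (assumes no quoted ';')
    # Fold a parenthesised multi-line record (typically the SOA) onto one line.
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    serial, owners, last = None, set(), None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue  # blank line or directive ($ORIGIN changes are not handled)
        if line[0] in " \t":
            owner = last  # a blank owner field repeats the previous owner
        else:
            owner = fields.pop(0).lower()
            if not owner.endswith("."):
                owner = origin if owner == "@" else f"{owner}.{origin}"
        last = owner
        while fields and CLASS_OR_TTL.match(fields[0]):
            fields.pop(0)  # skip optional TTL and class
        if not fields or owner is None:
            continue
        owners.add(owner)
        if fields[0].upper() == "SOA":
            serial = int(fields[3])  # SOA mname rname serial ...
    return serial, owners

def signed_zone_drift(unsigned_text, signed_text, origin):
    """Compare the edited zone with a text dump of its signed copy."""
    u_serial, u_names = parse_zone(unsigned_text, origin)
    s_serial, s_names = parse_zone(signed_text, origin)
    return {"unsigned_serial": u_serial, "signed_serial": s_serial,
            "missing_from_signed": sorted(u_names - s_names)}

# Constructed sample data modelled on the situation in the message.
UNSIGNED = """@ IN SOA ns1 hostmaster ( 2019022102 ; serial
    3600 900 604800 3600 )
  IN NS ns1
www     A 192.0.2.1
gallery CNAME www
cam     CNAME www"""
SIGNED = """@ IN SOA ns1 hostmaster 2019022101 3600 900 604800 3600
www     A 192.0.2.1
gallery CNAME www
gallery RRSIG CNAME 8 3 3600 20190323000000 20190221000000 12345 example.com. c2FtcGxl"""
print(signed_zone_drift(UNSIGNED, SIGNED, "example.com"))
```

Hashed NSEC3 owner names in a signed dump only ever appear as extra names on the signed side, so they do not affect the "missing_from_signed" list.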