Freeze/thaw and signed zone files

@lbutlr kremels at
Thu Feb 21 21:03:50 UTC 2019

> On 21 Feb 2019, at 13:41, Grant Taylor via bind-users <bind-users at> wrote:
> On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
>> I edited a zone file after issuing a rndc freeze command, added two new sub zones, changed the serial number, saved the file, and then did an rndc thaw.
> I don't see an "rndc flush <zone>" in there.

OK, but rndc flush results in:

rndc: 'flush' failed: not found

> rndc freeze $ZONE
> rndc flush $ZONE
> rndc thaw $ZONE

Other than the flush, that is what I did.

> I don't recall if reloading or thawing will automatically re-sign the zone or if you need to also explicitly "rndc sign $ZONE".

Sign recreates the .jnl file, but doesn’t touch the .signed file.

Doing the following recreated the .signed file, but still didn’t add the new subdomains.

Freeze, flush, edit, thaw, 

Then service named stop, service named start.

Had a previous subdomain gallery and it is listed in both the zone file and the signed file 

gallery                 CNAME   www

gallery                 CNAME   www

Added a new sub zone, cam

cam                     CNAME   www


This matches up with the results from dig. So, now I do have a .signed file that has the serial number updated to match the zone file, but still doesn’t contain the new sub zones.

So, I did the whole dance again. Freeze, flush, edit (change serial, add another subdomain, thaw, stop/start). Nothing. But the time stamp on the .signed file changes. 

And I misspoke earlier, the serial number in the signed file’s SOA didn’t change, but the serial numbers/dates in the RRSIG did update.

This wasn't a proper land. The sky was blue, not flaming with all the
colours of the aurora. And time was passing. To a creature not born
subject to time, it was a sensation not unakin to falling. --Lords and
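
One way to confirm the symptom reported in this message (records present in the zone file but absent from the .signed file, and a signed SOA serial that lags), as an added example that is not part of the original post. The zone contents, names and serials are constructed, and the parser assumes both files are in text form with one record per line.

```python
# Constructed sample data modelled on the records quoted in the post.
ZONE = """\
$TTL 3600
@       IN SOA  ns1.example.com. admin.example.com. ( 2019022102 3600 900 604800 3600 )
@       NS      ns1
www     A       192.0.2.10
gallery CNAME   www
cam     CNAME   www
"""
SIGNED = """\
$TTL 3600
@       IN SOA  ns1.example.com. admin.example.com. ( 2019022101 3600 900 604800 3600 )
@       NS      ns1
www     A       192.0.2.10
www     RRSIG   A 8 3 3600 20190323000000 20190221000000 12345 example.com. c2FtcGxl
gallery CNAME   www
"""

def parse(text):
    """Return (soa_serial, {(owner, type)}) from one-record-per-line zone text."""
    serial, records, owner = None, set(), None
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()      # drop comments
        if not line or line.startswith("$"):       # skip blanks and $TTL/$ORIGIN
            continue
        fields = line.split()
        if not line[0].isspace():                  # leading blank = same owner as before
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                          # optional TTL and class
        if not fields:
            continue
        rtype = fields[0].upper()
        if rtype == "SOA":                         # serial is the first numeric SOA field
            serial = int([f for f in fields[1:] if f.isdigit()][0])
        records.add((owner, rtype))
    return serial, records

def compare(zone_text, signed_text):
    """Report zone records that never made it into the signed copy."""
    zone_serial, zone_records = parse(zone_text)
    signed_serial, signed_records = parse(signed_text)
    return {
        "zone_serial": zone_serial,
        "signed_serial": signed_serial,
        "serial_behind": signed_serial < zone_serial,
        "missing": sorted(zone_records - signed_records),
    }

if __name__ == "__main__":
    print(compare(ZONE, SIGNED))
```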
