Freeze/thaw and signed zone files

Tony Finch dot at
Fri Feb 22 19:12:49 UTC 2019

@lbutlr via bind-users <bind-users at> wrote:
> On 22 Feb 2019, at 09:54, Tony Finch <dot at> wrote:
> > You might want a config like
> >
> > 	zone "" {
> > 		type master;
> > 		file "master/";
> Not

No, in inline-signing mode the zone you interact with is the unsigned
version; the signed version belongs entirely to `named` and you don't
touch it.

> > Alternatively, with your current config you can update the zone using
> > like this:
> >
> > 	nsdiff master/ | nsupdate -l
> Where the second one of those is my file?

No, the unsigned file, as I said. `nsdiff` works out the differences
between the current live version of (which it fetches by AXFR)
and the new version (on disk in `master/`) and produces a
script for `nsupdate` that will make the live (signed) version match. Your
config says the live version is in `master/`.

It works in a similar way to inline-signing mode, except you have more
control over how changes propagate from the unsigned version to the signed

> Is nsdiff a separate package? It’s not on my FreeBSD 11.2 system with Bind 9.12

Get it from the link above, if you want :-)

f.anthony.n.finch  <dot at>
Portland, Plymouth, Biscay, East Fitzroy: Southeasterly 4 or 5, occasionally 6
in Plymouth and Fitzroy, becoming variable 3 or 4 later. Moderate or rough,
occasionally very rough except in Portland. Fair, but rain in Fitzroy. Good,
occasionally poor.
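
Added example, not part of the original message and not nsdiff's own code: a minimal Python sketch of the diff-to-`nsupdate` idea described above, showing why the signer's records must be left out of the comparison. The zone name `example.org`, the sample records, the function names and the list of skipped types are assumptions made for this illustration.

```python
# Added illustration, not nsdiff's source code. Inputs are constructed text in
# "name ttl class type rdata" form, one record per line, as `dig axfr` prints.

# Assumption of this example: named's signer owns these types (and the SOA
# serial), so the unsigned file never drives changes to them.
SKIP_TYPES = {"SOA", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}

def parse(text):
    """Return a set of (name, ttl, type, rdata) tuples, minus skipped types."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype.upper() not in SKIP_TYPES:
            records.add((name.lower(), int(ttl), rtype.upper(), " ".join(rdata.split())))
    return records

def update_script(live_text, wanted_text, zone):
    """Build nsupdate input that turns the live record set into the wanted one."""
    live, wanted = parse(live_text), parse(wanted_text)
    lines = [f"zone {zone}"]
    # Deletions first: a TTL change shows up as delete-old plus add-new.
    for name, _ttl, rtype, rdata in sorted(live - wanted):
        lines.append(f"update delete {name} {rtype} {rdata}")
    for name, ttl, rtype, rdata in sorted(wanted - live):
        lines.append(f"update add {name} {ttl} {rtype} {rdata}")
    if len(lines) == 1:
        return ""  # zones already match; nothing to send
    return "\n".join(lines + ["send"]) + "\n"

# Constructed sample: the signed live zone versus the edited unsigned file.
LIVE = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2019022201 3600 900 604800 3600
example.org. 3600 IN NS ns1.example.org.
example.org. 3600 IN DNSKEY 257 3 13 a2V5
example.org. 3600 IN RRSIG NS 13 2 3600 20190324000000 20190222000000 12345 example.org. c2ln
www.example.org. 3600 IN A 192.0.2.10
old.example.org. 300 IN A 192.0.2.99
"""
WANTED = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2019022202 3600 900 604800 3600
example.org. 3600 IN NS ns1.example.org.
www.example.org. 300 IN A 192.0.2.10
mail.example.org. 3600 IN A 192.0.2.25
"""

if __name__ == "__main__":
    print(update_script(LIVE, WANTED, "example.org"), end="")
```

Without the skip list, the comparison would emit deletions for every DNSKEY and RRSIG in the live zone, because the unsigned file contains none of them.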