DNSSEC zones not updated

Jukka Pakkanen jukka.pakkanen at qnet.fi
Wed Jan 22 12:29:33 UTC 2020

And we also get, after a change and a reload, the "secure_serial: not exact" error, of course because the signed zone is not in sync with the non-signed one anymore. So I guess the question is why it is not signing automatically after updates to the zone.

From: jukka.pakkanen at qnet.fi <jukka.pakkanen at qnet.fi>
Sent: Wednesday, January 22, 2020 1:13:11 PM
To: Ondřej Surý <ondrej at isc.org>
Cc: bind-users at isc.org <bind-users at isc.org>
Subject: Re: DNSSEC zones not updated

Yes, we have, quite several times by now, when trying to find the culprit. Also the whole Windows 2019 server. And it is not only this domain/zone, but all of them.

From: Ondřej Surý <ondrej at isc.org>
Sent: Wednesday, January 22, 2020 1:08:22 PM
To: Jukka Pakkanen <jukka.pakkanen at qnet.fi>
Cc: bind-users at isc.org <bind-users at isc.org>
Subject: Re: DNSSEC zones not updated

Did you try stopping BIND, removing journal files and then starting BIND again?

If the signed copy of the zone got corrupted in the memory, you might be dumping the corrupted version on disk again with `rndc reload`.

Ondřej Surý
ondrej at isc.org

> On 22 Jan 2020, at 12:11, Jukka Pakkanen <jukka.pakkanen at qnet.fi> wrote:
> Running BIND 9.14.9 Windows. The zone data is not updated for some reason anymore, and same problem in all our signed zones. Example "gemtrade.fi":
> zone "gemtrade.fi" {
>     type master;
>     file "named.gemtrade";
>     inline-signing yes;
>     auto-dnssec maintain;
> };
> ;
> ;    File:      named.gemtrade
> ;
> $TTL 60
> @        IN SOA    ns1.qnet.fi. helpdesk.qnet.fi. (
>               202001234  ; serial number
>               28800      ; refresh every 12 hours
>               7200       ; retry after 2 hours
>               604800     ; expire after 2 weeks
>               33600)     ; default ttl is 2 days
> gemtrade.fi.        IN A
>                              IN MX     55 qntsrv8.qnet.fi.
>                 IN MX     25 qntsrv9.qnet.fi.
>                              IN NS     ns1.qnet.fi.
>                              IN NS     ns2.qnet.fi.
>                              IN NS     ns3.qnet.fi.
> www             IN A   
> _autodiscover._tcp      IN SRV    0 5 443 mail.qnet.fi.
> localhost.gemtrade.fi.       IN A
> Used to work fine, now no matter what change I make to the zone file and reload, it does not show up in queries, but the old data, weeks behind. The SOA & serial numbers *are* updating in the queries, but the actual records are not. For example the MX records: currently I have priorities 55 and 25, still queries return the old 20 and 20. Same with any records, the changes do not get updated.
> Deleting the .jnl file does not help, after "rndc reload gemtrade.fi" a new .jnl file is created, but queries still return old data.
> The named process has all possible rights in the file structure.
> What might be wrong?

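A check for the symptom in the original question, where the SOA serial moves but the answers stay old: compare the RRset in the unsigned zone file with the RRset the server actually returns, instead of comparing serials. This is an added example, not code from the thread or from BIND; the function names and the sample `dig +short` output (old priorities 20 and 20, hostnames assumed unchanged) are constructed.

```python
# Added example (not from the thread): diff an RRset in the unsigned zone file
# against served answers. Handles "@", relative/absolute owners, blank-owner
# continuation lines and a parenthesised SOA; not ";" inside TXT data or "1h" TTLs.

# Constructed from the zone in the post, trimmed to a few records.
ZONE_TEXT = """\
$TTL 60
@        IN SOA    ns1.qnet.fi. helpdesk.qnet.fi. (
              202001234  ; serial number
              28800 7200 604800 33600 )
gemtrade.fi.    IN MX     55 qntsrv8.qnet.fi.
                IN MX     25 qntsrv9.qnet.fi.
                IN NS     ns1.qnet.fi.
_autodiscover._tcp      IN SRV    0 5 443 mail.qnet.fi.
"""
# Constructed stand-in for the output of `dig +short MX gemtrade.fi @server`.
SERVED_MX = "20 qntsrv8.qnet.fi.\n20 qntsrv9.qnet.fi.\n"

def zone_rrset(zone_text, origin, owner, rtype):
    """Return the set of rdata strings for owner/rtype in a zone file."""
    origin = origin.rstrip(".").lower() + "."
    want = owner.rstrip(".").lower() + "."
    current, rdata, depth = None, set(), 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        inside = depth > 0                        # continuation of a "(" block
        depth += line.count("(") - line.count(")")
        if inside or not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():                  # line starts with an owner name
            name = fields.pop(0).lower()
            current = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                         # skip optional TTL and class
        if current == want and fields and fields[0].upper() == rtype:
            rdata.add(" ".join(fields[1:]).lower())
    return rdata

def served_rrset(dig_short_output):
    return {" ".join(l.split()).lower() for l in dig_short_output.splitlines() if l.strip()}

def drift(zone_text, origin, owner, rtype, dig_short_output):
    """Return (in file but not served, served but not in file), both sorted."""
    expected = zone_rrset(zone_text, origin, owner, rtype)
    served = served_rrset(dig_short_output)
    return sorted(expected - served), sorted(served - expected)
```

Two empty lists mean the served RRset matches the file; anything in the second list is stale data still being answered.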