Upgrading from 9.14.12 to 9.16.4 - with existing DNSSEC zones

Duncan duncan at isn-portal.de
Tue Sep 1 15:06:10 UTC 2020

I have been using DNSSEC for more than 5 years now (never had a problem so far),
but after upgrading to the latest bind-9.16.4 the verification fails using
Verisign's DNSSEC Validator.


I reverted back to 9.14.12 and everything works as expected.


First I started upgrading my secondary DNS-Server (primary left
untouched!!!) to 9.16.4 - restarted named and everything seems to be OK.


So I tested with Verisign's DNSSEC Validator
https://dnssec-analyzer.verisignlabs.com/ before upgrading my primary DNS.


And Verisign reported an error -> All Queries to
secondary.my-dnsserver-domain.com for my-domain.com/A timed out or failed


Test Results: https://ibb.co/7QLVJsC


Any ideas? Or should I upgrade both servers before I do my first test (not
only the secondary server)? As I said, I only updated my secondary server
and left my primary server untouched!


Are there any related upgrade issues from 9.14.12 to 9.16.4, which I
should take care of first (do I have to update something in my configs)? Is it
possible to keep my already signed zones of my 9.14.12 installation? Or do I
have to re-sign anything?


