<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:windowtext;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="color:#1F497D">Kevin: I did something similar, using nsupdate to modify the unsigned zone instead of a manual edit. The myzone.db, myzone.db.jnl, myzone.db.signed, and myzone.db.signed.jnl files all get updated appropriately.
“rndc reload” is not necessary. It is interesting to note that the serial number in the signed zone gets incremented more than the serial number in the unsigned zone. A dig request for the SOA record returns the serial number from the signed zone.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">To allow for this I have the following in my configuration file:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">zone "myzone" {<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> type master;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> file "/var/lib/bind/myzone/myzone.db";<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> key-directory "/var/lib/bind/myzone";<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> update-policy local;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> auto-dnssec maintain;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"> inline-signing yes;<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">};<o:p></o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="color:#1F497D">I’ll give it a try with a manual edit and let you know. Jeff.<o:p></o:p></span></p>
<p class="MsoNormal"><a name="_MailEndCompose"><span style="color:#1F497D"><o:p> </o:p></span></a></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> bind-users-bounces+spainj=countryday.net@lists.isc.org [mailto:bind-users-bounces+spainj=countryday.net@lists.isc.org]
<b>On Behalf Of </b>McConville, Kevin<br>
<b>Sent:</b> Tuesday, November 22, 2011 11:58 AM<br>
<b>To:</b> bind-users@lists.isc.org<br>
<b>Subject:</b> Bind 9.9.0b2 inline signing...<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I have opened up a Bug ticket with ISC on this - #26676, but I just wanted to make sure that I’m not doing anything “wrong” that may be causing the issue.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Has anyone been able to get inline-signing to work on a static master zone using an authoritative server?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">When we manually change the Master static zone file – ualbanytest.org – the signed and signed.jnl files are not getting an update – as shown by the time/date stamps below (just using rndc reload).<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-rw-rw-r-- 1 named root 1077 Nov 22 11:22 ualbanytest.org<o:p></o:p></p>
<p class="MsoNormal">-rw------- 1 named named 9415 Nov 22 11:14 ualbanytest.org.signed<o:p></o:p></p>
<p class="MsoNormal">-rw------- 1 named named 12041 Nov 22 11:02 ualbanytest.org.signed.jnl<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The log shows the correct serial for the unsigned zone, but then pulls the wrong signed file.<o:p></o:p></p>
<p class="MsoNormal">>>>>>>><o:p> </o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.314 general: info: received control channel command 'reload'<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.314 general: info: loading configuration from '/etc/named.conf'<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv4 port range: [1024, 65535]<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv6 port range: [1024, 65535]<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.316 general: info: sizing zone task pool based on 4 zones<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.318 general: info: zone ualbanytest.org/IN (signed): (master) removed<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.318 general: info: reloading configuration succeeded<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.318 general: info: reloading zones succeeded<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011112201<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011112114 (DNSSEC signed)<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.320 general: notice: all zones loaded<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.320 general: notice: running<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): reconfiguring zone keys<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.321 general: info: zone ualbanytest.org/IN (signed): next key event: 22-Nov-2011 11:35:28.321<o:p></o:p></p>
<p class="MsoNormal">22-Nov-2011 11:25:28.321 notify: info: zone ualbanytest.org/IN (signed): sending notifies (serial 2011112114)<o:p></o:p></p>
<p class="MsoNormal">>>>>>>><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">From Named.conf:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">>>>>>>>>>>>>>>>>>>>>>>>><o:p> </o:p></p>
<p class="MsoNormal">options {<o:p></o:p></p>
<p class="MsoNormal"> directory "/conf";<o:p></o:p></p>
<p class="MsoNormal"> pid-file "/var/run/named.pid";<o:p></o:p></p>
<p class="MsoNormal"> statistics-file "/var/run/named.stats";<o:p></o:p></p>
<p class="MsoNormal"> dump-file "/var/run/named.db";<o:p></o:p></p>
<p class="MsoNormal"> version "[secured]";<o:p></o:p></p>
<p class="MsoNormal"> dnssec-enable yes;<o:p></o:p></p>
<p class="MsoNormal"> sig-validity-interval 10;<o:p></o:p></p>
<p class="MsoNormal"> dnssec-loadkeys-interval 10;<o:p></o:p></p>
<p class="MsoNormal"> empty-zones-enable no;<o:p></o:p></p>
<p class="MsoNormal">};<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"># DNSSEC Zone<o:p></o:p></p>
<p class="MsoNormal">zone "ualbanytest.org" {<o:p></o:p></p>
<p class="MsoNormal"> type master;<o:p></o:p></p>
<p class="MsoNormal"> file "ualbanytest.org";<o:p></o:p></p>
<p class="MsoNormal"> auto-dnssec maintain;<o:p></o:p></p>
<p class="MsoNormal"> inline-signing yes; <o:p></o:p></p>
<p class="MsoNormal"> key-directory "/conf";<o:p></o:p></p>
<p class="MsoNormal"> serial-update-method increment;<o:p></o:p></p>
<p class="MsoNormal">};<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">>>>>>>>>>>>>>>>>>>>>><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Has anyone gotten this to work on an authoritative (meaning that I am missing something) or is it a “real” bug? I just don’t want to be claiming it’s a “bug” if it’s something that I messed up or fat fingered
<span style="font-family:Wingdings">J</span><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks you all in advance.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-Kevin <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoPlainText">Kevin McConville<o:p></o:p></p>
<p class="MsoPlainText">University at Albany<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>