<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<pre>Are you sure about that?
Because after "rndc sign zone" command only SOA and DNSKEY RRSIGs are refreshed.
In message <<a href="https://lists.isc.org/mailman/listinfo/bind-users">1DB356BF-50CF-4B99-B996-27A1A0984185 at nau.edu</a>>, Mathew Ian Eis writes:
><i> Isn't auto-dnssec maintain; (which we have enabled) supposed to
</i>><i> effectively do the same thing as rndc sign zone?
</i>
auto-dnssec maintain assumes a sane clock.
"rndc sign zone" forces the zone to be fully re-signed now irrespective
of when the records are due for re-signing.
><i> Mathew Eis
</i>><i> Northern Arizona University
</i>><i> Information Technology Services
</i>><i>
</i>><i> -----Original Message-----
</i>><i> From: Mark Andrews <<a href="https://lists.isc.org/mailman/listinfo/bind-users">marka at isc.org</a>>
</i>><i> Date: Thursday, February 25, 2016 at 5:14 PM
</i>><i> To: Mathew Eis <<a href="https://lists.isc.org/mailman/listinfo/bind-users">Mathew.Eis at nau.edu</a>>
</i>><i> Cc: "<a href="https://lists.isc.org/mailman/listinfo/bind-users">bind-users at lists.isc.org</a>" <<a href="https://lists.isc.org/mailman/listinfo/bind-users">bind-users at isc.org</a>>
</i>><i> Subject: Re: force re-sign of individual host record?
</i>><i>
</i>><i> >
</i>><i> > "rndc sign zone class view" should do it.
</i>><i> >
</i>><i> >In message <<a href="https://lists.isc.org/mailman/listinfo/bind-users">B9599B05-145F-4111-9E5B-032C6466D764 at nau.edu</a>>, Mathew Ian Eis writes:
</i>><i> >> Hi BIND,
</i>><i> >>
</i>><i> >> Anyone know if there is a good way to force named to resign a single
</i>><i> host
</i>><i> >> record? (e.g. without generating new ZSKs, etc.?)
</i>><i> >>
</i>><i> >> An ntp glitch recently caused our master nameserver to jump many hours
</i>><i> >> into the future, whereupon it began issuing invalid (to the world)
</i>><i> RRSIGs
</i>><i> >> with an inception time many hours into the future.
</i>><i> >>
</i>><i> >> After correcting the server time, named's signature rollover algorithm
</i>><i> >> didn't pick up on the fact that there were invalid RRSIGs (even after
</i>><i> >> restarting the named process), so we were left with manually repairing
</i>><i> >> them.
</i>><i> >>
</i>><i> >> We ended up modifying the TTLs (thus forcing named to update the
</i>><i> RRSIGs),
</i>><i> >> and then restoring the TTLs to their previous state.
</i>><i> >>
</i>><i> >> It seems like there should be a better way. Was that the "best"
</i>><i> approach?
</i>><i> >> ( Even better, it seems like named could automagically correct for this
</i>><i> >> particular problem if we can put it on the wishlist ;-) )
</i>><i> >>
</i>><i> >> Thoughts?
</i>><i> >>
</i>><i> >> Thanks in advance,
</i>><i> >>
</i>><i> >> Mathew Eis
</i>><i> >> Northern Arizona University
</i>><i> >> Information Technology Services
</i>><i> >>
</i>><i> >
</i>><i> >--
</i>><i> >Mark Andrews, ISC
</i>><i> >1 Seymour St., Dundas Valley, NSW 2117, Australia
</i>><i> >PHONE: +61 2 9871 4742 INTERNET: <a href="https://lists.isc.org/mailman/listinfo/bind-users">marka at isc.org</a>
</i>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: <a href="https://lists.isc.org/mailman/listinfo/bind-users">marka at isc.org</a></pre>
<div class="moz-signature">
<pre><b>Catalin LEANCA</b>
</pre>
</div>
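<p>The failure mode in this thread is a signer whose clock jumped forward, producing RRSIGs with inception times that validators elsewhere reject as "not yet valid", and which the normal re-signing schedule does not notice. The script below is an added example for this page, not code from ISC or from any of the posters: it parses RRSIG records in the zone-file presentation format that <code>dig +dnssec</code> prints and reports any signature whose inception lies in the future or whose expiration lies in the past relative to a trusted clock, so the problem can be spotted before "rndc sign" (or a TTL bump) is used to repair it. The sample records and the reference time are constructed to match the thread's date; they are not real nau.edu data.</p>

```python
"""Flag RRSIGs whose validity window is wrong relative to a trusted clock.

Added example for the bind-users thread on forcing a re-sign after an NTP
glitch; not ISC code.  Parses RRSIG records in presentation format
(RFC 4034 section 3.2) and reports signatures a validator would reject.
"""
from datetime import datetime, timezone

# Constructed sample output (not real data): one healthy signature, one
# produced while the signer's clock was ~8 hours fast (future inception),
# and one that has already expired.
SAMPLE_RRSIGS = """\
host1.example.net. 3600 IN RRSIG A 8 3 3600 20160325221400 20160224221400 12345 example.net. AbCd...==
host2.example.net. 3600 IN RRSIG A 8 3 3600 20160326061400 20160226061400 12345 example.net. EfGh...==
host3.example.net. 3600 IN RRSIG A 8 3 3600 20160220000000 20160121000000 12345 example.net. IjKl...==
"""

# Reference "now" for the check, constructed to match the thread's date.
# In production you would use a clock you trust (e.g. a validating resolver's).
NOW = datetime(2016, 2, 25, 22, 30, 0, tzinfo=timezone.utc)


def parse_rrsig_time(ts):
    """RRSIG inception/expiration are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG line into the fields we need.

    Field order: owner ttl class RRSIG type alg labels origttl
                 expiration inception keytag signer signature
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def check_rrsigs(text, now, skew_tolerance_s=300):
    """Return (owner, type, problem) for every signature that a validator
    with clock `now` would reject.  Validators commonly allow a few minutes
    of skew; skew_tolerance_s models that allowance."""
    problems = []
    for line in text.splitlines():
        if not line.strip():
            continue
        sig = parse_rrsig(line)
        lead = (sig["inception"] - now).total_seconds()   # >0: not yet valid
        lag = (now - sig["expiration"]).total_seconds()   # >0: already expired
        if lead > skew_tolerance_s:
            problems.append((sig["owner"], sig["type_covered"],
                             "inception %.1f h in the future" % (lead / 3600)))
        elif lag > skew_tolerance_s:
            problems.append((sig["owner"], sig["type_covered"],
                             "expired %.1f h ago" % (lag / 3600)))
    return problems


if __name__ == "__main__":
    # Usage: feed the RRSIG lines from `dig +dnssec +noall +answer ...`
    # instead of SAMPLE_RRSIGS and compare against a trusted clock.
    for owner, rtype, why in check_rrsigs(SAMPLE_RRSIGS, NOW):
        print("%s %s: %s" % (owner, rtype, why))
```

<p>Running this over a zone's RRSIGs from a host with a correct clock gives the list of records that need a forced re-sign; the tolerance argument exists because validators accept a small amount of skew, so a signature a few seconds "early" is not worth acting on, while one hours early (the case in the thread) is.</p>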
</body>
</html>