<div dir="ltr"><div><br></div><div>On Thu, Mar 29, 2018 at 5:17 PM, Douglas C. Stephens <span dir="ltr"><<a href="mailto:stephens@ameslab.gov" target="_blank">stephens@ameslab.gov</a>></span> wrote:</div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Kim,<br>
<br>
I run BIND 9.11 so this might or might not translate down to BIND 9.10.<br>
<br>
When this happens to me, I run "rndc zonestatus <zonename>" on it.<br>
Then I look for the "serial:" and "signed serial:" values.<br></blockquote><div><br></div><div>Running rndc zonestatus <zonename> FWIW returns serial: and signed serial: which are not the same and are from 1 day ago.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Normally, you would be correct in only needing to increment the<br>
unsigned SOA serial to at least +1 larger than the "serial:" value<br>
shown by the above output.  Sometimes, however, to make BIND load the<br>
update, I need to increase the SOA serial in the unsigned zone file to<br>
be higher than the SOA serial in the signed zone file.  Then run "rndc reload<br>
<zonename>".<br>
<br>
Another thing to check is whether you're actually checking the zone<br>
serial of a slave instead of at the master BIND doing the signing.  If<br>
so, are they higher than the signed zone serial at your master?<br></blockquote><div><br></div><div>ATM there are 2 masters, I'm working on 1 now.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Also, something that looks odd to me compared with my live running<br>
config is your "file" line.  Does that "domain.com.signed" filespec<br>
actually point to the BIND-maintained .signed file, or does it mean<br>
something else?  If the latter, then I would guess you have a<br>
"domain.com.signed.signed" file alongside it which is the one<br>
maintained by BIND.<br></blockquote><div><br></div><div>Yes, this is true: domain.com.signed.signed</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
I'm also using "auto-dnssec maintain" and "inline-signing yes", but my<br>
zone "file" points to my unsigned zone file, while the .signed version<br>
(and its .signed.jnl) is wholly created and maintained by BIND.</blockquote><div><br></div><div>I have those files but I don't know how to get BIND to maintain them.</div><div><br></div><div>That appears to be the problem.</div><div><br></div><div>This helps, I'm not sure where to go from here though.</div><div><br></div><div>I've googled this for hours and keep thinking the solution is just another google away but just now I'm not so sure.</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hope this helps.</blockquote><div> </div><div>This helps and thanks for replying to my post.</div><div><br></div><div>-kim</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
On 3/29/2018 3:15 PM, Kim Culhan wrote:<br>
> Some additional info here, from named.conf, dnssec config:<br>
><br>
> options { directory "/var/named"; [lines omitted] dnssec-validation<br>
> auto; managed-keys-directory "/var/named/keys";<br>
><br>
> From the zone section;<br>
><br>
> file "domain.com.signed"; key-directory "/var/named/keys/domain.com";<br>
</span>> auto-dnssec maintain; inline-signing yes;<br>
<span class="">><br>
> Zone file is in /var/named<br>
><br>
> Sorry did not include this in the original post.<br>
><br>
> thanks -kim<br>
><br>
> --<br>
><br>
><br>
><br>
</span>> ______________________________<wbr>_________________ Please visit<br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a> to unsubscribe<br>
> from this list<br>
><br>
> bind-users mailing list <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a><br>
><br>
<br>
- --<br>
Douglas C. Stephens             | Network Systems Analyst<br>
Enterprise Information Services | Phone: <a href="tel:%28515%29%20294-6102" value="+15152946102">(515) 294-6102</a><br>
Ames Laboratory, US DOE         | Email: <a href="mailto:stephens@ameslab.gov">stephens@ameslab.gov</a><br>
</blockquote></div><br></div></div>
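<div>Added example, not part of the original thread and not code from either poster or from ISC: the serial check described in the quoted reply (compare "serial:" with "signed serial:" from rndc zonestatus, then raise the unsigned SOA serial above both), written as a shell helper. The sample output is constructed, the function names are hypothetical, and serials are compared as plain integers with no wraparound.</div>

```shell
#!/bin/sh
# Constructed sample of "rndc zonestatus <zonename>" output (not from the thread).
sample_zonestatus() {
cat <<'EOF'
name: example.com
type: master
files: example.com
serial: 2018032801
signed serial: 2018032805
secure: yes
inline signing: yes
key maintenance: automatic
EOF
}

# Print the value of one "label: value" line read from stdin.
zs_field() {
    awk -F': ' -v key="$1" '$1 == key { print $2; exit }'
}

# Smallest SOA serial for the unsigned zone file that is higher than both
# "serial:" and "signed serial:". Assumes plain integer order (no wraparound).
next_unsigned_serial() {
    status=$(cat)
    cur=$(printf '%s\n' "$status" | zs_field "serial")
    signed=$(printf '%s\n' "$status" | zs_field "signed serial")
    if [ -z "$cur" ]; then
        echo "no serial: line in input" >&2
        return 1
    fi
    # If the input has no "signed serial:" line, use "serial:" alone.
    [ -n "$signed" ] || signed=$cur
    if [ "$signed" -gt "$cur" ]; then
        echo $((signed + 1))
    else
        echo $((cur + 1))
    fi
}

# Live use: rndc zonestatus example.com | next_unsigned_serial
sample_zonestatus | next_unsigned_serial
```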