<div dir="ltr"><div>I tried it again to get the logs:</div><div><pre style="font-size:8.5pt;font-family:Menlo;color:black">21-May-2025 20:57:12.064 general: zone sub.example.com/IN/internal: (primary) removed
21-May-2025 20:57:12.064 general: reloading configuration succeeded
21-May-2025 20:57:12.064 general: scheduled loading new zones
21-May-2025 20:57:12.511 zoneload: zone sub.example.com/IN/internal (unsigned): loaded serial 462767 (DNSSEC signed)
21-May-2025 20:57:12.600 general: zone sub.example.com/IN/internal (signed): CDS/CDNSKEY consistency checks failed
21-May-2025 20:57:12.600 zoneload: zone sub.example.com/IN/internal (signed): not loaded due to errors.
21-May-2025 20:57:12.600 general: zone sub.example.com/IN/internal (signed): receive_secure_db: bad CDS
</pre></div><div><br></div><div>I wanted to reduce it to a minimum configuration to reproduce and present that, but I was also working on the approach of purging the zone file of DNSSEC records. Didn't have time to do both. Removing the records wasn't as bad as I thought; a simple awk script seems to work:</div><div><pre style="font-size:8.5pt;font-family:Menlo;color:black"># Strip ';' comments from every line (note: this also strips a ';' inside a quoted TXT string)
{
  sub(/;.*/, "")
}
# Drop records of these types. \s is a gawk extension (POSIX awk: [[:space:]]);
# NSEC also matches NSEC3 and NSEC3PARAM.
/\s(DNSKEY|CDNSKEY|DS|CDS|RRSIG|NSEC|TYPE65534)/ {
  if (/\(/) {
    # multi-line record: consume lines up to the closing parenthesis
    while (!(/\)/)) {
      if ((getline) &lt;= 0) break   # end of file: stop instead of looping forever
    }
  }
  next
}
{
  print
}
</pre></div><div><br></div><div>Although I can imagine some cases where that logic is too simple.</div><div><br></div><div>Purging the records and then loading the zone worked, but it still wasn't as smooth as I would have liked. I tried:</div><div><br></div><div>1. freeze</div><div>2. sync -clean</div><div>3. Copy the de-DNSSECed zone file over the old one</div><div>4. thaw</div><div><br></div><div>But that would write the zone back with DNSSEC records in the file. The only way I got it to work was to kill and restart named.</div><div><br></div><div>Given the actual primary is a hidden master, brief named outages for a restart are not a big concern. That's probably good enough.</div><div><br></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Tue, May 20, 2025 at 1:45 AM Matthijs Mekking <<a href="mailto:matthijs@isc.org">matthijs@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
On 17-05-2025 06:39, Crist Clark wrote:<br>
> Tired of looking at the log messages warning me that inline-signing will <br>
> be the default in 9.20. I want to convert my 9.18 to using <br>
> inline-signing. Right now all of the zones use dnssec-policy and are <br>
> dynamic.<br>
> <br>
> I tried just simply adding the "inline-signing yes" line to a zone with <br>
> dynamic updates that has the DNSSEC records in the file, but it flat out <br>
> stopped the zone from loading at all when I issued a reconfig.<br>
<br>
Can you tell me the error message? I would not expect the zone to stop <br>
loading, but it's hard to tell without the full configuration.<br>
<br>
Note that when switching, signatures and NSEC records from the dynamic <br>
zone would be removed and moving to inline-signing requires a full <br>
re-sign of the zone.<br>
<br>
- Matthijs<br>
<br>
> I assume I could freeze, sync, clean DNSSEC records in the file, and <br>
> reload with inline-signing. But manually cleaning the zone file isn't <br>
> trivial. Not hard, but takes some work to get right.<br>
> <br>
> Is there a right way to just reconfigure named.conf to make this work <br>
> without messing with the zone file directly? Even if it maybe takes steps?<br>
> <br>
> If this really takes cleaning the DNSSEC from the zone file, is there a <br>
> way to coax the existing BIND tools to do this? Took a quick look at <br>
> named-compilezone, dnssec-signzone, etc. None seem to have the capability.<br>
> <br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
<br>
</blockquote></div>
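<div>An added example (not code from this thread, from ISC, or from BIND) of the purge step done by record type rather than by a substring match, written in Python. It assumes standard RFC 1035 master-file syntax; the names strip_dnssec_records, list_record_types and SAMPLE_ZONE are this example's own, and the sample zone, key material and digests are constructed. It handles the cases a line-oriented awk match glosses over: a ';' inside a quoted TXT string is kept, a parenthesised multi-line record is removed whole, the type is read from the type field instead of anywhere on the line, and DS is left out of the default set because a DS at a delegation point is zone data, not signer output.</div>

```python
"""Remove signer-generated DNSSEC records from a BIND master-format zone file.

Added example for the purge step discussed in the thread; it is not code from
the thread or from ISC.  Assumes RFC 1035 master syntax: ';' comments, quoted
strings, parenthesised multi-line records, and optional TTL/class fields
before the RR type.
"""
import re

# Types that named (dnssec-policy) generates itself.  DS is not included by
# default: a DS record at a delegation point is real zone data, not signer
# output, so dropping it would break the child's chain of trust.
SIGNER_TYPES = frozenset({
    "DNSKEY", "CDNSKEY", "CDS", "RRSIG",
    "NSEC", "NSEC3", "NSEC3PARAM", "TYPE65534",
})
_CLASSES = frozenset({"IN", "CH", "HS", "CS"})
_TTL_RE = re.compile(r"\d+(?:[smhdw]\d+)*[smhdw]?", re.IGNORECASE)  # 3600, 1h, 1d2h


def _scan(line):
    """Return (code, depth_delta): the line minus any ';' comment, and the net
    change in '(' nesting.  Quoted strings are opaque to both checks, so a ';'
    inside a TXT string is kept and does not end the line."""
    out, depth, in_quote, escaped = [], 0, False, False
    for ch in line:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif not in_quote:
            if ch == ";":
                break
            depth += {"(": 1, ")": -1}.get(ch, 0)
        out.append(ch)
    return "".join(out), depth


def _logical_records(zone_text):
    """Yield lists of physical lines, one list per logical record: a record
    that opens a '(' continues until the parentheses balance (or EOF)."""
    lines = zone_text.splitlines(keepends=True)
    i = 0
    while i < len(lines):
        start, depth = i, 0
        while True:
            depth += _scan(lines[i])[1]
            i += 1
            if depth <= 0 or i >= len(lines):
                break
        yield lines[start:i]


def _rr_type(first_line):
    """RR type of a record from its first line, or None for blank lines,
    comment-only lines and $ directives.  Layout: [owner] [TTL] [class] TYPE."""
    tokens = _scan(first_line)[0].split()
    if not tokens or tokens[0].startswith("$"):
        return None
    # A line that starts with whitespace inherits the previous owner name.
    fields = tokens if first_line[0].isspace() else tokens[1:]
    for tok in fields:
        if tok.upper() in _CLASSES or _TTL_RE.fullmatch(tok):
            continue
        return tok.upper()
    return None


def list_record_types(zone_text):
    """Types of every record in the zone, in file order (before/after checks)."""
    types = (_rr_type(group[0]) for group in _logical_records(zone_text))
    return [t for t in types if t is not None]


def strip_dnssec_records(zone_text, types=SIGNER_TYPES):
    """Return zone_text with every record whose type is in `types` removed
    whole, continuation lines included; everything else passes through
    unchanged, comments and directives included."""
    kept = [group for group in _logical_records(zone_text)
            if _rr_type(group[0]) not in types]
    return "".join(line for group in kept for line in group)


# Constructed sample zone (no real keys or digests): signer records, a
# multi-line SOA, a TXT string containing ';', and a delegation with a DS.
SAMPLE_ZONE = """\
$ORIGIN sub.example.com.
$TTL 3600
@      IN SOA ns1 hostmaster (
           462767     ; serial
           3600 900 1209600 300 )
@      IN NS  ns1
@      IN DNSKEY 257 3 13 ( mdsswUyr3DPW132mOi8V9xESWE8jTo0dxCjjnopKl+Gq
                            JxpVXckHAeF+KkxLbxILfDLUT0rAK9iUzy1L53eKGQ== )
@      IN CDS 12345 13 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
@      IN RRSIG NS 13 3 3600 20250601000000 20250501000000 12345 sub.example.com. (
           c2lnbmF0dXJlLWRhdGEtaGVyZQ== )
@      IN TYPE65534 \\# 5 0D30390000
@      IN NSEC3PARAM 1 0 0 -
ns1    IN A 192.0.2.1
; a ';' inside a quoted string is data, not a comment
txt    IN TXT "contains a ; and the word DS"
child  IN NS ns1.child
child  IN DS 54321 13 2 FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ZONE
    sys.stdout.write(strip_dnssec_records(text))
```

<div>Run it with a zone file path to print the stripped zone, or with no argument to see it applied to the constructed sample; comparing list_record_types() before and after is a quick way to confirm that only the signer-generated types went away and that delegation DS records and the SOA survived.</div>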