How to recover from "receive_secure_serial: not exact"?

Mark Andrews marka at isc.org
Thu Feb 25 21:26:00 UTC 2021


Really, I would remove "inline-signing yes;".  It really isn't needed when you are doing all the changes by dynamic update.  It is an option for those that can't/won't stop editing the zone by hand.


> On 26 Feb 2021, at 08:19, bind-workers-post at ee.lbl.gov wrote:
> 
> We recently upgraded from bind 9.16.11 to 9.16.12 and ended up with corrupt journal files for a couple of zones as described here:
> 
>    https://seclists.org/oss-sec/2021/q1/169
> 
> The one that's problematic has frequent ddns updates. At one point we unsigned the zone, deleted everything except the SOA and NS records from the unsigned zone, then resigned the (newly empty) zone, and finally used nsupdate to repopulate it. That worked for a while but a few hours later we started getting "receive_secure_serial: not exact" errors. Once this error first appears ddns updates to the zone "work" but are not visible via dns requests.
> 
> What is the procedure for recovering from this situation? The zone config looks similar to this:
> 
>    zone "example.net" {
>            type master;
>            file "dynamic/example.net";
>            check-names ignore;
>            auto-dnssec maintain;
>            dnssec-secure-to-insecure yes;
>            inline-signing yes;
>            allow-update {
>                    key update-key;
>            };
>    };
> 
> Rolling back to 9.16.11 is also an option.
> 
> 		Craig

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
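The change Mark recommends, shown as the zone stanza from Craig's message beside the version with `inline-signing` dropped. This is an added illustration, not configuration from either poster; the zone name, file path and key name are the placeholders from the original message, and the comments reflect the reasoning in the reply above.

```conf
// BEFORE (as posted): dynamic updates plus inline signing.
// named keeps a separate signed copy of the zone and replays
// changes from the raw zone into it; that extra sync path is
// where the "receive_secure_serial" messages come from.
zone "example.net" {
        type master;
        file "dynamic/example.net";
        check-names ignore;
        auto-dnssec maintain;
        dnssec-secure-to-insecure yes;
        inline-signing yes;
        allow-update {
                key update-key;
        };
};

// AFTER (Mark's suggestion): every change arrives via dynamic
// update, so the zone is signed in place and there is no raw/signed
// pair to keep in step. inline-signing is only needed when someone
// still edits the zone file by hand.
zone "example.net" {
        type master;
        file "dynamic/example.net";
        check-names ignore;
        auto-dnssec maintain;
        dnssec-secure-to-insecure yes;
        allow-update {
                key update-key;
        };
};
```

Run `named-checkconf` on the edited file before reloading, and keep a copy of the zone file and its journal so the change can be backed out if needed.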