I have been playing with the new inline signing feature. Documentation bug: the inline-signing option is not mentioned in the syntax for slave zones.
I have not been able to get master inline signing working. Firstly, it fails to create the signed copy of the zone automatically. If I create it manually with dnssec-signzone, it fails to update the signed zone when I edit the master file and tell it to reload.

I have successfully got inline signing working for a slave zone. Starting with the following configuration:

    zone chiark.net {
        type slave;
        masters { 212.13.197.229; };
        file "/zd/chiark.net/master";
    };

I ran these commands:

    dnssec-keygen chiark.net
    dnssec-keygen -f KSK chiark.net

And added the following to the configuration:

    key-directory "/zd/chiark.net";
    auto-dnssec maintain;
    inline-signing yes;

Note that without "auto-dnssec maintain", named creates two copies of the zone, "master" and "master.signed", but does not actually sign the zone :-)

Then I ran `rndc reload` and named crashed:

    30-Sep-2011 14:15:52.541 general: info: received control channel command 'reload'
    30-Sep-2011 14:15:52.541 general: info: loading configuration from '/etc/named.conf'
    30-Sep-2011 14:15:52.542 general: warning: statistics-channels specified but not effective due to missing XML library
    30-Sep-2011 14:15:52.542 general: info: using default UDP/IPv4 port range: [49152, 65535]
    30-Sep-2011 14:15:52.542 general: info: using default UDP/IPv6 port range: [49152, 65535]
    30-Sep-2011 14:15:52.543 general: info: sizing zone task pool based on 69 zones
    30-Sep-2011 14:15:52.543 general: critical: zone.c:1130: REQUIRE(zone->type == dns_zone_none || zone->type == type) failed, back trace
    30-Sep-2011 14:15:52.544 general: critical: #0 0x413f1b in assertion_failed()+0x4b
    30-Sep-2011 14:15:52.544 general: critical: #1 0x5795aa in isc_assertion_failed()+0xa
    30-Sep-2011 14:15:52.544 general: critical: #2 0x550c4e in dns_zone_settype()+0x12e
    30-Sep-2011 14:15:52.544 general: critical: #3 0x4432f9 in ns_zone_configure()+0x219
    30-Sep-2011 14:15:52.544 general: critical: #4 0x4253fd in configure_zone()+0x84d
    30-Sep-2011 14:15:52.544 general: critical: #5 0x42ae70 in configure_view()+0x610
    30-Sep-2011 14:15:52.544 general: critical: #6 0x43232c in load_configuration()+0x1aac
    30-Sep-2011 14:15:52.544 general: critical: #7 0x43378e in loadconfig()+0x5e
    30-Sep-2011 14:15:52.544 general: critical: #8 0x433c56 in reload()+0x16
    30-Sep-2011 14:15:52.544 general: critical: #9 0x433df2 in ns_server_reloadcommand()+0x102
    30-Sep-2011 14:15:52.544 general: critical: #10 0x40d9b2 in ns_control_docommand()+0xf2
    30-Sep-2011 14:15:52.544 general: critical: #11 0x410c71 in control_recvmessage()+0x3c1
    30-Sep-2011 14:15:52.544 general: critical: #12 0x593f55 in run()+0x285
    30-Sep-2011 14:15:52.544 general: critical: #13 0x800bfb511 in _fini()+0x8006542d9
    30-Sep-2011 14:15:52.544 general: critical: #14 0x0 in ??
    30-Sep-2011 14:15:52.544 general: critical: exiting (due to assertion failure)

After I restarted it, it fetched and signed the zone as expected.

    30-Sep-2011 14:21:29.562 general: info: zone chiark.net/IN (unsigned): Transfer started.
    30-Sep-2011 14:21:29.567 xfer-in: info: transfer of 'chiark.net/IN (unsigned)' from 212.13.197.229#53: connected using 131.111.11.130#26910
    30-Sep-2011 14:21:29.576 general: info: zone chiark.net/IN (unsigned): transferred serial 11
    30-Sep-2011 14:21:29.576 general: info: zone chiark.net/IN (signed): loaded serial 11
    30-Sep-2011 14:21:29.576 general: info: zone chiark.net/IN (signed): reconfiguring zone keys
    30-Sep-2011 14:21:29.582 xfer-in: info: transfer of 'chiark.net/IN (unsigned)' from 212.13.197.229#53: Transfer completed: 1 messages, 14 records, 401 bytes, 0.015 secs (26733 bytes/sec)
    30-Sep-2011 14:21:29.583 general: info: zone chiark.net/IN (signed): next key event: 30-Sep-2011 15:21:29.583
    30-Sep-2011 14:21:29.583 notify: info: zone chiark.net/IN (signed): sending notifies (serial 12)
    30-Sep-2011 14:21:34.577 notify: info: zone chiark.net/IN (signed): sending notifies (serial 15)

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Faeroes, South-east Iceland: Southerly or southwesterly 5 to 7, occasionally gale 8 in Southeast Iceland. Rough or very rough. Rain then showers. Moderate or good, occasionally poor at first.
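Added example (not part of the original message and not ISC code): a small configuration check for the case noted in the message, where a zone has "inline-signing yes" but no "auto-dnssec maintain" and so is served unsigned. It assumes both options are set inside the zone statement, as in the message; the function names, the example.test zone and the 192.0.2.1 address are constructed for illustration.

```python
import re

# Constructed named.conf fragment: the message's zone, plus a constructed zone
# (example.test, 192.0.2.1) that omits "auto-dnssec maintain".
SAMPLE_CONF = '''
zone chiark.net { type slave; masters { 212.13.197.229; };
    file "/zd/chiark.net/master"; key-directory "/zd/chiark.net";
    auto-dnssec maintain; inline-signing yes; };
zone example.test {   // constructed
    type slave; masters { 192.0.2.1; }; file "/zd/example.test/master";
    inline-signing yes; };
'''

# Alternatives in order: comments, quoted strings, punctuation, bare words.
TOKEN = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*|"[^"]*"|[{};]|[^\s{};"]+', re.S)

def zone_options(conf_text):
    """Yield (zone_name, {option: [args]}) per zone, top level or inside a view."""
    toks = [t for t in TOKEN.findall(conf_text)
            if not t.startswith(('/*', '//', '#'))]   # drop comment tokens
    i = 0
    while i < len(toks):
        if toks[i] != 'zone':
            i += 1
            continue
        name = toks[i + 1].strip('"')
        j, depth, stmt, opts = toks.index('{', i) + 1, 1, [], {}
        while depth and j < len(toks):
            t = toks[j]
            j += 1
            if t == '{':
                depth += 1
            elif t == '}':
                depth -= 1
            elif t == ';':
                if depth == 1 and stmt:    # end of a zone-level statement
                    opts[stmt[0]] = [a.strip('"') for a in stmt[1:]]
                    stmt = []
            elif depth == 1:               # skip tokens nested in sub-blocks
                stmt.append(t)
        yield name, opts
        i = j

def unsigned_inline_zones(conf_text):
    """Zones with inline-signing on but no zone-level 'auto-dnssec maintain'."""
    enabled = (['yes'], ['true'], ['1'])
    return [name for name, o in zone_options(conf_text)
            if o.get('inline-signing') in enabled
            and o.get('auto-dnssec') != ['maintain']]

if __name__ == '__main__':
    for z in unsigned_inline_zones(SAMPLE_CONF):
        print(f'{z}: inline-signing set, but no zone-level "auto-dnssec maintain"')
```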