I am testing bind 9.9.0b1 compiled on Ubuntu Oneiric x64 (nstest.jaspain.net).
I configured a zone as follows:
zone "jaspain.net" {
    type master;
    file "/var/lib/bind/jaspain.net/jaspain.net.db";
    key-directory "/var/lib/bind/jaspain.net";
    update-policy local;
    auto-dnssec maintain;
    inline-signing yes;
};
On initial startup, bind created jaspain.net.db.signed and
jaspain.net.db.signed.jnl. Looking at the latter with named-journalprint, the
entries appear to be consistent with the zone signing process. I used nsupdate
-l to create a new A record, and that succeeded. The file jaspain.net.db.jnl
was created in the process. I attempted to freeze the zone using "rndc freeze
jaspain.net", and this resulted in the error message "rndc: 'freeze' failed:
not dynamic". "rndc thaw jaspain.net" yielded no messages, but added a syslog
entry that it was successful. The freeze failure is contrary to what I would
have expected. Are "update-policy local;" and "inline-signing yes;"
incompatible?
The serial numbers in the SOA records in the various zone-related files are
different, but I believe they are consistent. In jaspain.net.db, the SOA serial
number was originally 2011111501. Looking at jaspain.net.db.signed.jnl, the SOA
serial number got updated to 2011111504 as a result of the initial signing
process. Following the record addition with nsupdate, the SOA serial number in
jaspain.net.db.jnl was updated to 2011111502. Twelve minutes later bind rewrote
jaspain.net.db with this same serial number and the added A record. Immediately
after the nsupdate, jaspain.net.db.signed.jnl showed the signing activity for
the new A record and an update of the SOA serial number to 2011111505. This is
the serial number that is returned by a dig of the SOA record. The
named-journalprint output for both jaspain.net.db.jnl and
jaspain.net.db.signed.jnl starts with the line BITWS=2011111502. What does that
mean?
Fourteen minutes after the nsupdate, bind rewrote jaspain.net.db.signed. Is
there a utility akin to named-journalprint that would display the contents of
jaspain.net.db.signed in human-readable form?
Thanks for providing this interesting new feature, which I hope to understand
more fully.
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
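The serial bookkeeping described in the post above, as an added example that is not part of the original message or of BIND itself: a small Python checker that reads add/del records in the line format named-journalprint prints and verifies that the SOA serials form a continuous, increasing chain across journal transactions (RFC 1982 serial comparison), optionally anchored to the serial of the unsigned zone file. The sample journal text, the A record, and the SOA MNAME/RNAME (nstest.jaspain.net., hostmaster.jaspain.net.) are constructed, not captured from the poster's server.

```python
import re

# Constructed sample in the add/del line format that named-journalprint emits
# (not real output). Two transactions: the nsupdate that added an A record
# (2011111501 -> 2011111502) and a later serial bump (2011111502 -> 2011111503).
SAMPLE_JOURNAL = """\
del jaspain.net.\t86400\tIN\tSOA\tnstest.jaspain.net. hostmaster.jaspain.net. 2011111501 3600 900 604800 86400
add jaspain.net.\t86400\tIN\tSOA\tnstest.jaspain.net. hostmaster.jaspain.net. 2011111502 3600 900 604800 86400
add host.jaspain.net.\t3600\tIN\tA\t192.0.2.10
del jaspain.net.\t86400\tIN\tSOA\tnstest.jaspain.net. hostmaster.jaspain.net. 2011111502 3600 900 604800 86400
add jaspain.net.\t86400\tIN\tSOA\tnstest.jaspain.net. hostmaster.jaspain.net. 2011111503 3600 900 604800 86400
"""

# op, owner, ttl, class, type, mname, rname, serial (remaining SOA fields ignored)
SOA_LINE = re.compile(r"^(add|del)\s+\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)")

def serial_gt(a, b):
    """RFC 1982: a is 'greater than' b if a is ahead of b by less than 2^31 (mod 2^32)."""
    return 0 < (a - b) % 2**32 < 2**31

def soa_transitions(journal_text):
    """Return [(old_serial, new_serial), ...], one pair per journal transaction.
    Each transaction starts with 'del' of the old SOA followed by 'add' of the
    new SOA; every other record line is ignored."""
    pairs, old = [], None
    for line in journal_text.splitlines():
        m = SOA_LINE.match(line)
        if not m:
            continue
        op, serial = m.group(1), int(m.group(2))
        if op == "del":
            old = serial
        elif old is not None:
            pairs.append((old, serial))
            old = None
    return pairs

def check_serial_chain(journal_text, zone_file_serial=None):
    """Verify the journal's SOA serials are continuous and increasing.
    Returns (ok, final_serial, problems). With zone_file_serial given, the first
    transaction must start from that serial (the unsigned zone file's SOA)."""
    problems = []
    pairs = soa_transitions(journal_text)
    if not pairs:
        return False, None, ["no SOA transactions found"]
    if zone_file_serial is not None and pairs[0][0] != zone_file_serial:
        problems.append(f"journal starts at {pairs[0][0]}, zone file has {zone_file_serial}")
    for i, (old, new) in enumerate(pairs):
        if i and old != pairs[i - 1][1]:
            problems.append(f"gap: transaction {i} starts at {old}, previous ended at {pairs[i - 1][1]}")
        if not serial_gt(new, old):
            problems.append(f"transaction {i}: serial {old} -> {new} does not increase")
    return not problems, pairs[-1][1], problems
```

Run it over `named-journalprint jaspain.net.db.jnl` output and pass the SOA serial from jaspain.net.db as zone_file_serial; the same check applied to the .signed.jnl output shows the separate serial chain the inline-signing process maintains.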
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users