Well, after the various discussions a short while back, I decided to give inline-signing a run, and after setup I must say it did appear to do what I expected. Of course, anything that went that easily had to have a snag, and it did, and at the moment I am wondering what I have missed, so I figured I would post and see if anyone had any suggestions.
After setting up a zone with DNSSEC using inline-signing, I have run into the issue where, if I do anything that updates the unsigned file that is input into BIND, it never seems to update the signed data it generated. As an example, I had a serial number of 2012012701 in the test zone file, and when I started named up it happily created the signed zone. So then I went in and changed this serial to 2012012801 and performed an 'rndc reload', and nothing: it saw the updated unsigned zone, but never kicked off an event to re-sign the signed data it was dishing out when asked, so the changes were not available. I then went and did a full restart on named, thinking maybe a hard restart would make it sign, but no luck; in fact it sees the zones, and that the serial numbers are different, but never re-signs the served zone.

Looking at my log I see:

    named[8422]: zone leadmon.org/IN/internal (unsigned): loaded serial 2012012802
    named[8422]: zone leadmon.org/IN/internal (signed): loaded serial 2012012708 (DNSSEC signed)
    named[8422]: zone leadmon.org/IN/internal (signed): receive_secure_serial: unchanged
    named[8422]: zone leadmon.org/IN/internal (signed): reconfiguring zone keys
    named[8422]: zone leadmon.org/IN/internal (signed): next key event: 29-Jan-2012 11:53:54.971
    named[8422]: zone leadmon.org/IN/internal (signed): sending notifies (serial 2012012708)

So it is seeing that the signed and unsigned zones have different serials, but it's sure not picking up that I have made a change to the unsigned file and that it needs to re-sign the zone it's serving.

As to my config over here, I have the following in the zone:

    zone "leadmon.org" {
        type master;
        file "master/leadmon.org/db.leadmon.org-internal";
        key-directory "keys";
        allow-transfer { primary_servers; };
        auto-dnssec maintain;
        inline-signing yes;
    };

Have I missed any additional commands I need to make this play correctly, or is something broken here that I have run into?
---
Howard Leadmon

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
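The symptom in the post is visible in the named log alone: the unsigned copy loads a newer serial, the signed copy keeps an older one, and `receive_secure_serial` reports `unchanged`. The following added example (not from the post or from BIND itself) is a small log check a zone operator could run after a reload to catch that condition automatically. It parses the `loaded serial` and `receive_secure_serial` lines, compares the two serials with RFC 1982 serial-number arithmetic (so a wrapped 32-bit serial is still ordered correctly), and flags a zone whose unsigned serial is ahead of its signed serial or whose signed side reported `unchanged`. The zone names, PID and serials in the embedded sample are constructed for the example and modelled on the lines quoted above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample log, modelled on the lines quoted in the post.
# Zone names and serials are illustrative, not from a live server.
SAMPLE_LOG = """\
named[8422]: zone example.test/IN/internal (unsigned): loaded serial 2012012802
named[8422]: zone example.test/IN/internal (signed): loaded serial 2012012708 (DNSSEC signed)
named[8422]: zone example.test/IN/internal (signed): receive_secure_serial: unchanged
named[8422]: zone example.test/IN/internal (signed): reconfiguring zone keys
named[8422]: zone example.test/IN/internal (signed): sending notifies (serial 2012012708)
named[8422]: zone other.test/IN/internal (unsigned): loaded serial 2024010101
named[8422]: zone other.test/IN/internal (signed): loaded serial 2024010103 (DNSSEC signed)
named[8422]: zone other.test/IN/internal (signed): sending notifies (serial 2024010103)
"""

LOADED = re.compile(r"zone (\S+) \((unsigned|signed)\): loaded serial (\d+)")
UNCHANGED = re.compile(r"zone (\S+) \(signed\): receive_secure_serial: unchanged")


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: is 32-bit serial a 'greater than' serial b (handles wraparound)?"""
    half = 1 << 31
    return (a > b and a - b < half) or (a < b and b - a > half)


def parse_zone_state(log: str) -> Dict[str, dict]:
    """Collect, per zone, the last loaded unsigned/signed serials and whether
    the signed side logged receive_secure_serial: unchanged."""
    state: Dict[str, dict] = {}
    for line in log.splitlines():
        m = LOADED.search(line)
        if m:
            zone, kind, serial = m.group(1), m.group(2), int(m.group(3))
            state.setdefault(zone, {"unsigned": None, "signed": None, "unchanged": False})
            state[zone][kind] = serial
            continue
        m = UNCHANGED.search(line)
        if m:
            zone = m.group(1)
            state.setdefault(zone, {"unsigned": None, "signed": None, "unchanged": False})
            state[zone]["unchanged"] = True
    return state


def find_stale_zones(log: str) -> List[Tuple[str, Optional[int], Optional[int], str]]:
    """Return (zone, unsigned_serial, signed_serial, reason) for zones whose
    signed copy has apparently not picked up the latest unsigned data."""
    stale = []
    for zone, st in sorted(parse_zone_state(log).items()):
        u, s = st["unsigned"], st["signed"]
        reasons = []
        if u is not None and s is not None and serial_gt(u, s):
            reasons.append("unsigned serial is ahead of signed serial")
        if st["unchanged"]:
            reasons.append("signed zone reported receive_secure_serial: unchanged")
        if reasons:
            stale.append((zone, u, s, "; ".join(reasons)))
    return stale


if __name__ == "__main__":
    for zone, u, s, why in find_stale_zones(SAMPLE_LOG):
        print(f"{zone}: unsigned={u} signed={s} -> {why}")
```

Pointed at the real log (for example `find_stale_zones(open('/var/log/named.log').read())`), the check reports `example.test/IN/internal` as stale on both counts and stays silent for `other.test/IN/internal`, whose signed serial is already ahead of its unsigned one as expected after a successful re-sign.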