> After setting up a zone with DNSSEC using inline-signing, I have run into the 
> issue where, if I do anything that updates the unsigned file that is input 
> into BIND, it never seems to update the signed data it generated.

> As an example, I had a serial number of 2012012701 in the test zone file, and 
> when I started named up it happily created the signed zone. So then I went 
> in and changed this serial to 2012012801, and performed an 'rndc reload' and 
> nothing: it saw the updated unsigned zone, but never kicked off an event to 
> resign the signed data it was dishing out when asked, so the changes were
> not available.

I have been using inline signing successfully, but am using a different method 
to make changes to the unsigned data. My zone configuration contains 
"update-policy local;" and I have been using "nsupdate -l" to make changes to 
the unsigned zone. Nsupdate automatically increments the serial number on the 
SOA record in the unsigned zone. The signed zone typically has a different and 
higher serial number due to signing activity that occurs automatically, e.g. 
resigning a record with an expired signature.

With regard to "rndc reload" not working for you, see 
https://lists.isc.org/pipermail/bind-users/2011-November/085739.html. Per that 
message, try "rndc reload leadmon.org". Also verify that the UID under which 
the named process is running is the owner of the various zone data and journal 
files.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
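As an added illustration (not the list poster's own configuration), this is a named.conf zone stanza that combines inline signing with the "update-policy local;" method described above, so that the unsigned zone is changed through "nsupdate -l" rather than by editing the file. The zone name comes from the thread; the file paths, key directory and the "auto-dnssec maintain;" setting are assumptions for the example.

```conf
// Assumed example named.conf fragment: inline-signed zone updated via nsupdate -l.
options {
    directory "/var/named";            // assumed; must be writable by the named UID
    // Key used by "nsupdate -l"; generated by named at startup (path assumed).
    session-keyfile "/var/run/named/session.key";
};

zone "leadmon.org" {
    type master;
    // Unsigned zone data. named also maintains a .jnl journal beside it for
    // dynamic updates, and <file>.signed plus <file>.signed.jnl for the
    // signed copy, so the owner of all of these must be the named UID.
    file "leadmon.org.db";             // assumed filename
    key-directory "/var/named/keys";   // assumed; holds the KSK/ZSK key files

    // Keep the signed copy separate from the unsigned master file.
    inline-signing yes;
    // Let named add/remove DNSKEY records and re-sign as signatures expire.
    // This is why the signed zone's SOA serial runs ahead of the unsigned one.
    auto-dnssec maintain;

    // Accept dynamic updates only from the local session key (nsupdate -l).
    // nsupdate increments the unsigned SOA serial on every successful update.
    update-policy local;
};
```

Changes are then made with "nsupdate -l" (e.g. "update add host.leadmon.org. 3600 A 192.0.2.10" followed by "send"); the signed zone is re-signed automatically, and its serial is expected to differ from the unsigned one.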
