The configuration below is for a bind 9.9.0rc3 server named nsb0s providing inline signing service for a hidden master nsb0 and slaves nsb1 and nsb2. The latter three are running bind10-devel-20120119. Nsb1 and nsb2 are also known as ns1.jaspain.net and ns2.jaspain.net.
In an effort to test the response of these systems to a zone update, I incremented the serial number for the unsigned zone jaspain.biz on server nsb0 and reloaded the zone data. The current SOA for jaspain.biz on nsb0 is:

    jaspain.biz. 3600 IN SOA ns1.jaspain.net. hostmaster.countryday.net. 2012013003 86400 3600 1209600 3600

Unfortunately bind10 is not sending notifies properly, so I restarted bind9 on nsb0s in an attempt to have it check for updates itself. On nsb0s, the unsigned zone jaspain.biz is not being updated. 'named-checkzone -f raw -F text -o - -j jaspain.biz jaspain.biz.db' shows in part:

    jaspain.biz. 3600 IN SOA ns1.jaspain.net. hostmaster.countryday.net. 2012013001 86400 3600 1209600 3600
    jaspain.biz. 3600 IN NS ns1.jaspain.net.
    jaspain.biz. 3600 IN NS ns2.jaspain.net.

After restarting bind9 on nsb0s, I see the following related log entries:

    Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (unsigned): loaded serial 2012013001
    Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (signed): loaded serial 2012013004 (DNSSEC signed)
    Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (signed): receive_secure_serial: unchanged
    Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (signed): reconfiguring zone keys
    Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (signed): next key event: 21-Feb-2012 11:27:27.248
    Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (signed): sending notifies (serial 2012013004)

Using tcpdump, I don't see any communication between nsb0s and nsb0 in the aftermath of the restart. I also tried 'rndc retransfer jaspain.biz', which resulted in the following error message:

    rndc: 'retransfer' failed: not found

Thanks for any suggestions about further troubleshooting steps or errors that you may see in the nsb0s configuration, which follows.

Regards,
Jeff.

acl transferees {
    2001:4870:20ca:a:dc72:3ddd:1cbc:5ef0;    // noc1.countryday.net
    2001:4870:20ca:200:940a:afef:ba57:ff15;  // jaspain.countryday.net
    2001:4870:20ca:158:4423:f19d:4ead:5c20;  // nsb1.countryday.net
    2001:4870:20ca:9:1890:f431:72c9:caaf;    // nsb2.countryday.net
};

options {
    directory "/var/cache/bind";
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    version none;
    recursion no;
    notify explicit;
    allow-transfer { transferees; };
};

key nsb0-nsb0s {
    algorithm hmac-sha256;
    secret "<base64 key>";
};

key nsb0s-nsb1 {
    algorithm hmac-sha256;
    secret "<base64 key>";
};

key nsb0s-nsb2 {
    algorithm hmac-sha256;
    secret "<base64 key>";
};

server 2001:4870:20ca:158:14ff:7695:9632:e9ec {
    keys { nsb0-nsb0s; };
};

server 2001:4870:20ca:158:4423:f19d:4ead:5c20 {
    keys { nsb0s-nsb1; };
};

server 2001:4870:20ca:9:1890:f431:72c9:caaf {
    keys { nsb0s-nsb2; };
};

zone "jaspain.biz" {
    type slave;
    file "/var/cache/bind/jaspain.biz.db";
    masters {
        2001:4870:20ca:158:14ff:7695:9632:e9ec;  // nsb0.countryday.net
    };
    also-notify {
        2001:4870:20ca:158:4423:f19d:4ead:5c20;  // nsb1.countryday.net
        2001:4870:20ca:9:1890:f431:72c9:caaf;    // nsb2.countryday.net
    };
    key-directory "/var/lib/bind/jaspain.biz";
    auto-dnssec maintain;
    inline-signing yes;
};

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
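
Added example, not part of the original message and not code from BIND: a small Python check that reads the "loaded serial" log lines of an inline-signed zone and compares the signer's unsigned copy with the master's SOA serial using RFC 1982 serial arithmetic. The log lines and SOA record are copied from the message above; the function names are hypothetical.

```python
import re

# Log lines and SOA record copied from the message above.
LOG = """\
Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (unsigned): loaded serial 2012013001
Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (signed): loaded serial 2012013004 (DNSSEC signed)
Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (signed): receive_secure_serial: unchanged
Feb 21 10:27:27 nsb0s named[30314]: zone jaspain.biz/IN (signed): sending notifies (serial 2012013004)
"""
MASTER_SOA = ("jaspain.biz. 3600 IN SOA ns1.jaspain.net. hostmaster.countryday.net. "
              "2012013003 86400 3600 1209600 3600")

LOADED = re.compile(r"zone (\S+)/IN \((unsigned|signed)\): loaded serial (\d+)")

def serial_lt(a, b):
    """RFC 1982 comparison of 32-bit SOA serials: True if a is older than b."""
    return a != b and ((b - a) % 2**32) < 2**31

def loaded_serials(log_text):
    """Return {zone: {"unsigned": n, "signed": n}} from 'loaded serial' lines.
    Later lines overwrite earlier ones, so the most recent load wins."""
    zones = {}
    for m in LOADED.finditer(log_text):
        zones.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return zones

def soa_serial(soa_line):
    """The serial is the third RDATA field after 'SOA' (mname, rname, serial)."""
    fields = soa_line.split()
    return int(fields[fields.index("SOA") + 3])

def stale_unsigned(log_text, zone, master_soa):
    """True when the signer's unsigned copy is older than the master's SOA.
    Only the unsigned serial is compared: the signed serial is maintained by
    the signer and can legitimately run ahead of the master's."""
    unsigned = loaded_serials(log_text)[zone]["unsigned"]
    return serial_lt(unsigned, soa_serial(master_soa))

if __name__ == "__main__":
    s = loaded_serials(LOG)["jaspain.biz"]
    print("unsigned", s["unsigned"], "signed", s["signed"],
          "master", soa_serial(MASTER_SOA))
    print("unsigned copy stale:", stale_unsigned(LOG, "jaspain.biz", MASTER_SOA))
```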