Eventually got down to some experimenting again.
These are observations - which may help others.

I followed example 1 of Evan Hunt's
https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html
(I'm using bind 9.9.1)

I did change the name of the zone and didn't bother with
"allow-transfer", using the default behaviour of BIND instead (the
NS records in the zone).

I first created the zone and got it working as normal between two
machines (on the same LAN, etc.). This works fine: add a record to the
first zone, bump the SOA serial, rndc reload, and the slave gets the
update NOTIFY.

I then went through the example and added automatic DNSSEC.

The slave no longer seems to get NOTIFY. I had to stop, remove the
saved slave file, and restart the slave to force the transfer.

Initially, making a change to the unsigned zone works.
(Edit unsigned, add data, bump SOA by one, save, rndc reload)
Log:  03-Jun-2012 17:23:35.941 general: info: zone yellowbutton.co.za/IN
(signed): serial 2012060307 (unsigned 2012060304)

I didn't like the fact that the unsigned serial (which I manage) was
lower than that of the signed zone. Making it bigger than the signed
zone's version appears to have gotten the zones back in sync; however,
the slave is still not getting any NOTIFYs (and has not yet caught up).
I also expect that in the future, any 'magic bind key-signing' may also
de-sync my unsigned zone's concept of the current SOA serial as well.

It's the apparent lack of NOTIFYs that's really bugging me. I did modify
the secondary zone config in named.conf and added
"masterfile-format text;", which saves the zone in nice, easy to debug,
ASCII.
Is the NOTIFY from 'inline-signing' zones currently broken?


-- 
  .  .     ___. .__      Posix Systems - (South) Africa
 /| /|       / /__       m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496

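The serial mismatch the post reports ("serial 2012060307 (unsigned 2012060304)") is easy to miss when scanning a busy named log by eye. Below is an added example, not part of the original post or of BIND, that pulls those inline-signing log lines out of a log and classifies each zone as signed-ahead, in-sync or unsigned-ahead, comparing serials with RFC 1982 serial-number arithmetic so that a wrapped serial is still compared correctly. The log-line format is taken from the line quoted in the post; the sample log itself, the zone example.test and the wraparound values are constructed for the example.

```python
import re
from typing import Dict, List, NamedTuple

SERIAL_MOD = 1 << 32          # SOA serials are unsigned 32-bit values
SERIAL_HALF = 1 << 31         # RFC 1982 comparison threshold

# Matches the line named(8) logs for an inline-signed zone, as quoted in the post:
#   general: info: zone yellowbutton.co.za/IN (signed): serial 2012060307 (unsigned 2012060304)
INLINE_SIGNING_RE = re.compile(
    r"zone (?P<zone>\S+)/IN \(signed\): serial (?P<signed>\d+) \(unsigned (?P<unsigned>\d+)\)"
)


class ZoneSerials(NamedTuple):
    zone: str
    signed: int      # serial of the zone BIND publishes (signed copy)
    unsigned: int    # serial of the file the operator edits (unsigned copy)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is 'greater than' serial b under RFC 1982 arithmetic.

    Equal serials, and the undefined case where they differ by exactly 2^31,
    return False.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


def parse_log(text: str) -> List[ZoneSerials]:
    """Extract (zone, signed serial, unsigned serial) from every matching log line."""
    entries = []
    for line in text.splitlines():
        m = INLINE_SIGNING_RE.search(line)
        if m:
            entries.append(ZoneSerials(m.group("zone"),
                                       int(m.group("signed")),
                                       int(m.group("unsigned"))))
    return entries


def classify(entry: ZoneSerials) -> str:
    """Describe how the two serials of an inline-signed zone relate."""
    if entry.signed == entry.unsigned:
        return "in-sync"
    if serial_gt(entry.unsigned, entry.signed):
        return "unsigned-ahead"   # the operator's file has overtaken the published zone
    return "signed-ahead"         # normal for inline signing: BIND bumped the signed copy


def latest_status(entries: List[ZoneSerials]) -> Dict[str, str]:
    """Keep only the most recent log line per zone (the log is in time order)."""
    status: Dict[str, str] = {}
    for entry in entries:
        status[entry.zone] = classify(entry)
    return status


# Constructed sample log. The first line is the one quoted in the post; the
# others, including the wrapped serial for example.test, are made up for the example.
SAMPLE_LOG = """\
03-Jun-2012 17:23:35.941 general: info: zone yellowbutton.co.za/IN (signed): serial 2012060307 (unsigned 2012060304)
03-Jun-2012 18:02:11.010 general: info: zone yellowbutton.co.za/IN (signed): serial 2012060310 (unsigned 2012060310)
03-Jun-2012 18:05:40.512 general: info: zone example.test/IN (signed): serial 4294967295 (unsigned 2)
03-Jun-2012 18:06:00.000 general: info: received control channel command 'reload'
"""

if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f"{entry.zone}: signed={entry.signed} unsigned={entry.unsigned} -> {classify(entry)}")
    print(latest_status(parse_log(SAMPLE_LOG)))
```

Run it against a real named log (`python3 check_serials.py < /var/log/named.log` after swapping SAMPLE_LOG for stdin) to see, per zone, whether the unsigned file you edit has been bumped past the serial BIND is actually serving; a zone in the "unsigned-ahead" state is the situation the post describes after the manual bump.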