On 2/19/14, 8:59 PM, Chris Thompson wrote:
> What is the right way ... or maybe I should be asking IS there a right
> way ... to change a zone that has been signed by inline signing (i.e. with
> "inline-signing yes; auto-dnssec maintain;" in its zone statement) to
> unsigned?
>
> When I change the zone statement to remove the inline signing part, and
> update the SOA serial in the zone file for good measure, and then do
> either "rndc reload" or "rndc reconfig", I get messages like
>
> named[22954]: general: error: zone playground.test/IN:
> journal rollforward failed: journal out of sync with zone
> named[22954]: general: error: zone playground.test/IN:
> not loaded due to errors.
>
> and the zone goes into SERVFAIL state.
>
> The only way I found out of this was to remove the [zone-file].signed
> and [zone-file].signed.jnl files manually, and *then* do "rndc reconfig".
> Surely there must be something better than that?
>
Have you tried setting "dnssec-secure-to-insecure" then setting all of the keys to deleted?

AlanC