In message <[email protected]>, Mathew Ian Eis writes:
> Isn't auto-dnssec maintain; (which we have enabled) supposed to
> effectively do the same thing as rndc sign zone?

auto-dnssec maintain assumes a sane clock. "rndc sign zone" forces the
zone to be fully re-signed now irrespective of when the records are
due for re-signing.

> Mathew Eis
> Northern Arizona University
> Information Technology Services
>
> -----Original Message-----
> From: Mark Andrews <[email protected]>
> Date: Thursday, February 25, 2016 at 5:14 PM
> To: Mathew Eis <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: Re: force re-sign of individual host record?
>
> >
> >"rndc sign zone class view" should do it.
> >
> >In message <[email protected]>, Mathew Ian Eis writes:
> >> Hi BIND,
> >>
> >> Anyone know if there is a good way to force named to resign a single host
> >> record? (e.g. without generating new ZSKs, etc.?)
> >>
> >> An ntp glitch recently caused our master nameserver to jump many hours
> >> into the future, whereupon it began issuing invalid (to the world) RRSIGs
> >> with an inception time many hours into the future.
> >>
> >> After correcting the server time, named's signature rollover algorithm
> >> didn't pick up on the fact that there were invalid RRSIGs (even after
> >> restarting the named process), so we were left with manually repairing
> >> them.
> >>
> >> We ended up modifying the TTLs (thus forcing named to update the RRSIGs),
> >> and then restoring the TTLs to their previous state.
> >>
> >> It seems like there should be a better way - was that the "best" approach?
> >> ( Even better, it seems like named could automagically correct for this
> >> particular problem if we can put it on the wishlist ;-) )
> >>
> >> Thoughts?
> >>
> >> Thanks in advance,
> >>
> >> Mathew Eis
> >> Northern Arizona University
> >> Information Technology Services
> >>
> >
> >--
> >Mark Andrews, ISC
> >1 Seymour St., Dundas Valley, NSW 2117, Australia
> >PHONE: +61 2 9871 4742 INTERNET: [email protected]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
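
Added example, not part of the original thread: a small checker that reads RRSIG lines in presentation format (as printed by dig +dnssec) and flags signatures whose inception lies in the future or that have expired, which is the condition the thread describes after the clock jump. The zone names, key tag, signatures and the 5-minute skew tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like `dig +dnssec` answer lines; names, key tag
# and (shortened) signatures are made up for illustration.
SAMPLE = """\
www.example.org. 3600 IN A 192.0.2.10
www.example.org. 3600 IN RRSIG A 8 3 3600 20160326180000 20160225180000 12345 example.org. c2lnMQ==
mail.example.org. 3600 IN RRSIG A 8 3 3600 20160327090000 20160226090000 12345 example.org. c2lnMg==
old.example.org. 3600 IN RRSIG A 8 3 3600 20160220000000 20160121000000 12345 example.org. c2lnMw==
"""

def parse_time(field):
    """RRSIG times are YYYYMMDDHHmmSS (UTC) or seconds since the epoch (RFC 4034)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def check_rrsigs(text, now, skew=timedelta(minutes=5)):
    """Return (owner, covered_type, problem) for each RRSIG not valid at `now`.

    `now` must come from a clock you trust, not from the signer that may
    have drifted. `skew` is an assumed tolerance for validator clock error.
    """
    findings = []
    for line in text.splitlines():
        f = line.split()
        # owner TTL class RRSIG covered alg labels origttl expiration inception tag signer sig
        if len(f) < 13 or f[3] != "RRSIG":
            continue
        owner, covered = f[0], f[4]
        expiration, inception = parse_time(f[8]), parse_time(f[9])
        if inception > now + skew:
            findings.append((owner, covered, "inception in the future"))
        elif expiration < now - skew:
            findings.append((owner, covered, "expired"))
    return findings

if __name__ == "__main__":
    # Constructed "true" time shortly after the signer's clock was corrected.
    trusted_now = datetime(2016, 2, 26, 1, 0, tzinfo=timezone.utc)
    for owner, covered, problem in check_rrsigs(SAMPLE, trusted_now):
        print(f"{owner} {covered}: {problem}")
```

Run against answers collected from outside the signer, this gives the list of owner names whose signatures still need replacing after the clock has been fixed.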

