Removed the signing files: domain.com.* and re-ran the signing process with named not running.

With a new 'domain.com.signed' file created by the signing process and in the named.conf zone section:

file "domain.com.signed";

Started named and everything appears to be working fine.

https://dnssec-debugger.verisignlabs.com showing all green indicators!

Not all green at first, reloaded the browser and now all OK again.

Thanks muchly,

-kim

On Thu, Mar 29, 2018 at 6:24 PM, Kim Culhan <w8hd...@gmail.com> wrote:
>
> On Thu, Mar 29, 2018 at 5:17 PM, Douglas C. Stephens <steph...@ameslab.gov> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Kim,
>>
>> I run BIND 9.11 so this might or might not translate down to BIND 9.10.
>>
>> When this happens to me, I run "rndc zonestatus <zonename>" on it.
>> Then I look for the "serial:" and "signed serial:" values.
>
> Running rndc zonestatus <zonename>
>
> FWIW returns serial: and signed serial: which are not the same and are from
> 1 day ago.
>
>> Normally, you would be correct in only needing to increment the
>> unsigned SOA serial to at least +1 larger than the "serial:" value
>> shown by the above output. Sometimes, however, to make BIND load the
>> update, I need to increase the SOA serial in the unsigned zone file to
>> be higher than the SOA serial of the signed zone file. Then run "rndc reload
>> <zonename>".
>>
>> Another thing to check is whether you're actually checking the zone
>> serial of a slave instead of at the master BIND doing the signing. If
>> so, are they higher than the signed zone serial at your master?
>
> ATM there are 2 masters, I'm working on 1 now.
>
>> Also, something that looks odd to me compared with my live running
>> config is your "file" line. Does that "domain.com.signed" filespec
>> actually point to the BIND-maintained .signed file, or does it mean
>> something else? If the latter, then I would guess you have a
>> "domain.com.signed.signed" file alongside it which is the one
>> maintained by BIND.
>
> Yes, this is true: domain.com.signed.signed
>
>> I'm also using "auto-dnssec maintain" and "inline-signing yes", but my
>> zone "file" points to my unsigned zone file, while the .signed version
>> (and its .signed.jnl) is wholly created and maintained by BIND.
>
> I have those files but I don't know how to get BIND to maintain them.
>
> That appears to be the problem.
>
> This helps, I'm not sure where to go from here though.
>
> I've googled this for hours and keep thinking the solution is just another
> google away but just now I'm not so sure.
>
>> Hope this helps.
>
> This helps and thanks for replying to my post.
>
> -kim
>
>> On 3/29/2018 3:15 PM, Kim Culhan wrote:
>> > Some additional info here, from named.conf, dnssec config:
>> >
>> > options { directory "/var/named"; [lines omitted] dnssec-validation
>> > auto; managed-keys-directory "/var/named/keys";
>> >
>> > From the zone section:
>> >
>> > file "domain.com.signed"; key-directory "/var/named/keys/domain.com";
>> > auto-dnssec maintain; inline-signing yes;
>> >
>> > Zone file is in /var/named
>> >
>> > Sorry did not include this in the original post.
>> >
>> > thanks -kim
>> >
>> > --
>> >
>> > _______________________________________________
>> > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> > unsubscribe from this list
>> >
>> > bind-users mailing list
>> > bind-users@lists.isc.org
>> > https://lists.isc.org/mailman/listinfo/bind-users
>>
>> - --
>> Douglas C. Stephens | Network Systems Analyst
>> Enterprise Information Services | Phone: (515) 294-6102
>> Ames Laboratory, US DOE | Email: steph...@ameslab.gov
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v2.0.17 (MingW32)
>>
>> iEYEARECAAYFAlq9V+MACgkQ46phdn656QQGdgCfdyHd1QaeNvrF1v2p+yXqdqtE
>> pisAoIQPCgKPMKUJpP/mCLITTgP43+1P
>> =D7S2
>> -----END PGP SIGNATURE-----
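The two checks Douglas describes above, as an added example that is not part of the thread (it is not code from Kim, Douglas or ISC): with "inline-signing yes" the zone's "file" must name the unsigned zone, since BIND writes "<file>.signed" and "<file>.signed.jnl" itself, and an edited unsigned zone is only picked up on "rndc reload" once its SOA serial is above the "serial:" and "signed serial:" values that "rndc zonestatus" reports. The field labels are the ones quoted in the thread; the rest of the sample zonestatus output is constructed, and the zone name domain.com is the thread's placeholder.

```shell
#!/bin/sh
# Added example, not code from the bind-users thread. Helpers for the two
# checks discussed above: (1) the zone "file" must be the unsigned zone when
# inline signing is on, and (2) the unsigned SOA serial must be raised above
# both serials reported by "rndc zonestatus" before "rndc reload" takes it.
# Only the "serial:" and "signed serial:" labels come from the thread; the
# other lines of this sample are constructed and vary by BIND version.
SAMPLE_ZONESTATUS='name: domain.com
type: master
files: domain.com
serial: 2018032901
signed serial: 2018032905
secure: yes
inline signing: yes
key maintenance: automatic'

# Extract one "label: value" field from zonestatus text read on stdin.
zonestatus_field() {
  awk -F': ' -v label="$1" '$1 == label { print $2; exit }'
}

# Return 0 if the configured "file" path looks like the unsigned zone, 1 if
# it names the BIND-maintained signed copy (which makes BIND create a
# "<file>.signed.signed" alongside it, as happened in the thread).
zone_file_ok() {
  case "$1" in
    *.signed|*.signed.jnl) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the lowest SOA serial strictly above both the loaded unsigned serial
# and the signed serial. SOA serials wrap modulo 2^32 (RFC 1982); this helper
# assumes values far from wrap-around, as with YYYYMMDDnn serials.
min_safe_serial() {
  cur=$(printf '%s\n' "$1" | zonestatus_field serial)
  signed=$(printf '%s\n' "$1" | zonestatus_field 'signed serial')
  if [ "$signed" -gt "$cur" ]; then
    echo $((signed + 1))
  else
    echo $((cur + 1))
  fi
}

# Return 0 if the serial you put in the unsigned zone file ($1) still has to
# be raised before "rndc reload <zone>" will load it, given zonestatus text ($2).
needs_serial_bump() {
  [ "$1" -lt "$(min_safe_serial "$2")" ]
}

# Stand-alone run against the constructed sample. On a live signing master
# replace SAMPLE_ZONESTATUS with: status=$(rndc zonestatus domain.com)
zone_file_ok domain.com.signed || \
  echo 'file "domain.com.signed" names the signed copy; point "file" at the unsigned zone'
echo "lowest safe SOA serial for domain.com: $(min_safe_serial "$SAMPLE_ZONESTATUS")"
```

Run it on the master doing the signing, not on a slave: a slave's serials say nothing about what the inline signer has loaded.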