Re: How to update zone with dnssec-policy

Sun, 02 Jul 2023 06:42:27 -0700 

On 02/07/2023 12:27, Matthias Fechner wrote:
I have the following problem that changes in a zone file do not get active, no matter if I reload the zone using rndc or restarting bind 9.16.42 on FreeBSD. If I update a zone I edit the zone file, adapt the serial in the SOA and normally do a rndc reload fechner.net. 

The nameserver is more or less setup like it is described here:
https://wiki.idefix.fechner.net/freebsd/bind/


The zonefile for domain fechner.net are in directory: 
/usr/local/etc/namedb/master/fechner.net


It is not a dynamic zone file or better I cannot freeze it:
  rndc freeze fechner.net
rndc: 'freeze' failed: not dynamic

But if I delete the files:
fechner.net.jbk
fechner.net.signed.jnl


and restart bind, zone changes are correctly loaded and I can see an 
increased serial in:

dig -t soa fechner.net.


Would be nice if someone can explain me, how I need to edit a zone file, 
that has a dnssec-policy attached that modification get active, without 
the need to delete the `*.[jbk|jnl] files.





Personally, I maintain zone files with DNSSEC signing on FreeBSD using 
the dns/p5-DNS-nsdiff port, which is a perl module written by Tony Finch 
-- someone well known on this list.



You can keep your zone files in git or whatever code repository suits 
you. nsdiff will compare what's live in your DNS zone against whats in 
your updated zone file and generate a script for nsupdate(1) to make the 
former match the latter.



You'll need to configure appropriate levels of access for nsupdate(1). 
That can be from pretty much any machine given you set up zone policies 
and distribute keys appropriately. Although if you run nsdiff directly 
on your primary DNS machine, you should be able to use the built-in 
/var/run/named/session.key with a per-zone policy like:


```
         update-policy {
             grant local-ddns zonesub any;
         };
```

See the '-l' flag to nsupdate(1)

        Cheers,

        Matthew




--
Dr Matthew J Seaman
1 Newland St, Eynsham, Witney, OXON, 0X29 4LB



Attachment:
OpenPGP_signature

Description: OpenPGP digital signature


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to