On 02/07/2023 12:27, Matthias Fechner wrote:
I have the following problem: changes in a zone file do not become active, no matter whether I reload the zone using rndc or restart bind 9.16.42 on FreeBSD. If I update a zone, I edit the zone file, adapt the serial in the SOA and normally do an rndc reload fechner.net.

The nameserver is more or less setup like it is described here:
https://wiki.idefix.fechner.net/freebsd/bind/

The zone files for the domain fechner.net are in the directory: /usr/local/etc/namedb/master/fechner.net

It is not a dynamic zone file, or rather, I cannot freeze it:
  rndc freeze fechner.net
rndc: 'freeze' failed: not dynamic

But if I delete the files:
fechner.net.jbk
fechner.net.signed.jnl

and restart bind, zone changes are correctly loaded and I can see an increased serial in:
dig -t soa fechner.net.

It would be nice if someone could explain to me how I need to edit a zone file that has a dnssec-policy attached so that modifications become active, without the need to delete the *.[jbk|jnl] files.


Personally, I maintain zone files with DNSSEC signing on FreeBSD using the dns/p5-DNS-nsdiff port, which is a Perl module written by Tony Finch -- someone well known on this list.

You can keep your zone files in git or whatever code repository suits you. nsdiff will compare what's live in your DNS zone against what's in your updated zone file and generate a script for nsupdate(1) to make the former match the latter.

You'll need to configure appropriate levels of access for nsupdate(1). That can be from pretty much any machine given you set up zone policies and distribute keys appropriately. Although if you run nsdiff directly on your primary DNS machine, you should be able to use the built-in /var/run/named/session.key with a per-zone policy like:

```
         update-policy {
             grant local-ddns zonesub any;
         };
```

See the '-l' flag to nsupdate(1).

        Cheers,

        Matthew
--
Dr Matthew J Seaman
1 Newland St, Eynsham, Witney, OXON, 0X29 4LB
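To make the nsdiff workflow Matthew describes concrete, here is an added, much simplified stand-in written for this page (not nsdiff itself, and not code from either poster): it diffs the live zone against the edited file and emits the nsupdate(1) commands that would be piped into `nsupdate -l` on the primary. The zone name example.net, the records and the RRSIG line are constructed sample data; real nsdiff handles far more of the zone file syntax than this.

```python
"""Added, simplified stand-in for nsdiff: diff the live zone (as dumped by a
zone transfer) against the edited file and emit nsupdate(1) commands."""
# Constructed sample data for the placeholder zone example.net.
LIVE = """\
example.net. 3600 IN SOA ns1.example.net. hostmaster.example.net. 2023070101 3600 900 1209600 300
example.net. 3600 IN NS ns1.example.net.
example.net. 3600 IN RRSIG NS 13 2 3600 20230801000000 20230701000000 12345 example.net. cOnStRuCtEd==
www.example.net. 300 IN A 192.0.2.10
"""
EDITED = """\
$ORIGIN example.net.
$TTL 3600
@ 3600 IN SOA ns1.example.net. hostmaster.example.net. 2023070102 3600 900 1209600 300
@ 3600 IN NS ns1.example.net.
www 300 IN A 192.0.2.11
mail 300 IN MX 10 mx1.example.net.
"""
# Server-owned: the SOA serial is bumped on each dynamic update and the
# dnssec-policy signer maintains signatures and the NSEC chain itself.
SKIP = {"SOA", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

def parse_zone(text, origin):
    """Set of (owner, ttl, type, rdata) from 'owner ttl IN type rdata' lines."""
    rrs = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):  # $ORIGIN/$TTL not needed here
            continue
        owner, ttl, cls, rtype, *rdata = line.split()
        if cls != "IN" or rtype in SKIP:
            continue
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"  # make relative owner names absolute
        rrs.add((owner, int(ttl), rtype, " ".join(rdata)))
    return rrs

def nsupdate_script(live, edited, zone):
    """Deletes for records gone from the file, adds for new ones; pipe the
    result into `nsupdate -l` on the primary (session.key authentication)."""
    old, new = parse_zone(live, zone), parse_zone(edited, zone)
    lines = [f"zone {zone}"]
    for owner, ttl, rtype, rdata in sorted(old - new):
        lines.append(f"update delete {owner} {ttl} IN {rtype} {rdata}")
    for owner, ttl, rtype, rdata in sorted(new - old):
        lines.append(f"update add {owner} {ttl} IN {rtype} {rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"
```

Because the update goes through the dynamic-update path, named applies it to the signed zone and journal itself, which is why the .jbk/.jnl files no longer need to be deleted by hand.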
