Re: DNSKEY and RRSIG DNSKEY TTL values aren't changed after changing of zone's TTL
Александр Остапенко wrote:

> Thanks for a workaround. But in this case - after "dnssec-settime -L ttl" I
> need to unsign/sign the zone (p.1 of the steps above) in order for the new
> TTL value to appear in the DNSKEY RRset ("service bind9 reload" or "rndc
> loadkeys" has no effect). But I would like to find a solution without the
> need of an unsigning/signing cycle.

You might be able to change the TTL using `nsupdate`, but I'm not confident
it'll work - the update has to delete all the DNSKEY records then re-add
them, so it might end up unsigning and resigning the zone. (If `named` can't
change the TTL directly and you do not have "dnssec-secure-to-insecure yes;"
the update will be rejected.)

The other option is to freeze the zone, manually edit the TTL in the signed
master file, then unfreeze.

Tony.
--
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
German Bight, Humber, Thames, Dover: Southwest 5 or 6, becoming variable 3
or 4 later. Slight or moderate. Rain, fair later. Moderate or good,
occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
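The "freeze, edit the TTL in the signed master file, thaw" option worked through, as an added example that is not from the thread or from BIND: a POSIX shell function that rewrites only the TTL of the DNSKEY RRset and of the RRSIG covering it in a text-format signed master file. It assumes the layout named and dnssec-signzone write (the TTL is the numeric field right before the type or its class, and a repeated owner name is left out), and the sample zone it runs on is constructed with placeholder key and signature data.

```shell
#!/bin/sh
# Added example (not from the thread or from BIND): the "freeze, edit the TTL
# in the signed master file, thaw" option. set_dnskey_ttl rewrites the TTL of
# every DNSKEY record and of the RRSIG covering DNSKEY; all other records pass
# through unchanged. Assumes the text layout named/dnssec-signzone produce:
# the TTL is the numeric field just before the type (or before the class "IN"),
# and a repeated owner name is left out, so the line starts with whitespace.

# set_dnskey_ttl ZONEFILE NEWTTL   -> rewritten zone on stdout
set_dnskey_ttl() {
    awk -v ttl="$2" '
    {
        # remember the indent: a line starting with a non-blank is an owner name,
        # so the indent must survive the field rewrite (awk rebuilds $0 without it)
        match($0, /^[ \t]*/); lead = substr($0, 1, RLENGTH)
        for (i = 1; i <= NF; i++) {
            if ($i == "DNSKEY" || ($i == "RRSIG" && $(i + 1) == "DNSKEY")) {
                t = i - 1
                if (t >= 1 && $t == "IN") t--
                if (t >= 1 && $t ~ /^[0-9]+$/) { $t = ttl; $0 = lead $0 }
                break
            }
        }
        print
    }' "$1"
}

# Constructed sample zone (placeholder key and signature data) in that layout;
# prints the path of a temporary file holding it.
sample_zone_file() {
    f=$(mktemp)
    printf '%s\n' \
'example.com.        3600    IN SOA  ns1.example.com. hostmaster.example.com. (' \
'                            2016080310 7200 3600 1209600 3600 )' \
'                    3600    RRSIG   SOA 13 2 3600 (' \
'                            20160921000000 20160822000000 12345 example.com.' \
'                            SIGNATURE-PLACEHOLDER= )' \
'                    3600    NS      ns1.example.com.' \
'                    3600    DNSKEY  256 3 13 (' \
'                            PUBLICKEY-PLACEHOLDER= ) ; ZSK; key id = 12345' \
'                    3600    RRSIG   DNSKEY 13 2 3600 (' \
'                            20160921000000 20160822000000 54321 example.com.' \
'                            SIGNATURE-PLACEHOLDER= )' \
'ns1.example.com.    3600    IN A    192.0.2.1' > "$f"
    echo "$f"
}

# Demo: lower the DNSKEY TTL to 300 and show the rewritten zone.
set_dnskey_ttl "$(sample_zone_file)" 300
```

Run it between `rndc freeze` and `rndc thaw` on the zone. Validators clamp a covered RRset's TTL to the Original TTL field of its RRSIG (RFC 4035, section 5.3.3), so an edit like this lowers the effective TTL immediately, while a higher one only takes full effect once the zone is re-signed.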
Re: Query on Bind Operations
Harshith Mulky wrote:

> Can max-cache-ttl be used on the client (client which supports bind) to
> override the default ttl time sent in response by Bind server for
> Positive Responses?

Yes.

Tony.
--
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Irish Sea: Southwest becoming cyclonic 4 or 5, occasionally 6 later. Slight
or moderate. Occasional rain, fog patches. Moderate or good, occasionally
very poor.
Re: creating IPv6 interface eth0 failed; interface ignored
Wolfgang Riedel wrote:

> not sure if this is a bug or a feature but had been scratching my head
> for months now running BIND on Fedora22-24 and all the time I did a
> reboot BIND didn't come up and I needed to restart the process to get it
> running. After some googling around I realized that I am not alone with
> this but there has never been a clear solution beside some proposals to
> change the sequence of IPv4/IPv6 entries within ifcfg which didn't work
> for me.

Do you have an explicit listen-on directive in your named.conf? Does named
start more reliably if you have no listen-on directive, so that it listens
on all the interfaces that are available?

Named will use the routing socket to learn about interface reconfiguration,
so if systemd starts named before systemd has finished bringing up the
interfaces, named should be able to add the v6 sockets when they appear (I
hope).

Alternatively, maybe you could add something to the ExecStartPre in the unit
file to poll `ip addr show` until all the expected interface addresses are
present, so that named doesn't start until the rest of the system has
untangled its legs.

http://cdn.gifbay.com/2013/07/baby_giraffe_first_steps-61661.gif

Tony.
--
f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
Tyne, Dogger: Southwest 5 or 6, veering west 4 or 5. Slight or moderate.
Rain or showers. Good, occasionally poor.
Re: creating IPv6 interface eth0 failed; interface ignored
On 22/08/16 13:07, Tony Finch wrote:

> Alternatively, maybe you could add something to the ExecStartPre in the unit
> file to poll `ip addr show` until all the expected interface addresses are
> present, so that named doesn't start until the rest of the system has
> untangled its legs.

I've run into similar things. We have a listen-on, and named gets started
after the network. However, the IPv6 addresses go through the "tentative"
state for a few seconds and can't be listened on during that phase. Our
local sysvinit script has this in it:

    if [ -x /sbin/ip ]; then
        # hold off for a few seconds if any
        # IPv6 addresses are tentative / in DAD
        for attempt in 1 2 3 4; do
            /sbin/ip -6 addr | grep -q tentative
            if [ $? -ne 0 ]; then
                break
            fi
            sleep 2
        done
    fi

Yes, yes I know :o(
Re: Query on Bind Operations
In article , Harshith Mulky wrote:

> Hello Experts,
>
> Can max-cache-ttl be used on the client (client which supports bind) to
> override the default ttl time sent in response by Bind server for
> Positive Responses?

That's the only place where it can be used. The authoritative server doesn't
have the records in cache, it's loaded permanently.

--
Barry Margolin
Arlington, MA
a question about the serial
Hello!

In a zone I set up

    update-policy local;
    auto-dnssec maintain;
    inline-signing yes;

After reloading or stopping and starting the serial is not changed and
shows a value serial 2016080310.

Why is the serial not updated?

Regards

  Andreas
Re: a question about the serial
Andreas Meyer wrote on 22.08.16 at 23:57:20:

> Hello!
>
> In a zone I set up
>
>     update-policy local;
>     auto-dnssec maintain;
>     inline-signing yes;
>
> After reloading or stopping and starting the serial is not changed
> and shows a value serial 2016080310.
>
> Why is the serial not updated?

I found out that the signed zone is not updated with a reload or restart of
bind9 but with a rndc reload it is.

Alright then!

Greetings

  Andreas
Re: a question about the serial
Andreas Meyer wrote on 23.08.16 at 00:18:02:

> > After reloading or stopping and starting the serial is not changed
> > and shows a value serial 2016080310.
> >
> > Why is the serial not updated?
>
> I found out that the signed zone is not updated with a reload or
> restart of bind9 but with a rndc reload it is.

No, it is not :(

  Andreas
Re: a question about the serial
In message <20160823015248.02edc3f2@workstation.bitcorner.intern>, Andreas
Meyer writes:

> Andreas Meyer wrote on 23.08.16 at 00:18:02:
>
> > > After reloading or stopping and starting the serial is not changed
> > > and shows a value serial 2016080310.
> > >
> > > Why is the serial not updated?
> >
> > I found out that the signed zone is not updated with a reload or
> > restart of bind9 but with a rndc reload it is.
>
> No, it is not :(
>
> Andreas

The inline serial is mostly independent of the raw zone file.

BIND 9.11 has:

    rndc signing -serial zone [class [view]]

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org