Ok, thanks.
On Fri, Dec 14, 2018 at 11:16 AM Mark Andrews wrote:
> inline-signing is optional. It all depends on how you want to maintain
> the zone.
>
> I prefer doing all the changes over nsupdate. Not editing the master file
> by hand
> removes a set of operator errors.
>
> Mark
>
> > On 14
inline-signing is optional. It all depends on how you want to maintain the
zone.
I prefer doing all the changes over nsupdate. Not editing the master file by
hand
removes a set of operator errors.
Mark
> On 14 Dec 2018, at 12:07 pm, Edwardo Garcia wrote:
>
> Yes, I did.
>key-direc
Yes, I did.
key-directory "keys/";
inline-signing yes; <- is this not required ?
auto-dnssec maintain;
On Fri, Dec 14, 2018 at 11:05 AM Mark Andrews wrote:
> Sounds like you added inline-signing yes;
>
> > On 14 Dec 2018, at 12:02 pm, Edwardo Garcia wrote:
> >
Sounds like you added inline-signing yes;
> On 14 Dec 2018, at 12:02 pm, Edwardo Garcia wrote:
>
> I have answered my own question, yes it does, thank you! (after removing the
> .signed in named.conf, else auto signing does .signed.signed :-)
>
> Thank you Mark!
>
> On Fri, Dec 1
You use nsupdate to make the changes to the zone.
nsupdate -k Kcorp…
update add …
update del …
send
There is also contrib/zone-edit which transfers a copy of the zone from
the server, allows you to edit it, generates a delta and then applies
that via nsupdate.
There are other tools that do simil
I have answered my own question, yes it does, thank you! (after removing
the .signed in named.conf, else auto signing does .signed.signed
:-)
Thank you Mark!
On Fri, Dec 14, 2018 at 10:50 AM Edwardo Garcia wrote:
> That seems simpler than what we once tried, OK we add that now. Thanks.
That seems simpler than what we once tried, OK we add that now. Thanks.
And if we need to modify the zone file itself to make a change, rndc reload
will do all this or do we need to
dnssec-signzone -a -e +secondshere -K keys/ -N INCREMENT xxx.com
freeze/thaw? etc like for new zone?
On Fri, De
And make sure named knows where the keys are "key-directory ;"
> On 14 Dec 2018, at 11:42 am, Mark Andrews wrote:
>
> auto-dnssec maintain;
>
>> On 14 Dec 2018, at 11:39 am, Edwardo Garcia wrote:
>>
>>
>> zone ".com" {
>>type master;
>>allow-transfer { sysops; slaves;
auto-dnssec maintain;
> On 14 Dec 2018, at 11:39 am, Edwardo Garcia wrote:
>
>
> zone ".com" {
> type master;
> allow-transfer { sysops; slaves; };
> file "xx.signed";
> allow-query { any; };
> allow-update { key "corp"; };
> };
>
> Thi
zone ".com" {
    type master;
    allow-transfer { sysops; slaves; };
    file "xx.signed";
    allow-query { any; };
    allow-update { key "corp"; };
};
This is what we use now, so by dynamic update we are doing yes?
And now we need just have named do automa
The best way is to configure your zone for dynamic updates and let named
automatically resign the zone as needed.
> On 14 Dec 2018, at 11:13 am, Edwardo Garcia wrote:
>
> Hi,
> What is the best practice for signing/re-signing zones with journal?
>
> We manually resign our domain, and use journal
Hi,
What is the best practice for signing/re-signing zones with journal?
We manually resign our domain, and use journaling, resigning is a PIA.
If we forget to thaw, the zone bails and stays unloaded because journal
roll forward error, which brings the question why? since resolution to this
is stop