On Fri, Nov 18, 2011 at 11:57:51PM +, Spain, Dr. Jeffry A. wrote:
> I'd like to ask for clarification on the operational issue stated below.
> Suppose there are no current changes to an inline-signed master zone,
> i.e. myzone.db.signed timestamp is later than myzone.db timestamp. In
> this cir
painj=countryday@lists.isc.org] On Behalf Of
Evan Hunt
Sent: Friday, November 11, 2011 12:48 PM
To: Adam Tkac
Cc: bind-users@lists.isc.org
Subject: Re: OT: Bind 9.9.0B1 Inline-Signing Question
I should mention that there is a known operational issue in the current
version of inline-signing that you s
well
as keeping everyone up to date on the issue.
Thanks,
-Kevin
Kevin McConville
University at Albany
-Original Message-
From: Evan Hunt [mailto:e...@isc.org]
Sent: Thursday, November 17, 2011 2:15 PM
To: McConville, Kevin
Cc: bind-users@lists.isc.org
Subject: Re: Bind 9.9.0B1 I
> Thank you for responding. Unfortunately, it seems that the journal file
> isn't getting updated when we manually edit/increment the static zone
> file. The time/date stamps are off - both ualbanytest.org.db.signed and
> ualbanytest.org.db.signed.jnl show Nov 16 while the static zone file
> ualban
From: Evan Hunt [mailto:e...@isc.org]
Sent: Thursday, November 17, 2011 12:27 PM
To: McConville, Kevin
Cc: bind-users@lists.isc.org
Subject: Re: Bind 9.9.0B1 Inline-Signing Question
> We edit the static zone, adding a resource record (of any type),
> increment the serial, and then do a rnd
> We edit the static zone, adding a resource record (of any type),
> increment the serial, and then do a rndc reload. However, Bind is still
> looking at the previous dnssec signed file - it's not picking up the new
> records. Another strange thing is that using the auto-dnssec maintain
> option,
First off, Thank you to all who responded/helped in my previous post - this
list is a wonderful community. The inline-signing is now working...sort of.
We edit the static zone, adding a resource record (of any type), increment the
serial, and then do a rndc reload. However, Bind is still looking
> I have just one question, what should inline-zone admin do? I assume
> that named automatically regenerates & removes expired RRSIGs so is it
> sufficient to put new KSK and ZSK to the key-directory when needed and
> revoke older ones? Thanks for your answer in advance.
Yes, it will keep RRSIGs
> So the error being logged isn't really an error, it just looks like
> one; we should probably see about silencing it.
The error is indeed confusing, maybe it should say "not yet signed" ?
11-Nov-2011 12:32:35.838 zone inline.aa/IN/internal (unsigned): loaded serial 2
11-Nov-2011 12:32:35.838 zo
On 11/10/2011 11:16 PM, Evan Hunt wrote:
>> I know that this isn't the forum for betas
> Sure it is. :)
>
>> We have been testing with the alphas and now with the beta. What we are
>> seeing is that whenever named starts, it initially creates the signed
>> static zone file, but never really finishe
> I know that this isn't the forum for betas
Sure it is. :)
> We have been testing with the alphas and now with the beta. What we are
> seeing is that whenever named starts, it initially creates the signed
> static zone file, but never really finishes.
What do you mean by "never really finishes"
Do you see that each time named starts or just on the first load of the zone?
What happens if you send a query to the server with dig +dnssec?
On Nov 10, 2011, at 14:23, "McConville, Kevin" wrote:
> I know that this isn’t the forum for betas, which is why I put off-topic on
> the subject li
I know that this isn't the forum for betas, which is why I put off-topic on the
subject line. We are trying to implement DNSSEC for our static zones. While
the dynamic signing has been automated, static inline-signing isn't available
until Bind 9.9
We have been testing with the alphas and now