Hi,
What is the best practice for signing/re-signing zones with journal?
We manually re-sign our domain and use journaling; re-signing is a PIA.
If we forget to thaw, the zone bails and stays unloaded because of a journal
roll-forward error, which brings the question why, since the resolution to this
is stop
The best way is to configure your zone for dynamic updates and let named
automatically re-sign the zone as needed.
> On 14 Dec 2018, at 11:13 am, Edwardo Garcia wrote:
>
> Hi,
> What is the best practice for signing/re-signing zones with journal?
>
> We manually re-sign our domain, and use journal
zone ".com" {
type master;
allow-transfer { sysops; slaves; };
file "xx.signed";
allow-query { any; };
allow-update { key "corp"; };
};
This is what we use now, so by dynamic update we are doing it already, yes?
And now we just need to have named do automa
auto-dnssec maintain;
> On 14 Dec 2018, at 11:39 am, Edwardo Garcia wrote:
>
>
> zone ".com" {
>     type master;
>     allow-transfer { sysops; slaves; };
>     file "xx.signed";
>     allow-query { any; };
>     allow-update { key "corp"; };
> };
>
> Thi
And make sure named knows where the keys are "key-directory ;"
> On 14 Dec 2018, at 11:42 am, Mark Andrews wrote:
>
> auto-dnssec maintain;
>
>> On 14 Dec 2018, at 11:39 am, Edwardo Garcia wrote:
>>
>>
>> zone ".com" {
>>     type master;
>>     allow-transfer { sysops; slaves;
That seems simpler than what we once tried; OK, we will add that now. Thanks.
And if we need to modify the zone file itself to make a change, will rndc reload
do all this, or do we need to
dnssec-signzone -a -e +secondshere -K keys/ -N INCREMENT xxx.com
freeze/thaw, etc., like for a new zone?
On Fri, De
I have answered my own question: yes it does, thank you! (After removing
the .signed in named.conf, else auto signing does .signed.signed
:-)
Thank you Mark!
On Fri, Dec 14, 2018 at 10:50 AM Edwardo Garcia wrote:
> That seems simpler than what we once tried; OK, we will add that now. Thanks.
You use nsupdate to make the changes to the zone.
    nsupdate -k Kcorp…
    update add …
    update del …
    send
There is also contrib/zone-edit which transfers a copy of the zone from
the server, allows you to edit it, generates a delta and then applies
that via nsupdate.
There are other tools that do simil
Sounds like you added inline-signing yes;
> On 14 Dec 2018, at 12:02 pm, Edwardo Garcia wrote:
>
> I have answered my own question: yes it does, thank you! (After removing the
> .signed in named.conf, else auto signing does .signed.signed :-)
>
> Thank you Mark!
>
> On Fri, Dec 1
Yes, I did.
    key-directory "keys/";
    inline-signing yes;      <- is this not required?
    auto-dnssec maintain;
On Fri, Dec 14, 2018 at 11:05 AM Mark Andrews wrote:
> Sounds like you added inline-signing yes;
>
> > On 14 Dec 2018, at 12:02 pm, Edwardo Garcia wrote:
> >
inline-signing is optional. It all depends on how you want to maintain the
zone.
I prefer doing all the changes over nsupdate. Not editing the master file by
hand removes a set of operator errors.
Mark
> On 14 Dec 2018, at 12:07 pm, Edwardo Garcia wrote:
>
> Yes, I did.
> key-direc
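To tie the thread together, here is the zone stanza Edwardo posted reworked with the options Mark suggested, written as an added example (not configuration from the thread or from ISC). The zone name ".com", the file name "xx", the ACL names "sysops" and "slaves", the TSIG key "corp" and the directory "keys/" are the thread's own placeholders; the comments explain what each option does and why the ".signed" suffix has to come out of named.conf.

```conf
// Added example, not from the thread. Placeholder names (".com", "xx",
// "sysops", "slaves", "corp", "keys/") are the ones the thread used.

// Before: named loads the output of dnssec-signzone, and an operator has
// to re-sign by hand and rndc freeze/thaw around every edit of the file.
zone ".com" {
    type master;
    file "xx.signed";             // signed output of dnssec-signzone
    allow-transfer { sysops; slaves; };
    allow-query { any; };
    allow-update { key "corp"; };
};

// After: named keeps the signatures fresh itself.
zone ".com" {
    type master;
    file "xx";                    // the UNSIGNED zone file. With inline-signing,
                                  // named writes its own "xx.signed" next to it,
                                  // so naming "xx.signed" here yields
                                  // "xx.signed.signed", as seen in the thread.
    key-directory "keys/";        // where the K<zone>+<alg>+<id>.key/.private
                                  // files for this zone live
    auto-dnssec maintain;         // re-sign before signatures expire and follow
                                  // the key timing metadata; needs the zone to
                                  // be dynamic (allow-update) or inline-signed
    inline-signing yes;           // optional: sign a separate copy so the raw
                                  // file can still be edited by hand and picked
                                  // up with "rndc reload", no freeze/thaw needed
    allow-transfer { sysops; slaves; };
    allow-query { any; };
    allow-update { key "corp"; }; // changes arrive via nsupdate signed with the
                                  // TSIG key "corp"; named journals them and
                                  // re-signs the affected records
};
```

With `inline-signing yes` named serves the signed copy while the unsigned file stays the operator's source; without it, the dynamic zone itself carries the signatures and hand edits must be wrapped in `rndc freeze` / `rndc thaw`.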
Ok, thanks.
On Fri, Dec 14, 2018 at 11:16 AM Mark Andrews wrote:
> inline-signing is optional. It all depends on how you want to maintain
> the zone.
>
> I prefer doing all the changes over nsupdate. Not editing the master file
> by hand removes a set of operator errors.
>
> Mark
>
> > On 14