First off, thank you to all who responded/helped in my previous post - this list is a wonderful community. The inline-signing is now working...sort of.
We edit the static zone, adding a resource record (of any type), increment the serial, and then do an rndc reload. However, BIND is still looking at the previous dnssec signed file - it's not picking up the new records. Another strange thing is that using the auto-dnssec maintain option, it is still creating a journal file -

-rw-rw-r-- 1 named root   2250 Nov 17 11:29 ualbanytest.org.db
-rw------- 1 named named  9969 Nov 16 12:04 ualbanytest.org.db.signed
-rw------- 1 named named 13095 Nov 16 11:52 ualbanytest.org.db.signed.jnl

Doing an rndc stop, removing the signed and signed.jnl files, the new resource records are picked up when named is restarted. But, that defeats the point of inline-signing. Below is info from our named.conf and our log file (we are using it in a chroot and it is being run as user named):

>>>>>>
options {
        directory "/conf";
        pid-file "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file "/var/run/named.db";
        version "[secured]";
        dnssec-enable yes;
        sig-validity-interval 10;
        dnssec-loadkeys-interval 10;
        empty-zones-enable no;
};

# DNSSEC Zone
zone "ualbanytest.org" {
        type master;
        file "ualbanytest.org.db";
        auto-dnssec maintain;
        inline-signing yes;
        key-directory "/conf";
        serial-update-method increment;
};
>>>>>>>>>
17-Nov-2011 11:29:56.865 general: info: received control channel command 'reload'
17-Nov-2011 11:29:56.865 general: info: loading configuration from '/etc/named.conf'
17-Nov-2011 11:29:56.866 general: info: using default UDP/IPv4 port range: [1024, 65535]
17-Nov-2011 11:29:56.866 general: info: using default UDP/IPv6 port range: [1024, 65535]
17-Nov-2011 11:29:56.867 general: info: sizing zone task pool based on 4 zones
17-Nov-2011 11:29:56.869 general: info: zone ualbanytest.org/IN (signed): (master) removed
17-Nov-2011 11:29:56.869 general: info: reloading configuration succeeded
17-Nov-2011 11:29:56.869 general: info: reloading zones succeeded
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011111701
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011111507 (DNSSEC signed)
17-Nov-2011 11:29:56.871 general: notice: all zones loaded
17-Nov-2011 11:29:56.871 general: notice: running
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (signed): reconfiguring zone keys
17-Nov-2011 11:29:56.872 general: info: zone ualbanytest.org/IN (signed): next key event: 17-Nov-2011 11:39:56.872
17-Nov-2011 11:29:56.872 notify: info: zone ualbanytest.org/IN (signed): sending notifies (serial 2011111507)
>>>>>>>

I'm probably missing something, but this list has really been very helpful. Any ideas or suggestions are greatly appreciated.

Thanks,
-Kevin

Kevin McConville
University at Albany
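
Added example, not part of the original post and not ISC code: a log check that flags the condition visible above, where the unsigned zone loads a newer serial than the signed copy being served. The function names, the example.test and wrap.test zones, and the rule "signed serial behind unsigned serial means the signed copy is stale" are assumptions made for this illustration; serials are compared with RFC 1982 arithmetic so a wrapped serial is handled.

```python
import re

# named's "loaded serial" lines for both halves of an inline-signed zone.
LOADED = re.compile(
    r"zone (?P<zone>\S+)/IN \((?P<kind>unsigned|signed)\): "
    r"loaded serial (?P<serial>\d+)"
)

def serial_gt(a, b):
    """RFC 1982 comparison for 32-bit serials: True if a is newer than b."""
    return a != b and ((a - b) % 2**32) < 2**31

def stale_signed_zones(log_text):
    """Return {zone: (unsigned, signed)} where the signed serial lags."""
    latest = {}
    for m in LOADED.finditer(log_text):
        # Later log lines overwrite earlier ones, so the last load wins.
        latest.setdefault(m["zone"], {})[m["kind"]] = int(m["serial"])
    return {
        zone: (s["unsigned"], s["signed"])
        for zone, s in latest.items()
        if "unsigned" in s and "signed" in s
        and serial_gt(s["unsigned"], s["signed"])
    }

# First two lines are from the post; the other four are constructed.
SAMPLE_LOG = """\
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011111701
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011111507 (DNSSEC signed)
17-Nov-2011 11:29:56.900 general: info: zone example.test/IN (unsigned): loaded serial 5
17-Nov-2011 11:29:56.900 general: info: zone example.test/IN (signed): loaded serial 7 (DNSSEC signed)
17-Nov-2011 11:29:56.950 general: info: zone wrap.test/IN (unsigned): loaded serial 3
17-Nov-2011 11:29:56.950 general: info: zone wrap.test/IN (signed): loaded serial 4294967290 (DNSSEC signed)
"""

if __name__ == "__main__":
    for zone, (unsigned, signed) in stale_signed_zones(SAMPLE_LOG).items():
        print(f"{zone}: unsigned serial {unsigned} is ahead of signed serial {signed}")
```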