First off, thank you to all who responded/helped in my previous post - this 
list is a wonderful community. The inline-signing is now working... sort of.

We edit the static zone, adding a resource record (of any type), increment the 
serial, and then do an rndc reload. However, BIND is still looking at the 
previous DNSSEC-signed file; it's not picking up the new records.
Another strange thing is that, using the auto-dnssec maintain option, it is 
still creating a journal file:

-rw-rw-r-- 1 named root   2250 Nov 17 11:29 ualbanytest.org.db
-rw------- 1 named named  9969 Nov 16 12:04 ualbanytest.org.db.signed
-rw------- 1 named named 13095 Nov 16 11:52 ualbanytest.org.db.signed.jnl

After doing an rndc stop and removing the signed and signed.jnl files, the new 
resource records are picked up when named is restarted. But that defeats the 
point of inline-signing.

Below is info from our named.conf and our log file (we are running it in a 
chroot as user named):

>>>>>>
options {
        directory       "/conf";
        pid-file        "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file       "/var/run/named.db";
        version         "[secured]";
        dnssec-enable yes;
        sig-validity-interval 10;
        dnssec-loadkeys-interval 10;
        empty-zones-enable no;
};

# DNSSEC Zone
zone "ualbanytest.org" {
     type master;
     file "ualbanytest.org.db";
     auto-dnssec maintain;
     inline-signing yes;
     key-directory "/conf";
     serial-update-method increment;
};
>>>>>>>>>
17-Nov-2011 11:29:56.865 general: info: received control channel command 
'reload'
17-Nov-2011 11:29:56.865 general: info: loading configuration from 
'/etc/named.conf'
17-Nov-2011 11:29:56.866 general: info: using default UDP/IPv4 port range: 
[1024, 65535]
17-Nov-2011 11:29:56.866 general: info: using default UDP/IPv6 port range: 
[1024, 65535]
17-Nov-2011 11:29:56.867 general: info: sizing zone task pool based on 4 zones
17-Nov-2011 11:29:56.869 general: info: zone ualbanytest.org/IN (signed): 
(master) removed
17-Nov-2011 11:29:56.869 general: info: reloading configuration succeeded
17-Nov-2011 11:29:56.869 general: info: reloading zones succeeded
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (unsigned): 
loaded serial 2011111701
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (signed): 
loaded serial 2011111507 (DNSSEC signed)
17-Nov-2011 11:29:56.871 general: notice: all zones loaded
17-Nov-2011 11:29:56.871 general: notice: running
17-Nov-2011 11:29:56.871 general: info: zone ualbanytest.org/IN (signed): 
reconfiguring zone keys
17-Nov-2011 11:29:56.872 general: info: zone ualbanytest.org/IN (signed): next 
key event: 17-Nov-2011 11:39:56.872
17-Nov-2011 11:29:56.872 notify: info: zone ualbanytest.org/IN (signed): 
sending notifies (serial 2011111507)
>>>>>>>

I'm probably missing something, but this list has really been very helpful. Any 
ideas or suggestions are greatly appreciated.

Thanks,

-Kevin


Kevin McConville

University at Albany
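
The check I would run before reading any further into the logs: does the signed copy of the zone actually serve every record that is in the raw file? The script below is an added example for this thread, not BIND's own code and not something the original poster ran. It parses a raw zone file and the master-format output of a zone transfer of the signed zone (assumed to be produced with `dig @127.0.0.1 ualbanytest.org AXFR`, which needs allow-transfer for localhost), drops the SOA and the RRSIG/NSEC/DNSKEY records the signer adds, and reports raw-zone records the signed zone does not have. Both serials are printed side by side, but note that with `serial-update-method increment` the signed copy keeps its own serial, so equal serials are not what you test for; the record set is. The zone data and the AXFR output below are constructed (RFC 5737 addresses, placeholder signature data).

```python
"""Check whether an inline-signed BIND zone serves what the raw zone file says.
Added example for this thread, not BIND's own code; all sample data is constructed."""
import re
from typing import List, Set, Tuple

Record = Tuple[str, str, str]  # (owner FQDN, type, rdata), normalised for comparison
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "TYPE65534"}  # added by the signer
NAME_RDATA_TYPES = {"NS", "CNAME", "MX", "PTR", "SOA", "SRV"}  # rdata carries names to qualify
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)

def _qualify(name: str, origin: str) -> str:
    """Relative name -> lower-case FQDN under origin ('@' is the origin itself)."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text: str):
    """Strip ';' comments and fold '( ... )' continuations (e.g. SOA) into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0

def parse_zone(text: str, origin: str) -> Set[Record]:
    """Parse master-file text (a zone file or 'dig AXFR' output) into Records.
    Handles $ORIGIN/$TTL, an omitted owner, and optional TTL/class fields."""
    origin = origin.lower().rstrip(".") + "."
    records, last_owner = set(), origin
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = _qualify(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        # a line starting with whitespace repeats the previous owner name
        owner = last_owner if line[0].isspace() else _qualify(tokens.pop(0), origin)
        last_owner = owner
        for _ in range(2):  # optional TTL and class, in either order
            if tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() in CLASSES):
                tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype in NAME_RDATA_TYPES:
            tokens = [t if t.isdigit() else _qualify(t, origin) for t in tokens]
        records.add((owner, rtype, " ".join(tokens)))
    return records

def soa_serial(records: Set[Record]) -> int:
    """SOA serial; with 'serial-update-method increment' the signed copy keeps its own."""
    for _owner, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    raise ValueError("no SOA record")

def missing_from_signed(unsigned_text: str, signed_text: str, origin: str) -> List[Record]:
    """Raw-zone records the signed zone does not serve (SOA and signer-added types ignored)."""
    def comparable(recs: Set[Record]) -> Set[Record]:
        return {r for r in recs if r[1] != "SOA" and r[1] not in DNSSEC_TYPES}
    want = comparable(parse_zone(unsigned_text, origin))
    have = comparable(parse_zone(signed_text, origin))
    return sorted(want - have)

# Constructed raw zone after the edit: 'www2' added, serial bumped by hand.
RAW_ZONE = """\
$TTL 3600
$ORIGIN ualbanytest.org.
@       IN SOA ns1 hostmaster (
            2011111701   ; serial
            3600 900 604800 3600 )
        IN NS   ns1
ns1     IN A    192.0.2.1
www     IN A    192.0.2.10
www2    IN A    192.0.2.20   ; the record that never shows up
"""

# Constructed 'dig @127.0.0.1 ualbanytest.org AXFR' output of the signed zone, still at the old serial.
SIGNED_AXFR = """\
ualbanytest.org.\t3600\tIN\tSOA\tns1.ualbanytest.org. hostmaster.ualbanytest.org. 2011111507 3600 900 604800 3600
ualbanytest.org.\t3600\tIN\tRRSIG\tSOA 8 2 3600 20111126120400 20111116120400 12345 ualbanytest.org. c29tZXNpZw==
ualbanytest.org.\t3600\tIN\tNS\tns1.ualbanytest.org.
ualbanytest.org.\t3600\tIN\tNSEC\tns1.ualbanytest.org. NS SOA RRSIG NSEC DNSKEY
ns1.ualbanytest.org.\t3600\tIN\tA\t192.0.2.1
www.ualbanytest.org.\t3600\tIN\tA\t192.0.2.10
ualbanytest.org.\t3600\tIN\tSOA\tns1.ualbanytest.org. hostmaster.ualbanytest.org. 2011111507 3600 900 604800 3600
"""

if __name__ == "__main__":
    o = "ualbanytest.org"
    print("raw serial", soa_serial(parse_zone(RAW_ZONE, o)), "/ signed serial", soa_serial(parse_zone(SIGNED_AXFR, o)))
    for rec in missing_from_signed(RAW_ZONE, SIGNED_AXFR, o):
        print("MISSING from signed zone:", *rec)
```

Run against real data by replacing the two constructed strings with the contents of the raw zone file and of a saved AXFR of the signed zone; an empty result means the signed copy is in step with the file, whatever the two serials say. The parser covers the common master-file subset (no $INCLUDE or $GENERATE, no quoted ';' in TXT data), which is enough for zone files like the one in the post and for dig's transfer output.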

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users