Kevin: I did something similar, using nsupdate to modify the unsigned zone instead of a manual edit. The myzone.db, myzone.db.jnl, myzone.db.signed, and myzone.db.signed.jnl files all get updated appropriately. "rndc reload" is not necessary. It is interesting to note that the serial number in the signed zone gets incremented more than the serial number in the unsigned zone. A dig request for the SOA record returns the serial number from the signed zone.
To allow for this I have the following in my configuration file:

    zone "myzone" {
        type master;
        file "/var/lib/bind/myzone/myzone.db";
        key-directory "/var/lib/bind/myzone";
        update-policy local;
        auto-dnssec maintain;
        inline-signing yes;
    };

I'll give it a try with a manual edit and let you know.

Jeff.

From: bind-users-bounces+spainj=countryday....@lists.isc.org [mailto:bind-users-bounces+spainj=countryday....@lists.isc.org] On Behalf Of McConville, Kevin
Sent: Tuesday, November 22, 2011 11:58 AM
To: bind-users@lists.isc.org
Subject: Bind 9.9.0b2 inline signing...

I have opened up a Bug ticket with ISC on this - #26676, but I just wanted to make sure that I'm not doing anything "wrong" that may be causing the issue.

Has anyone been able to get inline-signing to work on a static master zone using an authoritative server?

When we manually change the Master static zone file - ualbanytest.org - the signed and signed.jnl files are not getting an update - as shown by the time/date stamps below (just using rndc reload).

    -rw-rw-r-- 1 named root   1077 Nov 22 11:22 ualbanytest.org
    -rw------- 1 named named  9415 Nov 22 11:14 ualbanytest.org.signed
    -rw------- 1 named named 12041 Nov 22 11:02 ualbanytest.org.signed.jnl

The log shows the correct serial for the unsigned zone, but then pulls the wrong signed file.
>>>>>>>
22-Nov-2011 11:25:28.314 general: info: received control channel command 'reload'
22-Nov-2011 11:25:28.314 general: info: loading configuration from '/etc/named.conf'
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv4 port range: [1024, 65535]
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv6 port range: [1024, 65535]
22-Nov-2011 11:25:28.316 general: info: sizing zone task pool based on 4 zones
22-Nov-2011 11:25:28.318 general: info: zone ualbanytest.org/IN (signed): (master) removed
22-Nov-2011 11:25:28.318 general: info: reloading configuration succeeded
22-Nov-2011 11:25:28.318 general: info: reloading zones succeeded
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011112201
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011112114 (DNSSEC signed)
22-Nov-2011 11:25:28.320 general: notice: all zones loaded
22-Nov-2011 11:25:28.320 general: notice: running
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): reconfiguring zone keys
22-Nov-2011 11:25:28.321 general: info: zone ualbanytest.org/IN (signed): next key event: 22-Nov-2011 11:35:28.321
22-Nov-2011 11:25:28.321 notify: info: zone ualbanytest.org/IN (signed): sending notifies (serial 2011112114)
>>>>>>>

From Named.conf:

>>>>>>>>>>>>>>>>>>>>>>>>
options {
    directory "/conf";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    dump-file "/var/run/named.db";
    version "[secured]";
    dnssec-enable yes;
    sig-validity-interval 10;
    dnssec-loadkeys-interval 10;
    empty-zones-enable no;
};

# DNSSEC Zone
zone "ualbanytest.org" {
    type master;
    file "ualbanytest.org";
    auto-dnssec maintain;
    inline-signing yes;
    key-directory "/conf";
    serial-update-method increment;
};
>>>>>>>>>>>>>>>>>>>>>

Has anyone gotten this to work on an authoritative (meaning that I am missing something) or is it a "real" bug?
I just don't want to be claiming it's a "bug" if it's something that I messed up or fat fingered :)

Thank you all in advance.

Thanks,
-Kevin

Kevin McConville
University at Albany
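
The mismatch visible in the log above (unsigned zone loaded at serial 2011112201, signed zone still at 2011112114) can be checked for automatically after a reload. The following is an added example, not part of the original messages and not ISC code: it parses "loaded serial" lines in the format quoted in the thread and flags zones whose signed serial is behind the unsigned one. It assumes, as a heuristic, that a healthy inline-signed zone never has a signed serial lower than its unsigned serial; the function names and the example.test lines are constructed for illustration.

```python
import re

# First two lines are copied from the log in the thread; the example.test
# lines are constructed to show a healthy zone for comparison.
SAMPLE_LOG = """\
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011112201
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011112114 (DNSSEC signed)
22-Nov-2011 11:25:29.000 general: info: zone example.test/IN (unsigned): loaded serial 10
22-Nov-2011 11:25:29.001 general: info: zone example.test/IN (signed): loaded serial 14 (DNSSEC signed)
"""

LOADED = re.compile(r"zone (\S+)/IN \((unsigned|signed)\): loaded serial (\d+)")


def serial_lt(a, b):
    """RFC 1982 comparison of 32-bit SOA serials: True if a is behind b."""
    return a != b and ((b - a) % 2**32) < 2**31


def stale_signed_zones(log_text):
    """Return (zone, unsigned_serial, signed_serial) for every zone whose
    most recently loaded signed serial is behind its unsigned serial."""
    latest = {}
    for m in LOADED.finditer(log_text):
        zone, kind, serial = m.group(1), m.group(2), int(m.group(3))
        latest.setdefault(zone, {})[kind] = serial  # later lines overwrite earlier
    stale = []
    for zone, seen in sorted(latest.items()):
        if {"signed", "unsigned"} <= seen.keys() and serial_lt(
            seen["signed"], seen["unsigned"]
        ):
            stale.append((zone, seen["unsigned"], seen["signed"]))
    return stale


if __name__ == "__main__":
    for zone, unsigned, signed in stale_signed_zones(SAMPLE_LOG):
        print(f"{zone}: signed serial {signed} is behind unsigned serial {unsigned}")
```
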