Kevin: I did something similar, using nsupdate to modify the unsigned zone 
instead of a manual edit. The myzone.db, myzone.db.jnl, myzone.db.signed, and 
myzone.db.signed.jnl files all get updated appropriately. "rndc reload" is not 
necessary. It is interesting to note that the serial number in the signed zone 
gets incremented more than the serial number in the unsigned zone. A dig 
request for the SOA record returns the serial number from the signed zone.

To allow for this I have the following in my configuration file:

zone "myzone" {
                type master;
                file "/var/lib/bind/myzone/myzone.db";
                key-directory "/var/lib/bind/myzone";
                update-policy local;
                auto-dnssec maintain;
                inline-signing yes;
};

I'll give it a try with a manual edit and let you know. Jeff.

From: bind-users-bounces+spainj=countryday....@lists.isc.org 
[mailto:bind-users-bounces+spainj=countryday....@lists.isc.org] On Behalf Of 
McConville, Kevin
Sent: Tuesday, November 22, 2011 11:58 AM
To: bind-users@lists.isc.org
Subject: Bind 9.9.0b2 inline signing...

I have opened up a Bug ticket with ISC on this - #26676, but I just wanted to 
make sure that I'm not doing anything "wrong" that may be causing the issue.

Has anyone been able to get inline-signing to work on a static master zone 
using an authoritative server?

When we manually change the Master static zone file - ualbanytest.org - the 
signed and signed.jnl files are not getting an update - as shown by the 
time/date stamps below (just using rndc reload).

-rw-rw-r-- 1 named root   1077 Nov 22 11:22 ualbanytest.org
-rw------- 1 named named  9415 Nov 22 11:14 ualbanytest.org.signed
-rw------- 1 named named 12041 Nov 22 11:02 ualbanytest.org.signed.jnl

The log shows the correct serial for the unsigned zone, but then pulls the 
wrong signed file.
>>>>>>>
22-Nov-2011 11:25:28.314 general: info: received control channel command 'reload'
22-Nov-2011 11:25:28.314 general: info: loading configuration from '/etc/named.conf'
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv4 port range: [1024, 65535]
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv6 port range: [1024, 65535]
22-Nov-2011 11:25:28.316 general: info: sizing zone task pool based on 4 zones
22-Nov-2011 11:25:28.318 general: info: zone ualbanytest.org/IN (signed): (master) removed
22-Nov-2011 11:25:28.318 general: info: reloading configuration succeeded
22-Nov-2011 11:25:28.318 general: info: reloading zones succeeded
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 2011112201
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): loaded serial 2011112114 (DNSSEC signed)
22-Nov-2011 11:25:28.320 general: notice: all zones loaded
22-Nov-2011 11:25:28.320 general: notice: running
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): reconfiguring zone keys
22-Nov-2011 11:25:28.321 general: info: zone ualbanytest.org/IN (signed): next key event: 22-Nov-2011 11:35:28.321
22-Nov-2011 11:25:28.321 notify: info: zone ualbanytest.org/IN (signed): sending notifies (serial 2011112114)
>>>>>>>

From Named.conf:

>>>>>>>>>>>>>>>>>>>>>>>>
options {
        directory       "/conf";
        pid-file        "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file       "/var/run/named.db";
        version         "[secured]";
        dnssec-enable yes;
        sig-validity-interval 10;
        dnssec-loadkeys-interval 10;
        empty-zones-enable no;
};

# DNSSEC Zone
zone "ualbanytest.org" {
     type master;
     file "ualbanytest.org";
     auto-dnssec maintain;
     inline-signing yes;
     key-directory "/conf";
     serial-update-method increment;
};

>>>>>>>>>>>>>>>>>>>>>

Has anyone gotten this to work on an authoritative (meaning that I am missing 
something) or is it a "real" bug? I just don't want to be claiming it's a "bug" 
if it's something that I messed up or fat fingered :)

Thank you all in advance.

Thanks,

-Kevin


Kevin McConville

University at Albany

