Re: moving DNSSEC to a hidden master

Mon, 14 Oct 2013 10:45:29 -0700 

On Oct 13, 2013, at 9:03 PM, David Newman <[email protected]> wrote:

> >>> This is where things fall apart. I run 'rndc freeze' and
> >>> increment the zone file's serial number (or make any other
> >>> change), and then run 'rndc thaw' and 'rndc reload'.

So, I'm going to jump back a bit here.... If the configuration that you posted 
is what is actually running, you should get the following when you try to "rndc 
freeze":

root@server00:/etc/namedb# rndc freeze example.com
rndc: 'freeze' failed: not dynamic
root@server00:/etc/namedb# 

With the associated logging:

14-Oct-2013 17:36:00.310 received control channel command 'freeze example.com'

You have views... is the definition of the internal one different from the 
external one (which you posted)?

So, I re-created your zone with the following zone entry:

zone "example.com" in {
        type master;
        file "master/example.com";
        allow-query { any; };
        allow-transfer { any; };
        notify yes;
        key-directory "keys/";
        inline-signing yes;
        auto-dnssec maintain;
};

This zone isn't dynamic based on what you have posted.

It also works fine when I make changes (no "freeze"/"thaw" needed):

== Commands typed ==
root@server00:/etc/namedb# ls
bind.keys  keys  master  named.conf  rndc.key
root@server00:/etc/namedb# cd master
root@server00:/etc/namedb/master# ls
example.com  example.com.jbk  example.com.signed  example.com.signed.jnl
root@server00:/etc/namedb/master# vi example.com
root@server00:/etc/namedb/master# rndc reload example.com
zone reload queued
root@server00:/etc/namedb/master# 

== Logging produced ==
14-Oct-2013 17:39:26.565 received control channel command 'reload example.com'
14-Oct-2013 17:39:26.571 zone example.com/IN (unsigned): loaded serial 2
14-Oct-2013 17:39:26.571 zone example.com/IN (signed): serial 4 (unsigned 2)

And for those of you that have taken the DNS and BIND class, yes, I'm really 
using the very same lab environment that you used in class to test things... it 
works!

AlanC
-- 
Alan Clegg | +1-919-355-8851 | [email protected]

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to