I have answered my own question: yes it does, thank you! (After removing the xxxx.signed in named.conf, else auto signing does xxxx.signed.signed :-)
Thank you Mark!

On Fri, Dec 14, 2018 at 10:50 AM Edwardo Garcia <wdgar...@gmail.com> wrote:

> That seems simpler than what we once tried, OK we add that now. Thanks.
>
> And if we need to modify the zone file itself to make a change, rndc
> reload will do all this or do we need to
> dnssec-signzone -a -e +secondshere -K keys/ -N INCREMENT xxxxxxx.com
> freeze/thaw? etc like for new zone?
>
> On Fri, Dec 14, 2018 at 10:42 AM Mark Andrews <ma...@isc.org> wrote:
>
>> auto-dnssec maintain;
>>
>> > On 14 Dec 2018, at 11:39 am, Edwardo Garcia <wdgar...@gmail.com> wrote:
>> >
>> >
>> > zone "xxxxxxxx.com" {
>> >     type master;
>> >     allow-transfer { sysops; slaves; };
>> >     file "xxxxxxxxxx.signed";
>> >     allow-query { any; };
>> >     allow-update { key "corp"; };
>> > };
>> >
>> > This is what we use now, so by dynamic update we are doing yes?
>> >
>> > And now we need just have named do automatic (re)signing?
>> > Last time we tried, we kept killing our domain so google fail us, do
>> > you know of a valid reference URL that is clear? that would be good?
>> > Thanks
>> >
>> > On Fri, Dec 14, 2018 at 10:24 AM Mark Andrews <ma...@isc.org> wrote:
>> > The best way is to configure your zone for dynamic updates and let named
>> > automatically resign the zone as needed.
>> >
>> > > On 14 Dec 2018, at 11:13 am, Edwardo Garcia <wdgar...@gmail.com> wrote:
>> > >
>> > > Hi,
>> > > What is the best practice for signing/re-signing zones with journal?
>> > >
>> > > We manually resign our domain, and use journaling, resigning is a PIA.
>> > > if we forget to thaw, the zone bails and stays unloaded because
>> > > journal roll forward error, which bring the question why? since resolution
>> > > to this is stop named, remove journal file and restart, could named and
>> > > rndc not be smarter in these instance? or at very least, reload zone from
>> > > file so at least it does not take unsuspecting peoples off air.
>> > >
>> > > So, way we (try to remember to) do is:
>> > > (modify zonefile if need)
>> > > rndc freeze
>> > > dnssec-signzone -options
>> > > rndc thaw
>> > >
>> > > or is better way? it is the freeze/thaw we keep forgetting :-!
>> > >
>> > > _______________________________________________
>> > > Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> > > unsubscribe from this list
>> > >
>> > > bind-users mailing list
>> > > bind-users@lists.isc.org
>> > > https://lists.isc.org/mailman/listinfo/bind-users
>> >
>> > --
>> > Mark Andrews, ISC
>> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>> >
>>
>> --
>> Mark Andrews, ISC
>> 1 Seymour St., Dundas Valley, NSW 2117, Australia
>> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>>
>>
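Whether the zone is re-signed by hand or by named, what breaks resolution is an RRSIG that has passed its expiration time. The following check is an added example, not part of the thread or of BIND: it parses RRSIG records in the format `dig +dnssec` prints and flags signatures that are expired or close to expiry. The `example.com` records, key tags and the three-day warning window are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the answer format printed by `dig +dnssec`
# (example.com, key tags and signature text are placeholders, not from the thread).
SAMPLE = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20190113000000 20181214000000 12345 example.com. c2lnLXBsYWNlaG9sZGVy
example.com. 3600 IN RRSIG NS 8 2 3600 20181216000000 20181116000000 12345 example.com. c2lnLXBsYWNlaG9sZGVy
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20181210000000 20181110000000 54321 example.com. c2lnLXBsYWNlaG9sZGVy
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2018121401 7200 3600 1209600 3600
"""


def _ts(field):
    # dig prints RRSIG expiration/inception as YYYYMMDDHHMMSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsigs(text, now, warn=timedelta(days=3)):
    """Return [(covered_type, key_tag, status, expiration)] for each RRSIG line."""
    results = []
    for line in text.splitlines():
        f = line.split()
        # owner ttl class RRSIG covered alg labels orig-ttl expiration inception key-tag signer sig...
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        try:
            expiration, inception, key_tag = _ts(f[8]), _ts(f[9]), int(f[10])
        except ValueError:
            results.append((f[4], f[10], "UNPARSEABLE", None))
            continue
        if inception > now:
            status = "NOT_YET_VALID"  # future-dated signature or clock skew
        elif expiration <= now:
            status = "EXPIRED"        # validating resolvers reject this RRset
        elif expiration - now <= warn:
            status = "EXPIRING"       # re-signing has not happened in time
        else:
            status = "OK"
        results.append((f[4], key_tag, status, expiration))
    return results


if __name__ == "__main__":
    now = datetime(2018, 12, 14, tzinfo=timezone.utc)  # fixed clock for the sample
    for covered, tag, status, exp in check_rrsigs(SAMPLE, now):
        print(f"{status:13} {covered:7} key={tag} expires={exp}")
```

In use, feed it the output of a `dig +dnssec` query against each authoritative server and pass the current UTC time as `now`.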