inline-signing is optional. It all depends on how you want to maintain the zone.
I prefer doing all the changes over nsupdate. Not editing the master file by hand removes a set of operator errors.

Mark

> On 14 Dec 2018, at 12:07 pm, Edwardo Garcia <wdgar...@gmail.com> wrote:
>
> Yes, I did.
> key-directory "keys/";
> inline-signing yes; <----- is this not required ?
> auto-dnssec maintain;
>
> On Fri, Dec 14, 2018 at 11:05 AM Mark Andrews <ma...@isc.org> wrote:
> Sounds like you added inline-signing yes;
>
> > On 14 Dec 2018, at 12:02 pm, Edwardo Garcia <wdgar...@gmail.com> wrote:
> >
> > I have answered my own Question, yes it does, thank you! (after removing
> > the xxxx.signed in named.conf, else auto signing does xxxx.signed.signed
> > :-)
> >
> > Thank you Mark!
> >
> > On Fri, Dec 14, 2018 at 10:50 AM Edwardo Garcia <wdgar...@gmail.com> wrote:
> > That seems simpler than what we once tried, OK we add that now. Thanks.
> >
> > And if we need to modify the zone file itself to make a change, rndc reload
> > will do all this or do we need to
> > dnssec-signzone -a -e +secondshere -K keys/ -N INCREMENT xxxxxxx.com
> > freeze/thaw? etc like for new zone?
> >
> > On Fri, Dec 14, 2018 at 10:42 AM Mark Andrews <ma...@isc.org> wrote:
> > auto-dnssec maintain;
> >
> > > On 14 Dec 2018, at 11:39 am, Edwardo Garcia <wdgar...@gmail.com> wrote:
> > >
> > > zone "xxxxxxxx.com" {
> > >     type master;
> > >     allow-transfer { sysops; slaves; };
> > >     file "xxxxxxxxxx.signed";
> > >     allow-query { any; };
> > >     allow-update { key "corp"; };
> > > };
> > >
> > > This is what we use now, so by dynamic update we are doing yes?
> > >
> > > And now we need just have named do automatic (re)signing?
> > > Last time we tried, we kept killing our domain so google fail us, do you
> > > know of a valid reference URL that is clear? that would be good?
> > > Thanks
> > >
> > > On Fri, Dec 14, 2018 at 10:24 AM Mark Andrews <ma...@isc.org> wrote:
> > > The best way is to configure your zone for dynamic updates and let named
> > > automatically resign the zone as needed.
> > >
> > > > On 14 Dec 2018, at 11:13 am, Edwardo Garcia <wdgar...@gmail.com> wrote:
> > > >
> > > > Hi,
> > > > What is the best practice for signing/re-signing zones with journal?
> > > >
> > > > We manually resign our domain, and use journaling, resigning is a PIA.
> > > > if we forget to thaw, the zone bails and stays unloaded because journal
> > > > roll forward error, which bring the question why? since resolution to
> > > > this is stop named, remove journal file and restart, could named and
> > > > rndc not be smarter in these instance? or at very least, reload zone
> > > > from file so at least it does not take unsuspecting peoples off air.
> > > >
> > > > So, way we (try to remember to) do is:
> > > > (modify zonefile if need)
> > > > rndc freeze
> > > > dnssec-signzone -options
> > > > rndc thaw
> > > >
> > > > or is better way? it is the freeze/thaw we keep forgetting :-!

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
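
The two ways of maintaining a signed zone that this thread contrasts, as an added named.conf sketch that is not taken from any poster's message. The zone names and the `.db` file names are constructed placeholders; `sysops`, `slaves`, key `corp` and `keys/` are the names quoted above and are assumed to be defined elsewhere in the configuration.

```conf
// Added illustration, not from the thread. Assumed defined elsewhere:
// acl "sysops", acl "slaves", key "corp". Zone and file names are constructed.

// Style 1: every change arrives as a dynamic update (nsupdate signed with key "corp").
// inline-signing is left out. named signs the zone in place and owns both the
// zone file and its .jnl journal.
zone "example.com" {
    type master;
    file "example.com.db";      // rewritten by named; a hand edit needs rndc freeze / rndc thaw
    key-directory "keys/";
    auto-dnssec maintain;       // named signs and re-signs with the keys found in keys/
    allow-update { key "corp"; };
    allow-transfer { sysops; slaves; };
    allow-query { any; };
};

// Style 2: the zone file is edited by hand and named signs a separate copy.
// After an edit: raise the SOA serial, then "rndc reload example.net".
zone "example.net" {
    type master;
    file "example.net.db";      // unsigned source; named writes example.net.db.signed
    key-directory "keys/";
    inline-signing yes;
    auto-dnssec maintain;
    allow-transfer { sysops; slaves; };
    allow-query { any; };
};

// With inline-signing, "file" must name the unsigned zone. Pointing it at an
// already signed xxxx.signed is what produced xxxx.signed.signed in the thread.
```

Running `named-checkconf` on the edited file catches syntax errors before `rndc reconfig` is issued.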