On 2/21/19 6:28 PM, @lbutlr wrote:
> rndc reload did not recreate (or at least update the time stamp) on the .signed file.

Hum. Maybe it's something different about how you're doing DNSSEC than I am.

I have BIND managing DNSSEC for me via "auto-dnssec maintain;". So I don't get .signed files.

I was just able to do the following:

rndc freeze $ZONE
rndc sync -clean $ZONE
$EDITOR $ZONEFILE
rndc thaw $ZONE
rndc sign $ZONE

I did have to manually do the "rndc sign" for DNSViz to be happy with the new test entry. I don't know if that's expected or not.

> But at no point do I get the new subdomains I added to the zone added to the zone.signed

The new record showed up exactly as expected. Granted, I only added an A record and didn't create a new sub-domain.

> I'll try sync clean and see if I get further.
>
> Nope, now the .signed file isn't touched at all after the zone file is edited.
>
> zone "example.com" {
>     type master;
>     file "master/example.com.signed";
>     update-policy local;
>     auto-dnssec maintain;
> };

I don't have .signed files.

> So I am still with a zone file that contains two subdomains that are not represented in the .signed zone file, so do not load and nothing that I do seems to be able to recreate the .signed file with the correct information.

Does your actual zone file have the DNSSEC records in it? That's where mine are. I don't have a separate unsigned zone file.

> Is the original random key that was generated at the time of signing kept somewhere? NSEC3 seems to contain a 16 character hex string that recurs throughout the file.

I believe so. Do you have a "managed-keys-directory" entry in your named.conf file? (I do. My .key and .private files are in the specified directory.)
-- Grant. . . . unix || die
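As an added example (not code from either poster or from ISC): a shell script that runs the freeze / sync -clean / edit / thaw / sign sequence from the reply above, refuses to thaw a zone file that fails named-checkzone, and then confirms the new name really has an RRSIG. It assumes rndc, dig and named-checkzone are on PATH, rndc is configured for the local named, and named answers on 127.0.0.1; the zone, file and record names are placeholders.

```shell
#!/bin/sh
# Added example for this thread, not code from the list posters or ISC.
# Assumes rndc, dig and named-checkzone are on PATH, rndc is configured for
# the local named, and named answers on 127.0.0.1.
set -eu

# The rndc sequence from the thread, one step per line, so it can be reviewed.
rndc_edit_steps() {
    zone=$1
    printf '%s\n' "freeze $zone" "sync -clean $zone" "thaw $zone" "sign $zone"
}

# Read "dig +dnssec +noall +answer" output on stdin and print how many RRSIG
# records cover the RR type given as $1 (0 means the name is not signed).
signed_answer_count() {
    awk -v t="$1" '$4 == "RRSIG" && $5 == t { n++ } END { print n + 0 }'
}

# Freeze, sync, edit, check, thaw, sign, then verify the new name is signed.
edit_signed_zone() {
    zone=$1 zonefile=$2 name=$3
    rndc freeze "$zone"
    rndc sync -clean "$zone"          # flush the journal into the zone file
    "${EDITOR:-vi}" "$zonefile"
    if ! named-checkzone "$zone" "$zonefile" >/dev/null; then
        echo "zone file has errors; left frozen, fix it then: rndc thaw $zone" >&2
        return 1
    fi
    rndc thaw "$zone"
    rndc sign "$zone"                 # the thread needed this for the new RR to be signed
    sleep 2                           # give named a moment to generate signatures
    n=$(dig +dnssec +noall +answer @127.0.0.1 "$name" A | signed_answer_count A)
    if [ "$n" -eq 0 ]; then
        echo "no RRSIG covering $name A after rndc sign" >&2
        return 1
    fi
    echo "$name A is signed ($n RRSIG)"
}

# Run only when invoked directly with three arguments, e.g. (placeholder names):
#   sh edit_zone.sh example.com master/example.com.signed new.example.com
if [ $# -eq 3 ]; then
    edit_signed_zone "$@"
fi
```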