On 21 Feb 2019, at 20:43, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
>
> On 2/21/19 6:28 PM, @lbutlr wrote:
>> rndc reload did not recreate (or at least update the time stamp) on the
>> .signed file.
>
> Hum. Maybe it's something different about how you're doing DNSSEC than I am.
>
> I have BIND managing DNSSEC for me via "auto-dnssec maintain;". So I don't
> get .signed files.

The .signed files were created when I first signed the zones with dnssec-signzone, which is what gave me the dsset file containing the information I needed to add DNSSEC to my domain's registrar.

dnssec-signzone -3 $(head -c 1000 /dev/random | shasum | cut -b 1-16) -A -N INCREMENT -o ZONE -t ZONEFILE

I was assuming, perhaps wrongly, that these .signed files continue to be required, as they were placed alongside the regular zone files.

> I was just able to do the following:
>
> rndc freeze $ZONE
> rndc sync -clean $ZONE
> $EDITOR $ZONEFILE
> rndc thaw $ZONE
> rndc sign $ZONE
>
> I did have to manually do the "rndc sign" for DNSViz to be happy with the new
> test entry. I don't know if that's expected or not.

Overnight, many of my zones have new zone.signed.jnl files.

> Does your actual zone file have the DNSSEC records in it? That's where mine
> are. I don't have a separate unsigned zone file.

I have three files for each zone:

example.com (less than 2K, unsigned, no DNSSEC info, contains $INCLUDE lines at the end for the two public keys)
example.com.signed (12K, all the DNSSEC info)
example.com.signed.jnl (created by bind, about double the size of .signed, a binary file). This file is updated when I issue the rndc sign ZONE command.

> I believe so. Do you have a "managed-keys-directory" entry in your
> named.conf file? (I do. My .key and .private files are in the specified
> directory.)

My private files are in that directory. I have the public ones in both the directory and the master/ directory, which is what seems to be needed (probably because of the include statement).

In named.conf I have

zone "example.com" {
	type master;
	file "master/example.com.signed";
	update-policy local;
	auto-dnssec maintain;
};

-- 
"Alas, earwax."
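The three-file confusion above (unsigned zone, .signed file, .signed.jnl journal) comes down to which file the zone stanza's "file" statement points at, since that is the file named loads and the one whose ".jnl" journal it appends to. The following added checker (not code from the thread or from ISC) parses zone stanzas from a constructed named.conf fragment and reports, per zone, the loaded file, its journal, and whether "auto-dnssec maintain" can actually take effect, which requires a dynamic zone (update-policy / allow-update) or inline-signing; the function names and the sample config are assumptions for this example.

```python
import re

# Constructed named.conf fragment for this example (not the poster's real config).
# The second zone deliberately lacks update-policy/allow-update/inline-signing.
NAMED_CONF = """
zone "example.com" {
    type master;
    file "master/example.com.signed";
    update-policy local;
    auto-dnssec maintain;
};
zone "static.example" {
    type master;
    file "master/static.example";
    auto-dnssec maintain;
};
"""

# Matches simple stanzas only; nested blocks such as update-policy { ... } are not handled.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\};', re.S)

def parse_zones(conf):
    """Return {zone_name: {option: value}} for each zone stanza in conf."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        opts = {}
        for stmt in body.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, val = stmt.partition(" ")
                opts[key] = val.strip().strip('"')
        zones[name] = opts
    return zones

def check_zone(name, opts):
    """Report which files named uses for the zone and whether auto-dnssec can act."""
    loaded = opts.get("file")
    f = {"zone": name, "loaded_file": loaded,
         "journal": loaded + ".jnl" if loaded else None,  # BIND's default journal name
         "dynamic": any(k in opts for k in ("update-policy", "allow-update")),
         "inline": opts.get("inline-signing") == "yes",
         "auto_dnssec": opts.get("auto-dnssec")}
    # auto-dnssec maintain only does anything on a dynamic or inline-signed zone
    f["ok"] = f["auto_dnssec"] != "maintain" or f["dynamic"] or f["inline"]
    return f

def audit(conf):
    return [check_zone(n, o) for n, o in parse_zones(conf).items()]

if __name__ == "__main__":
    for finding in audit(NAMED_CONF):
        print(finding)
```

Editing the unsigned example.com by hand changes nothing named serves for the first zone, because only master/example.com.signed and its .jnl are read; the second zone is flagged because named cannot maintain signatures on a static zone.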