> On 19 Mar 2019, at 10:59 am, LeBlanc, Daniel James <daniel.lebl...@bellaliant.ca> wrote:
>
> Thanks Mark for your quick response.
>
> On page 29 of the Bv9-12-3-P1ARM I had seen the following, which is why I thought that I "needed" to have one of those statements:
>
> "Using the auto-dnssec option requires the zone to be configured to allow dynamic updates, by adding an allow-update or update-policy statement to the zone configuration. If this has not been done, the configuration will fail."

Which applies to master zones w/o "inline-signing yes;". If I'm remembering history correctly auto-dnssec existed well before inline-signing and that description wasn't updated.

> I was looking to do fully automatic signing using auto-dnssec maintain;. If that is not possible I could still live with an rndc-based approach if required.

named will maintain the zone. Switching between NSEC and NSEC3 requires rndc as you don't directly manipulate the zone content with dynamic updates. Rolling the keys is done with dnssec-settime and dnssec-keygen or dnssec-keymgr.

> I will try this out in the morning.
>
> Thanks again!
>
> Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada
>
> -----Original Message-----
> From: Mark Andrews [mailto:ma...@isc.org]
> Sent: March-18-19 8:40 PM
> To: LeBlanc, Daniel James
> Cc: bind-users@lists.isc.org
> Subject: Re: ISC BIND 9.12.3-P1 Question re: DNSSEC Zone Signing
>
> You don't need update-policy local. In inline-signing mode named maintains its own copy of the zone with the DNSSEC records in addition to the copy from upstream. DNSSEC is controlled by rndc.
>
>> On 19 Mar 2019, at 10:33 am, LeBlanc, Daniel James <daniel.lebl...@bellaliant.ca> wrote:
>>
>> Hello All.
>>
>> I have a pair of ISC BIND 9.12.3-P1 servers that are configured as slaves to a pair of Hidden Master servers. The Hidden Masters are a proprietary product and unfortunately when used to sign the zones, the SOA records are not populated as expected. As a result, I was looking into signing the zones within ISC BIND instead. Reviewed the literature, came up with a plan and the required configuration changes. However, things are not proceeding as I had hoped…
>>
>> If I include the required statements within the zone options, BIND complained that update-policy local is not permitted in a zone of type slave (and failed to start):
>>
>>     key-directory "keys/externals/{{ zone.zonename }}";
>>     inline-signing yes;
>>     auto-dnssec maintain;
>>     update-policy local;
>>
>> So I switched it out for the allow-update { localhost; };, and BIND complained that allow-update is not permitted in a zone of type slave (and failed to start).
>>
>> So I changed my zone type from slave to master (recall that these BIND instances are intended to be slaved off of the Hidden Masters), and BIND complained that masters statements were not permitted in zones of type master (meaning that updates would not be accepted).
>>
>> Is there a way for me to sign the zones on the slave servers, even though I intend to provision content into those same zones on the proprietary Hidden Masters?
>>
>> Thanks.
>>
>> Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users@lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
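The zone stanza that matches Mark's answer, written out as an added example (it is not from the thread or from ISC's documentation): the zone stays type slave with its masters statement, carries no update-policy or allow-update, and named keeps a separate signed copy that is steered with rndc. The zone name, addresses, file and key paths and the key algorithm are placeholders; the rndc and dnssec-* invocations in the comments are standard BIND 9 tools, shown here with assumed arguments.

```conf
// Secondary that signs a zone fed from the hidden masters (placeholder values).
// No update-policy / allow-update: with inline-signing, named adds DNSSEC
// records to its own copy, so the unsigned upstream copy is never modified.
zone "example.com" {
    type slave;
    masters { 192.0.2.10; 192.0.2.11; };        // hidden masters (placeholder addresses)
    file "slaves/example.com.db";               // unsigned copy from upstream (assumed path);
                                                // named keeps the signed copy beside it
    key-directory "keys/externals/example.com"; // relative to named's working directory,
                                                // must be readable by the named user
    inline-signing yes;                         // sign a separate copy, keep upstream as-is
    auto-dnssec maintain;                       // add/remove keys and re-sign on schedule
};

// Keys are created outside named and then loaded with rndc (one KSK, one ZSK;
// algorithm and dates are assumptions for the example):
//   dnssec-keygen -K keys/externals/example.com -a ECDSAP256SHA256 -f KSK example.com
//   dnssec-keygen -K keys/externals/example.com -a ECDSAP256SHA256 example.com
//   rndc loadkeys example.com
//
// Key rollover: pre-publish the successor key, then set the inactive (-I) and
// delete (-D) times on the old key and load keys again; named does the rest:
//   dnssec-keygen -K keys/externals/example.com -a ECDSAP256SHA256 example.com
//   dnssec-settime -I +7d -D +14d keys/externals/example.com/Kexample.com.+013+<old-id>
//   rndc loadkeys example.com
//
// NSEC <-> NSEC3 is an rndc operation, not a dynamic update
// (SHA-1, flags 0, 10 iterations, no salt; "none" reverts to NSEC):
//   rndc signing -nsec3param 1 0 10 - example.com
//   rndc signing -nsec3param none example.com
//
// Progress and outstanding signing tasks for the zone:
//   rndc signing -list example.com
```

After reloading, verify on the secondary that the DNSKEY and RRSIG records are served (for example with dig +dnssec against 127.0.0.1) even though the hidden masters publish the unsigned zone.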