Re: rndc addzone|delzone: some questions

2013-01-26 Thread Evan Hunt
> 1. Is named 'deaf' during an `rndc addzone'? I don't think so, but I'm
> finding it hard to determine definitely. I'm primarily concerned with
> named being able to handle any NOTIFYs it gets.

The addzone task (like several other rndc commands) will temporarily
acquire exclusive control of the named process so nothing else can
happen at the same time.  I confess I don't know whether notifies
that arrive during this window would be dropped or queued... but my
guess is dropped.

> 2. When I `rndc addzone ... type "slave"; ...' named immediately picks
> that up, transfers the zone and creates the specified file. However,
> `rndc delzone', while it drops the zone from named, does not remove
> the zone file from the file system. Is that a bug or was that
> implemented intentionally?
> 
> It seems a bit illogical to me that the zone file isn't removed from
> the file system, but perhaps I'm interpreting 'delzone' too strongly?  :)

Delzone just means delete the zone from named, not delete the zone file
from the filesystem.  (And I reckon we can do a good deal more harm by
deleting files you wanted to keep than by leaving files for you to delete
yourself...)

> 3. If I direct `rndc addzone|delzone' to the same named instance from
> multiple processes (from the same source IP address), is there any
> danger of the .nzf file being corrupted?

No.  (Or, if so, it would be a serious flaw, and I haven't seen any bug
reports about that.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: key rollover with BIND 9.9

2013-01-26 Thread Lawrence K. Chen, P.Eng.


- Original Message -
> What are other people using to automate key rollovers with 9.9?

I use cron to generate new ZSKs at regular intervals (1st of every 3rd month, 
with a 10 day window.) and do periodic resigns (every payday, and rely on the 
tools to handle the rollover correctly.  Though my crontab formula breaks in 
2016, because 2015 will have 53 weeks.)

The only time the tools balked was when I switched from NSEC to NSEC3...
But, that was back with 9.7 and before I knew about the problem with wildcards 
and NSEC3, where upgrading to 9.9 was needed.  Instead we got rid of the 
wildcard.

The wildcard exists only in the external view, because we didn't want the names 
of internal hosts exposed...but users kept sending mail with the internal host 
name...so we put a wildcard MX in the external view.  But, now we don't allow 
them to send mail out with an internal host name.  Which reminds me...I'm not 
getting emails from our F5 anymore, because I'm guessing the postfix settings 
got reset after the upgrade so it's not using its outside name anymore.

Yup.../etc/postfix/canonical isn't saved in the ucs.  Plus it doesn't 
autostart after an upgrade either :)

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkc...@ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library


RE: key rollover with BIND 9.9

2013-01-26 Thread Spain, Dr. Jeffry A.
> What are other people using to automate key rollovers with 9.9?

Michael: I automated mine by generating a set of 9 ZSKs and 2 KSKs for each 
zone in advance, setting the timing metadata to achieve a 90-day prepublication 
rollover cycle for the ZSKs and a 720-day rollover cycle for the KSKs. Once the 
keys are copied to a zone's key directory, bind takes care of the rollovers 
automatically. My domain registrar is GoDaddy.com, so I have to manually upload 
the DS records for the KSKs, but I only have a few domains, and the manual 
process is required only at 2-year intervals. I have a bash script that 
generates the keys and DS records using ISC's dnssec-keygen and 
dnssec-dsfromkey. Please contact me off list if you want a copy of it. Regards, 
Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School


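The pre-generated key set with timing metadata that Jeff describes above, written out as an added example (not his script, nor ISC's): a POSIX shell dry run that prints the dnssec-keygen lines for 9 ZSKs on a 90-day prepublication cycle and 2 KSKs on a 720-day cycle, which a zone configured with "auto-dnssec maintain" (as in Michael's question) then rolls on its own. The zone name, key directory, and the 10-day ZSK / 30-day KSK publish-and-retire windows are assumptions; the DS for each KSK still has to be uploaded to the registrar by hand.

```shell
#!/bin/sh
# Dry run: prints one dnssec-keygen command per key with -P/-A/-I/-D timing
# metadata so that each key's successor is published before it activates
# (prepublication rollover). Pipe the output into sh to create the keys.
ZONE=example.com          # assumed zone name
KEYDIR=/var/named/keys    # assumed key-directory from the zone's named.conf

# timing_args INDEX CYCLE WINDOW
# Key INDEX activates INDEX*CYCLE days from now, is published WINDOW days
# earlier (key 0 goes live at once), becomes inactive when its successor
# activates, and is deleted WINDOW days later so signatures it made expire.
timing_args() {
    i=$1; cycle=$2; win=$3
    act=$((i * cycle))
    pub=$((act - win)); [ "$pub" -lt 0 ] && pub=0
    inact=$((act + cycle))
    del=$((inact + win))
    printf '%s' "-P +${pub}d -A +${act}d -I +${inact}d -D +${del}d"
}

# keygen_plan KIND COUNT CYCLE WINDOW  -> COUNT dnssec-keygen lines
# -r /dev/urandom stops 9.9-era dnssec-keygen from blocking on entropy.
keygen_plan() {
    kind=$1; n=$2; cycle=$3; win=$4
    flag=""; [ "$kind" = KSK ] && flag="-f KSK "
    j=0
    while [ "$j" -lt "$n" ]; do
        printf 'dnssec-keygen -K %s %s-a RSASHA256 -b 2048 -r /dev/urandom %s %s\n' \
            "$KEYDIR" "$flag" "$(timing_args "$j" "$cycle" "$win")" "$ZONE"
        j=$((j + 1))
    done
}

# 9 ZSKs cover 810 days; 2 KSKs cover 1440 days. After the keys exist,
# 'rndc loadkeys example.com' makes named pick them up; publish each
# KSK's DS (dnssec-dsfromkey) at the registrar before its activation date.
keygen_plan ZSK 9 90 10
keygen_plan KSK 2 720 30
```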

Re: key rollover with BIND 9.9

2013-01-26 Thread Michael W. Lucas
On Sat, Jan 26, 2013 at 10:49:39AM +0100, Axel Rau wrote:
> 
> On 26.01.2013 at 00:39, Michael W. Lucas wrote:
> It's your responsibility to create the keys and to renew the DS-RR with your 
> registrar.

Thank you for the straightforward answer.

> I have written a python3 script which does all this housekeeping including 
> registrar updates for 2 registrars.
> You find it here
>   https://github.com/mc3/DSKM

Appreciate it, I will take a look.

I'm also looking at dnssec-tools, but that appears to use dnssec-tools
for the zone signing. I want to use as few outside tools as possible.

What are other people using to automate key rollovers with 9.9?

==ml

-- 
Michael W. Lucas
http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlu...@michaelwlucas.com, Twitter @mwlauthor


rndc addzone|delzone: some questions

2013-01-26 Thread Jan-Piet Mens
Hello,

we have a few BIND (9.9) slave servers, each slaving a couple of hundred
thousand small zones (a dozen records in each). A file included into
named.conf is periodically generated from a database, and named is
reconfigured (rndc reconfig) to load new slave zones.

I'm considering replacing this scheme of doing things by calls to `rndc
addzone' to add the slave zone to named on the fly, because we're seeing
NOTIFYs going unanswered (for existing zones) while BIND is reloading.

I'd appreciate it if you could help me clarify a few things, please.

1. Is named 'deaf' during an `rndc addzone'? I don't think so, but I'm
   finding it hard to determine definitely. I'm primarily concerned with
   named being able to handle any NOTIFYs it gets.

2. When I `rndc addzone ... type "slave"; ...' named immediately picks
   that up, transfers the zone and creates the specified file. However,
   `rndc delzone', while it drops the zone from named, does not remove
   the zone file from the file system. Is that a bug or was that
   implemented intentionally?

   It seems a bit illogical to me that the zone file isn't removed from
   the file system, but perhaps I'm interpreting 'delzone' too strongly?  :)

3. If I direct `rndc addzone|delzone' to the same named instance from
   multiple processes (from the same source IP address), is there any
   danger of the .nzf file being corrupted?

Thank you for your time.

Regards,

-JP


Re: key rollover with BIND 9.9

2013-01-26 Thread Axel Rau

On 26.01.2013 at 00:39, Michael W. Lucas wrote:

> Hi,
> 
> I'm trying to automate key rollover with BIND 9.9.2 (will soon upgrade
> to new rev). I have a couple of elementary questions that seem to be
> answered briefly in the documentation, but I suspect that my grasp of
> key rollover is clouded by the last decade of blog posts about tools
> and techniques that are no longer necessary.
> 
> I have a test zone set with "auto-dnssec maintain" and "inline-signing
> yes".  My zone gets signed, RRSIGs get generated, and so on.
> 
> The 9.9 ARM says at 4.9.7 that named will automatically carry out the
> key rollover. Does this include creation of new key files?
> 
> When the KSK rolls over, do I need to update my registrar? Or does
> that happen automatically? (I see hints that the root servers pick up
> the new DS record, but that seems too good to be true.)
> 
> By default, keys have no expiration date. I'm assuming I must set an
> expiration date on the ZSK and KSK for named to automatically create
> the new key?
> 
> As a test, I've set my test zone ZSK with a fairly short time to
> expire.
> 
> dnssec-settime -I +7d -D +14d Kabsolutenetbsd.com.+005+39543
> 
> named hasn't created a new ZSK, however. Should I expect it to? Or is
> there some other document I need to read?
> 
It's your responsibility to create the keys and to renew the DS-RR with your 
registrar.
I have written a python3 script which does all this housekeeping including 
registrar updates for 2 registrars.
You find it here
https://github.com/mc3/DSKM

Axel
---
PGP-Key:29E99DD6  ☀ +49 151 2300 9283  ☀ computing @ chaos claudius
