Re: DNSSEC and slaves error

2012-03-08 Thread Nick Edwards
Thanks, that did the trick!


On 3/8/12, Mark Andrews <ma...@isc.org> wrote:

 In message <CAMD-=VKxKssRXfD4XSgPua-v6=ooazylgc3yb3cy51ihopw...@mail.gmail.com>, Nick Edwards writes:
 On 3/8/12, Nick Edwards <nick.z.edwa...@gmail.com> wrote:
  On 3/7/12, Mark Andrews  wrote:
 
   re-signed it again for about 3 months using: dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here
 
   You should have fed dnssec-signzone the old signed zone, not the unsigned zone.
 
   dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed
 
 
   Thank you Mark, in all of the so-called howtos I've read, I recall
   none of them mentioning re-signing the signed file.
   I've changed my cheat sheet to reflect that the above is only useful for
   initial signing, and your example for all subsequent signings.
 
  Thanks again.
 

 Hrmm, is that really the correct command?

 dnssec-signzone -f xx.org.signed -a -e +15724800 -K keys/ -N INCREMENT xx.org.signed

 fatal: failed loading zone from 'xxx.org.signed': not at top of zone

 -o xxx.org

 --
 Mark Andrews, ISC
 1 Seymour St., Dundas Valley, NSW 2117, Australia
 PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


DNSSEC and slaves error

2012-03-07 Thread Nick Edwards
I am an old hand at BIND, but - DNSSEC newbie alert :-

I am after clarification on how slaves handle DNSSEC.

I have two slaves, both were stale, like since Feb 9! One I directly
control, the second I do not, so I cannot provide details on how
that one is configured, but given it is a reputable provider, I assume its
setup is as good as or better than mine.

The zone was re-signed 3 weeks ago for 30 days, but one week ago I
re-signed it again for about 3 months using: dnssec-signzone -a -e
+15724800 -K keys/ -N INCREMENT guilty_domain.here

After all this time there was still no change on the slaves; I had to edit the zone
(inserted a dummy TXT entry) and then re-sign it, and then they
both picked up the changes.

Shouldn't they detect the change from the increment and update? I
checked my controlled slave and it had stale RRSIGs until I altered
the actual zone; then the RRSIGs updated.

My controlled servers:
Linux Slackware (x2)
BIND 9.9.0

Uncontrolled server: BIND 9.9.0, Red Hat (release unknown)

/options master
    dnssec-enable yes;
    dnssec-validation yes;

zone
    type master;
    allow-transfer { lan; slavedns; };
    file xx.org.signed;
    allow-query { any; };
    allow-update { none; };

/options slave
    dnssec-enable yes;

zone
    type slave;
    masters { x.x.x.x; };
    file xx.org;
    allow-query { any; };


Am I doing something wrong?

thanks
Nik


Re: DNSSEC and slaves error

2012-03-07 Thread Mark Andrews

In message <CAMD-=VK+-sbgeMDnOmKf2Sebb=sD=+wakfeftk-rf73wnoa...@mail.gmail.com>, Nick Edwards writes:
 I am an old hand at BIND, but - DNSSEC newbie alert :-
 
 I am after clarification on how slaves handle DNSSEC.
 
 I have two slaves, both were stale, like since Feb 9! One I directly
 control, the second I do not, so I cannot provide details on how
 that one is configured, but given it is a reputable provider, I assume its
 setup is as good as or better than mine.
 
 The zone was re-signed 3 weeks ago for 30 days, but one week ago I
 re-signed it again for about 3 months using: dnssec-signzone -a -e
 +15724800 -K keys/ -N INCREMENT guilty_domain.here

You should have fed dnssec-signzone the old signed zone, not the unsigned zone.

dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed
 
 After all this time there was still no change on the slaves; I had to edit the zone
 (inserted a dummy TXT entry) and then re-sign it, and then they
 both picked up the changes.
 
 Shouldn't they detect the change from the increment and update? I
 checked my controlled slave and it had stale RRSIGs until I altered
 the actual zone; then the RRSIGs updated.
 
 My controlled servers:
 Linux Slackware (x2)
 BIND 9.9.0
 
 Uncontrolled server: BIND 9.9.0, Red Hat (release unknown)
 
 /options master
     dnssec-enable yes;
     dnssec-validation yes;
 
 zone
     type master;
     allow-transfer { lan; slavedns; };
     file xx.org.signed;
     allow-query { any; };
     allow-update { none; };
 
 /options slave
     dnssec-enable yes;
 
 zone
     type slave;
     masters { x.x.x.x; };
     file xx.org;
     allow-query { any; };
 
 
 Am I doing something wrong?
 
 thanks
 Nik
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: DNSSEC and slaves error

2012-03-07 Thread Nick Edwards
On 3/7/12, Mark Andrews  wrote:

 re-signed it again for about 3 months using: dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here

 You should have fed dnssec-signzone the old signed zone, not the unsigned zone.

 dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed


Thank you Mark, in all of the so-called howtos I've read, I recall
none of them mentioning re-signing the signed file.
I've changed my cheat sheet to reflect that the above is only useful for
initial signing, and your example for all subsequent signings.

Thanks again.


Re: DNSSEC and slaves error

2012-03-07 Thread Nick Edwards
On 3/8/12, Nick Edwards <nick.z.edwa...@gmail.com> wrote:
 On 3/7/12, Mark Andrews  wrote:

 re-signed it again for about 3 months using: dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here

 You should have fed dnssec-signzone the old signed zone, not the unsigned zone.

 dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed


 Thank you Mark, in all of the so-called howtos I've read, I recall
 none of them mentioning re-signing the signed file.
 I've changed my cheat sheet to reflect that the above is only useful for
 initial signing, and your example for all subsequent signings.

 Thanks again.


Hrmm, is that really the correct command?

dnssec-signzone -f xx.org.signed -a -e +15724800 -K keys/ -N INCREMENT xx.org.signed

fatal: failed loading zone from 'xxx.org.signed': not at top of zone


Re: DNSSEC and slaves error

2012-03-07 Thread Mark Andrews

In message <CAMD-=VKxKssRXfD4XSgPua-v6=ooazylgc3yb3cy51ihopw...@mail.gmail.com>, Nick Edwards writes:
 On 3/8/12, Nick Edwards <nick.z.edwa...@gmail.com> wrote:
  On 3/7/12, Mark Andrews  wrote:
 
  re-signed it again for about 3 months using: dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here
 
  You should have fed dnssec-signzone the old signed zone, not the unsigned zone.
 
  dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed
 
 
  Thank you Mark, in all of the so-called howtos I've read, I recall
  none of them mentioning re-signing the signed file.
  I've changed my cheat sheet to reflect that the above is only useful for
  initial signing, and your example for all subsequent signings.
 
  Thanks again.
 
 
 Hrmm, is that really the correct command?
 
 dnssec-signzone -f xx.org.signed -a -e +15724800 -K keys/ -N INCREMENT xx.org.signed
 
 fatal: failed loading zone from 'xxx.org.signed': not at top of zone

-o xxx.org

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
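An added example, not from the thread and not ISC's code, that models in Python the two things Mark's replies point at. `-N INCREMENT` derives the new SOA serial from the input file, so re-signing the unchanged unsigned zone produces the same serial as the previous signed zone and the slaves, which compare serials with RFC 1982 arithmetic before transferring, see nothing new; feeding in the previous signed zone instead keeps the serial climbing. And when `-o` is omitted, dnssec-signzone takes the origin from the file name, which is why `xx.org.signed` fails with "not at top of zone" until `-o xx.org` is given. The zone content, the serial values, the 3600 TTL written into the output and the RRSIG placeholder line are constructed; no signing is done and the `-a` / `-e` options are not modelled.

```python
"""Constructed model of the two dnssec-signzone pitfalls in this thread.

Not ISC code: it emulates only how `-N INCREMENT` computes the new SOA
serial from the input file, how the origin defaults to the file name when
`-o` is absent, and how a slave decides whether a serial is newer.
"""
import re

# Matches the SOA owner, optional TTL/class, MNAME, RNAME and SERIAL.
SOA_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SOA\s+"
    r"(?P<mname>\S+)\s+(?P<rname>\S+)\s+(?P<serial>\d+)",
    re.MULTILINE | re.IGNORECASE,
)


def serial_newer(candidate, current):
    """RFC 1982: True when `candidate` is later than `current` (mod 2^32).

    This is the test a slave applies to the master's SOA serial before it
    starts a zone transfer; an equal serial means "nothing to do"."""
    return 0 < ((candidate - current) & 0xFFFFFFFF) < 0x80000000


def load_zone(text, filename, origin=None):
    """Like dnssec-signzone: origin is the -o value, else the file name.

    Returns (origin, serial) or raises the tool's "not at top of zone"
    error when the SOA owner is not the origin."""
    origin = (origin or filename).rstrip(".") + "."
    m = SOA_RE.search(text)
    if m is None:
        raise ValueError(f"failed loading zone from '{filename}': no SOA")
    owner = origin if m.group("owner") == "@" else m.group("owner")
    if owner.lower() != origin.lower():
        raise ValueError(f"failed loading zone from '{filename}': not at top of zone")
    return origin, int(m.group("serial"))


def sign_zone(text, filename, origin=None, serial_policy="INCREMENT"):
    """Emulate `dnssec-signzone -N <policy>` on one zone file.

    The new serial is computed from the serial of the INPUT file: that is
    why re-signing the unchanged unsigned file yields the same serial."""
    origin, serial = load_zone(text, filename, origin)
    if serial_policy == "INCREMENT":
        new_serial = (serial + 1) & 0xFFFFFFFF
    elif serial_policy == "KEEP":
        new_serial = serial
    else:
        raise ValueError(f"unsupported -N policy: {serial_policy}")
    m = SOA_RE.search(text)
    # Signed output uses fully-qualified owner names, as the real tool does.
    new_soa = f"{origin} 3600 IN SOA {m.group('mname')} {m.group('rname')} {new_serial}"
    signed = text[:m.start()] + new_soa + text[m.end():]
    if "; RRSIG placeholder" not in signed:
        signed += "; RRSIG placeholder (constructed: real signatures would follow)\n"
    return signed


# Constructed unsigned zone; "@" is the apex and resolves to the origin.
UNSIGNED_XX_ORG = """$TTL 3600
@ IN SOA ns1.xx.org. hostmaster.xx.org. 2012020901 7200 3600 1209600 3600
@ IN NS ns1.xx.org.
"""


def demo():
    """Walk through the thread's sequence and report what the slaves see."""
    # Initial signing from the unsigned file; file name equals the zone name, so no -o.
    signed1 = sign_zone(UNSIGNED_XX_ORG, "xx.org")
    _, slave_serial = load_zone(signed1, "xx.org")  # the slaves transferred this one

    # Wrong re-signing: the unsigned file again, so the serial is recomputed from the same input.
    signed_wrong = sign_zone(UNSIGNED_XX_ORG, "xx.org")
    _, wrong_serial = load_zone(signed_wrong, "xx.org")

    # Re-signing the signed file without -o: the origin defaults to "xx.org.signed".
    try:
        sign_zone(signed1, "xx.org.signed")
        origin_error = ""
    except ValueError as exc:
        origin_error = str(exc)

    # Correct re-signing: the previous signed file as input plus -o for the real origin.
    signed2 = sign_zone(signed1, "xx.org.signed", origin="xx.org")
    _, right_serial = load_zone(signed2, "xx.org")

    return {
        "slave_serial": slave_serial,
        "resign_from_unsigned_serial": wrong_serial,
        "resign_from_signed_serial": right_serial,
        "slave_transfers_after_wrong": serial_newer(wrong_serial, slave_serial),
        "slave_transfers_after_right": serial_newer(right_serial, slave_serial),
        "error_without_origin": origin_error,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check this encodes for a real deployment is to compare the SOA serial on the master with the one each slave serves after every signing run and expect the master's to be strictly newer; a serial that is equal to the previous run's is the symptom of having signed the unsigned file twice.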