Re: DNSSEC and slaves error
Thanks, that did the trick!

On 3/8/12, Mark Andrews <ma...@isc.org> wrote:
> In message <CAMD-=VKxKssRXfD4XSgPua-v6=ooazylgc3yb3cy51ihopw...@mail.gmail.com>, Nick Edwards writes:
>> On 3/8/12, Nick Edwards <nick.z.edwa...@gmail.com> wrote:
>>> On 3/7/12, Mark Andrews wrote:
>>>>> resigned it again as about 3 months using:
>>>>>     dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here
>>>> You should have fed dnssec-signzone the old signed zone not the unsigned zone.
>>>>     dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed
>>> Thank you Mark, in all of the so-called howtos I've read, I recall none of them mentioning resigning the signed file. I've changed my cheat sheet to reflect that the above is only useful for initial signing, and your example for all subsequent signings. Thanks again.
>> Hrmm, is that really the correct command?
>>     dnssec-signzone -f xx.org.signed -a -e +15724800 -K keys/ -N INCREMENT xx.org.signed
>>     fatal: failed loading zone from 'xxx.org.signed': not at top of zone
> -o xxx.org
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
DNSSEC and slaves error
I am an old hand at bind, but - DNSSEC Newbie alert :-)

I am after clarification on how slaves handle DNSSEC.

I have two slaves, both were stale, like since Feb 9! One I directly control; the second I do not, so I cannot provide details on how that one is configured, but given it is a reputable provider, I assume its setup is as good as or better than mine.

The zone was resigned 3 weeks ago as 30 days, but one week ago I resigned it again as about 3 months using:

    dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here

After all this time, still no change on the slaves. I had to edit the zone (inserted a dummy TXT entry) then resign the zone, and then they both picked up the changes. Shouldn't they detect the change from the increment and update?

I checked my controlled slave and it had stale RRSIGs until I altered the actual zone, then the RRSIGs updated.

My controlled servers: Linux Slackware (x2), Bind 9.9.0
Uncontrolled server: Bind 9.9.0, RedHat (release unknown)

// options, master
dnssec-enable yes;
dnssec-validation yes;

// zone, master
type master;
allow-transfer { lan; slavedns; };
file xx.org.signed;
allow-query { any; };
allow-update { none; };

// options, slave
dnssec-enable yes;

// zone, slave
type slave;
masters { x.x.x.x; };
file xx.org;
allow-query { any; };

Am I doing something wrong?

thanks
Nik
Re: DNSSEC and slaves error
In message <CAMD-=VK+-sbgeMDnOmKf2Sebb=sD=+wakfeftk-rf73wnoa...@mail.gmail.com>, Nick Edwards writes:
> I am an old hand at bind, but - DNSSEC Newbie alert :-)
>
> I am after clarification on how slaves handle DNSSEC.
>
> I have two slaves, both were stale, like since Feb 9! One I directly control; the second I do not, so I cannot provide details on how that one is configured, but given it is a reputable provider, I assume its setup is as good as or better than mine.
>
> The zone was resigned 3 weeks ago as 30 days, but one week ago I resigned it again as about 3 months using:
>
>     dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here

You should have fed dnssec-signzone the old signed zone not the unsigned zone.

    dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed

> After all this time, still no change on the slaves. I had to edit the zone (inserted a dummy TXT entry) then resign the zone, and then they both picked up the changes. Shouldn't they detect the change from the increment and update?
>
> I checked my controlled slave and it had stale RRSIGs until I altered the actual zone, then the RRSIGs updated.
>
> My controlled servers: Linux Slackware (x2), Bind 9.9.0
> Uncontrolled server: Bind 9.9.0, RedHat (release unknown)
>
> // options, master
> dnssec-enable yes;
> dnssec-validation yes;
>
> // zone, master
> type master;
> allow-transfer { lan; slavedns; };
> file xx.org.signed;
> allow-query { any; };
> allow-update { none; };
>
> // options, slave
> dnssec-enable yes;
>
> // zone, slave
> type slave;
> masters { x.x.x.x; };
> file xx.org;
> allow-query { any; };
>
> Am I doing something wrong?
>
> thanks
> Nik
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
Re: DNSSEC and slaves error
On 3/7/12, Mark Andrews wrote:
>> resigned it again as about 3 months using:
>>     dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here
> You should have fed dnssec-signzone the old signed zone not the unsigned zone.
>     dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed

Thank you Mark, in all of the so-called howtos I've read, I recall none of them mentioning resigning the signed file. I've changed my cheat sheet to reflect that the above is only useful for initial signing, and your example for all subsequent signings.

Thanks again.
Re: DNSSEC and slaves error
On 3/8/12, Nick Edwards <nick.z.edwa...@gmail.com> wrote:
> On 3/7/12, Mark Andrews wrote:
>>> resigned it again as about 3 months using:
>>>     dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here
>> You should have fed dnssec-signzone the old signed zone not the unsigned zone.
>>     dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed
> Thank you Mark, in all of the so-called howtos I've read, I recall none of them mentioning resigning the signed file. I've changed my cheat sheet to reflect that the above is only useful for initial signing, and your example for all subsequent signings. Thanks again.

Hrmm, is that really the correct command?

    dnssec-signzone -f xx.org.signed -a -e +15724800 -K keys/ -N INCREMENT xx.org.signed
    fatal: failed loading zone from 'xxx.org.signed': not at top of zone
Re: DNSSEC and slaves error
In message <CAMD-=VKxKssRXfD4XSgPua-v6=ooazylgc3yb3cy51ihopw...@mail.gmail.com>, Nick Edwards writes:
> On 3/8/12, Nick Edwards <nick.z.edwa...@gmail.com> wrote:
>> On 3/7/12, Mark Andrews wrote:
>>>> resigned it again as about 3 months using:
>>>>     dnssec-signzone -a -e +15724800 -K keys/ -N INCREMENT guilty_domain.here
>>> You should have fed dnssec-signzone the old signed zone not the unsigned zone.
>>>     dnssec-signzone -f guilty_domain.here.signed -N INCREMENT guilty_domain.here.signed
>> Thank you Mark, in all of the so-called howtos I've read, I recall none of them mentioning resigning the signed file. I've changed my cheat sheet to reflect that the above is only useful for initial signing, and your example for all subsequent signings. Thanks again.
> Hrmm, is that really the correct command?
>     dnssec-signzone -f xx.org.signed -a -e +15724800 -K keys/ -N INCREMENT xx.org.signed
>     fatal: failed loading zone from 'xxx.org.signed': not at top of zone

-o xxx.org
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org
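A constructed model of the serial behaviour behind this thread, added here and not code from the bind-users thread or from BIND: `dnssec-signzone -N INCREMENT` bumps the serial of whatever zone file it is fed, so re-signing the unsigned file each time produces the same signed serial every run and slaves, which compare serials per RFC 1982, see nothing to transfer; re-signing the previous signed file advances it. The zone name `example.test` and serial 2012030700 are assumed sample values.

```python
"""Why the slaves stayed stale: SOA serials under the two re-signing workflows.

Constructed example (not the thread's or BIND's code). `sign_increment`
models only the serial effect of `dnssec-signzone -N INCREMENT`.
"""
import re

# Constructed unsigned zone; serial 2012030700 is an assumed sample value.
UNSIGNED_ZONE = """$ORIGIN example.test.
@ 3600 IN SOA ns1 hostmaster 2012030700 7200 900 1209600 3600
@ 3600 IN NS ns1
"""
SOA_RE = re.compile(r"(IN\s+SOA\s+\S+\s+\S+\s+)(\d+)")
HALF = 1 << 31  # RFC 1982 half-range for 32-bit serials


def soa_serial(zone_text: str) -> int:
    """Extract the SOA serial from a zone file whose SOA is on one line."""
    return int(SOA_RE.search(zone_text).group(2))


def sign_increment(zone_text: str) -> str:
    """Model -N INCREMENT: return the 'signed' zone with serial + 1 (mod 2^32)."""
    return SOA_RE.sub(lambda m: m.group(1) + str((int(m.group(2)) + 1) & 0xFFFFFFFF),
                      zone_text, count=1)


def serial_gt(new: int, old: int) -> bool:
    """RFC 1982 comparison: True if `new` is 'after' `old`, wrap-around aware."""
    new, old = new & 0xFFFFFFFF, old & 0xFFFFFFFF
    return new != old and ((new > old and new - old < HALF) or
                           (old > new and old - new > HALF))


def slave_would_transfer(slave_serial: int, master_serial: int) -> bool:
    """A slave only re-transfers when the master's serial compares greater."""
    return serial_gt(master_serial, slave_serial)


def simulate(rounds: int, resign_from_signed: bool) -> list:
    """Signed serial produced by each signing round under one workflow."""
    signed, serials = None, []
    for _ in range(rounds):
        source = signed if (resign_from_signed and signed is not None) else UNSIGNED_ZONE
        signed = sign_increment(source)
        serials.append(soa_serial(signed))
    return serials


if __name__ == "__main__":
    print("resign unsigned each time:", simulate(3, False))
    print("resign previous signed   :", simulate(3, True))
```

With the unsigned-zone workflow a slave that transferred serial 2012030701 once never sees a greater serial again, which is why only a real edit (the dummy TXT) triggered a transfer in the thread.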