Re: Bind 9.9.0b2 inline signing...
On 11/28/2011 4:33 PM, Bill Owens wrote:
>
> I think that if I had to use a Windows workstation my first installs would be
> the ISC binary kit and wireshark, since AFAIK Windows doesn't come with a
> packet capture program either. . .
>

There is one. I forget what it's called. I think it's in one of the resource kits. I prefer wireshark (ethereal as it used to be called).

For most problems with BIND9 you should run it in debug mode. For that you need to build it yourself because ISC doesn't make a debug version available. Mostly it's hard to understand what is happening unless you run it from VS, which is about the only reason to want wireshark.

Danny

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Bind 9.9.0b2 inline signing...
On 11/28/2011 1:03 PM, wbr...@e1b.org wrote:
> Todd wrote on 11/24/2011 11:29:14 AM:
>
>> I don't understand why Windows doesn't include dig by default, even
>> now. Free software hate?
>
> And grep and logrotate! At least the GnuWin32 project has a good version
> of grep.
>

I have a good version of grep and it's not gnu or cygwin.

> Confidentiality Notice:

There's nothing confidential about these messages regardless of these nonsense disclaimers.

Danny
RE: Bind 9.9.0b2 inline signing...
>>> I don't understand why Windows doesn't include dig by default, even now.
>>> Free software hate?
>
>> And grep and logrotate! At least the GnuWin32 project has a good version
>> of grep.
>
> I think that if I had to use a Windows workstation my first installs would be
> the ISC binary kit and wireshark, since AFAIK Windows doesn't come with a
> packet capture program either. . .

Bill: Microsoft Network Monitor 3.4 is available. See http://support.microsoft.com/kb/933741. I do prefer Wireshark myself.

Windows PowerShell offers similar functionality to grep in the Select-String cmdlet. See http://technet.microsoft.com/en-us/library/dd315403.aspx. This goes somewhat against the object-oriented grain of PowerShell, however.

The Windows event viewer can be configured to archive event logs when they reach a certain size, but I don't think this matches the functionality of logrotate.

Jeff.
Re: Bind 9.9.0b2 inline signing...
On Mon, Nov 28, 2011 at 01:03:15PM -0500, wbr...@e1b.org wrote:
> Todd wrote on 11/24/2011 11:29:14 AM:
>
> > I don't understand why Windows doesn't include dig by default, even
> > now. Free software hate?
>
> And grep and logrotate! At least the GnuWin32 project has a good version
> of grep.

There are others who sympathize with you:

https://twitter.com/dns_borat/status/139996381661237248

;)

I think that if I had to use a Windows workstation my first installs would be the ISC binary kit and wireshark, since AFAIK Windows doesn't come with a packet capture program either. . .

Bill.
RE: Bind 9.9.0b2 inline signing...
You can install Cygwin under Windoze and then get most Linux packages under that.

Alternatively you can just install the Windows zip file for BIND and use the dig.exe it provides.
RE: Bind 9.9.0b2 inline signing...
Todd wrote on 11/24/2011 11:29:14 AM:
> I don't understand why Windows doesn't include dig by default, even
> now. Free software hate?

And grep and logrotate! At least the GnuWin32 project has a good version of grep.
Re: Bind 9.9.0b2 inline signing...
On 11/24/2011 11:21 AM, Jan-Piet Mens wrote:
> Jeffry,
>
>> I have had a tendency to dig axfr from my Windows workstation
>
> +1 to you for using `dig' on Windows; most don't even know it exists
> and suffer the `nslookup' pain. ;-)
>

It comes with the Windows version of BIND9.

Danny
RE: Bind 9.9.0b2 inline signing...
> I don't understand why Windows doesn't include dig by default, even now.
> Free software hate?

I wonder if it is some kind of intellectual property issue. Microsoft has to be able to sell Windows and therefore must consider any added costs related to including a component that they do not own and would have to license. I suppose they could develop a similar application themselves, but I think they tend to focus more on end-user rather than administrative functionality in their development efforts.

This is certainly not Microsoft's only issue with DNS. They have pretty much developed their own DNS ecosystem over the years, starting with Active Directory for Windows 2000, and they have not kept up with the functionality in bind. For example, the current iteration of Microsoft DNS in Windows Server 2008 R2 has a faulty implementation of DNSSEC -- you can't enter the root zone trust anchor. I have set up my Windows domain controllers (DNS servers) to forward to a DNSSEC-enabled bind recursive resolver. Even that turned out to be a challenge because of the way Windows uses the CD and DO flags in DNS queries. Supposedly DNS in Windows 8 server is going to fix these issues. We shall see.

Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
RE: Bind 9.9.0b2 inline signing...
>> I have had a tendency to dig axfr from my Windows workstation
>
> +1 to you for using `dig' on Windows; most don't even know it exists
> and suffer the `nslookup' pain. ;-)
>

First thing I do on a new windows box is download the BIND package and throw dig on the box ... well, right after I get FF/Chrome.

I don't understand why Windows doesn't include dig by default, even now. Free software hate?

t.
Re: Bind 9.9.0b2 inline signing...
Chris Thompson wrote:
>
> If we are trying to turn Tony's ad hoc command into something publishable,

See the loadzone, axfrzone, and cleanzone functions in http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

Writing code to process arbitrary zones is a rather different job from a quick command line to make it easier to eyeball a simple zone you know well.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Northwest Hebrides, Bailey: Southerly veering southwesterly storm 10 to hurricane force 12, veering westerly 7 to severe gale 9 later. Very high. Rain then squally showers. Moderate or good occasional poor.
Re: Bind 9.9.0b2 inline signing...
Jeffry,

> I have had a tendency to dig axfr from my Windows workstation

+1 to you for using `dig' on Windows; most don't even know it exists and suffer the `nslookup' pain. ;-)

-JP
RE: Bind 9.9.0b2 inline signing...
> dig axfr dotat.at | grep -v RRSIG. Tony.

> dig axfr dotat.at | grep -v RRSIG | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM. JP.

> dig axfr zone | awk '$4 !~ "^NSEC$|^NSEC3$|^RRSIG$" {print}'. Shumon.

Thank you, gentlemen. These are very helpful. As we are primarily Windows users, I have had a tendency to dig axfr from my Windows workstation and remove the DNSSEC-related records with a regular expression search in my text editor. I really should take the time to learn more about grep and awk.

Happy Thanksgiving to all. Jeff.
Re: Bind 9.9.0b2 inline signing...
On Nov 24 2011, Shumon Huque wrote:

> On Thu, Nov 24, 2011 at 02:29:05PM +0100, Jan-Piet Mens wrote:
>> On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
>>
>>> I use `dig axfr dotat.at | grep -v RRSIG`
>>
>> ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
>>
>> hoping, of course, that no owner name is called 'RRSIG' et. al. ;-)
>>
>> -JP
>
> How about something like:
>
>     dig axfr zone | awk '$4 !~ "^NSEC$|^NSEC3$|^RRSIG$" {print}'
>
> awk requires a tiny bit more typing, but the result is much more precise ..

If we are trying to turn Tony's ad hoc command into something publishable, it would be better to use

    dig +nocmd +nostats +onesoa AXFR zone | awk ...

(although for +onesoa you need the dig from BIND 9.8 or later).

--
Chris Thompson
Email: c...@cam.ac.uk
Re: Bind 9.9.0b2 inline signing...
On Thu, Nov 24, 2011 at 02:29:05PM +0100, Jan-Piet Mens wrote:
> On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
>
> > I use `dig axfr dotat.at | grep -v RRSIG`
>
> ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM
>
> hoping, of course, that no owner name is called 'RRSIG' et. al. ;-)
>
> -JP

How about something like:

    dig axfr zone | awk '$4 !~ "^NSEC$|^NSEC3$|^RRSIG$" {print}'

awk requires a tiny bit more typing, but the result is much more precise ..

--
Shumon Huque
University of Pennsylvania.
Re: Bind 9.9.0b2 inline signing...
Jan-Piet Mens wrote:
> On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:
>
> > I use `dig axfr dotat.at | grep -v RRSIG`
>
> ... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM

I think it is more useful to see those records than to spend effort stripping them out.

> hoping, of course, that no owner name is called 'RRSIG' et. al. ;-)

Knowing rather than hoping, but yes, it is good enough for the command line but not safe to embed in a script.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Biscay: Southerly 4 or 5 occasional 6 in north, veering westerly 3 or 4. Rough. Mainly fair. Moderate or good.
Re: Bind 9.9.0b2 inline signing...
On Thu Nov 24 2011 at 13:52:32 CET, Tony Finch wrote:

> I use `dig axfr dotat.at | grep -v RRSIG`

... | grep -v TYPE65534 | grep -v DNSKEY | grep -v NSEC3PARAM

hoping, of course, that no owner name is called 'RRSIG' et. al. ;-)

-JP
RE: Bind 9.9.0b2 inline signing...
Spain, Dr. Jeffry A. wrote:
>
> From time to time I want to review the current state of the zone files.
> I have been accustomed with v9.8 to taking a copy of a signed zone file
> and stripping out the DNSSEC-related records in a text editor for easy
> review.

I use `dig axfr dotat.at | grep -v RRSIG`.

Tony.
--
f.anthony.n.finch  http://dotat.at/
Faeroes: Southwest 6 to gale 8, becoming cyclonic severe gale 9 to violent storm 11, perhaps hurricane force 12 later. High or very high, occasionally phenomenal. Rain or squally showers. Good, occasionally poor.
RE: Bind 9.9.0b2 inline signing...
> Now, you can *also* turn on DDNS and use nsupdate on an inline-signing
> zone... but, if you're going to be using DDNS anyway, then I'm unclear what
> operational need is being served by separating the data. With or without
> inline-signing, your master file will be overwritten, and you'll have to
> concern yourself with freezing and thawing... and *with* inline-signing,
> there are more moving parts. So, I'd probably just use DDNS, turn off
> inline-signing, and let the zone take care of itself.

Thank you for your detailed response, Evan. Here's my operational plan. First of all we are a small organization with a few DNS zones that we manage for ourselves. I have also grown accustomed to using nsupdate -- the changes to the zone files are few and infrequent.

From time to time I want to review the current state of the zone files. I have been accustomed with v9.8 to taking a copy of a signed zone file and stripping out the DNSSEC-related records in a text editor for easy review. I have been using dnsviz.net to verify periodically that DNSSEC is operating properly.

Now in v9.9, I can eliminate this somewhat tedious step with my text editor because with inline signing, there is always an unsigned zone file available to me. If I am in a hurry to do my review after making an update, I can use "rndc sync myzone". Similarly in my nightly backup cron job, I can now backup both the signed and unsigned zone files after "rndc freeze myzone" to make sure they have incorporated the latest changes. I'm assuming that "rndc freeze myzone" freezes both the signed and unsigned zone files.

I'm not worried about the freezing and thawing -- my cron job has been doing that with v9.8 with no apparent problems. I am also not worried about the increased number of moving parts -- I think it is reasonable to rely upon ISC to get this all working correctly.

In v9.9.0b2, there is a problem with "rndc freeze" (reported earlier as [ISC-Bugs #26632]) so I will continue to test this with subsequent versions.

Thanks again. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
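The nightly freeze / copy / thaw job described above, written out as an added example (not Jeff's actual cron job). It assumes the file layout from his zone configuration (myzone.db, myzone.db.jnl, myzone.db.signed, myzone.db.signed.jnl in one directory) and an rndc already set up for the local named; the RNDC variable is this script's own knob so the function can be exercised against a stub.

```shell
#!/bin/sh
# Nightly backup of an inline-signed, nsupdate-maintained zone, following
# the freeze / copy / thaw sequence from the thread. The property the script
# must guarantee: a zone this job freezes is thawed again even when a copy
# step fails, because a zone left frozen refuses dynamic updates.
set -u

# rndc command to use; overridable so the function can be run against a
# stub (RNDC is a knob of this script, not a named or rndc option).
RNDC="${RNDC:-rndc}"

# backup_zone ZONE ZONEDIR DESTDIR
# Copies ZONE.db, ZONE.db.jnl, ZONE.db.signed and ZONE.db.signed.jnl from
# ZONEDIR into DESTDIR while the zone is frozen. A journal that does not
# exist (nothing pending) is skipped. Returns 0 on success, 1 if a copy or
# the freeze failed, 2 if the thaw failed (the zone is then still frozen).
backup_zone() {
    zone=$1
    zonedir=$2
    dest=$3
    mkdir -p "$dest" || return 1

    # If freeze itself fails there is nothing to thaw.
    if ! "$RNDC" freeze "$zone"; then
        echo "backup_zone: rndc freeze $zone failed, not copying" >&2
        return 1
    fi

    rc=0
    for f in "$zone.db" "$zone.db.jnl" "$zone.db.signed" "$zone.db.signed.jnl"; do
        if [ -f "$zonedir/$f" ]; then
            cp -p "$zonedir/$f" "$dest/$f" || { echo "backup_zone: copy of $f failed" >&2; rc=1; }
        fi
    done

    # Always thaw, whatever happened above; a failed thaw is the loudest error.
    if ! "$RNDC" thaw "$zone"; then
        echo "backup_zone: rndc thaw $zone FAILED, zone is still frozen" >&2
        rc=2
    fi
    return $rc
}

# Stand-alone use from cron, e.g.:
#   ZONE=myzone ZONEDIR=/var/lib/bind/myzone DEST=/backup/dns sh backup-zone.sh
if [ -n "${ZONE:-}" ]; then
    backup_zone "$ZONE" "${ZONEDIR:-/var/lib/bind/$ZONE}" "${DEST:?DEST must be set}"
fi
```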
Re: Bind 9.9.0b2 inline signing...
On Wed Nov 23 2011 at 20:21:00 CET, Evan Hunt wrote:

> Correct, but... let me start by explaining the situation in releases prior
> to 9.9, without the inline-signing feature.

And would you now kindly do all of us and all future readers a favor and copy/paste that text *verbatim* into the ARM? Thank you. :)

-JP
Re: Bind 9.9.0b2 inline signing...
> Evan: I'd like to ask for clarification. My understanding is that
> "inline-signing yes:" is necessary to cause bind to keep separate signed
> and unsigned zone files, and that the source of the unsigned zone file
> can be a disk file in the case of a master, or a zone transfer in the
> case of a slave.

Correct.

> I further understand that "update-policy local;" is
> necessary to allow the use of nsupdate on the local machine to operate on
> the applicable master zone. Therefore if you want to use nsupdate locally
> and have separate signed and unsigned master zone files, you need both of
> the above statements in the zone configuration. Would you please comment
> on any misunderstanding on my part about this.

Correct, but... let me start by explaining the situation in releases prior to 9.9, without the inline-signing feature.

When you turn on DDNS (whether it's via update-policy local, some other update-policy, or the allow-update ACL), the contents of the zone can be modified by named. Changes to the zone are written to a journal file, and then periodically synced to the master file. This process obliterates the master file you originally provided, removing any comments you may have had, and reordering the records; should you wish to edit the zone file directly, it's necessary to 'freeze' and 'thaw' the zone.

For some operators, this is undesirable: they're accustomed to maintaining zone files by hand, or having them generated by provisioning tools, and they run 'rndc reload' or kill and restart their servers when there are changes to be picked up. They only want to use DDNS if they have a specific need for it, such as a DHCP pool; the rest of the time they prefer to keep it simple.

Turning on DDNS, however, will enable a zone to keep itself signed. If named has access to the private signing keys for the zone, it will detect and replace expiring RRSIGs. If you use 'auto-dnssec maintain', it can also keep your DNSKEYs up to date, rolling on schedule and such. This only works if you have DDNS turned on; otherwise, named isn't allowed to modify the zone contents.

So, in 9.7 and 9.8, the easiest way to maintain a DNSSEC-signed zone is to turn on DDNS. In my own domains, I simply don't bother editing zone files anymore; I use nsupdate for everything. But, for the reasons above, some operators dislike that approach.

Now in 9.9, we have the ability to separate the signed and unsigned data internally within named. If you want to do things the old-fashioned way--edit and reload when necessary, with named never overwriting your zone file--but you still want to use DNSSEC, then you turn on inline-signing. The assorted RRSIG and DNSKEY changes are synced to the "signed" zonefile, not to the original master file, and there's no more need to worry about freezing and thawing.

Now, you can *also* turn on DDNS and use nsupdate on an inline-signing zone... but, if you're going to be using DDNS anyway, then I'm unclear what operational need is being served by separating the data. With or without inline-signing, your master file will be overwritten, and you'll have to concern yourself with freezing and thawing... and *with* inline-signing, there are more moving parts. So, I'd probably just use DDNS, turn off inline-signing, and let the zone take care of itself.

(Mind you, I'm grateful that you've been beta-testing this scenario, I just don't think I'd be likely to run in that way in production myself.)

> By the way, I think there is a typo on page 99 of Bv9ARM.pdf: For
> "inline-signing inline-signing", read "inline-signing".

Thank you, fixed now.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
RE: Bind 9.9.0b2 inline signing...
Evan: I'd like to ask for clarification. My understanding is that "inline-signing yes:" is necessary to cause bind to keep separate signed and unsigned zone files, and that the source of the unsigned zone file can be a disk file in the case of a master, or a zone transfer in the case of a slave. I further understand that "update-policy local;" is necessary to allow the use of nsupdate on the local machine to operate on the applicable master zone. Therefore if you want to use nsupdate locally and have separate signed and unsigned master zone files, you need both of the above statements in the zone configuration. Would you please comment on any misunderstanding on my part about this.

By the way, I think there is a typo on page 99 of Bv9ARM.pdf: For "inline-signing inline-signing", read "inline-signing".

Thanks. Jeff.
Re: Bind 9.9.0b2 inline signing...
> > I did something similar, using nsupdate to modify the unsigned zone
> > instead of a manual edit. [...] "rndc reload" is not necessary.
>
> `rndc reload' never is necessary if you use DDNS to update master zones.

True, but in that situation 'inline-signing' isn't necessary either.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
Re: Bind 9.9.0b2 inline signing...
On Tue Nov 22 2011 at 20:34:46 CET, Spain, Dr. Jeffry A. wrote:

> I did something similar, using nsupdate to modify the unsigned zone
> instead of a manual edit. [...] "rndc reload" is not necessary.

`rndc reload' never is necessary if you use DDNS to update master zones.

-JP
RE: Bind 9.9.0b2 inline signing...
Kevin: I did something similar, using nsupdate to modify the unsigned zone instead of a manual edit. The myzone.db, myzone.db.jnl, myzone.db.signed, and myzone.db.signed.jnl files all get updated appropriately. "rndc reload" is not necessary. It is interesting to note that the serial number in the signed zone gets incremented more than the serial number in the unsigned zone. A dig request for the SOA record returns the serial number from the signed zone.

To allow for this I have the following in my configuration file:

    zone "myzone" {
        type master;
        file "/var/lib/bind/myzone/myzone.db";
        key-directory "/var/lib/bind/myzone";
        update-policy local;
        auto-dnssec maintain;
        inline-signing yes;
    };

I'll give it a try with a manual edit and let you know. Jeff.

From: bind-users-bounces+spainj=countryday@lists.isc.org [mailto:bind-users-bounces+spainj=countryday@lists.isc.org] On Behalf Of McConville, Kevin
Sent: Tuesday, November 22, 2011 11:58 AM
To: bind-users@lists.isc.org
Subject: Bind 9.9.0b2 inline signing...

I have opened up a Bug ticket with ISC on this - #26676, but I just wanted to make sure that I'm not doing anything "wrong" that may be causing the issue.

Has anyone been able to get inline-signing to work on a static master zone using an authoritative server? When we manually change the Master static zone file - ualbanytest.org - the signed and signed.jnl files are not getting an update - as shown by the time/date stamps below (just using rndc reload).

    -rw-rw-r-- 1 named root   1077 Nov 22 11:22 ualbanytest.org
    -rw------- 1 named named  9415 Nov 22 11:14 ualbanytest.org.signed
    -rw------- 1 named named 12041 Nov 22 11:02 ualbanytest.org.signed.jnl

The log shows the correct serial for the unsigned zone, but then pulls the wrong signed file.

>>>
22-Nov-2011 11:25:28.314 general: info: received control channel command 'reload'
22-Nov-2011 11:25:28.314 general: info: loading configuration from '/etc/named.conf'
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv4 port range: [1024, 65535]
22-Nov-2011 11:25:28.315 general: info: using default UDP/IPv6 port range: [1024, 65535]
22-Nov-2011 11:25:28.316 general: info: sizing zone task pool based on 4 zones
22-Nov-2011 11:25:28.318 general: info: zone ualbanytest.org/IN (signed): (master) removed
22-Nov-2011 11:25:28.318 general: info: reloading configuration succeeded
22-Nov-2011 11:25:28.318 general: info: reloading zones succeeded
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 202201
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): loaded serial 202114 (DNSSEC signed)
22-Nov-2011 11:25:28.320 general: notice: all zones loaded
22-Nov-2011 11:25:28.320 general: notice: running
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): reconfiguring zone keys
22-Nov-2011 11:25:28.321 general: info: zone ualbanytest.org/IN (signed): next key event: 22-Nov-2011 11:35:28.321
22-Nov-2011 11:25:28.321 notify: info: zone ualbanytest.org/IN (signed): sending notifies (serial 202114)
>>>

From Named.conf:

    options {
        directory "/conf";
        pid-file "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        dump-file "/var/run/named.db";
        version "[secured]";
        dnssec-enable yes;
        sig-validity-interval 10;
        dnssec-loadkeys-interval 10;
        empty-zones-enable no;
    };

    # DNSSEC Zone
    zone "ualbanytest.org" {
        type master;
        file "ualbanytest.org";
        auto-dnssec maintain;
        inline-signing yes;
        key-directory "/conf";
        serial-update-method increment;
    };

Has anyone gotten this to work on an authoritative (meaning that I am missing something) or is it a "real" bug? I just don't want to be claiming it's a "bug" if it's something that I messed up or fat fingered :)

Thank you all in advance.

Thanks,
-Kevin

Kevin McConville
University at Albany
RE: Bind 9.9.0b2 inline signing...
Jan-Piet you get the Gold Star!!! You totally got it right!

If I specify a "rndc reload", the journal files never get updated and Bind loads the outdated signed file. However, if I specify an "rndc reload ualbanytest.org" - the changes get picked up and a journal file is created for the unsigned zone as well.

    -rw-rw-r-- 1 named root   1096 Nov 22 13:06 ualbanytest.org
    -rw------- 1 named named   772 Nov 22 13:08 ualbanytest.org.jnl
    -rw------- 1 named named 10523 Nov 22 13:16 ualbanytest.org.signed
    -rw------- 1 named named 14727 Nov 22 13:08 ualbanytest.org.signed.jnl

Now, I'm guessing (hoping) that for the production release of 9.9, we can go back to using "rndc reload" without having to specify each individual zone? Currently in production we just use the "rndc reload" without specifying the zone name. Or is having to specify the zone going to be the new normal?

Thanks,
-Kevin

Kevin McConville
University at Albany
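A log check for the symptom Kevin's reload produced, where the signed copy of an inline-signed zone loads with a serial behind the unsigned source; this is an added example, not something from the thread or shipped with BIND. The ualbanytest.org lines are the ones quoted in the thread, the example.test lines are constructed, and the comparison is plain integer order rather than RFC 1982 serial arithmetic.

```shell
#!/bin/sh
# Scan named's log for "loaded serial" lines of inline-signed zones and flag
# any zone whose (signed) serial is lower than its (unsigned) serial, which
# is what a reload that left the signed file stale looks like. The last
# "loaded serial" line per zone and view wins, so re-reloads are reflected.
check_inline_serials() {
    awk '
        / zone [^ ]+ \((unsigned|signed)\): loaded serial [0-9]+/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "zone") {
                    # "ualbanytest.org/IN" -> "ualbanytest.org"
                    split($(i + 1), parts, "/")
                    zone = parts[1]
                    kind = $(i + 2)
                }
                if ($i == "serial") serial = $(i + 1) + 0
            }
            if (kind == "(unsigned):") unsigned_serial[zone] = serial
            else signed_serial[zone] = serial
        }
        END {
            for (z in signed_serial) {
                # a zone without a separate unsigned copy is not inline-signed
                if (!(z in unsigned_serial)) continue
                state = (signed_serial[z] < unsigned_serial[z]) ? "STALE" : "OK"
                printf "%s %s unsigned=%d signed=%d\n", state, z, unsigned_serial[z], signed_serial[z]
            }
        }
    ' | sort
}

# Sample log: the ualbanytest.org lines are from the thread, the
# example.test lines are constructed to show a healthy zone.
SAMPLE_LOG='22-Nov-2011 11:25:28.318 general: info: zone ualbanytest.org/IN (signed): (master) removed
22-Nov-2011 11:25:28.318 general: info: reloading zones succeeded
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (unsigned): loaded serial 202201
22-Nov-2011 11:25:28.320 general: info: zone ualbanytest.org/IN (signed): loaded serial 202114 (DNSSEC signed)
22-Nov-2011 11:25:28.320 general: notice: all zones loaded
22-Nov-2011 11:30:00.000 general: info: zone example.test/IN (unsigned): loaded serial 2011112401
22-Nov-2011 11:30:00.000 general: info: zone example.test/IN (signed): loaded serial 2011112405 (DNSSEC signed)'

# Runs the check over the embedded sample; one "STATE zone ..." line per zone.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | check_inline_serials
}

# Against a real server: check_inline_serials < /var/log/named.log
check_sample
```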
Re: Bind 9.9.0b2 inline signing...
> 22-Nov-2011 11:25:28.320 general: notice: all zones loaded
> 22-Nov-2011 11:25:28.320 general: notice: running

This looks to me as though you've cycled the server, which isn't currently allowed. Evan pointed out recently here that it can actually corrupt the zone...

My experience is that, after changing the zone, I have to reload with the zone name explicitly given:

    rndc reload zonename

What I'd do is remove journal and the signed version and start over. :)

-JP