Some updates:
Eventually got VirtualBox to behave and now have two virtual instances
of Gentoo/BIND on my box. Now I have a cleaner test environment.
Rebuilt Evan's demo and it's now working well. Running BIND 9.9.1 and
'haveged' on both machines. I have modified my 'signer' script so that if the
zone type is 'Auto', I just manage the keys and BIND does the rest. The
script also checks the SOA of the signed zone and brings the unsigned
zone up to the same serial number. Seems to be keeping in sync now.
Another 'change' I've made: I create keys with SHA256 rather than
SHA1, so my 'dnssec-keygen' invocations look like:
dnssec-keygen -a RSASHA256 -b 1024
dnssec-keygen -fk -a RSASHA256 -b 2048
So I have a beautiful NSEC managed zone - on to test with NSEC3!
On Sun, 2012-06-03 at 18:01 +0200, Mark Elkins wrote:
Eventually got down to some experimenting again.
These are observations - which may help others.
I followed example 1 of Evan Hunt's
https://kb.isc.org/article/AA-00626/0/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html
(I'm using bind 9.9.1)
I did change the name of the zone and didn't bother with
allow-transfer - using the default behaviour of BIND instead (using
the NS records in the zone).
I first created the zone and got it working normally between two
machines (on the same LAN, etc). This works fine: add a record to the
first zone, bump the SOA serial, rndc reload, and the slave gets the
update notify.
I then went through the example and added automatic DNSSEC.
The Slave no longer seems to get NOTIFY - I had to stop, remove the
saved slaves file, and restart the slave to force the transfer.
Initially, making a change to the unsigned zone works.
(Edit unsigned, add data, bump SOA by one, save, rndc reload)
Log: 03-Jun-2012 17:23:35.941 general: info: zone yellowbutton.co.za/IN
(signed): serial 2012060307 (unsigned 2012060304)
I didn't like the fact that the unsigned serial (which I manage) was
lower than that of the signed zone. Making it bigger than the signed
zone's version appears to have gotten the zones back in sync - however
the slave is still not getting any Notifies (and has not yet caught up).
I also expect that in the future, any 'magic bind key-signing' may also
de-sync my unsigned zone's concept of the current SOA Serial as well.
It's the apparent lack of NOTIFYs that's really bugging me. I did modify
the secondary zone config in named.conf and added
masterfile-format text; - which saves the zone in nice, easy to debug,
ASCII.
Is the NOTIFY from 'Inline-signing' zones currently broken?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Posix Systems - (South) Africa
Mark J Elkins, Cisco CCIE - m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
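The serial-sync step that the 'signer' script above is described as doing (read the SOA of the signed zone, lift the unsigned zone to the same serial), as an added example that is not Mark's script and not ISC code: a small POSIX shell script that parses the SOA serial out of the hand-edited unsigned zone file and out of the signed copy named maintains, and rewrites the unsigned serial in place when it has fallen behind. It needs the signed copy to be readable as text, which is what masterfile-format text; gives you for a zone (if the copy is raw, convert it with named-compilezone -f raw -F text first). The file names, the SOA layout it expects, the helper names and the two sample zone files are constructed for this example; the serials are the ones from the log line quoted in the thread.

```shell
#!/bin/sh
# Added example (not the poster's 'signer' script, not ISC code): keep the
# hand-edited unsigned zone's SOA serial at or above the serial named has
# written into the inline-signed copy, so the next edit-and-reload never
# hands named a serial lower than the one it is already serving.
#
# Assumptions made for this example:
#   * both files are in text master format (the signed copy is only if the
#     zone has "masterfile-format text;" in named.conf);
#   * the serial is the third field after "SOA", on one line or in the usual
#     "( serial refresh retry expire minimum )" multi-line layout;
#   * the serial value does not also appear as another SOA field (true for
#     YYYYMMDDnn serials).

# soa_serial FILE: print the SOA serial of a text-format zone file.
soa_serial() {
    awk '
        { sub(/;.*/, "") }                       # drop comments first: they may contain ( )
        !insoa && /[ \t]SOA[ \t]/ { insoa = 1 }  # start of the SOA RR
        insoa {
            rec = rec " " $0
            # the RR is complete when there is no "(" or the ")" has arrived
            if (index(rec, "(") == 0 || index(rec, ")") > 0) {
                gsub(/[()]/, " ", rec)
                n = split(rec, t, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (t[i] == "SOA") { print t[i + 3]; exit }
            }
        }
    ' "$1"
}

# set_soa_serial FILE NEW: rewrite FILE in place with its SOA serial set to NEW,
# leaving layout and comments untouched.
set_soa_serial() {
    old=$(soa_serial "$1")
    [ -n "$old" ] || return 1
    tmp="$1.tmp.$$"
    awk -v old="$old" -v new="$2" '
        { line = $0; sub(/;.*/, "", line) }                 # match only outside comments
        !insoa && line ~ /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa && !done && match(line, "(^|[ \t(])" old "([ \t)]|$)") {
            s = RSTART; l = RLENGTH
            if (substr(line, s, 1) !~ /[0-9]/) { s++; l-- }      # drop leading delimiter
            if (substr(line, s + l - 1, 1) !~ /[0-9]/) l--        # drop trailing delimiter
            $0 = substr($0, 1, s - 1) new substr($0, s + l)
            done = 1
        }
        { print }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# sync_unsigned_serial UNSIGNED SIGNED: raise the unsigned serial to the signed
# one when it has fallen behind. Plain integer compare is enough for
# YYYYMMDDnn serials; RFC 1982 wrap-around arithmetic is not attempted here.
sync_unsigned_serial() {
    u=$(soa_serial "$1"); s=$(soa_serial "$2")
    if [ -z "$u" ] || [ -z "$s" ]; then
        echo "could not read an SOA serial from $1 or $2" >&2
        return 1
    fi
    if [ "$u" -lt "$s" ]; then
        set_soa_serial "$1" "$s" || return 1
        echo "unsigned $u -> $s (matches signed)"
    else
        echo "in sync: unsigned $u, signed $s"
    fi
}

# --- demo on constructed files (sample content, not from the post) ----------
workdir=$(mktemp -d)
unsigned_zone="$workdir/yellowbutton.co.za.zone"
signed_zone="$workdir/yellowbutton.co.za.zone.signed"

cat > "$unsigned_zone" <<'EOF'
$TTL 3600
@   IN  SOA ns1.yellowbutton.co.za. hostmaster.yellowbutton.co.za. (
        2012060304  ; serial
        3600        ; refresh (1 hour)
        900         ; retry
        604800      ; expire
        86400 )     ; minimum
    IN  NS  ns1.yellowbutton.co.za.
    IN  NS  ns2.yellowbutton.co.za.
ns1 IN  A   192.0.2.1
ns2 IN  A   192.0.2.2
www IN  A   192.0.2.10
EOF

# Shape of the text-format copy named writes: its serial is already three ahead.
cat > "$signed_zone" <<'EOF'
$ORIGIN .
$TTL 3600       ; 1 hour
yellowbutton.co.za      IN SOA  ns1.yellowbutton.co.za. hostmaster.yellowbutton.co.za. (
                                2012060307 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.yellowbutton.co.za.
                        NS      ns2.yellowbutton.co.za.
; DNSKEY, RRSIG and NSEC records omitted from this constructed sample
EOF

result=$(sync_unsigned_serial "$unsigned_zone" "$signed_zone")
echo "$result"
echo "unsigned serial is now $(soa_serial "$unsigned_zone")"
```

Run it just before editing the unsigned zone: if the signed copy has been re-serialled by named (it does that on its own when it re-signs), the unsigned file is lifted to that serial first, and the edit then bumps it by one above that before rndc reload, so named never sees a reload with a serial below the one it already serves. Comments are stripped before the parenthesis check because named's own layout puts "(1 hour)" and similar inside comments, which would otherwise end the record early.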