On Thu, 19 Dec 2013, Evan Hunt wrote:
You're using inline-signing? Which server do you have doing the signing?
Only the master has 'auto-dnssec maintain' in the zone config.
Name servers can get out of sync because the slaves haven't refreshed
recently, but in that case I would expect the m
On Wed, Dec 18, 2013 at 08:06:22PM -1000, Antonio Querubin wrote:
> Currently the serial numbers are all in sync. What I don't understand is
> what condition causes them to get out of sync (i.e. the slave's serial
> number exceeds the master's serial number).
You're using inline-signing? Which s
On Wed, 18 Dec 2013, Alan Clegg wrote:
On Dec 18, 2013, at 11:05 AM, Antonio Querubin wrote:
Is there a way to keep the serial numbers synced between the primary
and slaves for auto-maintained zones? Every once in a while the
primary and slaves somehow get out of sync and the logs start
ge
> You can look at the sequence of changes to the signed zone by using
>
> dig ixfr=2013120400 adi.com @[yourauthserver]
>
> or by applying named-journalprint to the .signed.jnl file, unless the
> journal has been pruned as a result of exceeding the max-journal-size
> setting. But this won't te
On Dec 18, 2013, at 11:05 AM, Antonio Querubin wrote:
> Is there a way to keep the serial numbers synced between the primary and
> slaves for auto-maintained zones? Every once in a while the primary and
> slaves somehow get out of sync and the logs start generating error messages
> about the
Is there a way to keep the serial numbers synced between the primary and
slaves for auto-maintained zones? Every once in a while the primary and
slaves somehow get out of sync and the logs start generating error
messages about the mis-match. The mis-match also gets noticed by various
DNS sani
Thomas Schulz wrote:
> Checking the resulting serial number, I find that it is 2013120423. The
> serial number in the static zone file is 2013120400. Why did it bump it
> up to 23? I expected something like 02.
Have a look at the sig-signing-signatures option which says (by default)
that named s
On Dec 18 2013, Alan Clegg wrote:
On Dec 18, 2013, at 10:17 AM, Thomas Schulz wrote:
I have a question about the serial number as modified by inline signing.
I have a static zone, adi.com, that I am setting up for dnssec. I added
inline-signing yes;
key-directory "dnssec";
On Dec 18, 2013, at 10:17 AM, Thomas Schulz wrote:
> I have a question about the serial number as modified by inline signing.
> I have a static zone, adi.com, that I am setting up for dnssec. I added
> inline-signing yes;
> key-directory "dnssec";
> auto-dnssec maintain;
> t
I have a question about the serial number as modified by inline signing.
I have a static zone, adi.com, that I am setting up for dnssec. I added
inline-signing yes;
key-directory "dnssec";
auto-dnssec maintain;
to my named.conf file after generating the keys and then did a r
10 matches