On 21 Feb 2019, at 20:43, Grant Taylor via bind-users
<[email protected]> wrote:
>
> On 2/21/19 6:28 PM, @lbutlr wrote:
>> rndc reload did not recreate (or at least update the time stamp) on the
>> .signed file.
>
> Hum. Maybe it's something different about how you're doing DNSSEC than I am.
>
> I have BIND managing DNSSEC for me via "auto-dnssec maintain;". So I don't
> get .signed files.
The .signed files were created when I first signed the zones with
dnssec-signzone, which is what gave me the dsset file containing the information
I needed to add DNSSEC to my domain's registrar.
dnssec-signzone -3 $(head -c 1000 /dev/random | shasum | cut -b 1-16) -A -N INCREMENT -o ZONE -t ZONEFILE
I was assuming, perhaps wrongly, that these .signed files continue to be
required, as they were placed alongside the regular zone files.
> I was just able to do the following:
>
> rndc freeze $ZONE
> rndc sync -clean $ZONE
> $EDITOR $ZONEFILE
> rndc thaw $ZONE
> rndc sign $ZONE
>
> I did have to manually do the "rndc sign" for DNSViz to be happy with the new
> test entry. I don't know if that's expected or not.
Overnight, many of my zones have new zone.signed.jnl files.
> Does your actual zone file have the DNSSEC records in it? That's where mine
> are. I don't have a separate unsigned zone file.
I have three files for each zone:
example.com (less than 2K, unsigned, no DNSSEC info, contains $INCLUDE lines at
the end for the two public keys.)
example.com.signed (12K, all the DNSSEC info)
example.com.signed.jnl (created by BIND, about double the size of .signed and a
binary file.) This file is updated when I issue the rndc sign ZONE command.
> I believe so. Do you have a "managed-keys-directory" entry in your
> named.conf file? (I do. My .key and .private files are in the specified
> directory.)
My private files are in that directory. I have the public ones in both that
directory and the master/ directory, which is what seems to be needed (probably
because of the include statement).
In named.conf I have

zone "example.com" {
    type master;
    file "master/example.com.signed";
    update-policy local;
    auto-dnssec maintain;
};
--
"Alas, earwax."
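The question in this thread is whether a reload or an "rndc sign" actually refreshed the signatures when the .signed file's timestamp did not move. The following is an added example, not code from this thread or from BIND, that checks the thing that matters instead: the RRSIG expiration times in a zone dump (a .signed file written out by "rndc sync", or the text of an AXFR). The zone text, owner names, key tag 12345 and signature data are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: RRSIGs as they appear in a signed BIND zone. Owner names,
# key tag 12345 and the signature data are made up; only the record format is real.
ZONE_BEFORE = """\
example.com.     3600 IN SOA   ns1.example.com. hostmaster.example.com. 2019022101 3600 900 1209600 3600
example.com.     3600 IN RRSIG SOA 8 2 3600 20190325203000 20190223203000 12345 example.com. AbCdEf==
example.com.     3600 IN RRSIG NS 8 2 3600 20190225203000 20190126203000 12345 example.com. GhIjKl==
www.example.com. 3600 IN A     192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20190222120000 20190123120000 12345 example.com. MnOpQr==
"""
# Same zone after a re-sign: only the A RRSIG got fresh inception/expiration times.
ZONE_AFTER = ZONE_BEFORE.replace("20190222120000 20190123120000", "20190324120000 20190222120000")

# owner [ttl] [IN] RRSIG covered alg labels origttl expiration inception keytag signer ...
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+(?P<keytag>\d+)\s+\S+"
)

def sigtime(stamp):
    """Parse the YYYYMMDDHHMMSS timestamp used in RRSIG records (always UTC)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_expirations(zone_text):
    """Map (owner, covered type, key tag) -> expiration datetime for every RRSIG line."""
    result = {}
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            result[(m["owner"], m["covered"], int(m["keytag"]))] = sigtime(m["expire"])
    return result

def expiring_rrsigs(zone_text, now, within=timedelta(days=7)):
    """RRSIGs already expired or expiring within `within` of `now`, soonest first."""
    hits = []
    for key, exp in rrsig_expirations(zone_text).items():
        if exp - now <= within:
            hits.append((exp, key, "EXPIRED" if exp <= now else "EXPIRING"))
    return [(key[0], key[1], status) for _, key, status in sorted(hits)]

def signing_advanced(old_text, new_text):
    """True if any RRSIG present in both dumps now expires later than before,
    i.e. the server really re-signed, whatever the .signed file's mtime says."""
    old, new = rrsig_expirations(old_text), rrsig_expirations(new_text)
    return any(new[k] > old[k] for k in old.keys() & new.keys())

if __name__ == "__main__":
    now = sigtime("20190221204300")  # the date of this thread, as the reference point
    for owner, covered, status in expiring_rrsigs(ZONE_BEFORE, now):
        print(f"{status:9} {owner} RRSIG {covered}")
    print("re-sign took effect:", signing_advanced(ZONE_BEFORE, ZONE_AFTER))
```

Run it against a dump taken before and one taken after "rndc sign"; if signing_advanced() stays False, the signatures in the served zone were not refreshed, regardless of file timestamps.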
bind-users mailing list
[email protected]
https://lists.isc.org/mailman/listinfo/bind-users