[dns-operations] DS keys for child zones on same server & inline signing

Joe Abley jabley at hopcount.ca
Fri Mar 15 15:51:13 UTC 2013

On 2013-03-15, at 00:27, Phil Pennock <dnsop+phil at spodhuis.org> wrote:

> I finally fixed it with re-running the rndc signing command (preserving
> the previous salt ... I don't believe that's necessary, but shouldn't
> hurt):
>  rndc signing -nsec3param 1 7 100 $salt_from_logs globnix.net

If you want online signing to work nicely, edit the zone using dynamic updates/nsupdate.

If you're editing the zone manually, be sure to rndc freeze/thaw around your edits.

I think (but I haven't checked) that a manual edit wrapped in a freeze/thaw will still do the wrong thing in some circumstances due to signature reuse where signatures really ought to have been regenerated. Same may well go for NSEC/NSEC3 RRSets. If you really need to make changes with manual edits, I would suggest removing all NSEC/NSEC3/RRSIG scaffolding around whatever you change before you thaw, then rndc sign afterwards.

Really though, using dynamic updates is cleaner.


More information about the dns-operations mailing list