[dns-operations] DS keys for child zones on same server & inline signing

Joe Abley jabley at hopcount.ca
Fri Mar 15 15:51:13 UTC 2013


On 2013-03-15, at 00:27, Phil Pennock <dnsop+phil at spodhuis.org> wrote:

> I finally fixed it with re-running the rndc signing command (preserving
> the previous salt ... I don't believe that's necessary, but shouldn't
> hurt):
> 
>  rndc signing -nsec3param 1 7 100 $salt_from_logs globnix.net

If you want online signing to work nicely, edit the zone using dynamic updates/nsupdate.

If you're editing the zone manually, be sure to rndc freeze/thaw around your edits.

I think (but I haven't checked) that a manual edit wrapped in a freeze/thaw will still do the wrong thing in some circumstances due to signature reuse where signatures really ought to have been regenerated. Same may well go for NSEC/NSEC3 RRSets. If you really need to make changes with manual edits, I would suggest removing all NSEC/NSEC3/RRSIG scaffolding around whatever you change before you thaw, then rndc sign afterwards.

Really though, using dynamic updates is cleaner.


Joe
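As an added illustration of the dynamic-update route Joe recommends (not code from the thread or from BIND itself), this script builds the nsupdate batch that replaces a child zone's DS RRset in an inline-signed parent served by the same BIND instance; the zone names, TSIG key path and DS rdata are placeholders.

```shell
#!/bin/sh
# Added example: publish a child's DS record into an inline-signed parent
# via dynamic update, so BIND regenerates the RRSIG and NSEC/NSEC3 chain
# itself instead of relying on a hand-edited zone file.
# Assumptions (placeholders): parent zone, child zone, TSIG key file.

ZONE="example.net"                 # placeholder parent zone
CHILD="child.example.net"          # placeholder child delegation
KEYFILE="/etc/bind/nsupdate.key"   # placeholder TSIG key for nsupdate -k

# Emit an nsupdate batch on stdout for the DS rdata given as $1
# (the "keytag algorithm digesttype digest" fields). Deleting the old
# DS RRset first keeps the update idempotent across KSK rollovers.
ds_update_batch() {
    ds_rdata="$1"
    printf 'server 127.0.0.1\n'
    printf 'zone %s\n' "$ZONE"
    printf 'update delete %s. DS\n' "$CHILD"
    printf 'update add %s. 3600 DS %s\n' "$CHILD" "$ds_rdata"
    printf 'send\n'
}

# Usage (BIND tools): derive the DS rdata from the child's KSK public key
# file, feed the batch to nsupdate, then confirm a fresh RRSIG exists:
#   KSK="Kchild.example.net.+013+12345.key"        # placeholder key file
#   rdata=$(dnssec-dsfromkey -a SHA-256 "$KSK" | awk '{print $4,$5,$6,$7}')
#   ds_update_batch "$rdata" | nsupdate -k "$KEYFILE"
#   dig +dnssec +multi @127.0.0.1 "$CHILD" DS
```

The final dig should show the DS RRset together with an RRSIG whose inception is after the update, which is the check that the signer, not a stale signature, covered the change.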