[dns-operations] DS keys for child zones on same server & inline signing
Carlos M. Martinez
carlosm3011 at gmail.com
Fri Mar 15 17:06:33 UTC 2013
It is not, starting with 9.9.0.
However, you should _never_ edit the signed version of the zone
manually. Edit the unsigned file, increment the SOA serial appropriately
and then rndc sign.
The SOA increment can be a bit tricky, If you have a signed zone with
autodnssec maintain, then BIND will periodically resign your zone and
will increment the SOA serial.
When you edit your unsigned file you should first check with dig /
nslookup what is the current value of the SOA serial for the signed
zone, and obviously use a larger one.
On 3/15/13 1:01 PM, Tony Finch wrote:
> Joe Abley <jabley at hopcount.ca> wrote:
>> If you want online signing to work nicely, edit the zone using dynamic
>> If you're editing the zone manually, be sure to rndc freeze/thaw around
>> your edits.
> I thought that wasn't necessary with inline-signing mode.
More information about the dns-operations