[dns-operations] DS keys for child zones on same server & inline signing

Carlos M. Martinez carlosm3011 at gmail.com
Fri Mar 15 17:06:33 UTC 2013

It is not, starting with 9.9.0.

However, you should _never_ edit the signed version of the zone
manually. Edit the unsigned file, increment the SOA serial appropriately
and then rndc sign.

The SOA increment can be a bit tricky, If you have a signed zone with
autodnssec maintain, then BIND will periodically resign your zone and
will increment the SOA serial.

When you edit your unsigned file you should first check with dig /
nslookup what is the current value of the SOA serial for the signed
zone, and obviously use a larger one.



On 3/15/13 1:01 PM, Tony Finch wrote:
> Joe Abley <jabley at hopcount.ca> wrote:
>> If you want online signing to work nicely, edit the zone using dynamic
>> updates/nsupdate.
>> If you're editing the zone manually, be sure to rndc freeze/thaw around
>> your edits.
> I thought that wasn't necessary with inline-signing mode.
> Tony.

More information about the dns-operations mailing list