[dns-operations] DS keys for child zones on same server & inline signing
dougb at dougbarton.us
Fri Mar 15 21:44:23 UTC 2013
On 03/15/2013 01:46 PM, Evan Hunt wrote:
> On Fri, Mar 15, 2013 at 08:12:18PM +0000, Evan Hunt wrote:
>> This may be a bug, I'll try it and see.
> And the answer is, it's working as expected for me.
> Phil, if you want to take this off the list, I'd be happy to work
> through it with you and try to figure out what the glitch was.
> Perhaps I didn't do things in exactly the same order you did.
FWIW, the docs in the 9.9 ARM say that you can just increment the serial
number in the unsigned zone, and that it will then do the right thing
with the automatic signing. That turns out not to be the case, you
actually have to increment the serial in the unsigned zone to be higher
than the one in the signed zone (which implies checking it by hand
first, as Evan suggested).
You also have to do specifically 'rndc reload <zone>' after you edit,
just plain 'rndc reload' won't cut it. I've also tripped over that one
myself, but at least I learned from the experience. :)
More information about the dns-operations