[dns-operations] DS keys for child zones on same server & inline signing

Doug Barton dougb at dougbarton.us
Fri Mar 15 21:44:23 UTC 2013


On 03/15/2013 01:46 PM, Evan Hunt wrote:
> On Fri, Mar 15, 2013 at 08:12:18PM +0000, Evan Hunt wrote:
>> This may be a bug, I'll try it and see.
>
> And the answer is, it's working as expected for me.
>
> Phil, if you want to take this off the list, I'd be happy to work
> through it with you and try to figure out what the glitch was.
> Perhaps I didn't do things in exactly the same order you did.

FWIW, the docs in the 9.9 ARM say that you can just increment the serial 
number in the unsigned zone, and that it will then do the right thing 
with the automatic signing. That turns out not to be the case, you 
actually have to increment the serial in the unsigned zone to be higher 
than the one in the signed zone (which implies checking it by hand 
first, as Evan suggested).

You also have to do specifically 'rndc reload <zone>' after you edit; 
just plain 'rndc reload' won't cut it. I've also tripped over that one 
myself, but at least I learned from the experience. :)

Doug
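A pre-flight check for the serial pitfall Doug describes, as an added example that is not from the thread or from BIND itself: it parses the serial out of the edited unsigned zone file, compares it (RFC 1982 serial arithmetic) with the serial the signed copy is serving, and only then permits 'rndc reload <zone>'. The zone text and dig output are constructed samples; the live helper assumes dig and rndc on PATH and the signed zone answering on 127.0.0.1.

```python
"""Pre-flight check: before 'rndc reload <zone>' on an inline-signed BIND zone,
make sure the edited unsigned file's serial is ahead of the served, signed one."""
import re
import subprocess

def soa_serial_from_zone(zone_text):
    """Return the SOA serial from zone-file text. Strips ';' comments and
    copes with the multi-line '(' ... ')' SOA form."""
    flat = " ".join(re.sub(r";.*", "", ln) for ln in zone_text.splitlines())
    m = re.search(r"\bSOA\s+\S+\s+\S+\s+\(?\s*(\d+)", flat)
    if not m:
        raise ValueError("no SOA record found in zone text")
    return int(m.group(1))

def soa_serial_from_dig(short_output):
    """Parse 'dig +short SOA <zone>' output: MNAME RNAME SERIAL REFRESH ..."""
    return int(short_output.split()[2])

def serial_gt(a, b):
    """RFC 1982 serial arithmetic: a is 'greater than' b when the wrapped
    difference lies in (0, 2^31), so serials that wrapped past 2^32-1 work."""
    diff = (a - b) % (1 << 32)
    return 0 < diff < (1 << 31)

def reload_is_safe(unsigned_zone_text, signed_serial):
    """True only if BIND will accept the unsigned file, i.e. its serial is
    higher than the serial of the signed copy it is currently serving."""
    return serial_gt(soa_serial_from_zone(unsigned_zone_text), signed_serial)

# Constructed sample: the editor bumped the unsigned file to ...10, but inline
# signing has already pushed the served (signed) serial up to ...12.
UNSIGNED_ZONE = """\
$TTL 3600
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2013031510  ; serial, bumped by hand after editing
        3600 900 604800 86400 )
    IN  NS  ns1.example.com.
ns1 IN  A   192.0.2.1
"""
SIGNED_DIG_OUTPUT = "ns1.example.com. hostmaster.example.com. 2013031512 3600 900 604800 86400"

def check_and_reload(zone, unsigned_path, server="127.0.0.1"):
    """Live helper (assumes dig and rndc on PATH, signed zone served locally):
    runs 'rndc reload <zone>' only when the serial check passes."""
    out = subprocess.check_output(["dig", "+short", "SOA", zone, "@" + server], text=True)
    with open(unsigned_path) as f:
        if not reload_is_safe(f.read(), soa_serial_from_dig(out)):
            raise SystemExit("unsigned serial is not higher than the signed serial; bump it")
    subprocess.run(["rndc", "reload", zone], check=True)
```

With the sample data, reload_is_safe(UNSIGNED_ZONE, soa_serial_from_dig(SIGNED_DIG_OUTPUT)) is False: the hand-bumped serial is still behind the one inline signing produced, which is exactly the case where a plain reload silently does nothing.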