[dns-operations] DS keys for child zones on same server & inline signing

Hauke Lampe lampe at hauke-lampe.de
Sun Mar 17 11:10:07 UTC 2013


(This is probably more a thread for bind-users, but...)

On 15.03.2013 22:44, Doug Barton wrote:

> FWIW, the docs in the 9.9 ARM say that you can just increment the serial
> number in the unsigned zone, and that it will then do the right thing
> with the automatic signing. That turns out not to be the case, you
> actually have to increment the serial in the unsigned zone to be higher
> than the one in the signed zone (which implies checking it by hand
> first, as Evan suggested).
>
> You also have to do specifically 'rndc reload <zone>' after you edit,
> just plain 'rndc reload' won't cut it. I've also tripped over that one
> myself, but at least I learned from the experience. :)

FWIW, just incrementing the serial in the unsigned zone and plain "rndc reload"
works for me (BIND 9.9.2rc1):

|zone example.org/IN/authoritative (unsigned): loaded serial 24
|zone example.org/IN/authoritative (signed): serial 192341 (unsigned 24)


Hauke.
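The thread turns on comparing three serials: the one in the unsigned zone file you just edited, the unsigned serial named last loaded, and the serial of the inline-signed copy it serves (the "(signed): serial 192341 (unsigned 24)" log line above). Doug's advice amounts to doing that comparison by hand before reloading. The script below is an added example, not part of this post or of BIND; it parses a constructed zone file and the log line format quoted above, compares the serials using RFC 1982 serial arithmetic (so wraparound is handled), and reports whether the edited file is newer than what named loaded and whether it is above the signed serial. The zone file contents are made up for the example; the serial values come from the log line in the post.

```python
import re

# Constructed sample unsigned zone file (not from the post). The serial
# matches the "unsigned 24" value named reported in the log line.
UNSIGNED_ZONE = """\
$TTL 3600
example.org. IN SOA ns1.example.org. hostmaster.example.org. (
        24         ; serial
        7200       ; refresh
        3600       ; retry
        1209600    ; expire
        3600 )     ; minimum
example.org. IN NS ns1.example.org.
"""

# Log line in the form named emits when loading an inline-signed zone;
# the values are the ones quoted in the post.
NAMED_LOG_LINE = (
    "zone example.org/IN/authoritative (signed): serial 192341 (unsigned 24)"
)

SERIAL_MODULUS = 2**32
HALF_SPACE = 2**31

# Matches the SOA RDATA: mname, rname, optional "(", then the serial.
SOA_SERIAL_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)")
SIGNED_LOG_RE = re.compile(r"\(signed\): serial (\d+) \(unsigned (\d+)\)")


def strip_comments(zone_text: str) -> str:
    """Drop ';' comments so a comment between '(' and the serial cannot confuse the parser."""
    return "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())


def unsigned_zone_serial(zone_text: str) -> int:
    """Return the SOA serial from an unsigned zone file (parenthesised or single-line SOA)."""
    match = SOA_SERIAL_RE.search(strip_comments(zone_text))
    if not match:
        raise ValueError("no SOA serial found in zone text")
    return int(match.group(1))


def signed_serials_from_log(line: str) -> tuple:
    """Return (signed_serial, loaded_unsigned_serial) from named's inline-signing log line."""
    match = SIGNED_LOG_RE.search(line)
    if not match:
        raise ValueError("line does not look like an inline-signing load message")
    return int(match.group(1)), int(match.group(2))


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: a is 'greater than' b if it is ahead by less than 2^31 modulo 2^32."""
    distance = (a - b) % SERIAL_MODULUS
    return 0 < distance < HALF_SPACE


def next_serial_above(serial: int) -> int:
    """Smallest serial that RFC 1982 considers greater than the given one."""
    return (serial + 1) % SERIAL_MODULUS


def check(zone_text: str, log_line: str) -> dict:
    """Compare the edited unsigned file against what named reports for the signed zone."""
    file_serial = unsigned_zone_serial(zone_text)
    signed_serial, loaded_unsigned = signed_serials_from_log(log_line)
    return {
        "file_serial": file_serial,
        "loaded_unsigned_serial": loaded_unsigned,
        "signed_serial": signed_serial,
        # True once the edited file has been bumped past what named last loaded.
        "file_newer_than_loaded": serial_gt(file_serial, loaded_unsigned),
        # The stricter condition Doug describes: unsigned serial above the signed one.
        "file_above_signed": serial_gt(file_serial, signed_serial),
        "minimum_to_exceed_signed": next_serial_above(signed_serial),
    }


if __name__ == "__main__":
    for key, value in check(UNSIGNED_ZONE, NAMED_LOG_LINE).items():
        print(f"{key}: {value}")
```

Run it against a real zone file and the matching line from named's log (e.g. the output of `rndc reload` or the syslog entry) before and after editing the serial; `file_newer_than_loaded` tells you whether the edit will be seen as a new version at all, and `file_above_signed` whether it also satisfies the stricter rule Doug found necessary.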