[dns-operations] DS keys for child zones on same server & inline signing

Doug Barton dougb at dougbarton.us
Sun Mar 17 14:07:28 UTC 2013


On 03/17/2013 04:10 AM, Hauke Lampe wrote:
> (This is probably more a thread for bind-users, but...)
>
> On 15.03.2013 22:44, Doug Barton wrote:
>
>> FWIW, the docs in the 9.9 ARM say that you can just increment the serial
>> number in the unsigned zone, and that it will then do the right thing
>> with the automatic signing. That turns out not to be the case, you
>> actually have to increment the serial in the unsigned zone to be higher
>> than the one in the signed zone (which implies checking it by hand
>> first, as Evan suggested).
>>
>> You also have to do specifically 'rndc reload <zone>' after you edit,
>> just plain 'rndc reload' won't cut it. I've also tripped over that one
>> myself, but at least I learned from the experience. :)
>
> FWIW, just incrementing the serial in the unsigned zone and plain "rndc
> reload" works for me (BIND 9.9.2rc1):
>
> |zone example.org/IN/authoritative (unsigned): loaded serial 24
> |zone example.org/IN/authoritative (signed): serial 192341 (unsigned 24)

Interesting. I'm using 9.9.2-P1.
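The procedure the two posts describe (check the signed serial, raise the serial in the unsigned zone file, then reload that specific zone) as a small POSIX shell script. This is an added example, not code from the thread or from ISC: the zone name, file path and the "; serial" tag on the SOA serial line are assumptions, the server is assumed to answer on 127.0.0.1, and it takes the conservative route of picking a serial one step above both the unsigned and the signed serial, which satisfies both accounts in the thread. It also goes one step further than the thread and compares serials with RFC 1982 arithmetic, so a serial that has wrapped past 2^32 is handled correctly.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions (hypothetical): the unsigned
# zone file keeps its SOA serial on a line tagged "; serial", the server answers on
# 127.0.0.1, and the zone name/file passed to update_and_reload exist.
set -eu

# RFC 1982 serial-number comparison: a is "greater than" b when
# 0 < (a - b) mod 2^32 < 2^31, so a serial that has wrapped past 2^32 still wins.
serial_gt() {
    d=$(( ($1 - $2 + 4294967296) % 4294967296 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# (a + 1) mod 2^32: the increment RFC 1982 defines as one step up.
bump_serial() {
    echo $(( ($1 + 1) % 4294967296 ))
}

# New serial for the unsigned zone: one step past whichever of the current
# unsigned ($1) and signed ($2) serials is larger, so it is strictly higher than
# both (this satisfies the stricter reading in the thread without hurting the other).
next_serial() {
    if serial_gt "$1" "$2"; then
        bump_serial "$1"
    else
        bump_serial "$2"
    fi
}

# Read the serial from a zone file whose SOA serial line carries "; serial".
zone_serial() {
    awk '/; serial/ { print $1; exit }' "$1"
}

# Replace the number on the tagged serial line; write via a temp file so a
# failed awk never truncates the zone file.
set_zone_serial() {
    awk -v s="$2" '/; serial/ { sub(/[0-9]+/, s) } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Operator procedure from the thread: look at the signed serial first, raise the
# unsigned one above it, then reload that specific zone (not a bare "rndc reload").
update_and_reload() {
    zone=$1; file=$2
    signed=$(dig +short @127.0.0.1 "$zone" SOA | awk '{ print $3 }')
    unsigned=$(zone_serial "$file")
    new=$(next_serial "$unsigned" "$signed")
    set_zone_serial "$file" "$new"
    echo "$zone: unsigned $unsigned, signed $signed -> new serial $new"
    rndc reload "$zone"
}

# Usage (hypothetical zone and path):
#   update_and_reload example.org /etc/bind/db.example.org
```

With the serials from Hauke's log (unsigned 24, signed 192341) the script writes 192342 into the unsigned zone file before reloading, which is higher than both and so matches Doug's requirement as well as Hauke's; the dig and rndc calls only happen inside update_and_reload, so the helper functions can be exercised without a running named.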