[dns-operations] DS keys for child zones on same server & inline signing

Carlos M. Martinez carlosm3011 at gmail.com
Sun Mar 17 15:55:25 UTC 2013


I sent an email to the list with some details on that, but somehow it didn't make it to the list.

In a few words: always edit your unsigned zone, never the signed one. Always check the CURRENT serial as published on the signed zone before incrementing. This last thing almost drove me crazy a year ago.

Then you do an 'rndc reload <zone>'; the answer should be "zone reload queued". If you get a "zone up to date" message, you got the serial wrong.

Cheers

Carlos

Sent from my iPad

On 17 Mar 2013, at 08:10, Hauke Lampe <lampe at hauke-lampe.de> wrote:

> (This is probably more a thread for bind-users, but...)
> 
> On 15.03.2013 22:44, Doug Barton wrote:
> 
>> FWIW, the docs in the 9.9 ARM say that you can just increment the serial
>> number in the unsigned zone, and that it will then do the right thing
>> with the automatic signing. That turns out not to be the case, you
>> actually have to increment the serial in the unsigned zone to be higher
>> than the one in the signed zone (which implies checking it by hand
>> first, as Evan suggested).
>> 
>> You also have to do specifically 'rndc reload <zone>' after you edit,
>> just plain 'rndc reload' won't cut it. I've also tripped over that one
>> myself, but at least I learned from the experience. :)
> 
> FWIW, just incrementing the serial in the unsigned zone and plain "rndc reload" works for me (BIND 9.9.2rc1):
> 
> |zone example.org/IN/authoritative (unsigned): loaded serial 24
> |zone example.org/IN/authoritative (signed): serial 192341 (unsigned 24)
> 
> 
> Hauke.
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
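The sequence Carlos describes above (edit only the unsigned file, pick a serial higher than the one the signed zone currently publishes, then 'rndc reload <zone>' and look for "zone reload queued"), written out as an added shell example. This is not code from the thread or from BIND's own tooling. Assumptions of mine: the server that serves the signed zone answers on 127.0.0.1, the unsigned zone is a plain master file passed as an argument, and the serial policy (today's date as YYYYMMDD00, otherwise published+1) and the awk SOA parser are this example's choices, not something the thread specifies. The sample zone at the end is constructed so the file handling can be tried offline; the dig/rndc part only runs when you call bump_and_reload yourself.

```shell
#!/bin/sh
# Added example, not from the thread or from BIND.  Assumed: the signed zone is
# served on 127.0.0.1, the unsigned file is a plain master file, and the serial
# policy below is a choice of this example.

# One awk parser for the SOA serial of a master file read on stdin, used in two
# modes: mode=get prints the serial, mode=set rewrites it to "new".  Only the
# first number after the SOA token (";" comments ignored, numbers inside names
# such as ns1.example.org. skipped) is touched, so one-line and parenthesised
# multi-line SOA forms both work.  Lines are padded with a space on each side
# so every regex can use plain delimiters instead of ^ and $ anchors.
SOA_SERIAL_AWK='
{ line = " " $0 " "; body = line; sub(/;.*/, "", body); body = body " " }
!done && !insoa && match(body, /[[:space:]]SOA[[:space:]]/) {
    insoa = 1
    off = RSTART + RLENGTH - 1            # start looking right after the SOA token
}
!done && insoa && match(substr(body, off + 1), /[^0-9.][0-9]+[^0-9.]/) {
    s = off + RSTART; l = RLENGTH
    tok = substr(body, s, l)              # delimiter, digits, delimiter
    if (mode == "get") { gsub(/[^0-9]/, "", tok); print tok; exit }
    sub(/[0-9]+/, new, tok)               # swap the digits, keep layout and comment
    line = substr(line, 1, s - 1) tok substr(line, s + l)
    done = 1
}
insoa { off = 0 }
mode == "set" { print substr(line, 2, length(line) - 2) }
'

zone_file_serial() { awk -v mode=get "$SOA_SERIAL_AWK"; }             # stdin -> serial
rewrite_serial()   { awk -v mode=set -v new="$1" "$SOA_SERIAL_AWK"; }  # stdin -> rewritten file

# Serial the server actually publishes, i.e. the one on the signed zone.
# dig +short prints "mname rname serial refresh retry expire minimum".
published_serial() { dig +short @127.0.0.1 "$1" SOA | awk 'NR == 1 { print $3 }'; }

# A serial strictly higher than the published one.  Prefers today's YYYYMMDD00
# (today is passed in as YYYYMMDD so the function is testable); if that is not
# higher, published+1.  RFC 1982 wrap-around at 2^32 is not handled here.
next_serial() {
    published=$1; today=$2
    candidate=$(( today * 100 ))
    if [ "$candidate" -gt "$published" ]; then
        echo "$candidate"
    else
        echo $(( published + 1 ))
    fi
}

# rndc answers "zone reload queued" when it accepted the new file; any other
# answer (the "up to date" case Carlos mentions) means the serial did not go up.
reload_ok() {
    case "$1" in
        *"zone reload queued"*) return 0 ;;
        *) return 1 ;;
    esac
}

# The whole procedure: needs dig, rndc and write access to the unsigned file.
# Usage: bump_and_reload example.org /etc/bind/zones/example.org.unsigned
bump_and_reload() {
    zone=$1; file=$2
    published=$(published_serial "$zone")
    [ -n "$published" ] || { echo "no SOA answer for $zone from 127.0.0.1" >&2; return 1; }
    new=$(next_serial "$published" "$(date -u +%Y%m%d)")
    echo "unsigned file: $(zone_file_serial < "$file"); signed zone publishes: $published; setting: $new"
    tmp=$(mktemp) || return 1
    rewrite_serial "$new" < "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
    out=$(rndc reload "$zone" 2>&1)
    echo "rndc: $out"
    reload_ok "$out"
}

# Constructed sample (not a real zone) so the file handling can be tried offline.
SAMPLE_ZONE='$TTL 3600
@ IN SOA ns1.example.org. hostmaster.example.org. (
        24 ; serial
        7200 3600 1209600 3600 )
@ IN NS ns1.example.org.'
echo "sample unsigned serial: $(printf '%s\n' "$SAMPLE_ZONE" | zone_file_serial)"
# Pretend the signed zone publishes 192341 (the figure from Hauke's log) on 2013-03-17:
printf '%s\n' "$SAMPLE_ZONE" | rewrite_serial "$(next_serial 192341 20130317)"
```

Note that `published_serial` asks the server, not the signed file on disk, which is the point of checking: the serial BIND hands out for an inline-signed zone is the one you must beat, and it is not the one in the unsigned file.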
