We have a stealth master which has several zones secured with DNSSEC. We recently upgraded to 9.11 and enabled auto-maintain and inline-update for DNSSEC. The initial zone resign and load went smoothly. However, when I now update the master zone records and serial number the changed zone is not transferred to the authoritative slaves. In fact I cannot find any evidence that the changes in the master zone file have had any effect whatsoever.
drill harte-lyne.ca gives this:
;; ANSWER SECTION:
harte-lyne.ca. 172800 IN SOA dns01.harte-lyne.ca. nameservice.harte-lyne.ca. 2019040501 10800 3600 1209600 7200
but the serial number in the master file is this: 2019041603
rndc reload harte-lyne.ca produces this:
zone reload up-to-date
rndc freeze and thaw do not work as the zone is defined in named.conf as a master and not as a dynamic zone.
What is the technique used to cause BIND to resign and reload a modified master zone file immediately following a manual update?
If I run rndc zonestatus then I get this:
# rndc zonestatus harte-lyne.ca
name: harte-lyne.ca
type: master
files: /usr/local/etc/namedb/master/harte-lyne.ca.hosts
serial: 2019041603
signed serial: 2019041617
nodes: 1198
last loaded: Tue, 16 Apr 2019 19:50:26 GMT
secure: yes
inline signing: yes
key maintenance: automatic
next key event: Wed, 17 Apr 2019 13:51:16 GMT
next resign node: _22._tcp.inet17.mississauga.harte-lyne.ca/NSEC
next resign time: Wed, 17 Apr 2019 13:46:37 GMT
dynamic: no
reconfigurable via modzone: no
This tells me that the zone is being updated and resigned on a schedule. But how do I force an immediate update and notify following a manual change to the master zone file?
The significance of the next resign node also escapes me. I have not been able to locate an explanation of this in the available documentation, including the 9.11 admin guide.
0 Answers
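As an added example, not code from the original post or from the BIND project: a small POSIX shell wrapper for the manual-edit cycle on a master zone that has inline signing and automatic key maintenance enabled. It bumps the serial in a way that always moves forward, reloads the zone, reads the two serials back out of rndc zonestatus so a "nothing changed" result can be pinned to a stage, checks the SOA on the master itself without recursion, and re-sends NOTIFY. ZONE, ZONEFILE and the sample zonestatus text are taken from the post; the rndc, dig and named-checkzone calls are only run when the script is invoked with the argument push on the master (an assumed deployment), so the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): manual-edit cycle
# for an inline-signed master zone. ZONE and ZONEFILE are copied from the
# post; push_zone runs only as "sh thisscript.sh push <serial>" on the master,
# where rndc, dig and named-checkzone exist (assumption). SAMPLE_STATUS is the
# zonestatus output quoted in the post, embedded for offline use.

ZONE="harte-lyne.ca"
ZONEFILE="/usr/local/etc/namedb/master/harte-lyne.ca.hosts"

# next_serial CUR TODAY: return a YYYYMMDDnn serial strictly greater than CUR.
# A later day restarts the two-digit counter at 01; a same-day edit (or a
# serial already ahead of today) just adds one, so the serial always advances.
# Slaves only transfer when the serial they see is greater than their own.
next_serial() {
  cur=$1
  today=$2
  if [ "$cur" -lt "${today}01" ]; then
    echo "${today}01"
  else
    echo $((cur + 1))
  fi
}

# zonestatus_serials TEXT: from "rndc zonestatus ZONE" output, print
# "<file serial> <signed serial>". With inline signing the signed copy that
# named serves carries its own serial (2019041617 beside 2019041603 in the
# post); the signed serial is the one slaves and resolvers see.
zonestatus_serials() {
  printf '%s\n' "$1" | awk '
    /^serial:/        { s = $2 }
    /^signed serial:/ { ss = $3 }
    END { print s, ss }'
}

# loaded_ok TEXT WANT: succeed only when the file serial named reports is the
# one you just wrote (WANT) and the signed serial is not behind it, i.e. the
# reload took and the inline signer has caught up.
loaded_ok() {
  set -- $(zonestatus_serials "$1") "$2"
  [ "$1" -eq "$3" ] && [ "$2" -ge "$3" ]
}

# push_zone WANT: the live procedure; WANT is the serial now in ZONEFILE.
push_zone() {
  want=$1
  # 1. syntax-check the hand-edited file before named touches it
  named-checkzone "$ZONE" "$ZONEFILE" >/dev/null || return 1
  # 2. re-read the file. "zone reload up-to-date" means named skipped the
  #    load because the file is not newer than its last load, which is what
  #    you get when the current version of the file was already loaded.
  rndc reload "$ZONE"
  # 3. give the inline signer a moment, then confirm both serials moved
  sleep 2
  status=$(rndc zonestatus "$ZONE")
  loaded_ok "$status" "$want" || { printf '%s\n' "$status"; return 1; }
  # 4. ask this server directly, no recursion, so a resolver's cached SOA
  #    (held for up to the SOA TTL) cannot mask what the master serves
  dig +norecurse +short @127.0.0.1 "$ZONE" SOA
  # 5. re-send NOTIFY so the slaves pull now instead of at their refresh time
  rndc notify "$ZONE"
}

# Constructed sample: the zonestatus output quoted in the post, trimmed.
SAMPLE_STATUS='name: harte-lyne.ca
type: master
serial: 2019041603
signed serial: 2019041617
dynamic: no'

case "${1:-}" in
  push) push_zone "$2" ;;
  *) echo "next serial: $(next_serial 2019041603 20190416)"
     echo "serials in sample status: $(zonestatus_serials "$SAMPLE_STATUS")" ;;
esac
```

Run without arguments it only exercises the helpers on the embedded sample; with `push <serial>` it performs the live steps in order, stopping at the first one whose result does not match, so the stage at which a change is lost (file not loaded, signer not caught up, slaves not notified) is visible rather than inferred from a resolver's possibly cached answer.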